Researchers have discovered malware that “can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.”

Dubbed BlackLotus, the malware is what’s known as a UEFI bootkit. These sophisticated pieces of malware target the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC’s device firmware with its operating system, the UEFI is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch. Previously discovered bootkits such as CosmicStrand, MosaicRegressor, and MoonBounce work by targeting the UEFI firmware stored in the flash storage chip. Others, including BlackLotus, target the software stored in the EFI system partition.

Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to launch malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.

ESET has an analysis:

The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn’t gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature—UEFI Secure Boot—is now a reality. In this blogpost we present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022.

[…]

It’s capable of running on the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled.
It exploits a more than one year old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability.
Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate—but vulnerable—binaries to the system in order to exploit the vulnerability.
It’s capable of disabling OS security mechanisms such as BitLocker, HVCI, and Windows Defender.
Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit from removal), and an HTTP downloader responsible for communication with the C&C and capable of loading additional user-mode or kernel-mode payloads.

This is impressive stuff.

Read More

In 1999, the United States began to shape its QIS strategy. The first document on file is a Scientific and Technical Report (STR) entitled: “Quantum Information Science. An Emerging Field of Interdisciplinary Research and Education in Science and Engineering.” This is the first report of an assortment of publications that help establish the US QIS strategy. To date, 55 publications contribute to the overall US strategy to advance QIS and quantum applications. These documents consist of Scientific and Technical Reports (STR), Strategy Documents, Event Summaries, and the National Quantum Initiative Supplement to the President’s Budget.

To begin, STRs are fundamental sources of scientific and technical information derived from research projects sponsored by the Department of Energy. On an annual basis, the US has released roughly 3.5 QIS reports (on average) since 1999; consequently, these publications make up 65% of the strategic documents related to QIS. Scientific and Technical Reports describe processes, progress, the results of R&D or other scientific and technological work. Additionally, recommendations or conclusions of research, original hypotheses, approaches used, and findings are also included. Scientific and Technical Reports have proven to be highly beneficial to researchers. STRs regularly include more comprehensive or detailed information than scholarly papers or presentations since STRs include experimental designs and technical diagrams.

Continuing, released in 2009, the National Science and Technology Council (NSTC) released the first QIS Strategy Document entitled “A Federal Vision for Quantum Information Science.” NSTC has the aim of articulating clear goals and a vision for federal service and technology investments, focusing on information technology, and strengthening fundamental research. This interagency document set conditions to coordinate federal efforts in QIS and other related fields. Furthermore, the strategy documents establish clear national goals for service and technology investments in information technologies and health research industries.

Additionally, in 2018, a Summary of the 2018 White House Summit on Advancing American Leadership in Quantum Information Science was published as an Event Summary. Event Summaries are published by the National Quantum Coordination Office (NSQO). Event summaries provide an executive summary of key engagements related to QIS. With six summaries published to date, the current theme revolves around events that promote leadership, education, outreach, and recruitment in the field of QIS. The summaries prove to be very advantageous since they provide a read-out document that can be archived to capture event background, discission topics, key takeaways, agency funding/research award announcements, next steps, and an event conclusion.

Furthermore, the National Quantum Initiative (NQI) Act, which became law in 2018, ensures the annual release of the National Quantum Initiative Supplement to the President’s Budget. This is the final document to reference which contributes to the US QIS strategy. The supplement details the current year’s efforts, progress, and budget for the National Quantum Initiative Program, along with, projecting a budget for the next fiscal year. The supplement also provides an analysis of the progress made toward achieving the goals and priorities of the NSTC Subcommittee on Quantum Information Science (SCQIS).

Since 1999, the US began charting a way to address QIS. Vision, strategy, R&D, agency coordination, funding, and QIS promotion efforts have been consistent. The strategy has also accelerated in the last five years. As advances in Quantum Science materialize, the US continues to make strides in coordinating across the Federal government, academic institutions, and industry. 21 different agencies in addition to Nobel Laureates and international partners are invested in the US strategy to address all aspects of Quantum Science. With certainty, there is a race to clearly understand all aspects of QIS and the impact it can have on our society. The US displays an inclusive, wide reaching, firm, and consistently accelerated strategy due to developments in QIS. US strategy and efforts toward QIS places the US on a path to lead the world in QIS. Simply put, the US strategy encompasses a whole of government approach, along with, collaborating with industry, academic institutions, and allies worldwide to bring to life the remarkable potential in how QIS can change the way citizens live, work, and understand the world.

“As new technologies continue to evolve, we’ll work together with our democratic partners to ensure that new advances in areas from biotechnology to quantum computing, 5G, artificial intelligence, and more are used to lift people up, to solve problems, and advance human freedom.” – President Biden

SECDEF Executive Fellowship Homepage

US Army Homepage

Army War College Homepage

Find Your Army Career

Read More

Activity linked to Pakistani state group APT36

Read More

CISO Nicole Darden Ford has become accustomed to doing more with less since the COVID-19 pandemic suddenly upended her company’s workforce. “I got off a plane from India and saw all these people with masks at the airport in Washington, DC, and I wondered what was going on. I went straight to the office where my CEO and CIO explained our new reality: We were going into quarantine and we had less than a week to come up with a way for people to work remotely.”

This was at her previous company, a startup spinning out of a larger company and preparing for IPO while transitioning to the cloud. With “limited time and minimal resources,” she managed to pull it off. Now, as global vice president and CISO at the $7.8-billion industrial automation company Rockwell Automation, she’s prepared for the economic uncertainty being felt by businesses around the globe, some of which are Rockwell Automation clients.

To read this article in full, please click here

Read More

Data Protection and Digital Information Bill designed to reduce paperwork

Read More

Trend Micro stops a record 146 billion discrete threats

Read More

The domain name registrar Freenom, whose free domain names have long been a draw for spammers and phishers, has stopped allowing new domain name registrations. The move comes just days after the Dutch registrar was sued by Meta, which alleges the company ignores abuse complaints about phishing websites while monetizing traffic to those abusive domains.

Freenom is the domain name registry service provider for five so-called “country code top level domains” (ccTLDs), including .cf for the Central African Republic; .ga for Gabon; .gq for Equatorial Guinea; .ml for Mali; and .tk for Tokelau.

Freenom has always waived the registration fees for domains in these country-code domains, presumably as a way to encourage users to pay for related services, such as registering a .com or .net domain, for which Freenom does charge a fee.

On March 3, 2023, social media giant Meta sued Freenom in a Northern California court, alleging cybersquatting violations and trademark infringement. The lawsuit also seeks information about the identities of 20 different “John Does” — Freenom customers that Meta says have been particularly active in phishing attacks against Facebook, Instagram, and WhatsApp users.

The lawsuit points to a 2021 study (PDF) on the abuse of domains conducted for the European Commission, which discovered that those ccTLDs operated by Freenom made up five of the Top Ten TLDs most abused by phishers.

“The five ccTLDs to which Freenom provides its services are the TLDs of choice for cybercriminals because Freenom provides free domain name registration services and shields its customers’ identity, even after being presented with evidence that the domain names are being used for illegal purposes,” the complaint charges. “Even after receiving notices of infringement or phishing by its customers, Freenom continues to license new infringing domain names to those same customers.”

Meta further alleges that “Freenom has repeatedly failed to take appropriate steps to investigate and respond appropriately to reports of abuse,” and that it monetizes the traffic from infringing domains by reselling them and by adding “parking pages” that redirect visitors to other commercial websites, websites with pornographic content, and websites used for malicious activity like phishing.

Freenom has not yet responded to requests for comment. But attempts to register a domain through the company’s website as of publication time generated an error message that reads:

“Because of technical issues the Freenom application for new registrations is temporarily out-of-order. Please accept our apologies for the inconvenience. We are working on a solution and hope to resume operations shortly. Thank you for your understanding.”

Although Freenom is based in The Netherlands, some of its other sister companies named as defendants in the lawsuit names are incorporated in the United States.

Meta initially filed this lawsuit in December 2022, but it asked the court to seal the case, which would have restricted public access to court documents in the dispute. That request was denied, and Meta amended and re-filed the lawsuit last week.

According to Meta, this isn’t just a case of another domain name registrar ignoring abuse complaints because it’s bad for business. The lawsuit alleges that the owners of Freenom “are part of a web of companies created to facilitate cybersquatting, all for the benefit of Freenom.”

“On information and belief, one or more of the ccTLD Service Providers, ID Shield, Yoursafe, Freedom Registry, Fintag, Cervesia, VTL, Joost Zuurbier Management Services B.V., and Doe Defendants were created to hide assets, ensure unlawful activity including cybersquatting and phishing goes undetected, and to further the goals of Freenom,” Meta charged.

It remains unclear why Freenom has stopped allowing domain registration, but it could be that the company was recently the subject of some kind of disciplinary action by the Internet Corporation for Assigned Names and Numbers (ICANN), the nonprofit entity which oversees the domain registrars.

In June 2015, ICANN suspended Freenom’s ability to create new domain names or initiate inbound transfers of domain names for 90 days. According to Meta, the suspension was premised on ICANN’s determination that Freenom “has engaged in a pattern and practice of trafficking in or use of domain names identical or confusingly similar to a trademark or service mark of a third party in which the Registered Name Holder has no rights or legitimate interest.”

ICANN has not yet responded to requests for comment.

A copy of the amended complaint against Freenom, et. al, is available here (PDF).

Read More