Third Firmware Bootkit Discovered


Cybersecurity researchers at Kaspersky have discovered a third known case of a firmware bootkit in the wild.

The kit, which made its first appearance in the wild in the spring of 2021, has been named MoonBounce. Researchers are confident that the campaign is the work of well-known Chinese-speaking advanced persistent threat (APT) actor APT41.

MoonBounce demonstrates a more complicated attack flow and greater technical sophistication than previously discovered bootkits LoJax and MosaicRegressor.

The malicious implant was found hiding inside the CORE_DXE component of the Unified Extensible Firmware Interface (UEFI) firmware. UEFI firmware is critical because its code is responsible for booting up a device and passing control to the software that loads the operating system (OS). 

Once MoonBounce’s components have made their way into the operating system, they reach out to a command & control server to retrieve further malicious payloads, which Kaspersky researchers could not retrieve.

The code to boot the device is stored in a non-volatile component external to the hard drive called the Serial Peripheral Interface (SPI) flash. 

Researchers said that bootkits of this kind are extremely hard to detect because the code they target is located outside of the device’s hard drive, in an area that most security solutions do not scan as standard.

Firmware bootkits are also difficult to delete. They can’t be removed simply by reformatting a hard drive or reinstalling an OS because the code is launched before the operating system.

“The infection chain itself does not leave any traces on the hard drive, since its components operate in memory only, thus facilitating a fileless attack with a small footprint,” noted researchers. 
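Because the implant lives in SPI flash rather than on disk, the practical defensive check is to read the flash contents (with a vendor tool or an external programmer) and compare the dump against a known-good image of the same firmware version. The following script is an added example, not code from Kaspersky or this article: it performs that comparison step on two in-memory images at 4 KiB region granularity (an assumed erase-block size) and reports which regions differ. The images it builds are constructed test data, not real firmware, and the modified offset is arbitrary rather than MoonBounce’s layout.

```python
"""Baseline comparison of two SPI flash dumps, region by region.

Added example (not from the Kaspersky report): firmware implants live in
SPI flash, so disk scanning and OS reinstalls never see them. The check
below assumes you already hold a dump of the flash and a known-good image
of the same firmware version; it compares the two and lists changed regions.
The sample images are constructed test data, not real firmware.
"""
import hashlib

REGION_SIZE = 4096  # compare at erase-block granularity (assumption: 4 KiB)


def region_hashes(image: bytes, region_size: int = REGION_SIZE) -> list:
    """Return the SHA-256 of each fixed-size region of the image, in order."""
    return [hashlib.sha256(image[i:i + region_size]).hexdigest()
            for i in range(0, len(image), region_size)]


def diff_images(baseline: bytes, dump: bytes, region_size: int = REGION_SIZE) -> dict:
    """Compare a flash dump against a known-good baseline.

    Returns a dict with an overall verdict, the byte offsets of regions whose
    hash differs, and a size-mismatch flag. A size mismatch is itself treated
    as a failure: a dump of the same flash part should be identical in length.
    """
    if len(baseline) != len(dump):
        return {"clean": False, "size_mismatch": True, "changed_regions": []}
    base_hashes = region_hashes(baseline, region_size)
    dump_hashes = region_hashes(dump, region_size)
    changed = [i * region_size
               for i, (b, d) in enumerate(zip(base_hashes, dump_hashes)) if b != d]
    return {"clean": not changed, "size_mismatch": False, "changed_regions": changed}


def build_sample_images():
    """Construct a fake 64 KiB baseline and a tampered copy (test data only)."""
    baseline = bytes((i * 7) & 0xFF for i in range(64 * 1024))
    tampered = bytearray(baseline)
    # Simulate a patched driver body at offset 0x3000 (constructed; arbitrary offset).
    tampered[0x3000:0x3010] = b"\x90" * 16
    return baseline, bytes(tampered)


if __name__ == "__main__":
    base, dump = build_sample_images()
    result = diff_images(base, dump)
    if result["size_mismatch"]:
        print("dump length differs from baseline: treat as modified")
    for off in result["changed_regions"]:
        print(f"region at 0x{off:06x} differs from baseline")
    print("verdict:", "clean" if result["clean"] else "MODIFIED")
```

Region-level output is deliberate: it tells an analyst which part of the image to carve out and inspect with a UEFI firmware parser, without requiring that parser to be part of the first triage step. The baseline must come from the same firmware version, since any legitimate update will also show as changed regions.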

While investigating MoonBounce, researchers appeared to detect a link between the bootkit and Microcin malware used by the SixLittleMonkeys threat actor.

“While we can’t definitely connect the additional malware implants found during our research to MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one another to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin,” said Denis Legezo, senior security researcher with GReAT (Kaspersky’s Global Research and Analysis Team).


Jail for prolific romance fraudster who fleeced besotted lonely hearts


To his victims he was “Tony Eden”, a middle-aged white man looking for love online, while working overseas for a drilling company.

But in reality he was a school caretaker called Osagie Aigbonohan, originally from Lagos, Nigeria, and part of a criminal gang with links to the notorious Black Axe group.

Read more in my article on the Tripwire State of Security blog.


San Francisco Police Illegally Spying on Protesters


Last summer, the San Francisco police illegally used surveillance cameras at the George Floyd protests. The EFF is suing the police:

This surveillance invaded the privacy of protesters, targeted people of color, and chills and deters participation and organizing for future protests. The SFPD also violated San Francisco’s new Surveillance Technology Ordinance. It prohibits city agencies like the SFPD from acquiring, borrowing, or using surveillance technology, without prior approval from the city’s Board of Supervisors, following an open process that includes public participation. Here, the SFPD went through no such process before spying on protesters with this network of surveillance cameras.

It feels like a pretty easy case. There’s a law, and the SF police didn’t follow it.

Tech billionaire Chris Larsen is on the side of the police. He thinks that the surveillance is a good thing, and wrote an op-ed defending it.

I wouldn’t be writing about this at all except that Chris is a board member of EPIC, and used his EPIC affiliation in the op-ed to bolster his own credentials. (Bizarrely, he linked to an EPIC page that directly contradicts his position.) In his op-ed, he mischaracterized the EFF’s actions and the facts of the lawsuit. It’s a mess.

The plaintiffs in the lawsuit wrote a good rebuttal to Larsen’s piece. And this week, EPIC published what is effectively its own rebuttal:

One of the fundamental principles that underlies EPIC’s work (and the work of many other groups) on surveillance oversight is that individuals should have the power to decide whether surveillance tools are used in their communities and to impose limits on their use. We have fought for years to shed light on the development, procurement, and deployment of such technologies and have worked to ensure that they are subject to independent oversight through hearings, legal challenges, petitions, and other public forums. The CCOPS model, which was developed by ACLU affiliates and other coalition partners in California and implemented through the San Francisco ordinance, is a powerful mechanism to enable public oversight of dangerous surveillance tools. The access, retention, and use policies put in place by the neighborhood business associations operating these networks provide necessary, but not sufficient, protections against abuse. Strict oversight is essential to promote both privacy and community safety, which includes freedom from arbitrary police action and the freedom to assemble.

So far, EPIC has not done anything about Larsen still being on its board. (Others have criticized them for keeping him on.) I don’t know if I have an opinion on this. Larsen has done good work on financial privacy regulations, which is a good thing. But he seems to be funding all these surveillance cameras in San Francisco, which is really bad.


Smashing Security podcast #258: Tesla remote hijacks and revolting YouTubers


Carole’s still on jury service, but the show must go on! We take a look at how some Tesla owners are at risk of having their expensive cars remotely hijacked, and why YouTubers are up in arms over NFTs.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.


Applications Open for Next NCSC for Startups Cohort


Applications have opened for the latest NCSC for Startups program, which is focusing on companies developing products to protect SMEs from ransomware.

The program, designed to help the growth and development of the UK’s most promising cybersecurity startup firms, was launched last June. It is run by the National Cyber Security Centre (NCSC) and Plexal, and is a successor to the successful NCSC Cyber Accelerator program.

The first companies to participate in this new program were announced in August.

For its next cohort, NCSC for Startups is inviting applications from startups creating products designed to protect SMEs from surging ransomware attacks. Specifically, these are companies that:

Can defend SMEs from ransomware by providing accessible, low-cost protection
Encourage firms to implement secure backups to minimize the impact of an attack
Address risks posed by remote desktop protocol (RDP) as more businesses and individuals implement home and remote working

Cyber-criminals have dramatically increased their targeting of SMEs during the pandemic, with many of these businesses having to undertake rapid digital transformation projects. Yet many of these firms do not have the necessary cybersecurity skills or tools to protect themselves.

Successful applicants will receive continuous onboarding for 12 months, working with leading cybersecurity experts to develop, adapt and test their products.

Chris Ensor, deputy director for cyber growth at the NCSC, commented: “Ransomware presents the most serious cyber security threat to the UK, and it is vital that organizations protect themselves.

“Our latest NCSC for Startups challenge provides a great opportunity for innovative companies to collaborate with us in the fight against ransomware and strengthen the UK’s defenses.”

Saj Huq, director of innovation at Plexal, said: “Ransomware doesn’t just affect large, established companies: there is a growing risk to SMEs that make up the backbone of our economy, and anyone who lives and works online are potential victims.  

“This is a unique and game-changing opportunity for startups to work on the biggest cyber-threat around alongside experts from the NCSC and industry who are working day in, day out, to keep the UK safe – and I hope they respond to this call with a sense of urgency and mission.”

Interested companies can submit their applications at: https://www.ncsc.gov.uk/section/ncsc-for-startups/join-the-ncsc-for-start-ups.

The NCSC for Startups program forms part of the UK’s National Cyber Strategy, unveiled in December.


NFTs – Protecting the investment


This blog was written by an independent guest blogger.

Non-fungible tokens (NFTs) are the new player in the financial investment market. They’ve seen tremendous interest from a wide range of parties, whether institutional investors or retail hobbyists looking for an angle. As with anything involving money, malicious actors are already starting to take hold; Insider magazine recently highlighted the theft of 265 Ethereum (roughly $1.1 million) through a fraudulent NFT scheme.

Just as cybersecurity has needed frequent and substantial improvements to shore up the security scene, so have NFTs, and those who purchase them. Funnily enough, the key to protecting NFTs is first understanding their financial liability and the laws governing them.

Governmental regulations

Cryptocurrency has been subjected to a rapidly changing balance of laws for the government to try and control it through regulation. NFTs are much the same; while they have entered the market as a form of ultra-modern art exchange, they are still financial instruments. As a result, buyers and sellers have been hit with unexpected fines and seizures by the government due to a poor understanding of the rules. Indeed, Vice recently reported that the US tax authorities had placed sanctions on 57 cryptocurrency addresses and one popular exchange due to their connections with money laundering.

Protecting yourself in this regard comes down to two, fairly basic, steps. Firstly, understand that NFTs are not a currency or simply a piece of art. They remain assets according to the IRS rules, which means they are subject to the capital gains tax. All NFT exchanges must satisfy this rule. Secondly, make sure to use reputable exchanges. Do thorough research on your exchange, make sure they are fully regulated, and protect your own wallet.

Protecting your wallet

NFTs are cryptocurrencies, and so their security is the same as the security of the crypto wallet. Cryptocurrency wallet theft is no small issue. Figures analyzed by Forbes highlight the sheer scale of wallet hacks, with one recent attack gaining notoriety after it extracted $600 million in Ethereum.

A well-protected cryptocurrency wallet has three main features. Firstly, its owner practices good digital hygiene – keep your credentials secure and use multi-factor authentication. Secondly, it has backups – physical data, such as an external hard drive, is a good idea. Lastly, smart cryptocurrency defense relies on using good quality cybersecurity tools on any device where you are dealing with your cryptocurrency sales, with a firewall and antivirus as a minimum.

Staying ahead

Updates are a crucial factor in any effective anti-malware system. As The Verge highlights, white hat operators have recently helped to patch serious vulnerabilities that allowed NFTs to be stolen through scam schemes in which the victim was gifted an NFT. Proper protection of this kind requires both user awareness and the dedication of programmers. It’s essential to patch vulnerabilities proactively, before they result in wide-scale thefts of NFTs or a general loss of confidence in the market.

On a personal basis, once again, researching the market and looking to keep an eye on emerging threats and trends will help to bridge this gap. Sometimes even having one eye on the trend can create the small amount of awareness needed to avoid a scam.

NFT protection is, then, similar to protecting any other digital financial asset. The fact that NFTs are presented as art is something that is misleading when it comes to effectively creating protections for them against hackers. Treat NFTs like their source technology, cryptocurrency. This can help ensure that they retain their protections and are secure against malicious actors.


Twitter Mentions More Effective Than CVSS at Reducing Exploitability


Monitoring Twitter mentions of vulnerabilities may be twice as effective as CVSS scores at helping organizations prioritize which bugs to patch first, according to new research.

Kenna Security’s latest report, Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability, was compiled with help from the Cyentia Institute.

It confirmed what many security experts have been saying for some time: the sheer volume of CVEs discovered today means organizations must get better at prioritizing which vulnerabilities to fix.

Although an average of 55 bugs were discovered every day in 2021, the good news is that only 4% posed a high risk to organizations, according to the research. It went further, claiming that 62% of the vulnerabilities studied had less than a 1% chance of exploitation, while only 5% exceeded a 10% probability.

To arrive at its findings, Kenna Security used an industry-devised Exploit Prediction Scoring System (EPSS), which uses CVE information and real-world exploit data to predict “whether and when” vulnerabilities will be exploited in the wild.

Not all vulnerability management strategies are created equal, argued Kenna Security co-founder and CTO, Ed Bellis.

“Prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS scores in minimizing exploitability. Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about two times better),” he wrote.

“We also learned that, given the choice, it’s far more effective to improve vulnerability prioritization than increase remediation capacity … but doing both can achieve a 29-times reduction in exploitability.”

Bellis concluded that prioritizing bugs via exploitability rather than technical CVSS scores is “the strategy of the future” and one that US government security experts appear to be taking.

“The data shows that taking this more measured approach of prioritizing exploitability over CVSS scores is the way to go and the recent Cybersecurity and Infrastructure Security Agency (CISA) directive agrees,” he argued.


Eleven Arrested in Bust of Prolific Nigerian BEC Gang


Nigerian police have arrested 11 more suspected members of a prolific business email compromise (BEC) gang that may have targeted hundreds of thousands of organizations.

Interpol coordinated Operation Falcon II with the Nigerian Police Force (NPF) over 10 days in December 2021, having sought input from other police forces across the globe investigating BEC attacks via its I-24/7 communications network.

Those arrested are thought to be part of the Silver Terrier (aka TMT) group. One individual had the domain credentials of 800,000 potential victims on his laptop, while another was monitoring online conversations between 16 companies and their clients and diverting funds to TMT, Interpol claimed.

A third is suspected of BEC attacks across West Africa, including Nigeria, Gambia and Ghana.

Any intelligence and evidence gleaned from the operation will be fed into Interpol’s Global Financial Crime Taskforce (IGFCTF) to help prevent further fraud.

“Operation Falcon II sends a clear message that cybercrime will have serious repercussions for those involved in business email compromise fraud, particularly as we continue our onslaught against the threat actors, identifying and analyzing every cyber trace they leave,” said Interpol director of cybercrime, Craig Jones.

“Interpol is closing ranks on gangs like SilverTerrier. As investigations continue to unfold, we are building a very clear picture of how such groups function and corrupt for financial gain. Thanks to Operation Falcon II we know where and whom to target next.”

The first iteration of this anti-BEC campaign was run in 2020 and resulted in the arrest of three TMT suspects. The gang was thought to have compromised as many as 500,000 victim organizations by that time, according to Group-IB, which was involved in both operations.

“Group-IB’s APAC Cyber Investigations Team has contributed to the current operation by sharing information on the threat actors, having identified the attackers’ infrastructure, collected their digital traces and assembled data on their identities,” it explained in a statement.

“Group-IB has also expanded the investigation’s evidence base by reverse-engineering the samples of malware used by the cyber-criminals and conducting the digital forensics analysis of the files contained on the devices seized from the suspects.”


Red Cross: Supply Chain Data Breach Hit 500K People


The International Committee of the Red Cross (ICRC) has revealed a major data breach that compromised the personal details of over 515,000 “highly vulnerable” victims.

It was stolen from a Swiss contractor that stores the data on behalf of the global humanitarian organization headquartered in Geneva.

The ICRC claimed it originated from at least 60 Red Cross and Red Crescent National Societies worldwide.

Some of the most vulnerable members of society are affected, including individuals separated from their families due to conflict, migration and disaster, missing persons and their families and people in detention, it added.

“An attack on the data of people who are missing makes the anguish and suffering for families even more difficult to endure. We are all appalled and perplexed that this humanitarian information would be targeted and compromised,” said Robert Mardini, the ICRC’s director-general.

“This cyber-attack puts vulnerable people, those already in need of humanitarian services, at further risk.”

There’s no indication the information has been shared publicly yet, but that’s no guarantee it won’t be in the future. That’s why Mardini pleaded with the threat actors not to leak or sell the spoils of its attack.

“Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering,” he said.

“The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

Given financially motivated cyber-criminals have targeted hospitals with ransomware in the past, there’s certainly no guarantee that Mardini’s words will be heard. Nor is it clear whether it was a criminal rather than a state-sponsored attack.

As a result of the attack, the ICRC said it had been forced to shut down its Restoring Family Links service, which it claims reunites 12 missing people on average with their families every day.
