Image: Peter Kruse Since May 2018, a malware botnet has been launching brute-force attacks against Microsoft SQL (MSSQL) databases to take over admin accounts and then install cryptocurrency mining scripts on the underlying operating system. The botnet, detailed in a report published today by cyber-security firm Guardicore and shared with ZDNet, is still active and […] More

Image: Eclypsium

Details about a new vulnerability in a core component of the Secure Boot process have been published today.
The vulnerability, codenamed BootHole, allows attackers to tamper with the boot-loading process that precedes starting up the actual operating system (OS).
This process relies on components known as bootloaders that are responsible for loading the firmware of all computer hardware components on which the actual OS runs.
BootHole is a vulnerability in GRUB2, one of today’s most popular bootloader components. Currently, GRUB2 is used as the primary bootloader for all major Linux distros, but it can also boot and is sometimes used for Windows, macOS, and BSD-based systems as well.
How BootHole works
The BootHole vulnerability was discovered earlier this year by security researchers from Eclypsium. The actual full technical details about the bug have been published today on the Eclypsium blog.

Researchers say BootHole allows attackers to tamper with the GRUB2 component to insert and execute malicious code during the boot-loading process, effectively allowing attackers to plant code that has full control of the OS, launched at a later point.
This type of malware is usually known as a bootkit because it lives inside bootloaders, in the motherboard physical memory, in locations separate from the actual OS, allowing it to survive OS reinstalls.
According to Eclypsium, the actual BootHole vulnerability is located inside grub.cfg, a configuration file separate from the actual GRUB2 component, from where the bootloader pulls system-specific settings. Eclypsium says that attackers can modify values in this file to trigger a buffer overflow inside the GRUB2 component when it reads the file on every OS boot.
The image below shows a simplified explanation of the BootHole attack, where attackers can piggyback on the “overflowing” code from one or more grub.cfg options to execute malicious commands inside the GRUB2 component.

Eclypsium says BootHole can be (ab)used to tamper with the bootloader, or even replace it with a malicious or vulnerable version.

Making matters worse, Eclypsium says that a BootHole attack also works even when servers or workstations have Secure Boot enabled.
Secure Boot is a process where the server/computer uses cryptographic checks to make sure the boot process loads only cryptographically signed firmware components.
BootHole attack work even with Secure Boot enabled because, for some devices or OS setups, the Secure Boot process doesn’t cryptographically verify the grub.cfg file, allowing attackers to tamper with its content.

Some limitations to this attack also exist. Eclypsium says that the attacker needs admin access in order to tamper with the grub.cfg file. This looks like a limitation, but in reality, it is not. Operating systems and their components are littered with “elevation of privilege” bugs that could be exploited as part of a BootHole attack chain to let malware gain admin access and modify grub.cfg.
Furthermore, the Secure Boot process was specifically created to prevent even high-privileged admin accounts from compromising the boot process, meaning that BootHole is a major security hole in one of the IT ecosystem’s most secure operations.
Patches coming later today
For the past months, Eclypsium says it’s been notifying the entire hardware and software ecosystem about BootHole (CVE-2020-10713).
The company estimates that every Linux distribution is impacted by this vulnerability, as all use GRUB2 bootloaders that read commands from an external grub.cfg file.
“To date, more than 80 shims are known to be affected,” Eclypsium said. Shims are components that allow vendor/OEM-specific firmware code to interact with GRUB2.
“In addition to Linux systems, any system that uses Secure Boot with the standard Microsoft UEFI CA is vulnerable to this issue,” the research team added, speaking about GRUB2’s possible impact on other operating systems that use GRUB2 in a Secure Boot process.
“As a result, we believe that the majority of modern systems in use today, including servers and workstations, laptops and desktops, and a large number of Linux-based OT and IoT systems, are potentially affected by these vulnerabilities.”
Eclypsium says that starting today and for the coming days and weeks, all sorts of IT companies are expected to release patches to address BootHole in their products.
The security vendor said it expected security alerts and patches from:
Microsoft
UEFI Security Response Team (USRT)
Oracle
Red Hat (Fedora and RHEL)
Canonical (Ubuntu)
SuSE (SLES and openSUSE)
Debian
Citrix
HP
VMware
OEMs
Software vendors, including security software
Eclypsium said it expects patching to take a long while, as fixing bootloader bugs is usually a complex process due to the multitude of components and advanced cryptography involved in the process. Anyway, look for CVE-2020-10713 patches in future changelogs. More

Business email compromise (BEC) attacks have more than doubled in the past year as cyber criminals try to use their email scams against big businesses. This form of cyber crime is often based around scammers pretending to be someone known to the victim – a colleague, a contractor, or maybe even their boss – and […] More

KrulUA/Getty Images With widening attack surfaces and technology infrastructures that are no longer necessarily physical, Singapore says its cybersecurity legislation must keep up with the changing threat landscape and be adequately administered to keep its critical infrastructures resilient. The Cybersecurity (Amendment) Bill was passed on Tuesday following two readings in parliament to address “shifts in […] More

The Mercedes-AMG Petronas Formula One team is one of the most dominant F1 teams of all time and has won seven Constructor’s World Championships in a row since 2014, with seven-time World Champion Lewis Hamilton, who many consider to be the greatest ever Formula 1 driver, winning the F1 Drivers’ Championship on six of those occasions. Mercedes face challenges from nine other teams on the track during race weekends, but these are far from the only adversaries that the team has to worry about. The high-profile, high-tech nature of Formula 1 makes it a tempting target for cyber criminals and sophisticated hackers of all kinds.  

ZDNet Recommends

“The profile of this organisation, the popularity of the sport and the fact that we’ve been pretty successful over the last few years actually acts as a little bit of a target for this type of activity,” explains Michael Taylor, IT director at Mercedes-AMG Petronas Formula One. SEE: A winning strategy for cybersecurity (ZDNet special report)Most of the cyber threats an F1 team faces will be familiar to organisations around the world, such as the phishing attacks attempting to steal usernames, passwords and other sensitive information, or the constant threat of ransomware. But then in F1, you also have to factor in the challenge of securing a remote workforce that can be in three countries in as many weeks because of the busy schedule across a hectic 22-race season.  And then, add on top the threat that comes from the most sophisticated online attackers who might be interested in the secrets of a high-performance racing team. “In this hybrid world, a lot of the technology comes out of Formula One and then trickles down into the cars that we drive, so there’s a tremendous amount of technology that’s on the cutting edge that obviously needs to be protected and certainly could be a target for nation-state actors,” says George Kurtz, CEO of CrowdStrike, the cybersecurity partner of Mercedes, which provides the team with technology to help secure its networks, as well as information on the evolving nature of cyber threats. 

This includes a dossier ahead of every race weekend, where CrowdStrike security analysts detail the potential cyber threats that members of the team could face in the country where the race circuit is located, and how to stay safe from these threats. “That’s always an eye opener that always helps raise some inconvenient truths and some questions,” says Taylor. Ensuring that the cybersecurity of a Formula 1 team is strong enough to protect against all these threats starts with securing the endpoints – the laptops, tablets and other devices that members of staff use on a daily basis.  “Endpoints for us are our biggest area of risk because they have a human at the other end of them and most of the risk is inherently carried by humans doing something they probably shouldn’t do or didn’t intentionally mean to do,” Taylor explains. “The endpoint is an area where we do have control over, but not full control and that’s really the biggest focus for us in terms of reducing the risk opportunity there.”Mercedes could completely lock down machines with strict controls on what actions users can perform; but restricting user activity like that in Formula 1, where time is of the essence and the split-second strategy decisions and the data that informs them can make or break a race weekend, could put a team at a massive disadvantage. “We’re very creative in terms of problem solving and design, and historical security controls would inhibit innovation or could potentially limit innovation,” says Taylor. That means heavily restricting access to data or making it cumbersome for engineers in the pit lane to collaborate with analysts at the factory isn’t the answer. Instead, a balance is needed between ensuring security and also ensuring that staff can efficiently do their jobs in a way that isn’t detrimental to Lewis Hamilton or his teammate Valtteri Bottas during race weekends.  “It’s always a balance of risk versus reward and it’s trying to be able to provide that flexible platform enabling collaboration, but understanding the potential risks and then addressing them,” says Taylor. Seven-time World Champion Lewis Hamilton behind the wheel of his Mercedes. 
Image: Mercedes
Cybersecurity applications like firewalls, network segmentation, providing access to data on a need-to-know basis, and multi-factor authentication play a role in helping to keep the team secure, but the globe-trotting nature of Formula 1 means that staff – and computer networks – don’t stay in the same place for long before being packed up and whisked away to another circuit on the calendar. That’s why many of the applications that help manage security procedures are cloud-based, allowing Mercedes to ensure endpoints are protected against the latest threats, no matter where they are in the world. “Whether in the factory in what we class our protective environment or out in Australia, it’s still the same consistent endpoint protection that we have in place; the fact it’s calling home to a cloud location somewhere in the world massively simplifies the complexity and the challenge for us organisationally,” Taylor explains. All ten Formula 1 teams face similar challenges around protecting their networks from data breaches and cyberattacks, no matter where they are in the world, while also attempting to work as efficiently as possible in a high-paced environment. Cyber criminals have long-exploited the hectic nature of businesses, and the sheer number of emails that get sent in a day as an entry point for cyberattacks – and that’s no different for Formula 1. For example, in November last year, Formula 1 was at Imola for the Emilia Romagna Grand Prix, the 13th race in the 2020 Formula One World Championship Season. It was late in the year for an F1 race, after the start of the season was delayed from March to July because of the impact of the COVID-19 pandemic, and the races came thick and fast during the truncated calendar; just days before, the teams had been in Portugal for the previous Grand Prix. 

It was at this point that some hackers went straight for a big prize, attempting to target Zak Brown, CEO of racing team McLaren Formula 1.  SEE: Don’t want to get hacked? Then avoid these three ‘exceptionally dangerous’ cybersecurity mistakesThey’d created a sophisticated phishing email designed to look like business-related emails that Brown would expect to receive. But Brown never saw it, because the cybersecurity protections McLaren applies to the inboxes of all its staff meant it went straight to junk mail and the ability to click the link was disabled – despite the continued efforts of the attackers. “In terms of volume of attacks, they’ve definitely got smarter. They’re targeting individuals with phishing and spear-phishing attacks – it’s very targeted, very clever,” says Chris Hicks, group CIO at McLaren Group. “It is a cat and mouse game; the attackers will react to your changes, then we react in turn – but I feel like we’re always one step ahead”. McLaren fended off this particular attack by using technology supplied by Darktrace, the team’s official cybersecurity partner – its logo featuring prominently on the liveries of the cars driven by Lando Norris and Daniel Ricciardo. The nature of Formula 1, where team members could be in be in different parts of the world in consecutive weeks, means that blocking access to emails just because they’re being sent from an IP in an unfamiliar space wouldn’t work.  But McLaren’s email security software analyses information about previous activity and uses this to determine if the action is legitimate, meaning that important messages being delivered from unfamiliar time zones or locations don’t get blocked. Meanwhile, messages like the one cyber criminals attempted to send McLaren’s CEO get filtered out as they’re recognised as unusual or malicious. “Darktrace understands that actually the rest of the team is here, these are files you normally access, this is the normal chain so it’s okay. It works really well because we have to be seamless, we can’t be taking our staff offline,” Hicks explains. “That real-time accessibility to data and real-time collaboration wherever you are in the world is absolutely critical – anyone in Formula 1 will tell you every millisecond counts,” he adds. Lando Norris driving his McLaren Mercedes at the Austrian Grand Prix. 
Image: Getty
The sheer amount of data transferred over a race weekend is huge with potentially hundreds of thousands of emails being sent within McLaren as well as between McLaren and its partners. “On a race weekend, it’s measurable how many more attacks come into the business when Formula One’s on the TV,” says Dave Palmer, chief product officer at Darktrace. “There could be 250,000 emails over a race week and during a race weekend the number of malicious ones jumps up to about 3.5%, which is a lot – 3.5% of your inbound email has got something wrong with it, that needs to be acted on by the machine.” If just one malicious phishing email wasn’t identified and got through, that could be devastating – not only could it affect race plans, but there’s also the potential for a phishing email to be used as a gateway to a wider attack on the network.  “That’s something we’ve always been challenged with because in many areas intellectual property won’t be secret for very long – in six months or so it’s public knowledge, just due to the nature of Formula 1. But in in real time, we want to keep it close to our chest and often it’s for financial gain or various reasons why attackers might try and compromise us, so it’s imperative that we keep that IP secure,” says McLaren’s Hicks. McLaren doesn’t just rely on technology to keep staff secure – a key element of keeping the network protected from cyberattacks involves regular cybersecurity training for staff, including executives.  

“The awareness campaigns that we do are absolutely critical and it’s normally from the top down. It’s normally the CEOs you get targeted first or their PA; people right up the top”, says Hicks.  SEE: Cybersecurity: Let’s get tactical (ZDNet special feature) Williams Racing is one of the most historically successful teams on the Formula 1 grid and it too has found itself being targeted by cyberattacks attempting to launch phishing attacks against the boardroom. The high-profile nature of Formula 1 means it’s easy to find out who runs teams – they’re often right there on TV – and cyber criminals will attempt to exploit this for social engineering. “We know we are constantly a target, there are even some spear phishing attacks where they go after the CEO or CFO,” says Graeme Hackland, CIO of Williams Racing F1.  “They don’t lock you out of your account, they just sit in your account and watch. We received a reply to an email from a supplier saying ‘we’ve changed our bank account, please can you update your records’ – and that reply was sent from the hacker not from the supplier,” Hackland explains. Attackers have also registered false Williams email addresses in efforts to commit attacks against the team – for example, they’ll try to register a URL where the lower case l’s are replaced with a capital L, something that unless somebody is really examining the email address, would look authentic. “It looks just like our email address, and so I don’t blame any of our staff who got caught by those things because it was very, very sophisticated – there’s a lot more social engineering going into the phishing emails now. They learn a huge amount of information,” says Hackland. Williams was sold to new owners, American private investment company Dorilton Capital, during 2020 – and with new executives, and new staff around them, it was vital these people were aware of the potential security threats they’d face as high-profile staff of a Formula 1 team. George Russell driving for Williams Racing.
Image: Williams Racing
“We got a new CEO, so we did an education campaign with his personal assistant to remind her she’s going to be a target and we have actually seen an increase in spam emails going to her,” Hackland explains. All Williams employees go through phishing training to understand how cyber criminals could try to breach the network via email. But the sheer number of cyberattacks means that it hasn’t always been possible to protect the network from attacks – and Williams found itself the victim of a ransomware attack a few years back. The attack in 2014 started on a Friday morning and was quickly spotted by the cybersecurity team. Much of the network was protected from falling victim to the attack. But if the attack had started a few hours later, it’s likely that nobody would have noticed until the following week. “If this had happened at 6pm, it could have spent all weekend encrypting all of our data and when we come in on Monday, we would have been in massive trouble. It was lucky, it was a Friday morning and we noticed that behavior fairly early in the process,” Hackland explains. The ransomware attack got into the network after a member of staff unintentionally visited a compromised website. “They had downloaded a tech spec sheet for their washing machine. They did nothing wrong. They went to a trusted website downloaded a file and had no idea that this ransomware was running in the background,” says Hackland. At the time of the incident in 2014, cybersecurity procedures weren’t as mature as they were today – and in this case, the affected files couldn’t be recovered. But it served as a wake-up call for ensuring that networks and employees were as protected against cyberattacks as possible. Now, Williams Racing has benefited from a partnership with cybersecurity company Acronis for a number of years, helping to keep endpoints and staff – and drivers George Russell and Nicolas Latifi – secure, whether they’re at the headquarters in Grove, Oxfordshire, or at racing circuits around the world. The partnership means Williams use Acronis for endpoint protection as well as backups for keeping data secure, no matter where the user is, be they working remotely, at the factory or at a race circuit. “Motorsport teams, even at the top of the industry, are facing major challenges dealing with ever-expanding amounts of data – managing, archiving, sharing, and protecting it from cyberattacks,” says Ronan McCurtin, VP for Europe, Turkey and Israel at Acronis. With more races than ever before, Formula 1 teams are being pushed to the limit both on the track and off it. The high-profile nature of the sport and the cutting-edge technology behind it means all Formula 1 teams are tempting targets for cyber criminals and hackers.  Unfortunately, just like the Formula 1 teams they are chasing, malicious hackers are always looking for ways to improve. But unlike an F1 race, there’s no finish line in the cyber-arms race.  MORE ON CYBERSECURITY More