Cyber Security Headlines: Baseboard software vulnerabilities, threat group stole COVID funds, AI generated code

Vulnerabilities found in popular baseboard software

Researchers at Eclypsium Research disclosed three vulnerabilities in the MegaRAC Baseboard Management Controller software from American Megatrends. These BMCs operate their own firmware, memory and networking stack within a server, offering admins remote access to manage them. Many server OEMs use this baseboard software, including AMD, Dell, ARM, Asus, HPE, Huawei, Lenovo, and, Qualcomm. Access to exploit the vulnerabilities varies, from prior access to at least a low-privilege account to remote access, ultimately used to deploy malware or ransomware, and cause physical damage to servers. No word if threat actors actively target the vulnerabilities. 

(The Record)

Chinese threat group stole COVID-19 relief funds

According to information from the Secret Service, the Chinese-linked APT41 stole at least $20 million in COVID relief benefits. These came in the form of Small Business Administration loans and unemployment insurance funds across over a dozen states. The Secret Service also said it maintains over 1,000 ongoing investigations in criminal actors defrauding public benefits programs. It’s unclear how many of these investigations link back to foreign threat groups, but NBC News’ sources say other investigations point to state-backed actors. Security researchers say APT41, aka Wicked Panda, generally focuses on gathering personally identifiable information for cyber espionage. 

(NBC News)

The question of AI generated code

The popular coding Q&A site Stack Overflow temporarily banned users from sharing responses generated by OpenAI’s ChatGPT. The mods said the chatbot makes it easy to flood the site with responses that have a high rate of being incorrect, despite looking correct at first glance. Given that the site operates with volunteer moderators, the ban serves to reduce the volume to keep human review possible. Stack Overflow will make a final ruling on ChatGPT usage after consulting with its community. 

(The Verge)

Twitter leaks emails on Hunter Biden laptop decision

Journalist Matt Taibbi published a tweet thread detailing how Twitter’s Trust and Safety team determined to temporarily block a 2020 New York Post story involving the contents of Hunter Biden’s laptop ahead of the US Presidential election. Twitter provided emails to Taibbi, which showed the team debating whether to restrict links to the story under its hacked materials policy. Emails show concern from some Trust and Safety staff that the story details appeared consistent with recent Russian influence operations. The emails do not show CEO Jack Dorsey involved in the decision. He subsequently reversed the block. Taibbi said he did not see evidence of “any government involvement in the laptop story.” The emails largely agree with recent statements on the decision from Twitter’s former head of Trust and Safety Yoel Roth.  

(CNN)

Thanks to today’s episode sponsor, PlexTrac

The Plextrac platform is your offensive security team’s secret weapon. Build better reports in half the time, centralize your data, maximize your reusable content, and become more efficient and effective. PlexTrac clients report a “5X ROI in 1 year,” a “30% increase in efficiency,” have “cut their reporting cycle by 65%,” and experienced a “18 to 22% time savings per engagement.” 

Check out PlexTrac.com/CISOSeries to learn how PlexTrac can help your team deliver results.

Case dismissed against Huawei CFO

U.S. District Judge Ann Donnelly in Brooklyn dismissed an indictment against Huawei CFO Meng Wanzhou (wan-jo), which alleged her of crimes related to misleading banks about Huawei’s relationship with a company operating in Iran. Canadian authorities arrested Meng in December 2018 and she remained under house arrest during the case. Meng reached an agreement with US prosecutors last year for the case to be dismissed four years after her initial arrest, acknowledging she made false statements about Huawei’s Iran business. The case was dismissed with prejudice, so it cannot be brought again. Meng flew home to Shenzhen following the dismissal. 

(Reuters)

FreeBSD fixes ping flaw

The ping utility remains a staple among the networking toolkit. It uses the internet control message protocol to let an admin check if a computer remains online. Reply packets from networked computers contain IPv4 packet headers which typically contain 20 bytes in total that includes a device’s IP address. The FreeBSD version of ping allocated fixed-size buffers on the stack where the IP header would reside. But since the header can contain any value that can exceed 20 bytes, it triggers a stack buffer overflow inside ping for larger headers. This remains rare but FreeBSD issued a security advisory stating “it may be possible for a malicious host to trigger remote code execution in ping.” Risk of exploitation remains limited. The latest versions of FreeBSD 12 and 13 fix the issue. 

(Naked Security)

Hospital complex suspends operations after ransomware

France’s health ministry announced the Hospital Centre of Versailles suspended medical operation after a ransomware attack over the weekend, transferring at least six patients. More transfers will occur in what is described as a “total reorganization of the hospital.” The center contains two hospitals and a retirement home, all currently without working computer systems. While critical medical care machines remained operational, the shutdown of the system’s internal network mean staff could not adequately monitor patients. French police named LockBit as the party behind the attack, with the group posting staff and patient data on its leak site.

(The Record)

OpenSSF adds new members

The Open Source Security Foundation operates under the Linux Foundation, bringing together various projects around software supply chain security. It announced new members across a wide swath of the industry, now bringing its total members to over 100. New members include Docker, HackerOne, Qualys, ControlPlane, and AMD Xilinx. OpenSSF announced the new members as it hosts OpenSSF Day Japan at the Open Source Summit in Yokohama. 

(Dark Reading)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.