News Items

Swedish researchers have cracked one of the key post-quantum security algorithms. The US National Institute of Standards and Technology (NIST) selected the CRYSTALS-Kyber algorithm last year as part of the standards for encapsulating data as security against quantum computer attacks. Researchers at the KTH Royal Institute of Technology, Stockholm, used a new Artificial Intelligence (AI) algorithm together with side-channel attacks involving the power lines to break the CRYSTALS-Kyber algorithm. NIST chose CRYSTALS-Kyber as a public key encryption and key encapsulation mechanism to be standardized. It is also included in the National Security Agency's (NSA) suite of cryptographic algorithms recommended for national security systems. Therefore, it is essential to analyze the side-channel attack resilience of CRYSTALS-Kyber implementations. The algorithm has already been hardened against direct attacks, but the researchers explored a more sophisticated side-channel attack that uses changes in power consumption to break the code running on an ARM Cortex-M4 CPU. This article continues to discuss researchers successfully breaking the CRYSTALS-Kyber algorithm using a combination of an AI algorithm and side-channel attacks.

eeNews Power reports "AI Power Analysis Breaks Post-quantum Security Algorithm"

Microsoft has released a report detailing the first sighting of a Global Assembly Cache (GAC) implant in the wild. The new malware, called MagicWeb, developed by the Russian nation-state hacking group NOBELIUM, enables an attacker to authenticate under the guise of any user on a targeted network. The SolarWinds supply chain compromise in December 2020 is largely recognized as the most sophisticated nation-state cyberattack in history. Microsoft reports that NOBELIUM remains active, carrying out multiple malicious campaigns against government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks around the US, Europe, and Central Asia. According to Microsoft, nation-state attackers such as NOBELIUM seem to have unlimited financial and technical support from their sponsor, as well as access to advanced hacking techniques, techniques, and procedures (TTPs). NOBELIUM, unlike most malicious actors, changes their methods on nearly every machine they impact. Microsoft's security analysts say this actor highly values their operations, making few mistakes and frequently modifying their tactics to avoid detection. In August 2022, a Microsoft customer was infiltrated by MagicWeb, which NOBELIUM used to maintain persistent access to the compromised customer's environment. After observing unusual authentication requests, the customer contacted Microsoft's Detection and Response Team (DART). DART examined the incident and conducted multiple data-wrangling operations, as well as performed an in-depth data analysis to determine how the threat actor obtained access to the environment, installed the backdoor, and how the backdoor functioned. This article continues to discuss Microsoft's new report on one of NOBELIUM's most novel attacks.

HSToday reports "Microsoft Unravels One of NOBELIUM's Most Novel Cyber Attacks"

During a recent earnings call, Applied Materials, a multi-billion-dollar company that provides technology to the semiconductor industry, stated that a ransomware attack on one of its suppliers would cost them $250 million in the next quarter. The company did not specify which supplier it was referring to, although some industry analysts believe that it was the engineering and technology firm MKS Instruments. Due to a ransomware attack discovered on February 3, MKS Instruments was forced to postpone its own fourth-quarter earnings call. The attack on MKS highlights a concern that many cybersecurity professionals have expressed in recent years. When larger organizations improve their system security, attackers will target smaller, more vulnerable links in the supply chain. Monti Knode of the cyber defense company Horizon3.ai emphasized that more companies, such as MKS Instruments, are publicly acknowledging the effects of cyberattacks. Others, such as the CEO of Approov, Ted Miracco, have stated that the semiconductor supply chain remains one of the most complex and significant areas of the world economy. As observed last year, disruptions in the semiconductor market can have long-lasting effects on everything from vehicle prices to food prices, he said. Therefore, attacks on the semiconductor supply chain call for more attention. This article continues to discuss the semiconductor industry giant Applied Materials revealing that a ransomware attack on one of its suppliers would cost it $250 million.

The Record reports "Semiconductor Industry Giant Says Ransomware Attack on Supplier Will Cost It $250 Million"

A threat actor is targeting telecommunications companies in the Middle East through a cyber espionage campaign similar to those that have targeted such organizations in numerous nations over the past few years. Researchers from SentinelOne who discovered the new campaign identified it as WIP26, a label the company assigns to activity that has not been attributed to a specific threat group. They had observed WIP26 using public cloud infrastructure to distribute malware, store exfiltrated data, and for command-and-control (C2) operations. The security company determined that the threat actor is using the technique to evade detection and make its activity more difficult to detect on compromised networks. The attacks reported by SentinelOne typically began with WhatsApp messages sent to specific persons within target Middle Eastern telecommunications companies. The messages had a link to a Dropbox archive file that contained documents on poverty-related topics relevant to the region. In actuality, it also contained a malware loader. Those tricked into clicking the link had two backdoors installed on their devices. SentinelOne discovered the CMD365 backdoor using a Microsoft 365 Mail client as its C2 and the CMDEmber backdoor using a Google Firebase instance for the same purpose. The security vendor stated that WIP26 used the backdoors to conduct reconnaissance, elevate privileges, and deploy more malware, as well as collect the user's private browsing data, information about high-value devices on the victim's network, and more. This article continues to discuss findings and observations regarding the new WIP26 campaign.

Dark Reading reports "Novel Spy Group Targets Telecoms in 'Precision-Targeted' Cyberattacks"

According to complaints from a growing number of Microsoft customers, Outlook inboxes have been overwhelmed with spam emails for the past nine hours due to malfunctioning email spam filters. Many Outlook users have complained that all messages, even those that would have previously been marked as spam and sent to the junk folder, are now arriving in their inboxes. One user reported receiving 36 spam emails for two consecutive hours. While the current Outlook spam filtering issue appears to be extremely severe and affecting a large number of users, this has been occurring for months, with some users reporting receiving numerous spam emails since November 2021. This article continues to discuss the flooding of Outlook inboxes with spam emails due to broken spam filters.

Bleeping Computer reports "Microsoft Outlook Flooded With Spam Due to Broken Email Filters"

Forty vulnerabilities have been fixed in a number of Fortinet products, including two critical vulnerabilities impacting FortiNAC and FortiWeb. Since cybercriminals like exploiting vulnerabilities in Fortinet enterprise solutions, and a proof-of-concept (PoC) exploit for one of the holes is scheduled to be released soon, administrators are urged to patch as soon as possible. CVE-2022-39952 is an external control of file name or path vulnerability in the webserver of the network access control product FortiNAC. An unauthenticated attacker can exploit this flaw to perform arbitrary writes on a vulnerable system. The issue has been resolved in FortiNAC versions 9.4.1 and above, 9.2.6 and above, 9.1.8 and higher, and 7.2.0 and higher. Horizon3's Attack Team has previously announced that a PoC and blog post describing the attack will be released shortly. This article continues to discuss the fix, potential exploitation, and impact of the vulnerabilities found in various Fortinet products.

Help Net Security reports "Fortinet Plugs Critical Security Hole in FortiNAC, With a PoC Incoming (CVE-2022-39952)"

A coordinated police operation across multiple countries recently led to the dismantling of a criminal network responsible for tens of millions of dollars in business email compromise (BEC) losses. Europol stated that there were five action days that took place between January 2022 and 2023 in France and Israel, leading to eight house searches and eight arrests, including the alleged Israeli gang leader. Europol noted that police also seized electronic equipment and vehicles, $3.4m from Portuguese bank accounts, $1.2m from Hungarian bank accounts, $641,000 from Croatian bank accounts, $427,000 from Spanish bank accounts, and $374,000 in virtual currencies. The group is said to have targeted victims in France. Europol stated that a resulting investigation revealed money mules operating for the gang in Croatia, Portugal, and Hungary. BEC has been the most lucrative form of cybercrime for the past few years, making fraud gangs billions in profits. The wide-ranging operation to track down the Franco-Israeli gang involved the Croatian National Police, the Croatian Anti Money Laundering Office, the French National Police, the French Gendarmerie, the Hungarian Budapest Metropolitan Police, the Israel Police, the Portuguese Judicial Police, and the Spanish National Police.

Infosecurity reports: "Police Bust $41m Email Scam Gang"

The FBI recently released a brief statement about a recent cyber-incident that occurred at one of its highest-profile field offices. The FBI claimed that the incident is now under control. The FBI stated that a malicious incident impacted part of its network used in investigations of images of child sexual exploitation. The FBI is currently working on gaining more information about the incident and does not have any further information at this time. This is not the first time hackers have targeted the bureau. In 2021, an official email address was reportedly compromised and used to spam at least 100,000 recipients.

Infosecurity reports: "FBI 'Contains' Cyber-Incident on its Network"

Healthcare data breaches had the most impact in the second quarter of 2022 compared to previous years, with a 35 percent rise in the number of patient records compromised, according to Crucial Insight's H2 2022 Healthcare Data Breach Report. Based on a review of breach data submitted to the HHS by healthcare organizations, the report discovered that victims of healthcare data breaches had 28.5 million records exposed in the second half of 2022, up from 21.1 million in 2019. Although the number of people affected by data breaches increased, the total number of breaches declined in 2022, resulting in a higher ratio of people affected per breach. In the second half of 2022, each breach affected about 91,028 patients, compared to only 61,246 in the first half of 2022. According to other health Information Technology (IT) vendors, most data breaches stemmed from hacking, which aligns with Crucial Insight's finding that hackers caused about 78 percent of healthcare data breaches. The percentage of hacking incidents rose from 61 percent in 2019 to 79 percent in 2022, while unauthorized access decreased from 27 percent in 2019 to 15 percent in 2022. Although hacking caused more breaches, the report found that unauthorized access exposes more records per breach. This article continues to discuss key findings from Critical Insight's H2 2022 Healthcare Data Breach Report.

HealthITSecurity reports "35% More Patients Impacted by Healthcare Data Breaches in H2 2022"

According to reports, an estimated 14,000 employees at a Liverpool NHS hospital trust have been informed that their data was leaked via email due to human error. Victims received an apology letter from the hospital trust's chief executive James Sumner. Sumner noted that a file containing sensitive payroll information was sent to hundreds of NHS managers and 24 external accounts. The spreadsheet file included a hidden tab that contained staff personal information. Sumner noted that while it was not visible to those receiving the email, it should not have been included in this spreadsheet. The information in this hidden tab included names, addresses, DOBs, NI numbers, gender, ethnicity, and salary. It did not include bank account details. Sumner reported that each of the 24 external recipients have been notified and confirmed the deletion of the file. Human error of this sort is a common cause of data leaks. According to Verizon, the "error" category accounted for 13% of breaches it analyzed last year. It contributed to a massive 82% of breaches that feature the "human element."

Infosecurity reports: "Data Leak Hits Thousands of NHS Workers"

According to the EU Agency for Cybersecurity (ENISA) and the Computer Emergency Response Team for the EU institutions, bodies, and agencies (CERT-EU), several Chinese state-sponsored threat groups have recently been observed targeting businesses and governments in the European Union. The advanced persistent threats (APTS) mentioned include APT27, APT30, APT31, Ke3chang, Gallium, and Mustang Panda. According to ENISA and CERT-EU, these threat actors present significant and ongoing threats to the European Union. Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organizations of strategic relevance. In July 2021, the EU urged Chinese authorities to take action against malicious cyber activities undertaken from their territory and linked to APT31.

Infosecurity reports: "EU Cybersecurity Agency Warns Against Chinese APTs"

Researchers at Abnormal Security have identified two groups who are using executive impersonation to carry out Business Email Compromise (BEC) attacks in at least 13 different languages. The researchers noted that while attacking targets in multiple regions and using multiple languages are not new tactics, in the past, these operations were typically performed by sophisticated groups with large budgets and resources. Due to the rise of automated translation tools such as Google Translate, threat actors can translate emails into any language they need, with greater ease. Abnormal Security has discovered two groups: Midnight Hedgehog, which engages in payment fraud, and Mandarin Capybara, which conducts payroll diversion attacks. The two groups have launched BEC attack campaigns in Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, Spanish, and Swedish. This article continues to discuss the growth in BEC attacks and the launch of BEC campaigns in multiple languages by Midnight Hedgehog and Mandarin Capybara.

SC Media reports "BEC Groups Launch Executive Impersonation Attacks in at Least 13 Languages"

According to researchers at ESET, Chinese-speaking users are being targeted by the FatalRAT malware, which is spread via fake websites of widely-used apps. The FatalRat malware was first discovered in August 2021. It can record keystrokes, change a victim's screen resolution, download and execute files, and steal or delete browser-stored data. The researchers have not yet attributed this campaign to any known hacker group, and the attackers' purpose also remains unclear. The threat actors behind the campaign could be stealing information such as web credentials to sell on underground forums or use in other malicious activities. Most attacks were detected between August 2022 and January 2023, with Taiwan, China, and Hong Kong as the primary targets. Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Burma have also faced a small number of attacks. The malware was spread via phishing websites posing as popular apps, including Google Chrome, Firefox, Telegram, WhatsApp, Signal, and Skype. Some of the websites provided fake Chinese-language versions of software that is unavailable in China, such as Telegram. This article continues to discuss the FatalRAT malware campaign.

The Record reports "Hackers Target Chinese Language Speakers With FatalRat Malware"

Hackers are launching a new malware named Frebniis on Microsoft's Internet Information Services (IIS), stealthily executing commands sent via web requests. Frebniis was found by Symantec's Threat Hunter Team, who revealed that an unidentified threat actor is using it against targets in Taiwan. Microsoft IIS is a web server software that serves as a web server and web app hosting platform for services such as Outlook on the Web for Microsoft Exchange. In the attacks observed by Symantec, hackers exploit an IIS feature called "Failed Request Event Buffering" (FREB), which is responsible for gathering request metadata (i.e., IP address, HTTP headers, and cookies). Its objective is to help server administrators troubleshoot unexpected HTTP status codes or request processing issues. The Frebniis malware injects malicious code into a certain function of a DLL file that controls FREB, allowing an attacker to intercept and monitor all HTTP POST requests sent to the ISS server. When the malware detects specific HTTP requests sent by an attacker, it parses the requests to identify which commands to execute on the server. This article continues to discuss findings regarding the new Frebniis malware.

Bleeping Computer reports "Hackers Backdoor Microsoft IIS Servers With New Frebniis Malware"

Deep Reinforcement Learning (DRL) is a form of Artificial Intelligence (AI) that scientists have taken a significant step toward using to defend computer networks. DRL was effective in preventing adversaries from achieving their goals up to 95 percent of the time when confronted with sophisticated cyberattacks in a rigorous simulation environment. The result suggests a potential role for autonomous AI in proactive cyber defense. Researchers at the Department of Energy's (DOE) Pacific Northwest National Laboratory (PNNL) documented their findings in a research paper and presented them at a workshop on AI for Cybersecurity during the annual meeting of the Association for the Advancement of AI in Washington, DC. The development of a simulation platform for testing multistage attack scenarios involving different types of adversaries was the initial step. The creation of such a dynamic attack-defense simulation environment allows researchers to examine the effectiveness of various AI-based defense strategies in controlled test conditions. Such tools are necessary for assessing the performance of DRL algorithms. The method is becoming an effective decision-support tool for cybersecurity experts. It provides a defense agent that can learn, quickly adapt, and make decisions autonomously. Although other forms of AI are commonly used to detect intrusions or filter spam messages, DRL enhances defenders' ability to orchestrate sequential decision-making plans in their everyday confrontations with attackers. According to the researchers, DRL offers smarter cybersecurity, the ability to detect changes in the cyber landscape earlier, and the chance to take preventative measures against a cyberattack. This article continues to discuss the PNNL scientist's research on DRL for cyber system defense under dynamic adversarial uncertainties.

Pacific Northwest National Laboratory reports "Cybersecurity Defenders Are Expanding Their AI Toolbox"

Security researchers at Avanan, a Check Point company, found that threat actors have been leveraging the online payments system PayPal to send malicious invoices directly to users through the platform. The researchers noted that this is different from others attacks spoofing Paypal as this malicious invoice comes directly from PayPal. The researchers stated that the phishing email seen as part of the malicious campaign warned users that there had been fraud on the account and threatened a fine of $699.99 should the victim not take action. The researchers noted that the body of the email could alert some cautious users that the email was not authentic. First, the grammar and spelling are all over the place. Second, the phone number they list is not related to PayPal. The researchers stated that the general goal of the threat actors is to have victims call the number or follow up for more details. If a victim calls that number, now they have the person's cell phone number and can use it for more attacks. The threat actors will also try to scam the victim while on call with them. According to the researchers, the perks of using PayPal for threat actors are several, including the ability to send many invoices at a time and make them professional-looking. The researchers noted that an email that comes directly from PayPal will pass all SPF, DKIM, and DMARC checks.

Infosecurity reports: "Hackers Leverage PayPal to Send Malicious Invoices"

Security researchers at Picus Security have warned that a growing number of versatile malware variants are capable of performing multiple malicious actions across the cyber-kill chain. Picus Security compiled its Red Report 2023 by analyzing over 500,000 malware samples last year, identifying their tactics, techniques, and procedures (TTPs), and extracting over 5.3 million "actions." The vendor then mapped these actions to MITRE ATT&CK techniques. The researchers found that the average malware variant now leverages 11 TTPs or nine MITRE ATT&CK techniques. One-third (32%) uses more than 20 TTPs, and one in 10 leverages over 30 TTPs. The researchers noted that this "Swiss Army knife" malware can enable attackers to move through networks undetected at great speed, obtain credentials to access critical systems, and encrypt data. The researchers found that 40% of the most prevalent MITRE ATT&CK techniques they identified were used to help with lateral movement. These included tried-and-tested techniques such as Command and Scripting Interpreter and OS Credential Dumping and newer ones such as Remote Services, Remote System Discovery, and WMI. The researchers noted that the most common technique used was Command and Scripting Interpreter, which involves the abuse of legitimate interpreters such as PowerShell, AppleScript, and Unix shells to execute arbitrary commands. The researchers stated that this highlights how hackers favor legitimate existing tools in their attacks rather than custom-developed ones. The second most common technique used was OS Credential Dumping, which attackers use to hijack accounts and move laterally. Third, came Data Encrypted for Impact, which reveals the continued threat posed by ransomware.

Infosecurity reports: "Experts Warn of Surge in Multipurpose Malware"

Internet users have become increasingly fascinated with Artificial Intelligence (AI)-based tools such as ChatGPT and DALL-E, but few have likely considered the security consequences of contributing text or images to such programs. Cybernews researchers have found that Cutout.pro, an AI-based visual design platform headquartered in Hong Kong, exposed user-generated content through an unprotected ElasticSearch instance. With the help of an AI-based Application Programming Interface (API), Cutout.pro's services enable users to alter photos and create images. The functionality allows the integration of the company's services into third-party applications. According to the team, Cutout.pro exposed usernames and images made by customers with the company's tools. The instance also contained information regarding the number of user credits, a virtual in-service currency, as well as links to Amazon S3 buckets containing generated images. The exposed instance had about 22 million log entries that referenced usernames for individual users and business accounts, but this does not mean that the same number of users were exposed, as there were duplicate log entries. This article continues to discuss the exposure of data by the AI media manipulation service Cutout.pro.

Cybernews reports "AI-Based Visual Editing Service Leaks User Images and Customer Data"

According to research conducted by Elevate Security, about 10 percent of the workforce is composed of high-risk users, who are in every department and function of the business. In addition, the study uncovered multiple unexpected findings. For example, contractors are less likely to pose a high risk than employees, and simulated phishing is not a reliable indicator of who poses a high risk for real phishing attacks. This study debunks the idea that many traditional ways to decrease user risk rely on simulated phishing tests as the major determinant for detecting potentially risky individuals. Although they constitute a small portion of the population, high-risk users pose a significant threat to the organization. This article continues to discuss key findings from Elevate Security's research on high-risk users.

Help Net Security reports "High-Risk Users May Be Few, but the Threat They Pose Is Huge"

Two new vulnerabilities affecting Schneider Electric Modicon Programmable Logic Controllers (PLCs) have been reported by security researchers at Forescout. These vulnerabilities could allow authentication bypass and Remote Code Execution (RCE). The vulnerabilities, tracked as CVE-2022-45788 and CVE-2022-45789, are part of a larger set of security vulnerabilities identified by Forescout as OT:ICEFALL. A successful attack using the vulnerabilities could allow an adversary to execute unauthorized code, cause a Denial-of-Service (DoS) condition, or disclose sensitive data. According to the cybersecurity firm, a threat actor can chain the vulnerabilities with known vulnerabilities from other vendors to achieve deep lateral movement in Operational Technology (OT) networks. This movement enables attackers to obtain deep access to Industrial Control Systems (ICS) and cross often-overlooked security perimeters, enabling them to carry out highly granular and covert manipulations and to circumvent functional and safety constraints. A proof-of-concept (PoC) cyber-physical attack revealed that the vulnerabilities could be exploited to evade safety guardrails and cause damage to a movable bridge's infrastructure. This article continues to discuss the new critical security flaws impacting Schneider Electric Modicon PLCs.

THN reports "Researchers Warn of Critical Security Bugs in Schneider Electric Modicon PLCs"

According to Alberto G. Alexander, Ph.D., cyber resilience combines information security, business continuity, and organizational resilience. He has described the components of an effective cyber resilience strategy and highlighted a cyber resilience framework's elements. Adverse cyber events have a negative impact on the availability, integrity, or confidentiality of networked Information Technology (IT) systems and the associated data and services. These incidents could be intentional, such as a cyberattack, or unintentional, like a software update failure. Humans, nature, or a combination of both may also cause adverse cyber events. The purpose of cyber resilience is to sustain the entity's ability to consistently deliver the desired outcome at all times. This requires doing so even when normal distribution systems have failed, such as during a crisis or a security breach. In addition, the idea of cyber resilience encompasses the ability to restore or recover regular delivery methods following such incidents, as well as the ability to continuously update or adapt these delivery mechanisms as risks and threats evolve. In the process of restoring delivery methods, backups and disaster recovery procedures are included. This article continues to discuss the elements of a successful cyber resilience strategy, the components of a cyber resilience framework, and the best cyber practices presented by Dr. Alberto G. Alexander.

Continuity Central reports "Developing a Successful Cyber Resilience Framework"

Group-IB's analysis of an intercepted spear-phishing email provides further insight into the hacking techniques of the Chinese state-sponsored espionage threat actor known as Tonto Team. According to the security firm, a spear-phishing attempt against its own employees in July 2022 was made by the Chinese threat actor that historically targeted South Korea, Japan, Taiwan, and the US but has since expanded operations to include additional Asian and Eastern European nations. The US-China Economic and Security Review Commission's analysis found that Tonto Team is likely a unit of the People's Liberation Army, which in 2017, allegedly hacked multiple South Korean organizations involved in the deployment of an American anti-ballistic missile defense system. In 2021, the cybersecurity company ESET identified it as a participant in the wave of Chinese state-sponsored hackers exploiting vulnerabilities in Microsoft Exchange. During the summer, Malwarebytes discovered that the group was extending its eavesdropping operations against Russian government agencies. No single indicator prompted Group-1B to believe that Tonto Team was behind their phishing attempt, but evidence began to mount. Attached to the phishing email was a document containing metadata that revealed the default language to be "Chinese People's Republic of China." The attachment was a rich text format file created with the Royal Road RTF Weaponizer, a malware tool primarily used by Chinese Advanced Persistent Threat (APT) groups. This article continues to discuss findings regarding the Chinese state-sponsored espionage threat actor Tonto Team.

DataBreachToday reports "Chinese Threat Group Leaks Hacking Secrets in Failed Attack"

Scandinavian airline SAS was hit by a cyberattack yesterday that reportedly downed its website and app and may have leaked customer information for a brief time. Customers were urged to refrain from using the airline's mobile app as they may be served incorrect information. Some users were apparently logged into the wrong accounts and therefore had access to the personal details of other customers. The company's website was also reportedly down for a time. Customers claimed that they were also not able to buy plane tickets yesterday. It's unclear whether all of the reported issues have been resolved because the company has yet to share much information about the cyberattack or what impact the cyberattack has had on its operations. Threat actors also targeted several Scandinavian media companies yesterday, including Swedish TV channel svt. The DDoS attacks were claimed by a group describing itself as "Anonymous Sudan," who said they were retaliating against a recent incident of Quran burning near Turkey's embassy in Stockholm. Experts are claiming that the DDoS attack may be a Russian false-flag campaign designed to continue whipping up hatred towards Sweden in Muslim countries like Turkey.

Infosecurity reports: "SAS App and Website Hit as Attacks Target Swedish Firms"

Intel recently announced patches for dozens of vulnerabilities across its product portfolio, including critical and high-severity issues. The most severe of these flaws is CVE-2021-39296 (CVSS score of 10), which impacts the Integrated Baseboard Management Controller (BMC) and OpenBMC firmware of several Intel platforms. Intel noted that the bug was identified in 2021 in the netipmid (IPMI lan+) interface and could allow an attacker to obtain root access to the BMC, bypassing authentication using crafted IPMI messages. Four other vulnerabilities were addressed in BMC, and OpenBMC firmware, including a high-severity, out-of-bounds read issue that could lead to denial-of-service (DoS). Intel has addressed these bugs with the release of Integrated BMC firmware versions 2.86, 2.09, and 2.78, and OpenBMC firmware versions 0.72, wht-1.01-61, and egs-0.91-179. The company noted that patches were also released for a high-severity privilege escalation defect in Xeon processors with SGX (CVE-2022-33196). Both BIOS and microcode updates that address this issue are now available. Intel also warned of a high-severity escalation of privilege issue (CVE-2022-21216) impacting Atom and Xeon processors and released microcode updates for Xeon to address CVE-2022-33972, an incorrect calculation bug that could lead to information disclosure. Intel also announced updates that resolve high-severity privilege escalation defects in the BIOS firmware and Trusted Execution Technology (TXT) Secure Initialization (SINIT) Authenticated Code Modules (ACM) of some processors. Updates were also released to resolve high-severity flaws in Driver Support Assistant (DSA) software and high and medium severity vulnerabilities in Battery Life Diagnostic Tool, oneAPI Toolkits, System Usage Report (SUR), Server Platform Services (SPS) firmware, and Quartus Prime Pro and Standard edition software. The company noted that various medium-severity vulnerabilities were also resolved in the FPGA SDK for OpenCL Quartus Prime Pro software, Integrated Sensor Solution, Media Software Development Kit (SDK), Trace Analyzer and Collector software, and Xe MAX drivers for Windows. Intel recommends that users update to the latest available firmware and software versions as soon as possible.

SecurityWeek reports: "Dozens of Vulnerabilities Patched in Intel Products"