Thunderbolt Flaw Exposes PCs in Physical Access Hacking | Avast

Björn Ruytenberg, a Dutch security researcher at Eindhoven University of Technology, revealed details this week of a new attack he discovered that exploits a vulnerability in the common Intel Thunderbolt port found in millions of PCs around the world. The attack, called Thunderspy, takes less than 5 minutes to perform, but it must be executed in person, because the hacker needs physical access to the target laptop. Researchers call this kind of attack an “evil maid attack.”

“All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop,” Ruytenberg told Wired. The attack can be successful even when the laptop is sleeping or locked, and the flaw cannot be patched with any software update. Changing the security settings of the Thunderbolt port does not make a difference either, as the attack deactivates those settings. The only protection from Thunderspy is to turn off one’s laptop when it’s not in use or disable the Thunderbolt port. As for eradicating the flaw entirely, Ruytenberg sees only one solution. “Basically they will have to do a silicon redesign,” he said.

“This is a vulnerability that in order to be exploited needs physical access to the computer,” commented Avast Security Evangelist Luis Corrons. “Fingerprint scanning, passwords, and even hard drive encryption are useless in this particular case. Disabling the Thunderbolt port from the BIOS will close the door to this attack. This is something all users should be doing when they leave their computers in places where other people could have access, such as hotel rooms.”

FBI warns of Chinese hackers stealing COVID-19 research

The FBI and CISA issued a public service announcement this week to warn U.S. research facilities that hacking groups affiliated with the People’s Republic of China (PRC) have been observed trying to illicitly obtain unpublicized information related to COVID-19 vaccines, treatments, and testing. The PSA asserts that the theft of this information could jeopardize the efficacy and efficiency of the treatment options being developed. Recommendations provided by the agencies to block the hacking include patching all systems for critical vulnerabilities and proceeding with the knowledge that press attention on a research organization will most likely lead to increased interest from other entities.

This week’s stat

$10 million

The amount that scammers were able to steal using business email compromise scams on Norfund, Norway’s state investment fund. 

US government urges populace to update and patch

Noting that foreign cybercriminals tend to exploit publicly known – and often dated – software vulnerabilities, U.S. government agencies released an alert this week listing the most common software flaws that are routinely exploited, all of which are patchable. The alert urges all IT professionals to prioritize timely patching, particularly for the vulnerabilities it lists, which cover the ten most exploited flaws from 2016 to 2019, as well as 2020’s top exploits. Patching these vulnerabilities will protect users from the most common threats, but best practice would be for users to get in the habit of applying all software patches as soon as they are made available for their systems.

Magellan Health hit with ransomware

Fortune 500 company Magellan Health sent a notification to affected individuals this week about a ransomware attack on the company’s servers that occurred on April 11, 2020. Attackers breached Magellan’s systems with a phishing email impersonating a client on April 6, the notification states. An investigation revealed that a subset of data was stolen from a Magellan corporate server containing Magellan employee data, which includes names, addresses, tax details, Social Security numbers, and, in some cases, usernames and passwords. Magellan Health informed victims that it is continuing to work with the FBI to investigate the attack, and that it has since bolstered its security protocols.

This week’s quote

“In terms of infection vector, we expect to see scam emails and infected pirated applications to be the main delivery mechanisms for targeting consumers with ransomware,” said Avast researcher Jakub Kroustek, speaking about the future of ransomware on the third anniversary of the WannaCry attack.

Zoom and other video conference platforms spoofed

Researchers have noted dozens of malicious Zoom-related domains being registered over the past three weeks, and hundreds of others that they deemed “suspicious.” A new report described in The Verge states that hackers have been registering domains posing as URLs for Zoom, Microsoft Teams, and Google Meet since the COVID crisis began. The malicious URLs are most likely meant to trick users into downloading malware or inadvertently sharing personal information. The same report also warned about phishing emails that pose as the World Health Organization (WHO), soliciting donations to be sent to several known compromised bitcoin wallets. For more information, see the WHO cybersecurity page.

Merkel cites evidence that Russia hacked German parliament

German federal prosecutors have issued an arrest warrant for Dmitriy Badin, an alleged officer of Russia’s military intelligence who is also wanted by U.S. authorities. New evidence has emerged that incriminates him in the hacking of the German parliament in 2015. “I can honestly say this pains me,” said German Chancellor Angela Merkel. “On the one hand, I work every day for a better relationship with Russia, and when you see on the other hand that there is such hard evidence that Russian forces are involved in acting this way, this is an area of tension.” The Kremlin denies any involvement with the hack. More on this story at The Associated Press.

This week’s ‘must-read’ on The Avast Blog

Worried about being your parents’ or grandparents’ tech support from afar? Learn more here about how to support them without seeing them. 




*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/thunderbolt-flaw-exposes-pcs-in-physical-access-hacking-avast