January Firmware Threat Report – Security Boulevard
2022 got off to a good start. Under US pressure, the Russian FSB arrested 14 people linked to the REvil ransomware operation, seized $600,000 worth of computer equipment and 20 luxury cars. It was a remarkable collaborative effort to cement cyber relations between the two countries as tensions rose along the Ukraine-Russia border.
This otherwise positive development, however, was later overshadowed by alerts from CISA, asking critical infrastructure to prepare for destructive wiper attacks on US critical infrastructure. This, after (likely) Russian attackers exploited Ghostwriter wiper malware and content management supply chain attacks on the Ukrainian government and critical infrastructure, and after hacktivists in Belarus disabled the rail transport system as lever shape pressure the government to release the prisoners and prevent the movement of Russian troops en route to the Ukrainian border. This, as part of a wider campaign called “Scorching Heat” led by the BCP (Belarus Cyber Partisans). Interestingly, the erasure malware used is a repurposed version of WhiteBlackCrypt, which was used in 2019 alongside bomb threats to pressure a Russian oligarch into paying back funds he stole from a Russian crypto exchange. The common theme? Actors use destructive erasing malware (and a threat of physical harm) to achieve their goals, and erasing malware is used as much for a “cause” as for “profit,” in a motive.
Zooming out, it looks like attackers and defenders are focusing much more on attacks that have destruction as the primary motive. Last month, we learned of the iloBleed implant that was allegedly used to clean servers. In the context of destructive attacks, firmware-level attacks can pose the greatest risk to an organization, as the impacts associated with firmware attacks can lead to indefinite downtime. Even if the main operating system has been properly backed up and even if there are spare hard drives on the shelf, there is little recourse when a device is bricked to the motherboard. We’ve written a lot about this, even in the context of ransomware actors who started looking for vulnerabilities in a device’s UEFI, which would then allow them to brick that device as a form of leverage. UEFI, however, is not the only piece of firmware that can be targeted by such attacks. This month, CISA added eight additional known and exploited vulnerabilities to its ever-growing catalog, and one of them is an Intel Active Management Technology (AMT) remote privilege escalation vulnerability that could be used by an attacker to disable a device.
One of the requirements for an attacker to exploit vulnerabilities at the firmware level is often to have administrator/root access at the core operating system level. While this is easily achievable any Sunday by skilled red teams and attackers, it doesn’t help that there has been a Linux bug present for the past 10 years that reliably allows any attacker to get root-level access on a device. Adding insult to injury, this bug was discovered, written and even submitted from 2013, challenging the merits and assumptions of OSS’s implicit security through peer review. Of course, Microsoft is no exception here, and it also had two critical privilege escalation vulnerabilities in this month’s patch on Tuesday, one of which targets Kerberos again.
When it comes to destructive firmware attack scenarios, it’s important to realize that when we read that TTPs are being used for spying and persistence, these same firmware vulnerabilities can also be used to brick a device on the motherboard. This applies to the recent wave of UEFI threats such as FinSpy, ESPecter, SlingShot (post-exploit framework tool), ilobleed and MoonBounce, as well as established (and freely available) threats such as Vector-EDK, LoJax and TrickBoot.
However, it is not just traditional enterprise/IT devices that are vulnerable to device-bricking attacks. Similarly, many of the same vulnerabilities exploited in VPN devices to access them could also be exploited to disrupt or destroy those devices, which would have a significant impact on partners and remote workers. Whether it’s a new feat for the same vulnerability that CISA says is being actively exploited in the wild, or a quarter of a million devices with exploitable UPnP vulnerabilities, or if it’s a list of about 20 weird network devices that can all be easily exploited via open source tools like this popping up every day; network devices are not immune to destructive attacks.
The reality is that most organizations have not yet sized their attack surface at the device level to assess the potential impact on operations, security, or revenue. As a result, these risks are not properly recorded in the risk register for review and budgeting…until they are. And this, unfortunately, usually happens after an organization has suffered a destructive attack.
OEMs are also increasingly proactive in patching firmware to reduce the risk of such attacks. Whether it’s Supermicro or Pulse Secure patches for Trickboot vulnerabilities, or releasing over 150,000 firmware updates in a day, vendors are doing their best to slow the tide. Vendors like Mikrotik and others continue to fight an uphill battle after the source code for the infamous BotengaGo botnet was made public.
CISA adds eight known exploited vulnerabilities to catalog
“CISA has added eight new vulnerabilities to its catalog of known exploited vulnerabilities, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose a significant risk to the federal enterprise.
Learn more >
US OMB Releases Zero Trust Strategy for Federal Agencies
“The Office of Management and Budget released a federal strategy on Wednesday to move the US government toward mature zero-trust architectures.”
Learn more >
Juniper Networks Releases Security Updates for Multiple Products
“Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
Learn more >
New “Critical” Security Firmware Update Systems Review – Provides New Intel Microcode
“Earlier this week, the Linux vendor’s firmware service began to increase in activity following the upload of numerous new system firmware files for what appears to be a “high-severity upcoming security issue” but currently undisclosed. .”
Learn more >
Binary Ninja > 3.0 The Next Chapter
“We’re thrilled to announce that Binary Ninja 3.0 is live today! In fact, this release is packed with so much good stuff that five of the nine most loved features of all time are shipping in this release!
Learn more >
And the moon bounced off a dumpster fire
The revelation last week of the MoonBounce UEFI implant in the wild continues an ongoing trend of firmware attacks (see some recent examples like iLOBleed in HPE servers, the Meris botnet in Mikrotik routers, and the FinPSy UEFI book in the Windows systems…the list keeps growing.) Firmware security is complicated by multiple unique implementations and obscure hardware configuration details. Worse still, vulnerabilities in the operating system (VBOS, as CISA calls them) are becoming more common and invisible to most security tools. This presents an attack surface that undermines normal defenses and prevents organizations from being alerted to the threat until it is far too late.
If the firmware light is green, the trap is clean
Over the past two years, firmware threats have gone from being the secret weapons of nation-state threat actors to everyday mundane threats used in some of the most popular malware, ransomware and attack campaigns. spread around the world. Yet many organizations are still in the early stages of developing their firmware security strategy, which can leave a void for attackers.
And while implementing a strategy can take time, there are highly tactical and practical steps that all organizations can and should take today. For example, organizations should ensure that their RI and recovery teams have the necessary tools to verify the firmware integrity of any device directly impacted by malware or other threat.
You suck at cybersecurity
Finally, did you know that you suck at cybersecurity? Our amazing creative director decided to have a little fun with this topic…speakers!
Watch now >