May Firmware Threat Report

Sometimes it takes a thunderstorm before seeing positive outcomes and real change: Cyber May Flowers, if you will.

The SolarWinds and related supply chain attacks put our government through the crucible of painful incident response and restoration efforts. The events also became a watershed moment, one in which cyber risk to national security fully materialized. In response to this broader supply chain threat, President Biden signed a complex and broad Executive Order that was 18 pages long and included over 70 actionable directives. In a sense, this EO not only helps protect the supply chain but directly leverages its dynamics to improve software security across the board. It will require developers that sell to the USG to create SBOM (software bill of materials) for all critical software. This, in turn, raises the tide even for companies that do not sell directly to the USG because their downstream customers who do will need to account for their upstream providers via SBOM level provenance/verification. 

For Eclypsium’s part, we were glad to see that the five criteria listed as what shall define ‘critical software’ are a 1:1 mapping to firmware overall. After all, firmware is simply software that is stored differently (on hardware versus on disk). It is critical to the entire rest of the stack above as a dependency and hugely impactful to every aspect of computing when attacked. It is the root of trust, and it operates at the highest level of privilege. Therefore, we expect that calls for SBOM level verification will extend to FBOM (firmware bill of materials).

Another positive development is the fantastic work CISA has been doing to quantify, analyze, and expose the risk that BtOS (Below the Operating System) threats pose to critical infrastructure and enterprises alike. They presented a pair of talks at this year’s RSA Conference that confirm firmware’s worst offender status regarding high-impact threats like those targeting the UEFI (Trickboot, MosaicRegressor, LoJax, VectorEDK, etc.)

Much has been written about the Colonial Pipeline attack. Still, the number one takeaway made evident to both threat actors and critical infrastructure organizations is that operations can be disrupted whether or not malware targets OT systems directly. Devices like the ones that form the fictional ‘air gap’ between IT and OT are themselves increasingly being targeted, with tremendous impact potential as a result. Indeed both Darkside affiliates and UNC2447 have been targeting SonicWall CVE’s to gain initial access into victim networks, and CISCO’s ASAs have been vulnerable to DoS attacks. Meanwhile, the NCSC updated the list of CVE’s that Russia’s SVR is actively using and now includes five such critical device CVE’s in the list.

The best Cyber May Flower we saved for last. Eclypsium just announced new product functionality that directly addresses these kinds of device-level threats by allowing our customers to discover, analyze and assess the risk for both critical appliances and other ‘agentless’ types of connected devices. This functionality further expands our unique visibility into those devices giving organizations the ability to register and manage down the associated risks. No more flying blind; it’s time to take back security control of these devices and get ahead of the attackers that continue to exploit them. Hats off to our customers who continue to make us better by requesting new capabilities and helping us blossom into one of the 15 hottest solutions at RSAC. 

• Colonial Pipeline Attacks Put Darkside Ransomware Under Scrutiny
• VPN Hacks Are a Slow-Motion Disaster
• Hacking campaign targets FileZen file-sharing network appliances 
• Initial analysis of PasswordState supply chain attack backdoor code
• At least 24 agencies run Pulse Secure software. How many were hacked is an open question
• Broken trust: Lessons from Sunburst – Atlantic Council
• Pulse Secure VPN zero-day used to hack government organizations and defense firms
• Apple’s ransomware mess is the future of online extortion
• QNAP warns of AgeLocker ransomware attacks on NAS devices
• Millions at risk of hacking from old routers – BBC News
• U.S. Intelligence Agencies Warn About 5G Network Weaknesses
• IOTW: University of California Schools Hit with Accellion FTA Attack
• CISA Identifies SUPERNOVA Malware During Incident Response

• Executive Order on Improving the Nation’s Cybersecurity | The White House
• QNAP released a security update in October last year after learning about the vulnerability and responding slowly six months later.
• The Biden Administration’s Impending Executive Order on Software Security
• Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs
• Biden Order To Require New Cybersecurity Standards In Response To SolarWinds Attack
• Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders | CISA

• Two attacks disclosed against AMD’s SEV virtual machine protection system
• New Spectre vulnerabilities discovered on Intel and AMD processors
• Nvidia Warns on High-Severity Bugs in GPU Driver, vGPU Software
• F5 BIG-IP Found Vulnerable to Kerberos KDC Spoofing Vulnerability
• Cisco Releases Security Updates for Multiple Products
• SA44784 – 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4
• Qualcomm vulnerability impacts nearly 40% of all mobile phones
• Cisco Releases Security Updates for Multiple Products   | CISA
• Cisco Security Advisory: Cisco Small Business 100, 300, and 500 Series Wireless Access Points Vulnerabilities
• Further TTPs associated with SVR cyber actors – NCSC
• Critical Cisco SD-WAN, HyperFlex Bugs Threaten Corporate Networks
• Cisco Security Advisory: Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products
• Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services VPN Denial of Service Vulnerabilities

• Hackers turn Comcast voice remotes into eavesdropping tool
• SolarWinds: Illuminating the Hidden Patterns That Advance the Story
• TBONE: for public release on 2021-04-28
• Exploiting Undocumented Hardware Blocks in the LPC55S69
• I See Dead µops: Leaking Secrets via Intel/AMD Micro-Op Caches
• Dell patches vulnerable driver in a decade of IT products, computers and laptops
• FragAttacks (fragmentation and aggregation attacks) on WiFi devices
• D-Link Router CVE-2021-27342 Timing Side-Channel Attack Vulnerability Writeup
• An Introduction to Hardware Hacking

• 4 Innovative Ways Cyberattackers Hunt for Security Bugs
• 3 ways to prevent firmware attacks without replacing systems
• SLSA: Supply-chain Levels for Software Artifacts, Proposal
• A Curated list of IoT Security Resources