May Firmware Threat Report
Sometimes it takes a thunderstorm before seeing positive outcomes and real change: Cyber May Flowers, if you will.
The SolarWinds and related supply chain attacks put our government through the crucible of painful incident response and restoration efforts. The events also became a watershed moment, one in which cyber risk to national security fully materialized. In response to this broader supply chain threat, President Biden signed a complex and broad Executive Order that was 18 pages long and included over 70 actionable directives. In a sense, this EO not only helps protect the supply chain but directly leverages its dynamics to improve software security across the board. It will require developers that sell to the USG to create SBOM (software bill of materials) for all critical software. This, in turn, raises the tide even for companies that do not sell directly to the USG because their downstream customers who do will need to account for their upstream providers via SBOM level provenance/verification.
For Eclypsium’s part, we were glad to see that the five criteria listed as what shall define ‘critical software’ are a 1:1 mapping to firmware overall. After all, firmware is simply software that is stored differently (on hardware versus on disk). It is critical to the entire rest of the stack above as a dependency and hugely impactful to every aspect of computing when attacked. It is the root of trust, and it operates at the highest level of privilege. Therefore, we expect that calls for SBOM level verification will extend to FBOM (firmware bill of materials).
Another positive development is the fantastic work CISA has been doing to quantify, analyze, and expose the risk that BtOS (Below the Operating System) threats pose to critical infrastructure and enterprises alike. They presented a pair of talks at this year’s RSA Conference that confirm firmware’s worst offender status regarding high-impact threats like those targeting the UEFI (Trickboot, MosaicRegressor, LoJax, VectorEDK, etc.)
Much has been written about the Colonial Pipeline attack. Still, the number one takeaway made evident to both threat actors and critical infrastructure organizations is that operations can be disrupted whether or not malware targets OT systems directly. Devices like the ones that form the fictional ‘air gap’ between IT and OT are themselves increasingly being targeted, with tremendous impact potential as a result. Indeed both Darkside affiliates and UNC2447 have been targeting SonicWall CVE’s to gain initial access into victim networks, and CISCO’s ASAs have been vulnerable to DoS attacks. Meanwhile, the NCSC updated the list of CVE’s that Russia’s SVR is actively using and now includes five such critical device CVE’s in the list.
The best Cyber May Flower we saved for last. Eclypsium just announced new product functionality that directly addresses these kinds of device-level threats by allowing our customers to discover, analyze and assess the risk for both critical appliances and other ‘agentless’ types of connected devices. This functionality further expands our unique visibility into those devices giving organizations the ability to register and manage down the associated risks. No more flying blind; it’s time to take back security control of these devices and get ahead of the attackers that continue to exploit them. Hats off to our customers who continue to make us better by requesting new capabilities and helping us blossom into one of the 15 hottest solutions at RSAC.
UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
“Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT”
- Colonial Pipeline Attacks Put Darkside Ransomware Under Scrutiny
- VPN Hacks Are a Slow-Motion Disaster
- Hacking campaign targets FileZen file-sharing network appliances
- Initial analysis of PasswordState supply chain attack backdoor code
- At least 24 agencies run Pulse Secure software. How many were hacked is an open question
- Broken trust: Lessons from Sunburst – Atlantic Council
- Pulse Secure VPN zero-day used to hack government organizations and defense firms
- Apple’s ransomware mess is the future of online extortion
- QNAP warns of AgeLocker ransomware attacks on NAS devices
- Millions at risk of hacking from old routers – BBC News
- U.S. Intelligence Agencies Warn About 5G Network Weaknesses
- IOTW: University of California Schools Hit with Accellion FTA Attack
- CISA Identifies SUPERNOVA Malware During Incident Response
DHS announces program to mitigate vulnerabilities below the operating system
“For years, security personnel have been content to largely ignore the horrors lying beneath the surface of the OS, seeing firmware-based attacks as exotic and high-end.”
- Executive Order on Improving the Nation’s Cybersecurity | The White House
- QNAP released a security update in October last year after learning about the vulnerability and responding slowly six months later.
- The Biden Administration’s Impending Executive Order on Software Security
- Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs
- Biden Order To Require New Cybersecurity Standards In Response To SolarWinds Attack
- Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders | CISA
Further TTPs associated with SVR cyber actors
“The group will look to rapidly exploit recently released public vulnerabilities which are likely to enable initial access to their targets.”
- Two attacks disclosed against AMD’s SEV virtual machine protection system
- New Spectre vulnerabilities discovered on Intel and AMD processors
- Nvidia Warns on High-Severity Bugs in GPU Driver, vGPU Software
- F5 BIG-IP Found Vulnerable to Kerberos KDC Spoofing Vulnerability
- Cisco Releases Security Updates for Multiple Products
- SA44784 – 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4
- Qualcomm vulnerability impacts nearly 40% of all mobile phones
- Cisco Releases Security Updates for Multiple Products | CISA
- Cisco Security Advisory: Cisco Small Business 100, 300, and 500 Series Wireless Access Points Vulnerabilities
- Further TTPs associated with SVR cyber actors – NCSC
- Critical Cisco SD-WAN, HyperFlex Bugs Threaten Corporate Networks
- Cisco Security Advisory: Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products
- Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services VPN Denial of Service Vulnerabilities
Comparison of security-related technologies from both 11th Gen Intel Core vPro mobile processors and AMD Ryzen PRO 4000 series mobile processors
“Based on IOActive research, we conclude that AMD offers no corresponding technologies in the Below the OS, Platform Update, Advanced Threat Protection, or Crypto Extension categories, while Intel offers features in all of these categories.”
- Hackers turn Comcast voice remotes into eavesdropping tool
- SolarWinds: Illuminating the Hidden Patterns That Advance the Story
- TBONE: for public release on 2021-04-28
- Exploiting Undocumented Hardware Blocks in the LPC55S69
- I See Dead µops: Leaking Secrets via Intel/AMD Micro-Op Caches
- Dell patches vulnerable driver in a decade of IT products, computers and laptops
- FragAttacks (fragmentation and aggregation attacks) on WiFi devices
- D-Link Router CVE-2021-27342 Timing Side-Channel Attack Vulnerability Writeup
- An Introduction to Hardware Hacking
What Is Firmware Malware and How Can You Prevent Infections?
“Firmware malware is an increasing threat to your device’s security. Learn more about firmware malware and how it spreads.”
- 4 Innovative Ways Cyberattackers Hunt for Security Bugs
- 3 ways to prevent firmware attacks without replacing systems
- SLSA: Supply-chain Levels for Software Artifacts, Proposal
- A Curated list of IoT Security Resources
What Auditors Need to Know When Evaluating Firmware Compliance
Recent updates to NIST 800-53 and other compliance standards emphasize that controls must extend down to firmware and hardware. To keep pace with widespread attacks and new standards, organizations must incorporate firmware security into risk management and compliance processes and address blind spots that have given attackers a new foothold. But what does this mean, and what should you be looking for?
Eclypsium’s VP of Federal Technology, John Loucaides will discuss:
- What is firmware, and why is it important?
- Why firmware and hardware security is being called out in compliance frameworks
- What questions to ask when conducting your audit
- Evidence of compliance that can be produced
- How Eclypsium is helping businesses collect this evidence
A New Approach to Protecting Network and Unmanaged Devices
Enterprise IT and security teams today must navigate the risk of a constantly evolving landscape of networking equipment, connected devices, and personal-use employee devices in remote work environments. Many of these devices simply can’t be managed using traditional security tools, with recent studies estimating that up to 90% of enterprise devices can’t support a traditional security agent.
What’s a security team to do? Maybe it’s time for a new approach to protecting network appliances and other ‘unmanaged” appliances. In this webinar, Ed Amoroso, Founder and CEO of TAG Cyber and Scott Scheferman, Principal Cyber Strategist at Eclypsium will discuss:
- Why VPNs and networking infrastructure are targeted for attack
- Who is behind these attacks and what they hope to gain
- What kinds of vulnerabilities – such as unpatched firmware – attackers are seeking
- How certain types of critical devices are targeted by ransomware actors in a way that leverages the concept of supply chain dynamics.
- Why traditional security tools may leave you blind to this threat
- How you can get ahead of attackers with a new distributed approach to network device discovery and analysis that provides agentless visibility into all corners of an enterprise
*** This is a Security Bloggers Network syndicated blog from Eclypsium authored by Eclypsium. Read the original post at: https://eclypsium.com/2021/05/26/may-firmware-threat-report-2021/