July came in hot. Really hot. Not more than a few hundred miles from our Portland, OR headquarters, the Bootleg fire continues to burn as the nation’s largest wildfire and the third-largest in Oregon’s history. Panning out, there’s an equally massive firestorm of threat actors exploiting device firmware. Chinese state-sponsored actors and ransomware operators both took center stage, as did a run of critical vulnerabilities in Microsoft products indicative of the company’s recent SSDLC challenges.
Halfway through the year, it is apparent that Chinese and Russian state-sponsored actors, as well as criminal actors, are nearly all targeting the same critical vulnerabilities in externally facing devices. At a minimum, these include three CVEs that CISA reports are being actively exploited by Russian SVR and Chinese APT40 actors:
CVE-2020-5902 (F5 BIG-IP)
CVE-2019-19781 (Citrix ADC)
CVE-2019-11510 (Pulse Secure VPN)
The recent attacks against Microsoft Exchange Servers have been attributed to the Chinese APT31 and APT40 groups. APT31 also routes C2 traffic through compromised SOHO routers to hide it, taking a tip from Russian SVR state actors and from criminal actors like the TrickBot group, which continues to rely on MikroTik routers for its infrastructure.
Speaking of TrickBot, they are back in full force. Having fully adapted and recruited new talent, they are targeting a new array of victims at a blistering cadence and deploying Cobalt Strike, among other new tricks. Criminal actors who exploit these VPN devices then create or steal VPN credentials that are later sold to RaaS operators and state actors alike.
Hacking these devices isn’t just for nation-states and crime gangs. This curious pair of hackers decided to poke around at their own Aruba devices and ended up finding an abundance of CVEs, several of which, when chained, yielded full remote code execution. It is a testament to just how many critical software flaws this class of devices has and how readily they can be exploited. After all, if two curious hackers can do it, imagine what nation-states and crime groups can (and do) do.
Speaking of poking around, one of our own Eclypsium researchers has been hard at work enumerating a particular class of Internet-exposed device that is commonly attacked. The initial results pretty much tell the whole story of why attackers target them. In one case, half of the devices exposed to the Internet are running firmware that is more than three years old, End of Life (EoL), and vulnerable, and up to 95% of the devices have at least one critical vulnerability. Expect to read more about this in a future research blog we’ll be eager to publish.
Perhaps this is why we needed an Executive Order to address such fundamental flaws in the critical software and supply chains that power our infrastructure. What software could be more critical than the device operating systems and firmware running on them? Ironically, that criticality is the reason these devices never get updated: they are so critical that no one wants to take them down long enough to apply an update, which is precisely what our adversaries have learned to rely on as their primary strategy of late. In the context of defining what “critical software” is in the Executive Order, firmware is critical by every criterion the order lays out and essential to the creation, execution, and operation of the “Zero Trust architectures” the order draws upon as a framework.
Eclypsium customers will be happy to know that the often-attacked and outrageously vulnerable devices we’ve highlighted above are covered by our platform. Everything from VPN devices to routers and even Accellion FTA devices, whose recent attack campaign is still underway. If it’s a critical device, our mission is to ensure you can defend it!
We look forward to seeing you virtually or in person at the Black Hat and DEF CON conferences in Las Vegas next month, where both Mickey and Jesse will be presenting the “rest of the story” on the incredible BIOS Disconnect set of vulnerabilities they discovered! In the meantime, you can catch @transhackersim on the PSW show discussing this and more, or get his hot take on this month’s report.
The Pentagon Tried to Take Down These Hackers. They’re Back.
“U.S. Cyber Command and Microsoft, among others, launched operations on the eve of the election meant to hobble a Russian-speaking hacking group. But it’s rising again.”
- The National Guard Just Simulated A Cyberattack That Brought Down Utilities Nationwide
- APT31 modus operandi attack campaign targeting France
- Chinese hacking group APT31 uses mesh of home routers to disguise attacks
- Fortinet’s security appliances hit by remote code execution vulnerability
- The Ghosts of Mirai
- Use of Initial Access Brokers by Ransomware Groups
- Cisco ASA Bug Now Actively Exploited as PoC Drops
- Malware blamed for remotely wiping WD My Book Live users’ disks
- Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments
- Cisco ASA vulnerability actively exploited after exploit released
- Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets
- Another day, another WD security flaw
- Catalog of Supply Chain Compromises
- Criminals are mailing altered Ledger devices to steal cryptocurrency
- The Accellion data breach continues to get messier
- REvil-ution – A Persistent Ransomware Operation
- Cisco BPA, WSA Bugs Allow Remote Cyberattacks
- The Pentagon Tried to Take Down These Hackers. They’re Back
- Microsoft and ISPs did door-to-door router replacements to stop Trickbot malware
Chinese government lays out new vulnerability disclosure rules
“The Chinese government has published new regulation on Tuesday laying out stricter rules for vulnerability disclosure procedures inside the country’s borders.”
- Got Bitcoin, Will Buy Intel: U.S. Government Offers Cryptocurrency Bounty In Radical New Approach To Fighting Cybercrime
- UK.gov’s Huawei watchdog says firm made ‘no overall improvement’ on firmware security but won’t say why
- House Hearing on “Stopping Digital Thieves: the Growing Threat of Ransomware”
Urgent Security Notice: Critical Risk To Unpatched End-Of-Life SRA & SMA 8.X Remote Access Devices
“Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack.”
- Chinese State-Sponsored Cyber Operations: Observed TTPs | CISA
- Fortinet Releases Security Updates for FortiManager and FortiAnalyzer
- Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Interface Cross-Site Scripting Vulnerabilities
- Netgear Authentication Bypass Allows Router Takeover
- Red Hat Security Advisory 2021-2566-01 (Firmware Update)
- Urgent Security Notice: Critical Risk to Unpatched End-of-Life SRA & SMA 8.x Remote Access Devices | SonicWall
- Full Disclosure: SEC Consult SA-20210714-0 :: Critical vulnerabilities in Schneider Electric EVlink Charging Stations
- Analyzing SonicWall’s Unsuccessful Fix for CVE-2020-5135
- Cisco Security Advisory: Cisco IOS and IOS XE Software Bidirectional Forwarding Detection Denial of Service Vulnerability
- Cisco Releases Security Updates | CISA
- HelloKitty ransomware is targeting vulnerable SonicWall devices
- Intel BSSA DFT Advisory (INTEL-SA-00525)
- Aruba Product Security Advisory ID: ARUBA-PSA-2021-007
- D-Link issues beta hotfix for multiple flaws in DIR-3040 routers
Chained vulnerabilities in Aruba Networks firmware allowed remote code execution on routers
“Multiple vulnerabilities in routers from Aruba Networks allowed attackers to conduct a series of malicious activities including remote code execution (RCE), security researchers have found.”
- Aruba in Chains: Chaining Vulnerabilities for Fun and Profit
- NFC Flaws Let Researchers Hack ATMs by Waving a Phone
- Realtek WiFi Firmware and a Fully 8051-based Keylogger Using RealWOW Technology
- Dumping and Extracting the SpaceX StarLink User Terminal Firmware
- The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs
- Juniper: Remote code execution vulnerability when EAP authentication is configured (CVE-2021-0276)
- HP patches vulnerable driver lurking in printers for 16 years
Security Weekly – The BIOS Disconnect
“Eclypsium researchers identified vulnerabilities affecting the BIOSConnect feature within Dell Client BIOS. ”
- RomBuster – A router exploitation tool that discloses network router admin passwords
- Significant Historical Cyber-Intrusion Campaigns Targeting ICS via CISA
- Ransomware Payment Tracker
- Shamoon tactical recommendations updated 21 July 2021
- Tech details / methods for X86 microcode reading
- chip-red-pill/udbgInstr (Processor, EFI, x86 instruction tools)
The firmware supply chain supports virtually every aspect of modern-day organizations. While the firmware layer is often overlooked, it’s increasingly under fire from both financially motivated hackers and determined nation-states. A firmware implant delivered through the supply chain ensures that the attacker’s code is the first to run and has the highest privileges from the moment a device turns on.
Commercial and government organizations alike are left wondering how they can trust vendor tools and checks when the vendor itself (or one of its upstream component providers) may have been compromised in the supply chain. Presented by Eclypsium’s Director of Product Marketing, Michael Thelander, and VP of Federal Technology, John Loucaides.
A few years ago, a casual Google search on the term “Zero Trust” would have returned hundreds of thousands of hits. Search for the same term today, and you’ll get about 4 billion hits. But can a Zero Trust security strategy be effective without accounting for the needs of firmware security? What does it even mean to apply Zero Trust principles to something as difficult to assess and secure as firmware? And who owns this initiative, the vulnerability management team? The CIO’s team? In this webinar, John Loucaides, Eclypsium VP of R&D, and Michael Thelander, Director of Product Marketing, will discuss the four pillars of Zero Trust security as it relates to firmware. They’ll then describe how to identify, verify, and fortify the firmware underneath every organization’s current technology stack.
With attacks moving below the operating system and the discovery of computer firmware vulnerabilities on the rise, keeping current platforms updated has become essential, and new technology is being developed to help defend against such threats. Major computer manufacturers are adding capabilities to make it easier to update the BIOS.
Eclypsium’s @HackingThings and @JesseMichael identified multiple vulnerabilities in Dell’s BIOSConnect feature, which is used for remote update and recovery of the operating system. These vulnerabilities are easy to exploit by an adversary in the right network position and are not prevented by protective technologies such as Secured-core PCs, BitLocker, Boot Guard, and BIOS Guard.
Join us and together we will explore the new attack surfaces introduced by these UEFI firmware update mechanisms — including a full walk-through of multiple vulnerability findings and the methods we used to create fully working exploits that gain remote code execution within the laptop BIOS and their effects on the operating system.