On November 18th, earthlings experienced the longest lunar eclipse in a stretch of over 1000 years. The moon was covered by Earth’s umbral shadow for over six hours. The next time a lunar eclipse will last this long will be the year 2669. Here at Eclypsium, the eclipse serves as a reminder that we need to constantly examine those things that lurk in the shadows, even when the shadow is our own.
Last month we focused on an alarming yet predictable rise in UEFI-level bootkits, with new threats like ESPecter and FinSpy emerging. ESPecter is noteworthy because it can bypass signature checking and hides in the EFI system partition. Meanwhile, FinSpy is a revamped VectorEDK bootkit from HackingTeam that has recently resurfaced in the wild as an improved version. While these developments may not be surprising given that both are based on much earlier code going back seven years or more, they still both have very low detection rates. As this astute blogger alludes to, and as we here at Eclypsium often exclaim: Don’t be surprised when we find more campaigns, and a diversity of threat actors ranging from APT to criminal, using such TTPs to great effect. Let’s take a look at two types of threat actors that might well be doing so, by simply focusing on the ‘why’. Asking the ‘why’ question is at the core of anticipating future threat scenarios.
First, let’s look at Trickbot: Already known to target UEFI via their TrickBoot module, Trickbot has returned with a vengeance this month in terms of its ability to distribute broadly and quickly via a restored partnership with the revamped Emotet apparatus. Thus returns the Emotet-Trickbot-Ryuk(Conti) distribution and execution triad, and with it, the ability to broadly distribute Trickbot to nearly any industry or vertical in the world. What better way to maintain their previously hard-fought persistence (via prior Fortinet or other VPN device vulns) than by leveraging these readily available and well-documented bootkit methods? Especially when on any given Sunday, there is always a way to escalate privileges on Windows. From there, anyone can have a bootkit.
Next, we can look at recent Iran-based threat activity targeting IT infrastructure, which has increased from nearly zero last year to over 1500 attacks this year. These actors may have been taking note of recent supply chain and third-party trust/privilege abuse tactics employed in the SolarWinds (and subsequent) campaigns. In general, they thrive on three elements in particular:
- Leveraging third-party admin-level accounts to perform their operations
- Persistence via stealthy TTPs
- Capacity and continued desire for disruptive or destructive capabilities
When viewed in this light, it might be reasonable to anticipate the same actors turning to UEFI bootkits (easily deployed with the above-referenced admin-level credentials) or worse, UEFI-level destruction that could render the device permanently unusable, making back-up procedures much less effective in many cyber-physical scenarios. As Microsoft is keen to point out: “…the adoption of ransomware aided the Iranian hackers’ efforts in espionage, disruption and destruction, and to support physical operations.”
Alas, whether we’re talking about Trickbot’s Trickboot or the Iran-based DEV-0228 activities of late, it’s good to know you can fight back against these and other types of low-level bootkits.
Ultimately it comes down to taking the fight to the adversary and outpacing them in those areas where they currently hold an advantage: things like patching firmware and network devices, but also those areas we often forget to address as ever-so-busy cyber warriors. David Spark recently interviewed LinkedIn’s CISO Geoff Belknap (@geoffbelknap) and Eclypsium’s Strategist, Scott Scheferman (@transhackerism), to discuss the four A’s of cyber leadership. Taken together, these have the power to turn the tables against the modern adversary.
We’ll let you listen and enjoy, but for now, one of those A’s is “Anticipation”.

Corporate Loader “Emotet”: History of “X” Project Return for Ransomware
“AdvIntel deep-dives into the contemporary threat landscape illustrating how Emotet’s return might re-shift the ransomware ecosystem.”
- Trickbot banking Trojan modules overview
- Annnd another UEFI rootkit
- Warning — Hackers Exploiting New Windows Installer Zero-Day Exploit in the Wild
- Iranian targeting of IT sector on the rise
- Now Iran’s state-backed hackers are turning to ransomware
- A couple of thoughts about the recent UEFI bootkit discoveries
- TrickBot Gang Enters Cybercrime Elite with Fresh Affiliates
- AMD Secure Memory Encryption Has a Flaw, Now Disabled by Default in Linux Kernel
- Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant
- Hackers somehow got their rootkit a Microsoft-issued digital signature
- Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions
- Gigabyte Allegedly Hit by AvosLocker Ransomware
- Microsoft: Shrootless bug lets hackers install macOS rootkits
- New Trojan Source attack impacts compilers for most programming languages
- Cloudflare report highlights devastating DDoS attacks on VoIP services and several ‘record-setting HTTP attacks’
- 14 New Security Flaws Found in BusyBox Linux Utility for Embedded Devices
- 8 advanced threats Kaspersky predicts for 2022
- FIN7 Lures Unwitting Security Pros to Carry Out Ransomware Attacks
- I Was Hacked. The Spyware Used Against Me Makes Us All Vulnerable
- Hackers just stole personal data from millions of Acer customers
- Ukraine arrests operator of DDoS botnet with 100,000 bots

Alan Paller, Cyber Security Industry Titan and SANS Institute Founder, Passes Away
“Mr. Paller was a pioneer in the cybersecurity industry, championing the need for greater education and knowledge for practitioners. His combination of passion, intellect, and ethical rigor was instrumental in bringing more skilled people into the profession.”
- Windows 11 and the need for better BIOS integration
- The AP Interview: Justice Dept. conducting cyber crackdown

Microsoft Warns of New Security Flaw Affecting Surface Pro 3 Devices
“Microsoft has published a new advisory warning of a security bypass vulnerability affecting Surface Pro 3 convertible laptops”
- Palo Alto Networks patches zero-day affecting firewalls using GlobalProtect Portal VPN
- NETGEAR Security Advisory for Pre-Authentication Buffer Overflow on Multiple Products, PSV-2021-0168
- Eavesdropping Bugs in MediaTek Chips Affect 37% of All Smartphones and IoT Globally

How we searched for a connection between Mēris and Glupteba, and gained control over 45 thousand MikroTik devices
“A week ago, it became known about a record DDoS attack on Yandex with an impressive value of 21.8 million RPS.”
- A Brief History of the Meris Botnet
- DDoS Attack Trends for Q3 2021
- A Tale of Two Botnets
- This new attack bypasses Rowhammer defenses in most DRAM, say researchers
- Almost half of rootkits are used for cyberattacks against government organizations

SamuelTulach/SecureFakePkg: Simple EFI runtime driver to Fake Secure Boot
“SecureFakePkg is a simple EFI runtime driver that hooks GetVariable function and returns data expected by Windows to make it think that it’s running with secure boot enabled. In other words, it fakes secure boot status.”
- New! Trends.shodan.io
- Open Source Firmware Conference 2021
- CISA: Known Exploited Vulnerabilities Catalog
- The MITRE Engage Matrix

DEFENSE IN DEPTH: HOW DO WE TURN THE TABLES AGAINST THE ADVERSARIES?
If we’re going to turn the tables against our adversaries, everything from our attitude to our actions needs to change, to a model where attacks and breaches are not normalized, and we know what to do and how to respond quickly. Listen in as Eclypsium’s Principal Strategist, Scott Scheferman, LinkedIn’s CISO Geoff Belknap, and David Spark discuss these challenges further.
Firmware: Ransomware’s #1 Enabler
Two intersecting trends — the recent firmware explosion and rampant ransomware — have caused havoc and made security teams question their previous strategies. This paper shows how we got here and what information security teams can do about it.