December Firmware Threat Report

Below the Surface

Eclypsium explores the techniques of successful firmware attacks as they apply to stages of a kill chain in this new report designed to help you assess and defend enterprise devices from firmware and hardware threats.

Get an inside look at: 

  • Attacker motivations
  • Key firmware components and their role in attacks
  • Attack vectors against firmware
  • The role firmware plays in persistent attack
  • Real-world examples of firmware threats in the wild


Industry News

  • 63% of organizations surveyed face security breaches due to hardware vulnerabilities – Hardware-level breaches are one of the latest modes of attack by cybercriminals, according to a Forrester report released this month. The majority (63%) of organizations said they experienced at least one data breach in the past year due to a hardware security vulnerability. BIOS attacks can inflict massive damage, the report says, because such attacks are difficult to detect and even more difficult to remove, as malicious code can persist through reboots and attempts to reflash the firmware.

  • New ransomware attacks target your NAS devices, backup storage – The number of ransomware strains targeting NAS and backup storage devices is growing, with users “unprepared” for the threat, researchers at Kaspersky say. In 2019 a range of new ransomware families emerged with NAS-exploit capabilities. WannaCry remains the most popular form of ransomware with cybercriminals, followed by Phny and GandCrypt.

  • Merck cyberattack’s $1.3 billion question: was it an act of war? – In a world where a keyboard can cause more harm than a gunship, a legal dispute between the drug giant and its insurers could determine who pays for cyber damage. NotPetya’s impact on Merck on the day of the attack and for weeks afterward was devastating, crippling more than 30,000 laptop and desktop computers at the global drugmaker, as well as 7,500 servers. Bloomberg explores the lawsuit now underway that will determine whether Merck’s insurers will pay up. More broadly, as CISOs consider how to right-size their security spend, this throws into question how much reliance can be placed on cyberinsurance.

  • Hardware hacks: The next generation of cybercrime – Attackers have always gone, and always will go, for the low-hanging fruit. As additional layers of protection have been added to the operating system, attackers have begun to look for other, easier, ways to disrupt operations. They bypass software and target hardware through the supply chain, insider threats, system updates, firmware updates and hardware errors.

  • Russian police raid NGINX Moscow office – Earlier this month police raided the Moscow offices of NGINX, Inc., a subsidiary of F5 Networks and the company behind the internet’s most popular web server technology, seizing equipment and detaining employees for questioning. Ars Technica has an update, and a look at the potential impact on industry giants which depend on NGINX.

Security Research

  • Researchers use Intel SGX’s voltage-tuning function to breach chip security – Three different academic research teams separately found and reported to Intel a vulnerability in its Software Guard Extensions (SGX) security feature that could be abused by an attacker to inject malware and steal encryption keys. What is significant about this research is that the attack is achievable purely from software, so an adversary who already has privileged access can readily weaponize it to reach content that is not accessible by design. Intel urged customers to apply BIOS updates from system manufacturers to thwart this new class of attack techniques, which exploit the voltage adjustment feature in several families of its microprocessors.
    • Voltpwn: Researchers from Technische Universität Darmstadt and University of California demonstrated a deviation of control flow during enclave execution.

  • Major vulnerabilities found in popular wireless presentation system – F-Secure consultants have discovered multiple exploitable vulnerabilities in Barco’s ClickShare wireless presentation system. Attackers can use the flaws to intercept and manipulate information during presentations, steal passwords and other confidential information, and install backdoors and other malware. F-Secure’s post details a dozen CVEs and a patch from Barco; however, some fixes require hardware updates.

  • NVIDIA boot loader – Ryan Grachek discovered a vulnerability in the NVIDIA Tegra in which the boot loader does not validate the fields of the boot image, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.

  • BitLeaker: Subverting BitLocker with One Vulnerability – Microsoft Windows has used Trusted Platform Modules (TPM) to protect the Volume Master Key (VMK) of its disk encryption software, BitLocker. In this Black Hat Europe presentation, Seunghun Han and Jun-Hyeok Park of ETRI describe a sleep mode vulnerability in both types of TPM that can subvert BitLocker.

  • Siemens PLC Feature Can Be Exploited for Evil – and for Good – Researchers at Ruhr University found a method to bypass firmware integrity checks in S7-1200 PLCs. They found that an attacker using the special access feature could bypass the bootloader’s firmware integrity check within a half-second window when the PLC starts up, and load malicious code to wrest control of the PLC’s processes.

  • POC shows webpage dumping firmware – Chrome has the ability to let a site ask to talk to a USB device. In this POC, a web page asks to talk to your Logitech USB dongle and dumps the firmware from the device, including encryption keys. By default, Chrome will ask the user whether they want to allow the site to talk to their USB device, so it is not a silent attack, but it is an interesting example of bridging the web and the firmware level.
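Because the only thing standing between a web page and the device in that POC is the user clicking “Allow” on the browser prompt, the practical enterprise mitigation is to take the decision out of the user’s hands. The following managed Chrome policy is an added example written for this report, not code from the POC or from Eclypsium: it turns off WebUSB access requests for every site (value 2 of DefaultWebUsbGuardSetting, the real Chrome policy key) and then re-enables the prompt only for a single internal origin that legitimately needs it. The origin https://firmware-updater.example.com is a placeholder, and the deployment path below is an assumption about a Linux fleet.

```json
{
  "DefaultWebUsbGuardSetting": 2,
  "WebUsbAskForUrls": [
    "https://firmware-updater.example.com"
  ]
}
```

On a Linux fleet this file would be dropped into /etc/opt/chrome/policies/managed/ (on Windows the same keys are set under the Google\Chrome registry policy hive or via the ADMX templates); after Chrome reloads policy, chrome://policy should list both keys with status OK, and any site outside the allow list no longer gets the permission prompt at all, so the “talk to my USB dongle” request in the POC simply fails.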

Security Advisories

  • Intel NUC Firmware Advisory – Intel is releasing firmware updates to mitigate five high-severity vulnerabilities in NUC firmware that may allow escalation of privileges.

  • Intel Processor Graphics Advisory – A potential security vulnerability in Intel® Software Guard Extensions (SGX) enabled processors with Intel® Processor Graphics may allow information disclosure.

Additional Reading & Listening:


Firmware Security Training

Looking to build your knowledge and skills in firmware attack prevention and detection? Eclypsium researchers Mickey Shkatov, Jesse Michael and Rick Altherr will lead hands-on training classes in 2020 at CanSecWest in Vancouver, BC in March, and again at RingZer0’s InfoSec Training in Las Vegas in August.
Class sizes are limited, and RingZer0 is offering a 25% discount for registrations before year end.

Practical Firmware Implants

In recent years, as firmware-based attacks have become more and more frequent, there is a growing need to understand the motivation, capabilities and complexities of such attacks. How do they work? How hard is it to create an implant? What are the attackers’ considerations and thoughts when creating firmware implants?

This is a two-day crash course in UEFI development for security practitioners, in which we will spend most of our time working hands-on to understand how system firmware works, basic development and coding, firmware implantation strategies, attack and defense tactics, and more.

At CanSecWest
March 16-17, 2020
Vancouver, BC

At RingZer0
August 1-2, 2020
Las Vegas, NV

Finding Firmware Implants

Firmware implants have been gaining momentum as an attack vector, especially for Advanced Persistent Threats. How do you detect them? What are they capable of? How can you capture them for further study and remove them from a device?

This two-day firmware forensics and incident response course will dive into the tools and techniques used to extract system firmware from a system, unpack the contents, and analyze them for signs of tampering. Hardware Root of Trust systems such as Intel Boot Guard will be explained, along with techniques used to subvert them.

At CanSecWest
March 14-15, 2020
Vancouver, BC

At RingZer0
August 3-4, 2020
Las Vegas, NV