February Firmware Threat Report

Unsigned firmware in peripheral devices remains a highly overlooked aspect of cybersecurity. Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can disrupt operations and more.

Listen to Eclypsium’s Principal Researcher Jesse Michael and Principal Engineer Rick Altherr answer questions about their new research.

INDUSTRY PERSPECTIVE

  • In April 2019, it was discovered that there is a Kaspersky UEFI bootloader, signed by Microsoft, which will load additional unsigned code components that could be used to bypass Secure Boot. On February 11, Microsoft published an update (KB4524244) to revoke the Kaspersky bootloader. The update, however, unexpectedly caused issues with some systems. Microsoft removed the update on February 14 due to these problems.
  • CISA Warns ‘Critical Industries’ Following a Cyberattack on Gas Pipeline Facility. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a ransomware advisory “to all industries operating critical infrastructures.” CISA is investigating a cyberattack that impacted the pipeline operations network of a natural gas compression facility. CISA has published a list of mitigative measures and threat actor techniques.
  • Living off another land: Ransomware borrows vulnerable driver to remove security software. Ransomware attacks dubbed RobbinHood show the real danger of insecure drivers. In this case, the attackers used the “driver as a wedge so they could load a second, unsigned driver into Windows. This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.” The signed driver, part of a now-deprecated software package, has a known vulnerability (CVE-2018-19320).

FIRMWARE SECURITY RESEARCH

  • Five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) can allow remote attackers to completely take over devices without any user interaction. CDP is implemented in virtually all Cisco products including switches, routers, IP phones and cameras. The CERT Coordination Center has also issued an advisory.
  • Escaping the Chrome Sandbox with RIDL. This Google Project Zero post looks at the impact of RIDL and similar hardware vulnerabilities when used from a compromised renderer. Chrome’s IPC mechanism Mojo is based on secrets for message routing. Leaking these secrets allows attackers to send messages to privileged interfaces and perform actions that the renderer shouldn’t be allowed to do.

FIRMWARE SECURITY ADVISORIES

  • According to an Intel firmware security advisory (INTEL-SA-00307), the Intel Converged Security and Management Engine (CSME) is subject to firmware vulnerabilities which, if exploited, allow local threat actors to launch escalation of privilege, denial of service, and information disclosure attacks. Tracked as CVE-2019-14598, the vulnerability has been awarded a CVSS base score of 8.2, which deems the issue critical. Intel has released a firmware update to mitigate the vulnerability. Also, this month Intel updated a security advisory (INTEL-SA-00213) related to the original CSME CVE-2019-0090.
  • KB4494174 firmware secures Windows 10 PCs. The Microarchitectural Data Sampling (MDS) vulnerability in Intel CPUs is still an issue for the industry. “Both Microsoft and Intel have been releasing regular OS and firmware updates to fix the problem that exposes on-premises and cloud-based Windows 10 machines to cyber attacks.” This particular update package includes the microcode update.
  • A vulnerability in the firmware of the Cisco UCS C-Series Rack Servers could allow an attacker to bypass UEFI Secure Boot validation checks and load a compromised software image on an affected device. “The vulnerability is due to improper validation of the server firmware upgrade images. An attacker could exploit this vulnerability by installing a server firmware version that would allow the attacker to disable UEFI Secure Boot.”

TOOLS

ADDITIONAL READING & LISTENING

  • Hear Eclypsium’s John Loucaides speak on Paul’s Security Weekly about how hackers are using firmware implants and backdoors to compromise enterprise security with attacks that are stealthy and persistent. 

FIRMWARE SECURITY WEBINARS

  • Rick Altherr, Principal Engineer, and Jesse Michael, Principal Researcher, discuss their latest research, Perilous Peripherals: Unsigned firmware in WiFi adapters, USB hubs, trackpads, laptop cameras and network interface cards.

UPCOMING ECLYPSIUM TRAINING

March 3, 2020

Join Eclypsium on March 3 for Anatomy of a Firmware Attack. In this webinar, Eclypsium explores the techniques of successful firmware attacks as they apply to stages of a kill chain. This webinar is designed to help you assess and defend enterprise devices from firmware and hardware threats.

March 14-16, 2020

During the upcoming hands-on training at CanSecWest 2020, Eclypsium’s Jesse Michael, Mickey Shkatov and Rick Altherr will teach you all about firmware implants: how they are made, how they work, and how to detect and defend against them. Participants will walk away with a UEFI and BIOS foundation to build on, an understanding of how to build a firmware implant and, lastly, how to search for and detect firmware implants.

1. Mar 14-15 Practical Firmware Implants.

2. Mar 16-17 Finding Firmware Implants.