April Firmware Threat Report

A disciplined process of firmware updates is an essential element of good cybersecurity hygiene but can be challenging for many enterprises. With the help of industry experts, Eclypsium has developed a new white paper that provides IT and security leaders with insights into firmware update management and guidance on best practices. Read our new report – Enterprise Best Practices for Firmware Updates and join us for a live webinar on April 7th.

INDUSTRY PERSPECTIVE

  • There’s Now COVID-19 Malware That Will Wipe Your PC and Rewrite Your MBR —  At least five malware variants have been identified. The most advanced, however, were two variants that rewrote the Master Boot Record (MBR). The first of the variants makes system unusable by modifying the MBR. For details read the report from SonicWall. The second variant’s primary function was to steal passwords from an infected host and then mimic ransomware to mask its real purpose. Read more about this strain here.
  • Rootkit in the Cloud: Hacker Group Breaches AWS Servers — Attackers used a rootkit to remotely gain access to AWS Windows and Linux servers allowing them the ability to retrieve sensitive corporate data. The article points out that it was “not an AWS problem per se. It represents a method of piggybacking C2 traffic on a legitimate traffic in a way that can bypass many, if not most, firewalls.” To read the full technical report, Cloud Snooper Attack Bypasses Firewall Security Measures, go here.
  • HPE Warns Firmware Bug Will Brick Some SSDs Starting in October This Year — Hewlett Packard Enterprise (HPE) issued a security advisory warning customers about a bug in the firmware of some SAS SSDs (Serial-Attached SCSI solid-state drives) that will fail after reaching 40,000 hours of operation. To read the HPE advisory go here
  • A Mysterious Hacker Group is Eavesdropping on Corporate Email and FTP Traffic —Researchers detected two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor — load-W routers and VPN gateways typically deployed on enterprise networks. Read the report from DrayTek here. (CVE-2020-8515)
  • Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign —  “Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide.” APT41 is using firmware based vulnerabilities in their campaign, which allows them to compromise Cisco routers via CVE-2019-1652.
  • New Android Malware Strain Sneaks Cookies from Facebook — Kaspersky Lab researchers have linked Cookiethief malware with widespread Trojans including Sivu, Triada, and Ztorg. This type of malware, they say, is planted in the device firmware before it’s purchased. Attackers can also leverage vulnerabilities in the operating system to put the malware in system folders, where it can download different applications onto the system. This is how programs like Cookiethief and Youzicheng can land on a target device.
  • FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS —FIN7 hackers are mailing USB drives via USPS to numerous businesses where they target employees in human resources, IT, or executive management departments.These malicious USB devices sometimes include “gifts” like teddy bears or gift cards. Drives are then configured to emulate keystrokes that launch a PowerShell command to retrieve malware from a server controlled by the attacker, which then diverts the USB device contacts to domains or IP‌ addresses in Russia.
  • Hackers are Hijacking Router to Push Malware-Laden Covid-19 Apps  — Hackers have begun targeting home and small office routers with presumably weak passwords to change the DNS settings and redirect users to malicious websites masquerading as legitimate resources for Covid-19. Read more about research from Bitdefender here
  • Rare BadUSB Attack Detected in the Wild Against US Hospitality Provider —  A USB thumb drive (BadUSB) functions as a keyboard when connected to a computer, where it emulates keypresses to launch various automated attacks.” Once they plugged the BadUSB into a test workstation, the BadUSB triggered a series of automated keypresses that launched a PowerShell command.This Powershell command downloaded a bulkier PowerShell script from an internet site and then installed malware on the test machine — a JScript-based bot.” Read the full report here
  • Zyxel Flaw Powers New Mirai IoT Botnet Strain —  Named Mukashi, the botnet takes advantage of a vulnerability (CVE-2020-9054) in Zyxel NAS devices running firmware version 5.21 that allows remote attackers to execute code. According to researchers at Palo Alto Networks, “cyber criminals are actively attempting to exploit the attack in the wild.” 
  • Windows 10 Secured-Core PCs Can Block Driver-Abusing Malware — The Secured-code PCs can defend against malware that leverages vulnerable kernel drivers in live-off-the-land attacks highlighted in recent Screwed Drivers research by Eclypsium.
  • Securing the stack – A 2020 Imperative — Steve Orrin, CTO at Intel Federal, provides guidance for government agencies protecting their data and systems from firmware hacks. 
  • Proof of Concept Released for kr00k Wi-Fi Vulnerability — kr00k has been estimated to have had an impact on well over 1 billion Wi-Fi capable devices, including some from Apple, Amazon, Google, Samsung and Xiaomi. Device owners are urged to be sure that their devices have been updated to the latest operating system and firmware releases.
  • Update your Lenovo ThinkPad X1 Carbon BIOS or be prepared to wait 6 hours for a full charge — Six hours is a little long to full charge, but there is an easy fix. You need to launch the included Lenovo Vantage software and run the system updates to download and install the latest Thunderbolt 3 and BIOS drivers for the laptop. After a system restart, recharging from empty to full capacity will take about 1.5 hours only. For the full take on the ThinkPad X1 Carbon, see the review here.

FIRMWARE SECURITY RESEARCH

FIRMWARE SECURITY ADVISORIES

  • Millions of Routers Running OpenWRT Vulnerable to Attack — The open source operating system for Linux is vulnerable via its package manager, which could allow attackers to compromise the embedded and networking devices running it. (CVE-2020-7982)
  • High-Severity Flaws Plague Intel Graphics Drivers — Intel has issued security patches for six high-severity vulnerabilities in its Windows graphics drivers which, if exploited, could enable escalation of privilege, denial of service (DoS) and information disclosure.
  • TRRespass (CVE-2020-10255) — Any Rowhammer or derivative attacks, such as the new TRRespass technique, require that an attacker be able to locally execute malicious code against the targeted system.  The recommendations for IT teams is to follow good security practices including keeping firmware up to date and gaining insight into your hardware and firmware attack surfaces.
  • Critical Netgear Bug Impacts Flagship Nighthawk Router — Outdated firmware impacts many Nighthawk routers and other Netgear routers and modems. Netgear is urging customers to visit its online support page and search by device model for the most recent firmware to update and patch your devices.

TOOLS

ADDITIONAL READING & LISTENING

ECLYPSIUM WEBINARS

Enterprise Best Practices for Firmware Updates — Does your organization have a disciplined process for firmware updates? It’s essential for device integrity, but a challenge for most companies. Learn the steps security and IT leaders can take to build a safe and reliable firmware update process in this webinar featuring Eclypsium’s VP R&D, John Loucaides, and CISO, Steve Mancini. April 7, 2020 at 10:00 A.M. PDT. REGISTER>

Detecting & Defeating Persistent Attacks — System firmware and dozens of other components that contain millions of lines of firmware are vulnerable to attacks that have capabilities which persist and survive operating system reinstalls and even hard drive replacements. These attacks can go unnoticed by traditional security and can provide access to high-value targets allowing the highest of privilege. Moreover, cleaning a system’s firmware means re-flashing it, an operation not quickly done nor guaranteed. In this webinar, Eclypsium’s VP Product, Ron Talwalkar and Principal Researcher, Jesse Michael, will discuss persistent attacks, what are the vulnerabilities and techniques that lead to these attacks and how the Eclypsium solution can help defend against these types of threats. April 16, 2020 at 10:00 A.M PDT. REGISTER>

Anatomy of a Firmware Attack — Attacks against the hardware and firmware of a device stand as some of the highest impact threats facing modern organizations. With insight into the anatomy of firmware attacks and how they work, organizations can make informed decisions to better defend their data and assets. Listen to this recorded webinar with John Loucaides, VP R&D and Ron Talwalkar, VP Product as they discuss this critical topic.  LISTEN>