May Firmware Threat Report

Subscribe to Eclypsium’s Threat Report

Part two of Eclypsium’s series on best practices for firmware updates focuses on the tools and techniques used by the enterprise IT teams tasked with implementing update processes. This paper provides a high-level comparison across multiple vendors and technologies to help IT and security teams understand the differences between some of the tools and techniques being used today. READ >


  •  Chinese Hacking Group “APT41” Is Using a New Speculoos Backdoor — APT41 has exploited, yet again, CVE-2019-19781. This time APT41 uses a new malware backdoor, Speculoos, to laterally move in corporate networks as the group targets devices that have access to a large number of systems. Speculoos also enables APT41 to modify network traffic, which then opens the door to the possibility of additional payload injection or man-in-the-middle attacks. This malware is hard to detect on Citrix appliances, and it will persist. These devices most likely aren’t inspected regularly or at all. Organizations with a complete hardware inventory can proactively identify and protect devices from threats hidden within.
  • There’s Now COVID-19 Malware That Will Wipe Your PC and Rewrite Your MBR — At least five malware strains are identified, some already distributed in the wild. The two most advanced samples rewrite Master Boot Loader (MBR). One of the rewriters infects a computer and then goes through two infection stages. Phase one, users see a window pop up that they can’t close because the malware has also disabled the Windows Task Manager. While users focus on the window that pops up, attackers quietly rewrite the MBR. Read the report from SonicWall. Researchers also discovered a second version, but this time, the malware kept the MBR-rewriting capabilities but replaced the data wiping feature with a functional screen-locker. 
  • Mootbot Botnet Targets Fiber Routers with Dual Zero-Days — According to malware analysts, the Moobot botnet first appeared in March 2020. The cybercriminals behind Moobot expanded their original targets by going after fiber routers that are vulnerable to two zero-day exploits. The first zero-day is a “remote code-execution bug with a public proof-of-concept (PoC) exploit.” According to researchers, to successfully compromise a target router, it must be “paired with a second vulnerability.” No details are provided on this second zero-day, but users of fiber-based routers are recommended to inspect regularly and update their device firmware.
  • Previously Undetected VictoryGate Botnet Already Infected 35,000 Devices — Researchers have recently discovered a botnet called VictoryGate, which is mostly observed in the Latin American region. The main activity of the botnet is mining cryptocurrency. The only way to spread VictoryGate is through removable devices — in this case, a USB drive. The drive will appear normal to the victims, but when they attempt to open a file the script launches both the intended file and the initial module of the botnet, which achieves persistence at the next reboot. Recently, Eclypsium provided a webinar on the topic of Detecting and Defeating Persistent Attacks.
  • Dark Nexus, A New IoT Botnet That Targets A Broad Range of Devices — This botnet advances by using exploits against a broad range of IoT devices, including routers from Dasan Zhone, Dlink, and ASUS. According to Bitdefender, “the way some of its modules were developed makes it significantly more potent and robust” than other botnets. Read the white paper by Bitdefender that provides details about how Dark_Nexus works. 


  • Uncovering OpenWRT Remote Code Execution (CVE-2020-7982) — Open-source router software OpenWRT could enable attackers to insert malicious software onto routers in place of legitimate firmware updates. OpenWRT provides a freely available package as an alternative to the firmware that comes installed on their devices (routers, laptops, desktop PCs). Researcher Guido Vranken walks readers through his workflow for uncovering OpenWRT’s remote code execution vulnerability. Additional information can be found in the security advisory from OpenWRT Project.  
  • The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs — Xilinx’s field-programmable gate arrays (FPGA) are attackable by the new Starbleed vulnerability. Researchers introduced the attacks that broke the bitstream encryption and circumvented protections, resulting in the total loss of confidentiality and authenticity. Earlier this year, Eclypsium demonstrated how direct memory access (DMA) attacks bypass firmware secure boot on modern enterprise laptops — highlighting one potential way to use compromised bitstream on vulnerable FPGAs.
  • Cisco IP Phone Harbors Critical RCE Flaw — Earlier this month, Cisco released 10 security advisories addressing critical and high-severity flaws. The first critical flaw is in the webserver of its IP phones. The exploit code for the vulnerability (CVE-2020-3161) was posted on GitHub, which led to Cisco issuing patches in its recent advisory. Organizations need a way to reassure themselves of the health and integrity of different types of devices within the enterprise IT environment. endpoint and network devices.
  • VMware gives its vCenter Server a Common Vulnerability Scoring System (CVSS) rating of 10 for a sensitive information disclosure vulnerability in the server’s VMware Directory Service (vmdir) (CVE-2020-3952). 
  • The Intel Converged Security and Management Engine IOMMU Hardware Issue — Intel recently issued a whitepaper focusing on CVE-2019-0090, a vulnerability in the Intel Converged Security Management Engine (CSME), which was first disclosed in May of 2019. The paper helps explain how the CSME and Input Output Memory Management Unit (IOMMU) can be exploited, while also providing other educational pointers for addressing CVE-2019-0090. 
  • V0LTpwn: Attacking x86 Processor Integrity from Software — Interesting research from Technische Universität Darmstadt, Germany, and the University of California, Irvine. The researchers introduced V0LTpwn, “novel hardware oriented but a software-controlled attack,” that threatens the integrity of computation in virtually any execution mode x86 processors. The researchers claim that “V0LTpwn is the first software-controlled fault injection attack for the x86 platform.” Using targeted “undervolting” from malicious software, this technique changes the “computational results and affects the processor execution in victim software at run time.”  


  • Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking — Details of a novel attack method named Thunderspy, which takes advantage of vulnerabilities related to Thunderbolt protocol security, were published by researchers from the Netherlands. For the vulnerabilities details, read the full report. Thunderspy is essentially an evil maid attack requiring only a few minutes of access to an unattended computer. Evil maid attacks aren’t new, but it demonstrates how easily it is to by pass”security levels.” The researcher unscrewed the bottom of a laptop to gain access to the Thunderbolt controller and then attached an SPI programmer device and rewrites the firmware of the chip. This type of attack leaves no trace of intrusion and takes only a few minutes. Eclypsium has demonstrated how easily an evil maid attack can be carried out – in less than five-minutes by physically accessing a Windows machine. View our demonstration here
  • DHS CISA and FBI Share List of Top 10 Most Exploited Vulnerabilities — The alert was issued to assist both private and public-sector organizations with the prioritization of patching known vulnerabilities exploited by sophisticated foreign cyber actors between 2016 and 2019. The alert also looks at the commonly exploited vulnerabilities so far in 2020. Unfortunately for Citrix, its virtual private network (VPN) appliances and Pulse Secure VPN servers are at the top of the list.
  • Three Firmware Blind Spots Impacting Security — “Recognizing firmware as an asset in your organization’s threat model and establishing the security objectives towards confidentiality, integrity, and availability (CIA) is a good first step.” Additionally, the author, Maggie Jauregui, Security Researcher at Intel Corp., points to updating firmware and platform misconfigurations as other ways that can impact device security. System firmware and dozens of other components contain millions of lines of firmware that can be vulnerable to attacks. Eclypsium recently completed a report that gives IT and security professionals insights into firmware update management and guidance on best practices.
  • Cybersecurity Prevention Can Save Your Company $682K — A recent report from the Ponemon Institute surveyed more than 600 IT and IT security professionals. The report identifies that most organizations focus on detection, containment, recovery, and remediation, and that 82% of attack costs go toward these areas. Prevention is lower on the list. “Zero-day attacks, where vulnerabilities in software or firmware are exploited by hackers before they are commonly known or a patch is available, cost, on average, $1.2 million. If prevented, it could save the organization $1.1 million.” Learn how to assess your risks and prevent future threats in our primer on Assessing Enterprise Firmware Security Risks in 2020


  • NGA, NRO Managing Cyber Risk Through More Data-Driven, Collaborative Approaches — The intelligence community is putting a particular emphasis on reducing threats to the technology supply chain. In February, the National Counterintelligence and Security Center issued its 2020-2022 initiative, which lists minimizing the threats to the supply chain as one of the objectives. For supply chain risk management (SCRM), a full-spectrum approach is necessary — an approach that spans the evaluation and acquisition of new hardware and firmware and continues to ensure the integrity of devices throughout the technology lifecycle.
  • Protecting Device Integrity in the Supply Chain — Weak links in the technology supply chain allow for a device to be compromised. A vulnerability in any of the numerous hardware components within a device lets cyber criminals modify the firmware and insert a malicious implant. Learn how to improve the integrity of your device supply chain in a panel discussion with Richard M. (Dickie) George, Senior Advisor for Cyber Security at the Johns Hopkins University Applied Physics Lab; Dr. Edward Amoroso, CEO of research and advisory firm TAG Cyber; Andrew Regenscheid, Lead for Hardware-Rooted Security in the Computer Security Division at the National Institute of Standards and Technology (NIST); and Dr. Yuriy Bulygin, CEO and founder of Eclypsium. WATCH >
  • ISE Fireside Webinar: Mitigating Device Security in Data Centers, Remote Use & Supply Chains — Lacking visibility into firmware and hardware attack surfaces leaves enterprises at risk of device failures, ransomware, and data breaches. Listen to Yuriy Bulygin Founder & CEO Eclypsium, Robert Mims Director Security The Southern Company, Mario Chiok Fellow, and Executive Cyber Security Advisor Schlumberger International, and moderator Marci McCarthy CEO and President of T.E.N. discuss this issue. WATCH
  • Danny Palmer, senior reporter for ZDNet, discusses a hacking campaign that has been exploiting unpatched Linux servers for almost a decade. VIEW >
  • Detecting & Defeating Firmware Persistent Attacks — System firmware and dozens of other components that contain millions of lines of firmware are vulnerable to attacks that have the capability to persist. Most enterprises are missing the visibility and the device integrity needed for a comprehensive device protection plan. LISTEN >
  • Enterprise Best Practices for Firmware Updates — Does your organization have a disciplined process for firmware updates? It’s essential for device integrity, but a challenge for most companies. Eclypsium’s VP R&D John Loucaides and CISO Steve Mancini discuss the steps security and IT leaders can take to build a safe and reliable firmware update process. LISTEN >