This month’s top story in the threat landscape boils down to one word: TrickBoot. Put simply: the most prominent and dangerous criminal malware apparatus behind the TrickBot toolset (yes, the same campaigns that lead to the destructive Ryuk and Conti ransomware that’s netted the group over $150m in the last few years) now has a new capability aimed at firmware reconnaissance on any Intel host that is impacted by TrickBot. Our analysis is that there are hundreds of thousands of such infected hosts on any given Sunday.
Collaborative research between Vitali Kremez of Advanced Intelligence and Eclypsium’s Jesse Michael and Scott Scheferman found the following: the TrickBot authors, known for their ability to develop and expand the functionality of the toolset’s codebase, have, for now, targeted the same vulnerability that LoJax exploited, reusing portions of an open-source project that lets an attacker “read and write everything” at the firmware level. Our research shows that the code for this new TrickBoot module is one line away from being able to erase or corrupt the UEFI firmware and brick a device.
We estimate that millions of vulnerable devices are already out there, and that hundreds of thousands of active TrickBot infections exist on any given day, spread across the critical infrastructure, health, finance, and telecom industries. This same toolset (TrickBot) has been reported to have been used by other “vetted customers” of the same group, North Korea being one of them. Last month we covered MosaicRegressor, where, after five whole years of the shared Vector-EDK UEFI code being publicly available, only one instance of its use in a campaign had ever been discovered. A month later, we are looking at a crimeware powerhouse with a massive distribution system (Emotet), resilient infrastructure, and the ability for TrickBot actors to perform automated reconnaissance in any target environment for firmware that can be bricked, or implanted with a persistence module or other payloads.
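The condition TrickBoot’s reconnaissance looks for is the one LoJax abused: an SPI flash BIOS region that software can write. The following is an added example, not code from the newsletter or from either research team, that evaluates that write-protection state from raw Intel PCH register values so a defender can audit a fleet; it assumes the older Intel PCH layout (BIOS_CNTL at LPC D31:F0 offset 0xDC with BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5; SPI Protected Range registers with WPE bit 31, limit bits 28:16, base bits 12:0 in 4 KiB units), so verify the field positions against the datasheet for your platform.

```python
# Added example (not from the newsletter): classify Intel PCH SPI flash
# write protection from register values read by a platform tool.
# Assumed layouts (older Intel PCH; confirm against your platform datasheet):
#   BIOS_CNTL: bit0 BIOSWE, bit1 BLE, bit5 SMM_BWP
#   PRx:       bit31 WPE, bits28:16 limit, bits12:0 base (4 KiB units)
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class BiosCntl:
    bioswe: bool   # BIOS Write Enable: 1 = writes to the BIOS region allowed
    ble: bool      # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI the firmware can veto
    smm_bwp: bool  # SMM BIOS Write Protect: 1 = writes only while all cores are in SMM

def decode_bios_cntl(value: int) -> BiosCntl:
    return BiosCntl(bool(value & 1), bool((value >> 1) & 1), bool((value >> 5) & 1))

def decode_pr(value: int) -> Tuple[bool, int, int]:
    """Return (write_protect_enabled, base, limit) as inclusive flash byte addresses."""
    wpe = bool((value >> 31) & 1)
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF   # low 12 bits of limit are implied 1s
    return wpe, base, limit

def bios_region_covered(prs: List[int], bios_base: int, bios_limit: int) -> bool:
    """True if the write-protected PR ranges cover [bios_base, bios_limit] with no gap."""
    ranges = sorted((b, l) for wpe, b, l in map(decode_pr, prs) if wpe)
    cursor = bios_base
    for b, l in ranges:
        if b > cursor:          # gap before this range: region is not fully covered
            break
        cursor = max(cursor, l + 1)
    return cursor > bios_limit

def assess(bios_cntl: int, prs: List[int], bios_base: int, bios_limit: int) -> str:
    """Summarise whether the BIOS region is writable from the OS."""
    c = decode_bios_cntl(bios_cntl)
    if bios_region_covered(prs, bios_base, bios_limit):
        return "protected: PR registers cover the BIOS region"
    if c.ble and c.smm_bwp:
        return "protected: BLE and SMM_BWP set (writes restricted to SMM)"
    if c.bioswe:
        return "WRITABLE: BIOSWE set and no PR coverage"
    if not c.ble:
        return "WRITABLE: BIOSWE clear but BLE unset, so software can re-enable writes"
    return "partial: BLE set without SMM_BWP (relies on the SMI handler to veto writes)"

if __name__ == "__main__":
    # Constructed sample: 8 MiB flash with a 2 MiB BIOS region at 0x600000
    print(assess(0x22, [], 0x600000, 0x7FFFFF))
    print(assess(0x01, [], 0x600000, 0x7FFFFF))
    print(assess(0x00, [0x87FF0600], 0x600000, 0x7FFFFF))
```

Feed it the values your platform tool reads from the chipset; the "WRITABLE" and "partial" results are the configurations worth remediating through a firmware update or vendor setting.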
Join AdvIntel and Eclypsium for a live webinar exploring the implications of TrickBot’s foray into firmware on December 9, 2020.
THREATS IN THE WILD
- Ars Technica – One of the Internet’s most aggressive threats could take UEFI malware mainstream
- Wired – The Internet’s Most Notorious Botnet Has an Alarming New Trick
- CSO Online – TrickBot gets new UEFI attack capability that makes recovery incredibly hard
- Hackers Are Targeting US Think Tanks
- The Threat Actor “pumpedkicks” shared a list of 49,577 IPs vulnerable to Fortinet SSL VPN CVE-2018-13379
- Walmart-exclusive router and others sold on Amazon & eBay contain hidden backdoors to control devices
- Dell announces new protections for its PC and server supply chain
- What are the biggest hardware security threats?
- System Management Mode deep dive: How SMM isolation hardens the platform
- Building A More Resilient ICT Supply Chain: Lessons Learned During The Covid-19 Pandemic
- Anchoring Trust: A Hardware Secure Boot Story
- Four myths about the cloud: The geopolitics of cloud computing
- Updated Security Bulletin: AMI Baseboard Management Controller (BMC) Firmware Vulnerabilities in NVIDIA DGX-1, DGX-2, and DGX A100 Servers (now includes hard-coded creds)
- Multiple remote vulnerabilities in Synology Router Manager Firmware
- Zyxel UTM and VPN series of gateways impacted by vulnerability
- Hackers can use just-fixed Intel bugs to install malicious firmware on PCs
- PLATYPUS: Software-based Power Side-Channel Attacks on x86
- Whitepaper about internals of Intel CSME technology
- NAT Slipstreaming: A New NAT/Firewall Bypass Attack Lets Hackers Access Any TCP/UDP Service by Exploiting Bugs in NAT/Firewall Device Firmware OS
- Vulnerabilities of Machine Learning Infrastructure – by Sergey Gordeychik
- Bugs in Critical Infrastructure Gear Allow Sophisticated Cyberattacks
- The Perfect Weapon, Hidden in Plain Sight: A Study on How the Espressif Wi-Fi and BLE Chips and Modules can be Weaponized for Espionage, Disruption, and Destruction
- New Platypus attack can steal data from Intel CPUs
- New NAT/Firewall Bypass Attack Lets Hackers Access Any TCP/UDP Service
- Nvidia Warns Windows Gamers of GeForce NOW Flaw
- Flaw allowed iPhone hacking remotely through wi-fi
- Sleep Attack: Intel Bootguard vulnerability waking from S3
- Challenge completed! Successfully sniffed the BitLocker key from the SPI bus, and decrypted the drive.