Beware the Ides of March. On the heels of the ongoing SUNBURST supply chain campaign, several other impactful campaigns came into full light this month. While the Halfnium MS Exchange attacks dominated headlines, there were other equally disturbing supply chain revelations like the damaging Accellion FTA device extortion campaign. This was carried out by the Russian TA505 (aka ‘CLOP’ group), who set aside their own ransomware in favor of a much more direct technique: targeting the firmware of hundreds of devices to exfiltrate files and extort victims.
Never down for the count, the TrickBot group raised eyebrows with yet another massive campaign, with CISA releasing an alert making direct mention of TrickBot’s UEFI-targeting TrickBoot module. This alert coincided with an eye-opening report from Switzerland that ties the recent SolarWinds activity to a host of potential criminal actors, ranging from TrickBot, to EvilCorp, to TA505/CLOP. Shared infrastructure and tactics across these groups further illustrates the convergent trend between APT and criminal actor activity.
The initial #Boothole GRUB2 vulnerability has led to follow-on research, discovery of eight more CVE’s, and mitigations focused around new functionality that reduces the size of revocation lists via “Secure Boot Advanced Targeting” or SBAT. This is a new feature in the shim allowing for revocation of entire generations of grub that are found to be vulnerable as a group instead of each one individually. Organizations continue working hard to identify and patch these critical vulns that allow attackers to bypass Secure Boot on both Windows and Linux devices.
Actors targeting firmware abound in March, from Keksec leveraging Citrix Netscaler RCE’s to Fbot targeting transportation device firmware, to crypto-miners hitting storage devices, and researchers cracking into 150,000 security cameras. The hardware threat landscape is also developing, with working POC exploits for Spectre leaked in an exploit pack, along with researchers demonstrating a browser-memory Spectre-based POC. Bad guys can even launch side-channel attacks against Intel CPU’s while leveraging machine learning to de-noise traces and leak bits.
Last but not least, F5’s Big-IP devices are back in the news again with 21 new CVEs making them vulnerable to an exploit-chain resulting in full RCE (remote code execution) based on the latest CVE-2021-22986. Exploit attempts are already in the wild, so patch these device firmware vulns soonest. Nearly all of the Fortune 50 run F5 devices and so do governments and ISPs. RCE POC is here. Video demonstration here.
And March isn’t even over.
Critical F5 BIG-IP Flaw Now Under Active Attack
“Researchers are reporting mass scanning for – and in-the-wild exploitation of – a critical-severity flaw in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure.”
- SilverFish Group Threat Actor Report – Tying Trickbot to TA505, SolarWinds, and other actor/campaign activity (TLP:WHITE version)
- New Chinese ICS Threat Activity Group: VANADINITE exploits Citrix ADC, SD-WAN, Gateway, and WANOP Device Firmware Bugs
- CISA TrickBot Malware Advisory – (Includes Reference to Eclypsium Co-lead “TrickBoot” UEFI-Targeting Discovery and Research)
- The Accellion FTA Firmware Breach Keeps Getting Worse—and More Expensive
- February 2021’s Most Wanted Malware: Trickbot Takes Over Following Emotet Shutdown
- Hackers Breach Thousands of Security Cameras via Firmware, Exposing Tesla, Jails, Hospitals
- NurseryCam hacked, company shuts down IoT camera service
- Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack
- Keksec group is actively exploiting Citrix NetScaler firmware RCE (CVE-2019-19781)
- Crypto-Miner Campaign Targets Unpatched QNAP NAS Devices
- Researchers Unearth Links Between SunCrypt and QNAPCrypt Ransomware
- Two ransomware strains target VMware’s ESXI hypervisor
- First Fully Weaponized Spectre Exploit Discovered Online | The Record by Recorded Future
- Global Accellion FTA firmware data breaches linked to Clop ransomware gang
- Fbot is now riding the traffic and transportation smart devices
- Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks
- Critical Firmware Security Hole Can Knock Smart Meters Offline
- IC3 2020 Internet Crime Report
- Global 5 O&G Company a victim of Accellion FTA Firmware Extortion Attacks
Intel Supports Biden Administration Order on Supply Chains
“Today’s Executive Order can help reinforce the urgency of the work started in Congress with the bipartisan Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Act.”
- AMD and Microsoft Secured-Core Server
- Lattice Semiconductor Updates Solutions Stack With MVision 2.0 And Sentry 2.0
Multiple Vulnerabilities in GNU GRUB
“It was discovered that multiple vulnerabilities existed in GNU GRUB, that could potentially lead to the ability to bypass UEFI Secure Boot restrictions …”
- A security update for grub2 is now available for Red Hat Enterprise Linux 7.6 Extended Update Support.
- Cisco Releases Several Security Updates
- Netgear R7800 RCE #1, Netgear R7800 RCE #2, Netgear R7800 RCE #3
- Critical authentication bypass flaw affects the entire Logix device product line
- F5 Big IP – ASM arbitrary code execution stack-based buffer overflow
- F5 K02566623: Overview of F5 vulnerabilities (March 2021)
- Exploitable remotely/low skill level to exploit Vendor: GE Equipment: UR Family
- SonicWall Releases Second Set of February Firmware Patches
- Full List of all 117 GRUB patches
- This Netgear SOHO switch has 15 – count ’em! – vulns, which means you need to upgrade the firmware… now
- Cisco Warns of Critical Auth-Bypass Security Flaw
- Line 6 updates firmware behind Relay G10 wireless systems to prevent potential fire risk
- ELECTRICITY GRID CYBERSECURITY – DOE Needs to Ensure Its Plans Fully Address Risks to Distribution Systems (w/ reference to firewall firmware exploitation example)
- CISA Warns of Critical Security Flaws in GE Power Management Device Firmware
Lord of the Ring(s): Side Channel Attacks on the
CPU On-Chip Ring Interconnect Are Practical
“We introduce the first microarchitectural side channel attacks that leverage contention on the CPU ring interconnect …”
- A Spectre proof-of-concept for a Spectre-proof web
- Research spotlight: Hardware and embedded systems
- NCC Group’s 2020 Annual Research Report
- BIG IP Device Chainable RCE Research Updates: K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | AttackerKB
- Details on SBAT Development
- DD-WRT and Router Vulnerabilities
- Fuzzing Hardware Like Software
- An Interesting Feature in the Samsung DSP Driver
A Red Team Guide for a Hardware Penetration Test
“Using security risks from the Modern Open Web Application Security Project to help hack hardware.”
- 11 Ways to Prevent Hardware & Firmware Hacks
- Spectre vulnerability POC on Github
- Fuzzing Grub: Part 1
- Writing a Custom Bootloader
APT & Criminal Attackers Converge Below the Surface
Both criminal and Advanced Persistent Threat actors have been leveraging each other’s techniques, tactics, and procedures (TTP’s) for quite some time. Yet, as we look upon the 2021 threat landscape, there are two alarming trends that are rapidly unfolding, and for which organizations are not yet prepared: 1) the convergence of nation-state and criminal focus on the advantages of targeting firmware, and 2) the impacts and advantages to attackers associated with supply chain campaigns. 2020 saw both the alarming discovery of TrickBoot (criminal ransomware group’s UEFI-targeting module) as well as the SUNBURST and Accellion supply chain campaigns that continue to unfold. Now that those TTP’s have been burned, and those actors need to adapt, what do we need to anticipate and prepare for, ahead of this firmware convergence in the threat landscape? Finally, we’ll lean in to anticipate what comes next, if 2020’s activity has been an indicator of what is to come.