March Firmware Threat Report

Below the Surface April 2021 Threat Report
Subscribe to Eclypsium’s Threat Report

Beware the Ides of March. On the heels of the ongoing SUNBURST supply chain campaign, several other impactful campaigns came into full light this month. While the Halfnium MS Exchange attacks dominated headlines, there were other equally disturbing supply chain revelations like the damaging Accellion FTA device extortion campaign. This was carried out by the Russian TA505 (aka ‘CLOP’ group), who set aside their own ransomware in favor of a much more direct technique: targeting the firmware of hundreds of devices to exfiltrate files and extort victims. 

Never down for the count, the TrickBot group raised eyebrows with yet another massive campaign, with CISA releasing an alert making direct mention of TrickBot’s UEFI-targeting TrickBoot module. This alert coincided with an eye-opening report from Switzerland that ties the recent SolarWinds activity to a host of potential criminal actors, ranging from TrickBot, to EvilCorp, to TA505/CLOP. Shared infrastructure and tactics across these groups further illustrates the convergent trend between APT and criminal actor activity. 

The initial #Boothole GRUB2 vulnerability has led to follow-on research, discovery of eight more CVE’s, and mitigations focused around new functionality that reduces the size of revocation lists via “Secure Boot Advanced Targeting” or SBAT. This is a new feature in the shim allowing for revocation of entire generations of grub that are found to be vulnerable as a group instead of each one individually. Organizations continue working hard to identify and patch these critical vulns that allow attackers to bypass Secure Boot on both Windows and Linux devices.

Actors targeting firmware abound in March, from Keksec leveraging Citrix Netscaler RCE’s to Fbot targeting transportation device firmware, to crypto-miners hitting storage devices, and researchers cracking into 150,000 security cameras. The hardware threat landscape is also developing, with working POC exploits for Spectre leaked in an exploit pack, along with researchers demonstrating a browser-memory Spectre-based POC. Bad guys can even launch side-channel attacks against Intel CPU’s while leveraging machine learning to de-noise traces and leak bits. 

Last but not least, F5’s Big-IP devices are back in the news again with 21 new CVEs making them vulnerable to an exploit-chain resulting in full RCE (remote code execution) based on the latest CVE-2021-22986. Exploit attempts are already in the wild, so patch these device firmware vulns soonest. Nearly all of the Fortune 50 run F5 devices and so do governments and ISPs. RCE POC is here. Video demonstration here.

And March isn’t even over.

Threats in the Wild

Critical F5 BIG-IP Flaw Now Under Active Attack

“Researchers are reporting mass scanning for – and in-the-wild exploitation of – a critical-severity flaw in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure.”

Read More >

Industry News

Intel Supports Biden Administration Order on Supply Chains

“Today’s Executive Order can help reinforce the urgency of the work started in Congress with the bipartisan Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Act.”

Read More >

Security Advisories

Multiple Vulnerabilities in GNU GRUB

“It was discovered that multiple vulnerabilities existed in GNU GRUB, that could potentially lead to the ability to bypass UEFI Secure Boot restrictions …”

Read More >

Security Research

Lord of the Ring(s): Side Channel Attacks on the
CPU On-Chip Ring Interconnect Are Practical

“We introduce the first microarchitectural side channel attacks that leverage contention on the CPU ring interconnect …”

Read More >

Tools and Education

A Red Team Guide for a Hardware Penetration Test

“Using security risks from the Modern Open Web Application Security Project to help hack hardware.”

Read More >

Webinars and Events
APT and Criminal Attackers Converge Below the Surface

APT & Criminal Attackers Converge Below the Surface

Both criminal and Advanced Persistent Threat actors have been leveraging each other’s techniques, tactics, and procedures (TTP’s) for quite some time. Yet, as we look upon the 2021 threat landscape, there are two alarming trends that are rapidly unfolding, and for which organizations are not yet prepared: 1) the convergence of nation-state and criminal focus on the advantages of targeting firmware, and 2) the impacts and advantages to attackers associated with supply chain campaigns. 2020 saw both the alarming discovery of TrickBoot (criminal ransomware group’s UEFI-targeting module) as well as the SUNBURST and Accellion supply chain campaigns that continue to unfold. Now that those TTP’s have been burned, and those actors need to adapt, what do we need to anticipate and prepare for, ahead of this firmware convergence in the threat landscape? Finally, we’ll lean in to anticipate what comes next, if 2020’s activity has been an indicator of what is to come. 

Join us>