April 2021 Firmware Threat Report
April has been a month of awakening. The highest levels of government and some of the most influential tech companies in the industry have made it clear: we have crossed a threshold of threat activity that now demands new policies, solutions, and a call to action. Specifically, those threats take the form of supply chain and device firmware vectors that haven’t received the attention they’ve deserved until now.
Amidst much-increased firmware attack activity, Microsoft released a first-of-its-kind report highlighting a severe lack of visibility and automation in the firmware security space. With over 80% of businesses experiencing a firmware attack in the last two years, business leaders are worried about malware accessing firmware, and the unique impact scenarios this presents. HP released a report entitled Into the Web of Profit highlighting how “potentially more deadly threats come from the emergence of firmware attacks such as Lojax, which is able to situate itself at the deepest operating level – the so-called […] UEFI.”
The NSA, CISA, and the FBI issued a joint report highlighting five CVEs used by the Russian SVR (aka APT29) during recent supply chain attacks. Of note, more than half of those were firmware vulnerabilities in networking devices from Pulse, Fortinet and Citrix. Eclypsium customers leveraging our connected devices capability are able to discover those same three CVEs using our platform.
The Biden administration released a set of measures designed to impose costs on Russian actors and organizations responsible for, among other things, the SolarWinds attacks. The US Treasury went as far as sanctioning several Russian cyber companies, including the $1B firmware/exploit powerhouse Positive Technologies. This same organization is also referred to as ENFER in the Atlantic Council’s report on their capabilities; the link between the two names was drawn in this piece by Kim Zetter and in Ryan Naraine’s recent newsletter.
Microsoft will remove Positive Technologies from its MAPP program. Given that it was only 10 years ago that a Russian spy who used to work at one of the companies just sanctioned by the US Treasury (NeoBit) was spying inside Microsoft as an employee, this move couldn’t have come soon enough.
The ongoing attacks involving a 0-day vulnerability in Pulse Secure devices were attributed to the Chinese group APT5. If the above wasn’t enough to convince you that device firmware threats have gone mainstream, the actors behind the wave of attacks on Accellion FTA devices just got their own exposé in VICE magazine.
When it comes to addressing both supply chain and threat actor risks associated with enterprise devices, it all starts with the main thing that’s been lacking: deep, independent (not tied to the vendor) visibility into the firmware and hardware-level vulnerabilities that have been flying under the radar. Newly discovered firmware vulnerabilities often open up entirely new classes of vulnerabilities. The ubiquitous BootHole vulnerability, for example, has led to significant follow-on research resulting in even more ways to bypass Secure Boot. This is why continuous monitoring is the first step in measuring and registering these risks, before they can even be mitigated or remediated. When the headlines say things like “No one saw the SolarWinds attacks coming”, it’s because, in part, no one even had the visibility to detect the vulnerabilities those actors used to gain entry into the supply chain. It’s time to stop flying blind. It’s time to awaken.