April has been a month of awakening. The highest levels of government and some of the most influential tech companies in the industry have made it clear: we have crossed a threshold of threat activity that now demands new policies, solutions, and a call to action. Specifically, those threats take the form of supply chain and device firmware vectors that haven’t received the attention they’ve deserved until now.
Amidst much-increased firmware attack activity, Microsoft released a first-of-its-kind report highlighting a severe lack of visibility and automation in the firmware security space. With over 80% of businesses experiencing a firmware attack in the last two years, business leaders are worried about malware accessing firmware, and the unique impact scenarios this presents. HP released a report entitled Into the Web of Profit highlighting how “potentially more deadly threats come from the emergence of firmware attacks such as Lojax, which is able to situate itself at the deepest operating level – the so-called […] UEFI.”
The NSA, CISA, and the FBI issued a joint report highlighting five CVE’s used by the Russian SVR (aka APT29) during recent supply chain attacks. Of note, more than half of those were firmware vulnerabilities in networking devices from Pulse, Fortinet and Citrix. Eclypsium customers leveraging our connected devices capability are able to discover those same three CVE’s using our platform.
The Biden administration released a set of measures designed to impose costs on Russian actors and organizations responsible for, among other things, the Solarwinds attacks. The US Treasury went as far as sanctioning several Russian cyber companies, including the $1B firmware/exploit powerhouse Positive Technologies. This same organization is also referred to as ENFER in the Atlantic Council’s report on their capabilities, having been linked in this piece by Kim Zetter and in Ryan Naraine’s recent newsletter.
Microsoft will remove Positive Technologies from it’s MAPP program. Given it was only 10 years ago that a Russian spy that used to work at one of the companies just sanctioned by the US Treasury (NeoBit) was spying inside of Microsoft as an employee, this move couldn’t have come soon enough.
Chinese group APT5 was attributed to the ongoing attacks involving a 0-day vulnerability in Pulse Secure devices. If the above wasn’t enough to convince you that device firmware threats have gone mainstream, the actors behind the Accellion FTA device wave of attacks just got their own exposé in VICE magazine.
When it comes to addressing both supply chain and threat actor risks associated with enterprise devices, it all starts with the main thing that’s been lacking: deep, independent (not tied to the vendor) visibility into the firmware and hardware-level vulnerabilities that have been flying under the radar. Newly discovered firmware vulnerabilities often bring about entire new classes of vulnerabilities. The ubiquitous BootHole vulnerability, for example, has led to significant follow-on research resulting in even more ways to bypass Secure Boot. This is why continuous monitoring is the first step in both measuring and registering these risks, let alone mitigating or remediating them. When the headlines say things like “No one saw the SolarWinds attacks coming”… it’s because, in part, no one even had the visibility to detect the vulnerabilities those actors used to gain entry into the supply chain. It’s time to stop flying blind. It’s time to awaken.
China-linked hackers used VPN flaw to target U.S. defense industry -researchers
“At least two groups of China-linked hackers have spent months using a previously undisclosed vulnerability in American virtual private networking devices to spy on the U.S. defense industry …”
- Russian SVR Targets U.S. and Allied Networks
- Meet the Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever
- How a VPN vulnerability allowed ransomware to disrupt two manufacturing plants
- FBI: APTs Actively Exploiting Fortinet VPN Security Holes
- Hackers Are Targeting U.S. Banks, And Hardware May Give Them An Open Door
- High-Tech Heist: Chinese Government, IT Vendors, and the Threat to US Banks
- Legacy QNAP NAS Devices Vulnerable to Zero-Day Attack
- FS-ISAC Report Finds Cybercriminals and Nation-State Actors are Converging, Increasing Cross-Border and Supply Chain Attacks
- A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack
HP “Into the Web of Profit” Report
“There has been a steady upwards trajectory in the severity, openness and variety of Nation State cyber activities over the past twenty years.”
- Supply chain risk: Addressing a multitude of single points of failure
- FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian Government
- Intel 2020 Product Security Report
- 80% of Global Enterprises Report Firmware Cyberattacks
- Should firms be more worried about firmware cyber-attacks?
- 100 Million More IoT Devices Are Exposed—and They Won’t Be the Last
New Bugs Could Let Hackers Bypass Spectre Attack Mitigations On Linux Systems
“[T]wo new vulnerabilities in Linux-based operating systems that, if successfully exploited, could let attackers circumvent mitigations for speculative attacks such as Spectre.”
- SA44784 – 2021-04: Out-of-Cycle Advisory: Pulse Connect Secure RCE Vulnerability (CVE-2021-22893)
- NSA report on Russian SVR Exploiting 3 CVE’s that are Device Firmware Vulns (and 2 others)
- CISA: Patch These Three Fortinet Bugs Now to Avoid Compromise
- D-Link DIR-802 Command Injection Vulnerability [CVE-2021-29379] – SystemTek
- Mitigating ICT Supply Chain Risks with Qualified Bidder and Manufacturer Lists
- Tenda Technology Tenda’s G1 and G3 routers Command Injection Vulnerability
- SonicWall Email Security Appliances Critical Vulnerabilities
- Multiple Vulnerabilities in OpenSSL Affecting Cisco Products (April Update)
- In The Wild: SonicWall Email Security Zero-Day Vulnerabilities
New Security Signals study shows firmware attacks on the rise
“83% of all businesses have experienced a firmware attack in the past two years.”
- Adventures From UEFI Land: the Hunt For the S3 Boot Script
- New NAME:WRECK DNS vulnerabilities impacts millions of devices
- CISA: Cost of a Cyber Incident: Systematic Review and Cross-Validation
- Hunting bootkits on a local network and building your own test bench
- Using memory encryption in web applications to help reduce the risk of Spectre attacks
- Intel Study: Transparency and Security Assurance Drive Preference
- The Role of Transparency and SecurityAssurance in Driving TechnologyDecision-Making
- AMD Discloses a Spectre-Like Vulnerability in Zen 3 CPUs
- Secure IoT Firmware For Cortex-M Processors
- A Large-Scale Analysis of IoT Firmware Version Distribution in the Wild
- How bad is the M1 Mac’s SSD failure problem?
- Trigger (Rowhammer) bit flips on TRR-enabled DDR4 SDRAM through Firefox
- Report: The Rise Of Global Cybersecurity Venture Funding
Don’t Let the Fox Watch the Henhouse: Securing Firmware
“This makes firmware a single point of failure that, when compromised, can allow attackers to evade security controls at those higher layers and silently persist on a device.”
- ICT SCRM Task Force: Vendor Supply Chain Risk Management (SCRM) Template
- First Workshop on DRAM Security (DRAMSec) June 17, 2021 Co-located with ISCA
- A FREE comprehensive reverse engineering course covering x86, x64, 32-bit ARM & 64-bit ARM architectures
- Ghidra analyzer for UEFI firmware
A recent Microsoft study says 83% of all businesses have experienced a firmware attack in the past two years. The NIST National Vulnerability Database has shown more than a five-fold increase in firmware vulnerabilities in the last four years. How real is the threat to enterprise devices in Q2? Are organizations taking the right approaches to address it?
In this quarterly device security threat briefing, Yuriy Bulygin, CEO of Eclypsium, and Scott Scheferman, Principal Cyber Strategist discuss the latest news in firmware and hardware security – from the Microsoft report to the most recent attacks in the wild – and what security leaders can do to defend their organizations.
- How real is the threat of firmware attacks?
- What do recent attacks tell us about who is at risk?
- What devices and vulnerabilities are attackers targeting now?
- Are APTs and ransomware attackers converging?
- What kinds of attacks can we expect going forward?
- Why is it so difficult to get visibility into the device attack surface?
- What measures are enterprises taking to protect themselves?
- How can we close the gap on device security?