April Firmware Threat Report

Below the Surface April 2021 Threat Report
Subscribe to Eclypsium’s Threat Report

April has been a month of awakening. The highest levels of government and some of the most influential tech companies in the industry have made it clear: we have crossed a threshold of threat activity that now demands new policies, solutions, and a call to action. Specifically, those threats take the form of supply chain and device firmware vectors that haven’t received the attention they’ve deserved until now. 

Amidst much-increased firmware attack activity, Microsoft released a first-of-its-kind report highlighting a severe lack of visibility and automation in the firmware security space. With over 80% of businesses experiencing a firmware attack in the last two years, business leaders are worried about malware accessing firmware, and the unique impact scenarios this presents. HP released a report entitled Into the Web of Profit highlighting how “potentially more deadly threats come from the emergence of firmware attacks such as Lojax, which is able to situate itself at the deepest operating level – the so-called […] UEFI.”

The NSA, CISA, and the FBI issued a joint report highlighting five CVE’s used by the Russian SVR (aka APT29) during recent supply chain attacks. Of note, more than half of those were firmware vulnerabilities in networking devices from Pulse, Fortinet and Citrix. Eclypsium customers leveraging our connected devices capability are able to discover those same three CVE’s using our platform. 

The Biden administration released a set of measures designed to impose costs on Russian actors and organizations responsible for, among other things, the Solarwinds attacks. The US Treasury went as far as sanctioning several Russian cyber companies, including the $1B firmware/exploit powerhouse Positive Technologies. This same organization is also referred to as ENFER in the Atlantic Council’s report on their capabilities, having been linked in this piece by Kim Zetter and in Ryan Naraine’s recent newsletter

Microsoft will remove Positive Technologies from it’s MAPP program. Given it was only 10 years ago that a Russian spy that used to work at one of the companies just sanctioned by the US Treasury (NeoBit) was spying inside of Microsoft as an employee, this move couldn’t have come soon enough.

Chinese group APT5 was attributed to the ongoing attacks involving a 0-day vulnerability in Pulse Secure devices. If the above wasn’t enough to convince you that device firmware threats have gone mainstream, the actors behind the Accellion FTA device wave of attacks just got their own exposé in VICE magazine. 

When it comes to addressing both supply chain and threat actor risks associated with enterprise devices, it all starts with the main thing that’s been lacking: deep, independent (not tied to the vendor) visibility into the firmware and hardware-level vulnerabilities that have been flying under the radar. Newly discovered firmware vulnerabilities often bring about entire new classes of vulnerabilities. The ubiquitous BootHole vulnerability, for example, has led to significant follow-on research resulting in even more ways to bypass Secure Boot. This is why continuous monitoring is the first step in both measuring and registering these risks, let alone mitigating or remediating them. When the headlines say things like “No one saw the SolarWinds attacks coming”… it’s because, in part, no one even had the visibility to detect the vulnerabilities those actors used to gain entry into the supply chain. It’s time to stop flying blind. It’s time to awaken.

Threats in the Wild

China-linked hackers used VPN flaw to target U.S. defense industry -researchers

“At least two groups of China-linked hackers have spent months using a previously undisclosed vulnerability in American virtual private networking devices to spy on the U.S. defense industry …”

Read More >

Industry News

HP “Into the Web of Profit” Report

“There has been a steady upwards trajectory in the severity, openness and variety of Nation State cyber activities over the past twenty years.”

Read More >

Security Advisories

New Bugs Could Let Hackers Bypass Spectre Attack Mitigations On Linux Systems

“[T]wo new vulnerabilities in Linux-based operating systems that, if successfully exploited, could let attackers circumvent mitigations for speculative attacks such as Spectre.”

Read More >

Security Research

New Security Signals study shows firmware attacks on the rise

“83% of all businesses have experienced a firmware attack in the past two years.”

Read More >

Tools and Education

Don’t Let the Fox Watch the Henhouse: Securing Firmware

“This makes firmware a single point of failure that, when compromised, can allow attackers to evade security controls at those higher layers and silently persist on a device.”

Read More >

Webinars and Events

Q2 Threat Briefing – New Developments in Device Security

A recent Microsoft study says 83% of all businesses have experienced a firmware attack in the past two years. The NIST National Vulnerability Database has shown more than a five-fold increase in firmware vulnerabilities in the last four years. How real is the threat to enterprise devices in Q2? Are organizations taking the right approaches to address it?

In this quarterly device security threat briefing, Yuriy Bulygin, CEO of Eclypsium, and Scott Scheferman, Principal Cyber Strategist discuss the latest news in firmware and hardware security – from the Microsoft report to the most recent attacks in the wild – and what security leaders can do to defend their organizations.

  • How real is the threat of firmware attacks?
  • What do recent attacks tell us about who is at risk?
  • What devices and vulnerabilities are attackers targeting now?
  • Are APTs and ransomware attackers converging?
  • What kinds of attacks can we expect going forward?
  • Why is it so difficult to get visibility into the device attack surface?
  • What measures are enterprises taking to protect themselves?
  • How can we close the gap on device security?

Join us>