May Firmware Threat Report

Below the Surface May 2021 Threat Report

Sometimes it takes a thunderstorm before seeing positive outcomes and real change: Cyber May Flowers, if you will.

The SolarWinds and related supply chain attacks put our government through the crucible of painful incident response and restoration efforts. The events also became a watershed moment, one in which cyber risk to national security fully materialized. In response to this broader supply chain threat, President Biden signed a complex and broad Executive Order that was 18 pages long and included over 70 actionable directives. In a sense, this EO not only helps protect the supply chain but directly leverages its dynamics to improve software security across the board. It will require developers that sell to the USG to create an SBOM (software bill of materials) for all critical software. This, in turn, raises the tide even for companies that do not sell directly to the USG, because their downstream customers who do will need to account for their upstream providers via SBOM-level provenance and verification.

For Eclypsium’s part, we were glad to see that the five criteria listed as defining ‘critical software’ map 1:1 to firmware overall. After all, firmware is simply software that is stored differently (on hardware versus on disk). It is a critical dependency for the entire rest of the stack above it and hugely impactful to every aspect of computing when attacked. It is the root of trust, and it operates at the highest level of privilege. Therefore, we expect that calls for SBOM-level verification will extend to an FBOM (firmware bill of materials).

Another positive development is the fantastic work CISA has been doing to quantify, analyze, and expose the risk that BtOS (Below the Operating System) threats pose to critical infrastructure and enterprises alike. They presented a pair of talks at this year’s RSA Conference that confirm firmware’s worst-offender status regarding high-impact threats like those targeting UEFI (TrickBoot, MosaicRegressor, LoJax, VectorEDK, etc.).

Much has been written about the Colonial Pipeline attack. Still, the number one takeaway made evident to both threat actors and critical infrastructure organizations is that operations can be disrupted whether or not malware targets OT systems directly. Devices like the ones that form the fictional ‘air gap’ between IT and OT are themselves increasingly being targeted, with tremendous impact potential as a result. Indeed, both DarkSide affiliates and UNC2447 have been targeting SonicWall CVEs to gain initial access into victim networks, and Cisco’s ASAs have been vulnerable to DoS attacks. Meanwhile, the NCSC updated its list of CVEs that Russia’s SVR is actively exploiting, and the list now includes five such critical-device CVEs.

The best Cyber May Flower we saved for last. Eclypsium just announced new product functionality that directly addresses these kinds of device-level threats by allowing our customers to discover, analyze, and assess the risk of both critical appliances and other ‘agentless’ types of connected devices. This functionality further expands our unique visibility into those devices, giving organizations the ability to register and manage down the associated risks. No more flying blind; it’s time to take back security control of these devices and get ahead of the attackers that continue to exploit them. Hats off to our customers who continue to make us better by requesting new capabilities and helping us blossom into one of the 15 hottest solutions at RSAC.

Threats in the Wild

UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat

“Mandiant has observed an aggressive financially motivated group, UNC2447, exploiting one SonicWall VPN zero-day vulnerability prior to a patch being available and deploying sophisticated malware previously reported by other vendors as SOMBRAT”

Read More >

Industry News

DHS announces program to mitigate vulnerabilities below the operating system

“For years, security personnel have been content to largely ignore the horrors lying beneath the surface of the OS, seeing firmware-based attacks as exotic and high-end.”

Read More >

Security Advisories

Further TTPs associated with SVR cyber actors

“The group will look to rapidly exploit recently released public vulnerabilities which are likely to enable initial access to their targets.”

Read More >

Security Research

Comparison of security-related technologies from both 11th Gen Intel Core vPro mobile processors and AMD Ryzen PRO 4000 series mobile processors

“Based on IOActive research, we conclude that AMD offers no corresponding technologies in the Below the OS, Platform Update, Advanced Threat Protection, or Crypto Extension categories, while Intel offers features in all of these categories.”

Read More >

Tools and Education

What Is Firmware Malware and How Can You Prevent Infections?

“Firmware malware is an increasing threat to your device’s security. Learn more about firmware malware and how it spreads.”

Read More >

Webinars and Events

What Auditors Need to Know When Evaluating Firmware Compliance

Recent updates to NIST 800-53 and other compliance standards emphasize that controls must extend down to firmware and hardware. To keep pace with widespread attacks and new standards, organizations must incorporate firmware security into risk management and compliance processes and address blind spots that have given attackers a new foothold. But what does this mean, and what should you be looking for?

Eclypsium’s VP of Federal Technology, John Loucaides, will discuss:

  • What is firmware, and why is it important?
  • Why firmware and hardware security is being called out in compliance frameworks
  • What questions to ask when conducting your audit
  • Evidence of compliance that can be produced
  • How Eclypsium is helping businesses collect this evidence

Join us>

Webinars and Events

A New Approach to Protecting Network and Unmanaged Devices

Enterprise IT and security teams today must navigate the risk of a constantly evolving landscape of networking equipment, connected devices, and personal-use employee devices in remote work environments. Many of these devices simply can’t be managed using traditional security tools, with recent studies estimating that up to 90% of enterprise devices can’t support a traditional security agent.

What’s a security team to do? Maybe it’s time for a new approach to protecting network appliances and other ‘unmanaged’ appliances. In this webinar, Ed Amoroso, Founder and CEO of TAG Cyber, and Scott Scheferman, Principal Cyber Strategist at Eclypsium, will discuss:

  • Why VPNs and networking infrastructure are targeted for attack
  • Who is behind these attacks and what they hope to gain
  • What kinds of vulnerabilities – such as unpatched firmware – attackers are seeking
  • How certain types of critical devices are targeted by ransomware actors in a way that leverages the concept of supply chain dynamics
  • Why traditional security tools may leave you blind to this threat
  • How you can get ahead of attackers with a new distributed approach to network device discovery and analysis that provides agentless visibility into all corners of an enterprise

Join us>