June Firmware Threat Report

Not just one, but four. That’s how many vulnerabilities Eclypsium researchers discovered in Dell’s BIOSConnect feature. Taken together, this chain of vulnerabilities has a CVSS score of 8.3 (High) because it allows a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level. As readers of this report will know, that is the absolute worst-case scenario, enabling any well-positioned attacker to take over the device’s boot process and completely subvert the OS and any of its related security controls. Tens of millions of Dell consumer and enterprise-grade devices, even ones protected by Secure Boot and Secure-core technology, are vulnerable. In fact, in this case, not even Bitlocker serves as a mitigating control to protect the OS/files from a compromised UEFI attack scenario.

After two decades of industry awareness around TLS implementation vulnerabilities, we still find these “no-excuse” flaws at this critical UEFI layer of device trust and integrity; the very foundation upon which the rest of modern computing sits.

For attackers like those behind the SolarWinds attacks (or even just a red-teamer with moderate skills), these vulnerabilities present an ideal pretext for an overall strategy of blending in with legitimate processes, abusing (certificate) trust, and evading detection for as long as possible. Here, attackers can spend less than $100 to provision their own certificate from any of the certificate authorities that are trusted by the UEFI update process, and are then able to send arbitrary malicious executables to the UEFI, which blindly executes them. Don’t have $100? Ok, just grab a certificate from GitHub: Sadly there are plenty of them there (that shouldn’t be) whose CA is trusted by this process.

All in, even with SecureBoot enabled, on a Secure-Core PC, a skilled red-teamer or attacker can implant (or even brick) an affected device at the motherboard/UEFI level; and do so without having to first obtain a privileged position at the OS level. This contrasts with other recent campaigns targeting the UEFI like LoJax, MossaicRegressor, and TrickBot’s TrickBoot. Worse, from there they can disable any OS-level controls they want to, and enjoy an entire UEFI network stack that is never logged by the OS kernel, providing indefinite persistence, C2, exfiltration, and powerful control…all from a position the victim is unlikely to ever discover. That is unless they can monitor firmware integrity as Eclypsium’s platform readily does.

How’s that for a giant June bug! If you want to learn more, here is the link to our blog, here is the link to Dell’s DSA, and the link to our webinar on mitigation. Want to learn even more? We’ll see you at DEF CON where we’ll be presenting further updates and insights related to this research.

Still want more firmware and device bugs? Check the links below to find flaws in VPN devices from Zyxel, Sophos, SonicWall, Pulse Secure, Fortinet, and a South Korean VPN maker that shall remain nameless (note that these are all being exploited in the wild as you read this). These VPN-related attacks have risen 20x in some cases – hard to even fathom.

More still? Bugs from Nvidia, HPE, CISCO, Apple, and others await you below.

• Zyxel says a threat actor is targeting its enterprise firewall and VPN devices
• SonicWall Left a VPN Flaw Partially Unpatched Amidst 0-Day Attacks
• South Korea’s Nuclear Research agency hacked using VPN flaw
• Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices
• APT hacked a US municipal government via an unpatched Fortinet VPN
• New Iranian Threat Actor Using Ransomware, Wipers, CVE’s in Destructive Attacks
• Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
• UC Berkeley confirms data breach, becomes latest victim of Accellion cyber-attack
• Arm and Qualcomm GPU firmware zero-days quietly patched
• Ahem, Huawei, your USB LTE stick has a vuln. I SAID AHEM, Huawei, are you listening?
• Hackers Breached Colonial Pipeline Using Compromised VPN Password
• Latvian National Charged for Alleged Role in Transnational Cybercrime TrickBot Organization
• NSW Health confirms data breached due to Accellion vulnerability 
• After DOJ arrest of Latvian Trickbot coder, experts highlight public-private efforts to tackle cybercrime
• Pulse Secure VPN hacking also hit transportation, telecom firms, FireEye says
• Hackers are exploiting a Sophos firewall zero-day
• JBS Ransomware Attack Started in March
• Critical entities targeted in suspected Chinese cyber spying
• Police Bust Major Accellion FTA / Ransomware Gang Cl0p
• Clop ransomware (infamous for Accellion FTA device attacks) is back in business after recent arrests

• U.S. Suffers Over 7 Ransomware Attacks An Hour. It’s Now A National Security Risk
• Chip shortages lead to more counterfeit chips and devices
• U.S. SEC seeks information from SolarWinds clients in cyber breach probe
• Lexmark Printers Open to Arbitrary Code-Execution Zero-Day
• Turn the Tables: Supply Chain Defense Needs Some Offense, Fortinet Says

• Bugs in NVIDIA’s Jetson Chipset Opens Door to DoS Attacks, Data Theft
• List of Equipment and Services Covered By Section 2 of The Secure Networks Act
• Accellion, Inc File Transfer Appliance (FTA) Security Assessment 
• APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity
• CVE-2021-22909- Digging into a Ubiquiti Firmware Update bug
• HPE fixes critical zero-day vulnerability disclosed in December
• FBI Warns of Ongoing Exploitation of Fortinet Vulnerabilities by APT Actors
• Cisco Security Advisory: Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021
• Pulse Secure Integrity Checker Tool (ICT) and the PCS factory reset functionality can both be subverted
• Cisco Smart Switches Riddled with Severe Security Holes
• DSA-2021-103: Dell PowerEdge Server Security Update for BIOS Vulnerabilities
• Cisco Security Advisory: Cisco SD-WAN Solution Privilege Escalation Vulnerability

• M1 security vulnerability ‘baked into chip,’ but it doesn’t matter
• This weird memory chip vulnerability is even worse than we realised
• CVE-2021-21551: Learning Through Exploitation
• Detecting UEFI Bootkits in the Wild (Part 1)

• DHS CISA Strategy to Fix Vulnerabilities Below the OS – Among Worst Offenders
• HPE iLO5 Firmware Security – Go Home Cryptoprocessor, You’re Drunk!
• Printer Exploitation Toolkit – The tool that made dumpster diving obsolete.
• The State of Healthcare Cybersecurity: VMware Security Business Unit Explores the Surge in Cyber Threats
• CISA Releases Best Practices for Mapping to MITRE ATT&CK®
• Building reliable SMM backdoor for UEFI based platforms (2015, soon to be updated)
• Preview of updated SMM backdoor use-cases via same author
• Updated Hyber-V backdoor project
• Introducing SLSA, an End-to-End Framework for Supply Chain Integrity
• NSA Funds Development, Release of D3FEND