July Firmware Threat Report

Below the Surface Eclypsium Threat Report July 2021
Check out Scott’s hot-take video for this month’s Threat Report.

July came in hot. Really hot. Not more than a few hundred miles from our Portland, OR headquarters, the Bootleg fire continues to burn as the nation’s largest wildfire and the 3rd largest in Oregon’s history. Panning out, there’s an equally massive firestorm of threat actors exploiting device firmware. Chinese state-sponsored actors and ransomware both took center stage, as did a nightmare of critical vulnerabilities in Microsoft products indicative of their SSDLC challenges of late.

Halfway through the year, it is apparent that Chinese and Russian state-sponsored actors, as well as criminal actors, are nearly all targeting the same critical vulnerabilities in externally facing devices. At a minimum, these include three CVEs which CISA reports are actively being targeted by Russian SVR and Chinese APT40 actors:

CVE-2020-5902 (F5 BIG-IP)
CVE-2019-19781 (Citrix ADC)
CVE-2019-11510 (Pulse Secure VPN)

The recent attacks against Microsoft Exchange Servers have been attributed to Chinese APT31 and APT40 groups. APT31 also leverages SOHO routers to hide C2 traffic, taking a tip from Russian SVR state actors and criminal actors like the TrickBot group that continue to rely on MikroTik routers for their infrastructure. 

Speaking of TrickBot, they are back in full force. Having fully adapted and recruited new talent, they are targeting a new array of victims at a blistering cadence and deploying Cobalt Strike, among other new tricks. Criminal actors targeting these VPN devices exploit them and then create or steal VPN creds that later get sold to RaaS and state actors alike.

Hacking these devices isn’t just for nation-states and crime gangs. This curious pair of hackers decided to poke around at their own Aruba devices and ended up finding an abundance of CVEs, several of which, when chained, yielded full remote code execution. It is a testament to just how many critical software flaws this class of devices has and how readily they can be exploited. After all, if two curious hackers can do it, imagine what nation-states and crime groups can (and do) do.

Speaking of poking around, one of our own Eclypsium researchers has been hard at work enumerating a particular device class exposed to the Internet that is commonly attacked. The initial results pretty much tell the whole story of why attackers target them. In one case, half of the devices exposed to the Internet are running 3+-year-old firmware that is past End of Life (EoL) and vulnerable, and up to 95% of the devices have at least one critical vulnerability. Expect to read more about this in a future research blog we’ll be eager to publish.

Perhaps this is why we needed an Executive Order to address such fundamental flaws in the critical software and supply chains that power our infrastructure. What software could be more critical than the device operating systems and firmware running on them? Ironically, that criticality is the reason these devices never get updated: they are so critical that no one wants to bring them down long enough to apply an update, which is precisely the gap our adversaries have learned to rely on as their primary strategy of late. In the context of defining what “critical software” is in the Executive Order, firmware is critical by every criterion the order lays out and essential in the creation, execution, and operation of the “Zero Trust architectures” the order draws upon as a framework.

Eclypsium customers will be happy to know that the often-attacked and outrageously vulnerable devices we’ve highlighted above are covered by our platform capability: everything from VPN devices to routers, and even the Accellion FTA devices whose recent attack campaign is still underway. If it’s a critical device, our mission is to ensure you can defend it!

We look forward to seeing you virtually or in person at the Black Hat and DEF CON conferences in Las Vegas next month, where both Mickey and Jesse will be presenting the “rest of the story” on the incredible BIOSDisconnect set of vulnerabilities they have discovered! In the meantime, you can catch @transhackersim on the PSW show discussing this and more, or get his hot take on this month’s report.

Threats in the Wild

The Pentagon Tried to Take Down These Hackers. They’re Back.

“U.S. Cyber Command and Microsoft, among others, launched operations on the eve of the election meant to hobble a Russian-speaking hacking group. But it’s rising again.”

Industry News

Chinese government lays out new vulnerability disclosure rules

“The Chinese government has published new regulation on Tuesday laying out stricter rules for vulnerability disclosure procedures inside the country’s borders.”

Security Advisories

Urgent Security Notice: Critical Risk To Unpatched End-Of-Life SRA & SMA 8.X Remote Access Devices

“Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack.”

Security Research

Chained vulnerabilities in Aruba Networks firmware allowed remote code execution on routers

“Multiple vulnerabilities in routers from Aruba Networks allowed attackers to conduct a series of malicious activities including remote code execution (RCE), security researchers have found.”

Tools and Education

Security Weekly – The BIOS Disconnect

“Eclypsium researchers identified vulnerabilities affecting the BIOSConnect feature within Dell Client BIOS.”

Webinars and Events

Firmware Fiascos and the Supply Chain’s Weakest Link

The firmware supply chain supports virtually every aspect of modern-day organizations. While the firmware layer is often overlooked, it’s increasingly under fire from both financially motivated hackers and determined nation-states. A firmware attack in the supply chain ensures that the attacker’s code is the first to run and has the highest privileges from the moment a device turns on.

Commercial and government organizations alike are left wondering how they can trust vendor tools and checks when the vendor itself (or one of its upstream component providers) may be compromised in the supply chain. Presented by Eclypsium’s Director of Product Marketing, Michael Thelander, and VP of Federal Technology, John Loucaides.

The Mark of Zero: The Role of Firmware in Zero Trust Strategies

A few years ago, a casual Google search on the term “Zero Trust” would have returned hundreds of thousands of hits. Search for the same term today, and you’ll get about 4 billion hits. But can a Zero Trust security strategy be effective without accounting for the needs of firmware security? What does it even mean to apply Zero Trust principles to something as difficult to assess and secure as firmware? And who owns this initiative, the vulnerability management team? The CIO’s team? In this webinar, John Loucaides, Eclypsium VP of R&D, and Michael Thelander, Director of Product Marketing, will discuss the four pillars of Zero Trust security as it relates to firmware. They’ll then describe how to identify, verify, and fortify the firmware underneath every organization’s current technology stack.

High-Stakes Updates | BIOS RCE OMG WTF BBQ

With attacks moving below the operating system and computer firmware vulnerability discovery on the rise, keeping current platforms updated becomes essential, and new technology is being developed to help defend against such threats. Major computer manufacturers are adding capabilities to make it easier to update the BIOS.

Eclypsium’s @HackingThings and @JesseMichael identified multiple vulnerabilities in Dell’s BIOSConnect feature used for remote update and recovery of the operating system. These vulnerabilities are easy to exploit by an adversary in the right position, and are not prevented by protective technologies such as Secured-core PCs, BitLocker, Boot Guard, and BIOS Guard.

Join us and together we will explore the new attack surfaces introduced by these UEFI firmware update mechanisms — including a full walk-through of multiple vulnerability findings and the methods we used to create fully working exploits that gain remote code execution within the laptop BIOS and their effects on the operating system.