August Firmware Threat Report

Below the Surface August 2021
Subscribe to Eclypsium’s Threat Report

Check out Scott’s hot-take video for this month’s Threat Report.

What can we learn from a threat actor when it comes to protecting our missions and organizations from ransomware threats? A threat-informed defensive strategy is all the rage lately. MITRE ATT&CK has been fully adopted by many organizations. Threat intelligence solutions are in their heyday. Red team exercises are focusing heavily on “APT replay” style of engagements. The whole concept has even been automated via Breach Attack Simulation (BAS) platforms. The list goes on.

And yet, as an industry and as defenders, here we are, still reading the same headlines and advisories. Why is this?

How can it be that CISA puts out a concise list of things every organization can (indeed, must!) do in order to thwart ransomware attacks, and yet very few organizations have taken action on them? Let alone ensure they are maintained continuously? 

How can it be that even when the threat actors themselves agree to an interview, provide actual recommendations and expose what they rely on to get the job done, that we still don’t implement the countermeasures needed to protect ourselves? At the very least, both CISA and LockBit actors recommend updating all software regularly. Lockbit further acknowledges that externally facing services like RDP and exploitable VPNs be patched. This sounds a lot like this section of CISA’s latest recommendations for preventing data breaches related to ransomware:

Mitigate internet-facing vulnerabilities and misconfigurations:

  1. Employ best practices for use of Remote Desktop Protocol (RDP) and other remote desktop services.
  2. Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices. 
  3. Update software, including operating systems, applications, and firmware, in a timely manner. Prioritize timely patching of critical vulnerabilities and vulnerabilities on internet-facing servers
  4. Ensure that devices are properly configured and security features are enabled
  5. Disable or block inbound and outbound Server Message Block (SMB)

Notice how CISA’s recommendation to update firmware vulnerabilities compliments one of LockBit’s insights about their attack philosophy: 

“A lot of noise around the attack is bad. A silent attack no one knew about is good for the company’s (victim’s) reputation, and our income.”

After all, there is no more silent, persistent, stealthy, and evasive position for an attacker to hide on than a device’s firmware – below the operating system and all of the security controls within it. Indeed throughout this year’s scourge of Microsoft Exchange related attacks affecting tens of thousands of devices worldwide, CISA has consistently included firmware updates in their recommendations, and in their 48-hour emergency response directives:

Software Updates – All software installed on the server (including the operating system and server firmware) must have security and cumulative updates deployed within 48 hours of update availability.

Why 48 hours? It’s because these days the time from when a vulnerability is disclosed to when an exploit is developed for it can come down to just days, sometimes even less. 

An example from this month would be how quickly the Realtek SDK vulnerabilities resulted in active attacks in the wild just days after their disclosure. Speaking of SDK’s, up to 83,000,000 devices with cameras in them have firmware running remotely exploitable code care of ThroughTek’s Kalay SDK. Baby cameras serving as attack nodes on home networks…the same remote networks that our foe LockBit says has greatly benefited their ability to compromise enterprise networks resulting from the COVID workforce transition.

It’s important to realize that just because there isn’t a known exploit (yet) for a given vulnerability, doesn’t mean it doesn’t exist (and isn’t being used). It also doesn’t mean that on any given day, an attacker can’t compare the vulnerable firmware to the now-patched firmware, and quickly devise a working exploit by doing so. Such was the case for this red teamer that cracked into a Sophos UTM appliance via RCE as root. 

The take-away here? Patch, patch, patch your firmware, whether or not there are ‘known’ exploits. And yet, countless organizations will fail to do just that. Why give up this obvious advantage to attackers, who today, have ready access to firmware vectors and purpose-built malware designed to exploit them

Speaking of purpose-built malware, CISA just released five more MARs (Malware Analysis Reports) tied to the latest Pulse Secure VPN threat campaigns hitting in the wild. Each brings specific functionality ranging from a C2 backdoor, a local credentials logger, a credentials dumper, the ability to intercept MFA tokens, and two web shells. Combined with the RCE vulns to begin with, and the prior list of 13 other Pulse Secure-related malware samples, the only question left to answer is what can’t these nation-state and criminal actors do once they’ve compromised the device firmware? Again the take-away: patch. But note that if you are too late in patching, a compromised Pulse device allows the attacker to persist even through the new patch cycle.

We hear many practitioners say that patching firmware is too hard. It’s too error-prone, it’s too complex, it’s not automated enough. All true. But in order for any of us to follow our own advice and “Patch, patch, patch our firmware,” we need to automate some of that process. Eclypsium focuses significant R&D on that effort in order to make firmware vulnerability and patch management, actually manageable. For tips on what you can do today — with or without Eclypsium — go here.  For those organizations pursuing Zero Trust as their north star strategy, here are three simple things that can be done to minimize enterprise and mission risk via the concept of verification.

At the end of the day, there is only one way to mitigate firmware and device-level risks, and that remains, action! Speaking of which, here’s what our Principal Strategist, Scott Scheferman, has to say about this month’s threat report when it comes to taking action! Let’s roll!

Threats in the Wild

CISA Releases Five Pulse Secure-Related MARs

“As part of CISA’s ongoing response to Pulse Secure compromises, CISA has analyzed five malware samples related to exploited Pulse Secure devices.”

Read More >

Industry News

Biden Directs Agencies to Develop Cybersecurity Standards for Critical Infrastructure

“Though voluntary, officials said the new step could be a prelude to a push for cybersecurity mandates.”

Read More >

Security Advisories

Zero-Day Flaw Found in Fortinet’s FortiWeb WAF Technology

“Researchers at Rapid7 today disclosed a critical zero-day vulnerability in Fortinet’s FortiWeb Web application firewall …”

Read More >

Security Research

High Stakes Updates: BIOS RCE OMG WTF BBQ – DEFCON 29

“Our research has identified multiple vulnerabilities in Dell’s BiosConnect feature used for remote update and recovery of the operating system.”

Read More >

Tools and Education

Security Weekly – The BIOS Disconnect

“DEF CON presentation and Proof Of Concept exploit code. ”

Read More >

Webinars and Events

Firmware Fiascos and the Supply Chain’s Weakest Link

Digital extortionists have learned how to continue to up the stakes by multiplying their leverage and reducing the time window of negotiation. Join Rick McElroy, Principal Cyber Security Strategist at VMware Carbon Black, and Scott Scheferman, Office of the CTO at Eclypsium as we explore where they are headed, and ask the hard questions about what it will take to get ahead of them. We will discuss:

  • What is the future of digital extortion campaigns?
  • What is the nature and magnitude of impacts associated with these?
  • Where and how does firmware and device trust come into play here?
  • How do organizations that have fully migrated to 3rd party cloud infrastructure and SaaS services, proactively mitigate risks in this new future?
  • What can present-day research and attacker campaigns teach us about what is next to come?
  • What is the next ‘North Star’ for us to aspire to? Is it still Zero Trust?

Together, Rick and Scott bring a combined 50 years of industry experience – the majority of which has been spent on the front lines of military, commercial, education, and federal spaces. They will harness a discussion that aims to “call it like they see it”, discern whether we are on the right path, and ask the hard questions about what it will take for us to get there, collectively, as an industry that might be in dire need of a wake-up call as we head into this great unknown together.

Join us >

Webinars and Events

What Auditors Need to Know When Evaluating Firmware Compliance

Recent updates to NIST 800-53 and other compliance standards emphasize that controls must extend down to firmware and hardware. To keep pace with widespread attacks and new standards, organizations must incorporate firmware security into risk management and compliance processes and address blind spots that have given attackers a new foothold. But what does this mean, and what should you be looking for?

In a follow-on to his popular ISACA presentation, Eclypsium’s John Loucaides will delve deeper into the questions auditors should ask, and the tools that are available to implement controls and verify due diligence within an organization.

Eclypsium’s VP of Federal Technology, John Loucaides will discuss:

  • What is firmware, and why is it important?
  • Why firmware and hardware security is being called out in compliance frameworks
  • What questions to ask when conducting your audit
  • Evidence of compliance that can be produced
  • How Eclypsium is helping businesses collect this evidence

Join us >