September Firmware Threat Report

Below the Surface September 2021
Subscribe to Eclypsium’s Threat Report

Shaken, and stirred. That’s how a lot of us feel after so much news this month centered around a common theme, that once distilled, looks like this: Spies continue to target devices at their lowest layers in order to best position themselves for the longest persistence and best access to data. There are a lot more cyber spy outfits than many realize. It might be Q Cyber (aka NSO Group) embedding into WhatsApp, or even into the Apple device’s firmware you are holding in your hand right now (did you update this week?) Or it might be Hacking Team (aka Memento Labs, and still actively targeting reporters’ phones in the US, Morocco, and Ethiopia). Perhaps it is Vupen (now “Zerodium”) selling low-level zero-day exploits to governments, or it might be Mollitiam Industries in Spain, helping soldiers in Colombia intercept calls. Whether it’s an exploited vulnerability or whether it’s via a supply chain attack, or whether it’s trojan software, embedding at the device level is the name of the game, and even more so these last five years:

  • November 2016 – Firmware authors for major Chinese phone manufacturers embed backdoor
  • December 2016 –  Malware found in the firmware of 26 different Android smartphones
  • July 2017  – Triada banking trojan firmware found on Android smartphones
  • March 2018 – Even more Triada malware found in 42 different models
  • May 2018 – Cosiloon trojan found in the firmware of 141 Android cellphones
  • January 2019 –  Pre-installed malware discovered on Alcatel smartphone.
  • June 2019 – Unremovable malware found on 20K Android phones in Germany
  • January 2020 – Preinstalled malware on Assurance Wireless (Virgin Mobile) phones in U.S.
  • September 2021 – Pushbutton phones in Russia backdoored with spy software
  • September 2021 – GriftHorse campaign infects tens of millions globally on Android phones

And this brings us to FinSpy, the discovery of a capability that took researchers 8 months to unpack, resulting in a 300-page report documenting a complex, (truly) sophisticated, and powerful new spy campaign. A spy company called Gamma in Munich, Germany, which had already been raided by prosecutors after selling low-level spyware to the Turkish government had a new trick: embedding itself on Windows, Linux, and Mac devices at the MBR, and in some cases, at the UEFI/boot level. In operation for years, this capability has allowed customers of Gamma (aka FinPhisher) to spy indefinitely on their targets by persisting at such a low level, hardly anything could detect it. These new bookits that target UEFI boot loaders and the legacy MBR boot mechanism serve to remind us just how powerful and desirable these low-level tactics are.

Indeed this is one reason why Microsoft is putting so much emphasis on new technologies in Windows 11. Everything from Secured-Core, to TPM and all else in between, including new Defender capabilities. Yet, as this new Eclpysium research and quick video demonstration clearly show, all it takes is one click to go from a spearphishing email to a bootkit level implant. This, even on a new Secured-Core PC with every OS-level security control possibly related to firmware enabled; and that’s if you are lucky enough to even have a TPM in your device. As this study shows, less than half of 30 million Windows devices found in 60,000 organizations are even capable of enabling this feature. In fact, pretty much every Windows OS for the last decade or so is vulnerable to precisely this style of attack.

So what can you do to thwart a “FinSpy Who Hacked Me” style attack? Enable Secure Boot to ensure only signed bootloaders can run. Even better? Make sure your devices that have this feature enabled, aren’t vulnerable to myriad vulnerabilities in the boot process, such as BootHole. Patch the devices that are vulnerable. Even better than that? Be able to detect an attack like this when it happens by continuously monitoring the integrity of all UEFI components with Eclypsium.

Way too much trust is being placed in our devices and the integrity of the firmware that allows the operating system, and every single application and security control running on it, to function.

We know it. James Bond knows it. And you know it too.

Threats in the Wild

FinSpy: unseen findings

“Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit.”

Read More >

Industry News

AMD disclosed details of previously fixed vulnerability

“As part of checking the vulnerability, he was able to download several gigabytes of confidential data from an AMD-based machine – while he did not have administrator rights.”

Read More >

Security Advisories

Critical Cisco Bugs Allow Code Execution on Wireless, SD-WAN

“Unauthenticated cyberattackers can also wreak havoc on networking device configurations.”

Read More >

Security Research

Researchers Found a Vulnerability in All Windows PCs Since 2012

“Researchers at Eclypsium have found a flaw in Microsoft’s WPBT firmware, allowing attackers to install rootkits in the device’s OS.”

Read More >

Tools and Education

NSA, CISA Release Guidance on Selecting and Hardening Remote Access VPNs

“Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. ”

Read More >

Webinars and Events

The Mark of Zero: The Role of Firmware in Zero Trust Strategies

A few years ago, a casual Google search on the term “zero trust” would have returned hundreds of thousands of hits. Search for the same term today, and you’ll get about 4 billion hits — that’s “billion” with a “B.” It’s possible that no other cybersecurity approach has matured so fast and received such widespread adoption in such a short time.

But can a Zero Trust security strategy be effective without accounting for the needs of firmware security? What does it even mean to apply Zero Trust principles to something as difficult to assess and secure as firmware? And who owns this initiative, the vulnerability management team? The CIO’s team?

In this webinar, John Loucaides, Eclypsium VP of R&D, and Michael Thelander, Director of Product Marketing, will discuss the four pillars of Zero Trust security:

  1. Default deny
  2. Contextual authentication
  3. Granular control
  4. Dynamic response

They will tie each of these pillars to the unique security requirements of firmware across the modern enterprise.

John and Michael will discuss how firmware is under fire by commercially motivated and nation-state attackers today and reveal the gap between modern infosec tools and firmware-based exploits. Then they’ll outline an approach to identify, verify, and fortify the firmware underneath every organization’s current technology stack–sustainably and cost-effectively.

Join us >