Among the tricks and treats you had, emerges a new Below the Surface to make you glad. So keep on reading to hear what we think; feel free to relax and pour yourself a drink. (We like fernet personally.) Without further ado, all rhyming aside, we’ll now dive into the report and discuss where threat actors hide.
October was full of tricks and treats this year, and we’re not just talking about Halloween. Perhaps the spookiest thing we learned this month was the reporting on FinSpy, but the real nightmares may come from the fact that the ESPecter UEFI bootkit has been backdooring Windows devices since 2012. Boo!
On this day in history: Indestructible, badass rootkit BadBIOS: Is this tech world’s Loch Ness Monster? Allegations of a stealthy firmware rootkit caused a stir after researcher Dragos Ruiu announced that his lab systems had been infected via USB stick and were communicating over multiple wireless protocols. While details and samples were thin, the activity was plausible enough, and researchers have continued to discover firmware attacks (albeit less advanced than the BadBIOS claims) ever since.
“On May 25, 2021, ‘diego033’ posted on exploit[.]in seeking suppliers of various forms of network accesses, including Citrix, RDP, VPN, and bots.”

New UEFI bootkit used to backdoor Windows devices since 2012
“Interestingly, we traced the roots of this threat back to at least 2012, previously operating as a bootkit for systems with legacy BIOSes.”
- UEFI threats moving to the ESP: Introducing ESPecter bootkit
- FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets
- Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices
- Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings
- Researchers compile list of vulnerabilities abused by ransomware gangs
- Acer Was Hacked Again, Losing Personal Data of Millions | Digital Trends
- North Korean state hackers start targeting the IT supply chain
- IoT Hacking and Rickrolling My High School District

Federal cyber agencies call zero trust ‘new normal’ of security, partnering to implement
“Not just for externally-facing traffic, but really taking the concept of untrusted networks as seriously as possible and encrypting traffic within federal environments, by only addressing things like encrypted DNS and the like.”
- White House Announces 7 TMF Awards with Big Focus on Zero Trust
- Hardware Bolsters Medical Device Security
- Senate Committee Passes Major FISMA Changes—Including a New Definition of ‘Major Incident’
- Firmware is included in the first cybersecurity roadmap for the State of California
- Research finds consumer-grade IoT devices showing up… on corporate networks

SonicWall Issues Patches for a New Critical Flaw in SMA 100 Series Devices
“Tracked as CVE-2021-20034, the arbitrary file deletion flaw is rated 9.1 out of a maximum of 10 on the CVSS scoring system”
- NETGEAR R7800 net-cgi Out-Of-Bounds Write Remote Code Execution Vulnerability
- Cisco ATA19X Privilege Escalation and RCE
- Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260)

How Your Printer Is Like Swiss Cheese
“Follow these best practices to avoid the security holes created by these often-overlooked, but ubiquitous, devices.”
- Automated vulnerability hunting in SMM using Brick | Assaf Carlsbad
- Virtual desktop security isn’t all it’s cracked up to be
- I put a WiFi router into a phone charger (Final Post)

A security expert’s guide to the top-exploited vulnerabilities
“The biggest and baddest ransomware groups love an easy vulnerability.”
- NIST: Detecting and Responding to Ransomware and Other Destructive Events
- SBOM: Good Intentions, Bad Analogies, and Ugly Outcomes
- CISO Forum Panel: Navigating SBOMs and Supply Chain Security Transparency | SecurityWeek.Com
- Hardwear.io – Hardware Security Conference and Training – NL 2021
- ESPecter — Indicators of Compromise
- UEFI threats moving to the ESP: Introducing ESPecter bootkit – AlienVault IOCs
- OST2 Architecture 2001: x86-64 OS Internals Trailer
- Modifying the Acorn CLE-215+ FPGA into a PCILeech DMA attack device
- efiXplorer – IDA Plugin For UEFI Firmware Analysis And Reverse Engineering Automation


Everyone Gets a Rootkit – Eclypsium
In a connected, digitally transformed age, the saying “no good deed goes unpunished” could perhaps be rephrased as “no good feature goes unexploited”. The Advanced Configuration and Power Interface (ACPI) specification was introduced in the late 1990s, when it became apparent that the energy consumption of rapidly proliferating computing devices was a significant and increasing drain on national and regional energy supplies. ACPI was designed to manage power consumption in PCs efficiently, along with several additional well-meaning use cases such as hardware discovery and configuration. As laptops and portable computing became universal demands, ACPI became the de facto standard for nearly all systems. With the advent of Windows 8, Microsoft defined an additional ACPI table, the Windows Platform Binary Table (WPBT), through which firmware hands the OS an executable that Windows runs automatically during boot; WPBT support has shipped in every Windows release since 2012. In June 2021, Eclypsium researchers discovered significant flaws in WPBT. These flaws make every Windows system vulnerable to easily crafted attacks that install fraudulent vendor-specific tables, whether the attacker has direct physical access, remote access, or a foothold in the manufacturer supply chain. More importantly, because ACPI and WPBT are so ubiquitous, these motherboard-level flaws can undermine initiatives like Secured-core PCs. Security professionals need to identify, verify and fortify the firmware used in their Windows systems.
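To make that last sentence concrete, here is an added example (not code from Eclypsium, ESET or Microsoft) that reads the live WPBT via GetSystemFirmwareTable on Windows, falls back to a constructed sample table elsewhere, and validates the ACPI header and checksum before decoding the command line the table hands to Windows. The field offsets follow the published WPBT specification as we recall it, so verify them against the spec before relying on them; the OEM strings, handoff address and command line in the sample are made up.

```python
"""Locate and parse the ACPI WPBT table that Windows executes at boot.

Added example, not Eclypsium's or Microsoft's code.  Offsets follow the
public WPBT spec as recalled here (assumption: verify against the spec).
"""
import ctypes
import struct
import sys
from typing import Optional

# Standard 36-byte ACPI header: signature, length, revision, checksum,
# OEM ID, OEM table ID, OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT fields after the header: handoff memory size, physical address of
# the handoff memory (the PE image), content layout, content type.  Packed.
WPBT_FIELDS = struct.Struct("<IQBB")
CONTENT_LAYOUT_SINGLE_PE = 1
CONTENT_TYPE_NATIVE_APP = 1


def parse_wpbt(table: bytes) -> dict:
    """Validate a WPBT table; raise ValueError rather than trust a bad one."""
    if len(table) < ACPI_HEADER.size + WPBT_FIELDS.size:
        raise ValueError("table shorter than WPBT fixed fields")
    (sig, length, rev, _chk, oem_id, oem_table_id,
     _oem_rev, _creator, _creator_rev) = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError("header length does not match buffer")
    if sum(table) % 256 != 0:          # ACPI rule: all bytes sum to 0 mod 256
        raise ValueError("ACPI checksum mismatch")
    size, phys, layout, ctype = WPBT_FIELDS.unpack_from(table, ACPI_HEADER.size)
    if layout != CONTENT_LAYOUT_SINGLE_PE:
        raise ValueError(f"unknown content layout {layout}")
    command_line = ""
    off = ACPI_HEADER.size + WPBT_FIELDS.size
    if ctype == CONTENT_TYPE_NATIVE_APP:
        # Type 1 content: UINT16 byte length, then a UTF-16LE command line.
        if off + 2 > len(table):
            raise ValueError("missing command line length")
        (cmd_len,) = struct.unpack_from("<H", table, off)
        raw = table[off + 2:off + 2 + cmd_len]
        if len(raw) != cmd_len:
            raise ValueError("command line runs past end of table")
        command_line = raw.decode("utf-16-le").rstrip("\x00")
    return {
        "revision": rev,
        "oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", "replace"),
        "handoff_size": size,
        "handoff_address": phys,
        "content_type": ctype,
        "command_line": command_line,
    }


def is_valid_wpbt(table: bytes) -> bool:
    """True only if the table passes every structural check above."""
    try:
        parse_wpbt(table)
        return True
    except ValueError:
        return False


def build_sample_wpbt(command_line: str, handoff_address: int = 0x7F000000,
                      handoff_size: int = 0x4000) -> bytes:
    """Construct a WPBT as vendor firmware might emit it (made-up values)."""
    cmd = command_line.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_FIELDS.pack(handoff_size, handoff_address,
                            CONTENT_LAYOUT_SINGLE_PE, CONTENT_TYPE_NATIVE_APP)
    body += struct.pack("<H", len(cmd)) + cmd
    total = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", total, 1, 0, b"ACMEOE", b"EXAMPLE ",
                              1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF    # checksum byte lives at offset 9
    return bytes(table)


def read_wpbt_from_firmware() -> Optional[bytes]:
    """Fetch the live WPBT (Windows only); None means no table is exposed."""
    if sys.platform != "win32":
        return None
    kernel32 = ctypes.windll.kernel32
    provider = 0x41435049                           # 'ACPI' as documented
    table_id = int.from_bytes(b"WPBT", "little")    # signature as stored
    needed = kernel32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None
    buf = ctypes.create_string_buffer(needed)
    got = kernel32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw[:got] if got else None


if __name__ == "__main__":
    live = read_wpbt_from_firmware()
    if live is None:
        print("no WPBT exposed (or not on Windows); parsing constructed sample")
        live = build_sample_wpbt("-install /quiet")
    for key, value in parse_wpbt(live).items():
        print(f"{key}: {value}")
```

On a fleet where the vendor does not ship a platform binary, the healthy result is no table at all; a WPBT turning up, or its command line, OEM ID or handoff size drifting from what the vendor documents, is the signal to pull the firmware image and the dropped %SystemRoot%\System32\wpbbin.exe for analysis.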
Ransomware and Extortion Defense for Industry & Government | RED Summit 2021
Titaniam’s RED Summit is the place to go for Ransomware and Extortion Defense Information, i.e. Education, Demonstrations, Simulations, and Expert Guidance. Keynotes for RED Summit 2021 are Sumedh Thakar, CEO, Qualys and Jim Reavis, Founder, Cloud Security Alliance. In addition, our speaker lineup includes notable CISOs, Security Leaders and Industry Veterans.