October Firmware Threat Report

Among the tricks and treats you had, emerges a new Below the Surface to make you glad. So keep on reading to hear what we think, feel free to relax and pour yourself a drink. (We like fernet personally.) Without further adieu, all rhyming aside, we’ll now dive into the report and discuss where threat actors hide.

October was full of tricks and treats this year, and we’re not just talking about Halloween. Perhaps the spookiest thing we learned this month was the reports on FinSpy, but perhaps the real nightmares come from the fact that the ESPecter UEFI bootkit backdoor that has been in Windows devices since 2012. Boo!

Table of Contents

Threats in the Wild
Industry News
Security Advisories
Security Research
Tools & Education
Noteworthy Content

On this day in history: Indestructible, badass rootkit BadBIOS: Is this tech world’s Loch Ness Monster? Allegations of a stealthy firmware rootkit caused a stir after researcher Dragos Ruiu announced that his lab systems had been infected via USB stick and communicating over multiple wireless protocols. While details and samples were thin, all of the activity was plausible enough, and researchers have continued to discover firmware attacks (albeit less advanced than the BadBIOS claims) ever since.

On May 25, 2021, “diego033″ posted on exploit[.]in seeking suppliers of various forms of network accesses, including Citrix, RDP, VPN, and bots”

New UEFI bootkit used to backdoor Windows devices since 2012

“Interestingly, we traced the roots of this threat back to at least 2012, previously operating as a bootkit for systems with legacy BIOSes.”

Federal cyber agencies call zero trust ‘new normal’ of security, partnering to implement

“Not just for externally-facing traffic, but really taking the concept of untrusted networks as seriously as possible and encrypting traffic within federal environments, by only addressing things like encrypted DNS and the like.”

SonicWall Issues Patches for a New Critical Flaw in SMA 100 Series Devices

“Tracked as CVE-2021-20034, the arbitrary file deletion flaw is rated 9.1 out of a maximum of 10 on the CVSS scoring system”

How Your Printer Is Like Swiss Cheese

“Follow these best practices to avoid the security holes created by these often-overlooked, but ubiquitous, devices.”

A security expert’s guide to the top-exploited vulnerabilities

“The biggest and baddest ransomware groups love an easy vulnerability.”

Everyone Gets a Rootkit – Eclypsium

In a connected, digitally transformed age, the term “no good deed goes unpunished” could perhaps be rephrased as ”no good feature goes unexploited”. The protocol called Advanced Configuration and Power Interface (ACPI) was introduced In the early 2000s when it became apparent that the energy consumption of billions of rapidly proliferating computing devices was a significant and increasing drain on national and regional energy supplies. ACPI was designed to efficiently manage energy consumption in PCs, along with several additional well-meaning use cases. As laptop usage and portable computing became universal demands, ACPI became a de-facto standard for nearly all systems. With the advent of Windows 8 the protocol evolved to include an object called the Windows Platform Binary Table (WPBT) and has since been included in every single Windows OS shipped since 2012. In June 2021, Eclypsium researchers discovered significant flaws in WPBT. These flaws make every Windows system vulnerable to easily-crafted attacks that install fraudulent vendor-specific tables. These tables can be exploited by attackers with direct physical access, with remote access, or through manufacturer supply chains. More importantly, these motherboard-level flaws can obviate initiatives like Secured-core because of the ubiquitous usage of ACPI and WPBT. Security professionals need to identify, verify and fortify the firmware used in their Windows systems.