2022 managed to kick off with a bang. Under pressure from the United States, the Russian FSB detained 14 people tied to the REvil ransomware operation, seizing $600,000 of computer equipment and 20 luxury cars. This was a remarkable collaborative effort to shore up cyber relations between the two countries as tensions mount along the Ukraine / Russia border.
This otherwise positive development, however, has been subsequently shadowed via alerts coming out of CISA, requesting critical infrastructure to prepare for destructive wiper attacks on US critical infrastructure. This, after (likely) Russian attackers leveraged Ghostwriter wiper malware and content-management supply chain attacks on the Ukrainian government and critical infrastructure, and after hacktivists in Belarus disabled the transportation rail system as a form of leverage in pressuring the government to both release prisoners and prevent Russian troop movements en-route to the Ukraine border. This, as part of a larger campaign called “Scorching Heat” carried out by the BCP (Belarus Cyber Partisans). Interestingly, the wiper malware used is a repurposed version of WhiteBlackCrypt, which was used in 2019 alongside bomb threats to pressure a Russian oligarch into repaying funds he stole from a Russian crypto exchange. The common theme? Actors using destructive wiper malware (and threat of physical harm) to achieve their motives, and wiper malware being used as much for a ‘cause’ as it is for ‘profit’, in motive.
Zooming out, it would appear as though there is much more focus by both attackers and defenders on attacks that have destruction as their primary motive. Last month, we learned of the iloBleed implant that was allegedly used to wipe servers. In the context of destructive attacks, firmware level attacks can pose the greatest risk to an organization, given that the impacts associated with firmware attacks can result in indefinite downtime. Even if the primary OS has been backed up properly, and even if there are spare hard-drives on the shelf, there is little recourse when a device is bricked at the motherboard level. We’ve written about this extensively even in the context of ransomware actors that have begun looking for vulnerabilities in the UEFI of a device, which would allow them to then brick that device as a form of leverage. The UEFI, however, isn’t the only firmware element that can be targeted for such attacks. This month CISA added eight additional known-exploited vulnerabilities to their ever-growing catalog, and one of them is an Intel Active Management Technology (AMT) remote privilege escalation vulnerability that could be used by an attacker to disable a device.
One of the requirements for an attacker to exploit vulnerabilities at the firmware level is often having admin/root access at the primary OS level. While this is readily achievable on any given Sunday by skilled red teamers and attackers alike, it doesn’t help that there’s been a Linux bug present over the last 10 years that reliably allows any attacker to gain root level access on a device. Adding insult to injury, this bug was discovered, written about, and even submitted as early as 2013, calling into question the merits and assumptions of OSS’s implied security through peer-review. Of course, Microsoft is no exception here, and it also had two critical privilege escalation vulnerabilities in this month’s patch on Tuesday, one of which targets Kerberos, again.
When it comes to destructive firmware attack scenarios, it is important to realize that when we read about TTP’s being used for purposes of espionage and persistence, those very same firmware vulnerabilities can be used to also brick a device at the motherboard level, too. That applies to the recent spate of UEFI threats like FinSpy, ESPecter, SlingShot (post exploitation framework tool), ilobleed, and MoonBounce, as well as to established (and freely available) threats like Vector-EDK, LoJax, and TrickBoot.
It isn’t just traditional enterprise/IT devices that are exposed to device-bricking attacks, however. In similar fashion, many of the same vulnerabilities being exploited in VPN devices to gain access, could also be leveraged to disrupt or destroy such devices, causing significant impact to partners and remote workers. Whether it’s a new exploit for the same vulnerability that CISA says is being actively exploited in the wild, or a quarter of a million devices with exploitable UPnP vulnerabilities, or whether it is a list of some 20 odd network devices that can all be readily exploited via open-source tools like this popping up every day; network devices are not immune to destructive attacks.
The reality is that most organizations haven’t yet sized up their device-level attack surface in order to gauge the potential impact to operations, safety, or revenue. As a result, these risks don’t adequately get recorded on the risk register for consideration and budgeting…until they do. And that, sadly, usually happens after an organization has endured a destructive attack.
OEM’s, too, are being more and more proactive in patching firmware in order to reduce the risk of such attacks. Whether it’s Supermicro or Pulse Secure patching for Trickboot vulnerabilities, or it’s pushing out over 150,000 firmware updates in a day, vendors are doing their best to slow the tide. Vendors like Mikrotik and others continue to fight an uphill battle after the source code for the infamous BotengaGo botnet has been made public.
CISA Adds Eight Known Exploited Vulnerabilities to Catalog
“CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”
- 277,000 routers exposed to Eternal Silence attacks via UPnP
- Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
- MoonBounce: the dark side of UEFI firmware
- Wiper in Ukraine Used Code Repurposed From WhiteBlackCrypt Ransomware
- FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware
- Microsoft: Data-wiping malware disguised as ransomware targets Ukraine again
- CISA urges US orgs to prepare for data-wiping cyberattacks
- 2022.01.20/APT41 – MoonBounce: the dark side of UEFI firmware. 2 samples are available, the UEFI and the trojan dropper
- Take Your QNAP NAS Offline! DeadBolt Ransomware Locks Devices via Alleged Zero-Day Flaw
- What We Know and Don’t Know about the Cyberattacks Against Ukraine – (updated)
- Attackers now actively targeting critical SonicWall RCE bug
- BotenaGo strikes again – malware source code uploaded to GitHub
- Kentucky hospital reports network outage, care delays amid cyberattack
- DHS says U.S. on “heightened alert” for Russian cyberattack
- Manually Exploiting CVE 2017–5689 (recently added to CISA’s Actively Exploited Vulns)
US OMB Releases Zero Trust Strategy for Federal Agencies
“The Office of Management and Budget on Wednesday released a federal strategy to move the U.S. government toward mature zero trust architectures.”
- 11th Gen Intel Core Processor Security White Paper
- UK government security center, i100 publish NMAP scripts for vulnerability scanning
- What enterprises should learn from Merck’s $1.4 billion insurance lawsuit
Juniper Networks Releases Security Updates for Multiple Products
“Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.”
- Juniper Networks Releases Security Updates for Multiple Products | CISA
- Cisco Releases Security Updates for Multiple Products | CISA
- LVFS Activity Going Wild Ahead Of New Security Disclosure Requiring Firmware Update
- Alert (TA14-353A) Targeted Destructive Malware
- Two Dozen UEFI Vulnerabilities Impact Millions of Devices From Major Vendors
Looking At The New “Critical” Security Firmware Update Hitting Systems – Delivers New Intel Microcode
“Earlier this week the Linux Vendor Firmware Service began surging with activity following many new system firmware files being uploaded for what appears to be a ‘high severity upcoming security issue’ but currently undisclosed.”
- New Intel Microcode
- Inside a PBX – Discovering a Firmware Backdoor
- Most Reliable PC Hardware of 2021
- The S3CUREC4M Project: Vulnerability Research in Modern IP Video Surveillance Technologies
- Identifying Malware By Sniffing Its EM Signature
- A Pick and Place machine from Alibaba market loaded with malware
Binary Ninja > 3.0 The Next Chapter
“We’re excited to announce Binary Ninja 3.0 is live today! In fact, this release is so chock full of good stuff that five of the top nine all-time most up-voted features are shipping in this release!”
- RKVST SBOM HUB
- RootMy.TV 2.0
- You Suck at Cybersecurity
- In The Wild – Community Discovery of ITW Exploits of Vulns
- NIST 800-53 Control Mappings
- NCC NMAP Scripts for vuln detection
- Japan CERT YARA Rules APT release
- ZBug Alert A service for alertings of high-impact and 0day vulnerabilities
- Insomni’hack is a security conference and hacking contest
- Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats
- Reducing the Significant Risk of Known Exploited Vulnerabilities
- Bootkit Samples Repo
- Network Device Exploits “Kek”
Last week’s revelation of the MoonBounce UEFI implant in the wild continues an ongoing trend of attacks on firmware (see a few recent examples like iLOBleed in HPE servers, Meris botnet in Mikrotik routers and the FinPSy UEFI bookit in Windows systems… the list grows continually.) Firmware security is complicated by multiple unique implementations and obscure hardware configuration details. Worse yet, vulnerabilities below the operating system (VBOS, as CISA calls them) are increasingly common and invisible to most security tools. This presents an attack surface that undermines normal defenses and keeps organizations from being alerted to the threat until it’s far too late.
Over the past two years, firmware threats have gone from being the secret weapons of nation-state threat actors to everyday, commoditized threats used in some of the most widespread malware, ransomware, and attack campaigns in the world. Yet, many organizations are still in the earliest phases of building out their firmware security strategy, which can leave a gap for attackers.
And while implementing a strategy can take time, there are some highly tactical and practical steps that all organizations can and should be taking today. As a case in point, organizations should ensure that their IR and recovery teams have the tools to check the firmware integrity of any device directly impacted by malware or other threat.