May Firmware Threat Report

Subscribe to Eclypsium’s Threat Report

It’s About Time!

On the heels of RSA comes this month’s Below the Surface Threat Report. Our theme this month is “Time”. In the context of cyber warfare, cyber criminal attacks, and long-running espionage campaigns, it is time that serves as the ultimate advantage (or disadvantage) over an adversary. Both sides of the struggle are in a race. The blue team races to thwart the attacker’s objectives and their potential impacts to the mission, safety, uptime or revenue. The adversary on the other hand, has a bear on their back: eternally working to outpace the blue team’s next generation security stack; one that has become integrated, automated, and expanded via XDR. One that is better and faster at detecting and then interrupting an active attack. Both sides are in a race, and this race plays out across more than just the notional kill chain activities, but also in the realms of research, development, cooperation, software, firmware and hardware vulnerabilities, and in the human domains of endurance, focus, distraction, determination and persistence. Yet, how do we actively identify, baseline, and measure metrics related to time? With our playbooks? With our patching cadence for CISA’s KEVs or our CD (Coordinated Disclosure) timelines? It’s about how fast we can develop solutions vs. how fast cyber criminals develop malware, tooling, infrastructure and novel evasions.

One of the greatest myths in cyber security is that the adversary is more “sophisticated” or “advanced” than we are. They aren’t. They are simply quicker than our defenses. So it’s remarkable how little we focus on time itself, while the adversary continues to simply outpace us, instead of outsmarting us.

Real-World Examples

Why does the Iranian-backed Phosphorus group leverage spear-phishing to ascertain or influence the geo-location of targets they want kid-napped? Because it is the fastest way to organize that campaign and funnel on-the-ground resources to their targets. Put another way, it’s the quickest way to manifest kinetic/physical world objectives.

Why has the Conti core group of developers focused on low-level tactics to target the UEFI via BIOS write-enable vulnerabilities, or via the all-too-common and vulnerable Intel ME pathway? Because they know they can buy back precious time, and persist longer, by dipping underneath the entire rest of the security stack above. The adversary can out-pace, but they can ‘buy back’ time, too.

Why are newly-disclosed vulnerabilities targeted within hours of being disclosed? Why are there entire infrastructures already stood up to take advantage of these disclosures the moment they surface? Because both criminals and APTs know that the time advantage they have over blue team’s ability to assess, mitigate or patch is eternally in their favor, and that defenders are fixated more on efficacy and observables (of detection/blocking, etc.) than they are on speed and anticipation, respectively.

Why are attackers likely to take advantage of a new vulnerability in coreboot that allows for arbitrary code execution in SMM (System Management Mode)? Perhaps because researchers (ours, in fact) unveiled similar issues in 2017, including SMM not coming with write-protection enabled, giving attackers the greatest time advantage possible once exploited for persistence.

Why do adversaries leverage diversion, DDoS, and other tactics that lend to the ‘fog of war’ during an intrusion, or just prior to exfiltration? Obviously to divert resources but also to degrade confidence in the ability to make decisions quickly as a defender. Those delayed decisions buy back time. One of the greatest DFIR lessons during WannaCry, in both IT and OT environments alike, was that defenders did not have the tooling needed to identify devices, know who owned them, what their function/criticality was, whether they were vulnerable, etc. In essence, the device-level problem space was not captured by the victim orgs, and therefore both the automated worming elements as well as the hands-on keyboard activities of the threat actors (in certain target environments) were able to outpace defenders’ ability to identify, contain and eradicate the threat.

Look no further than PRC-backed hacking activity over the last two and half years as outlined in this CISA advisory. In it, we learn that these state actors are leveraging RouterSploit and RouterScan [T1595.002] to exploit no less than eight RCE (Remote Code Execution) vulnerabilities on six device manufacturers, four authentication bypass vulnerabilities on four vendors’ devices, as well as privilege escalation, injection and XML-related vulnerabilities on a total of ten popular manufacturers’ devices. 

VendorCVEVulnerability Type
CiscoCVE-2018-0171Remote Code Execution
CVE-2019-15271RCE
CVE-2019-1652RCE
CitrixCVE-2019-19781RCE
DrayTekCVE-2020-8515RCE
D-LinkCVE-2019-16920RCE
FortinetCVE-2018-13382Authentication Bypass
MikroTikCVE-2018-14847Authentication Bypass
NetgearCVE-2017-6862RCE
PulseCVE-2019-11510Authentication Bypass
CVE-2021-22893RCE
QNAPCVE-2019-7192Privilege Elevation
CVE-2019-7193Remote Inject
CVE-2019-7194XML Routing Detour Attack
CVE-2019-7195XML Routing Detour Attack
ZyxelCVE-2020-29583Authentication Bypass

Top network device CVEs exploited by PRC state-sponsored cyber actors via CISA

This in turn allows them to quickly gain access to credentials inside the organization via classic RADIUS and other AAA (Authentication, Authorization, and Accounting) services, and from there, double back to attack an even larger set of devices in order to configure them to do network boundary bridging [T1599], mirror [T1020.001], and exfiltrate traffic out of the victim environment. If this sounds like the same kind of network penetration testing we used to do in the late 90’s and early 2000’s…that’s because it is. Why? Because it is still the most efficient and quickest way to get into an organization, and get data out of it. Why does quickness matter? Because this set of APTs knows that device-level integrity monitoring, log-monitoring, and configuration management moves at a slower pace than what is needed to achieve attacker objectives. It’s not that organizations aren’t doing those things, it’s that they don’t have the tooling, resources, or discipline to continuously improve the cadence at which they monitor these controls. Yet, when many read the CISA advisory above, they may not be giving enough credence to statements like this, mentioned in the first two recommended mitigations:

  1. Keep systems and products updated and patched as soon as possible after patches are released [D3-SU] . Consider leveraging a centralized patch management system to automate and expedite the process.
  2. Immediately remove or isolate suspected compromised devices from the network. 

And while the subsequent twelve mitigations are of paramount importance, try giving them a read and simply appending “as fast as possible” to the end of each. Indeed “Sooner is better than perfect” applies to every one of them. How might you baseline, in time-based metrics, your organization’s ability to execute each of them, such that you can show that over time, your organization is getting faster at being able to do each? Focus on getting faster at making decisions that matter in time enough to matter, ahead of those impacts that stand to cause your organization the greatest harm.

As you read through the stories, advisories, and research below, take a moment to reflect on not whether your organization is prepared for them, but rather, how quickly those preparations, mitigations, patches, playbooks, and device management are being carried out.

If a picture is worth a thousand words, this video might be worth a million. In just sixty seconds, an attacker goes from the results of a simple SHODAN scan, to exploiting an RCE on an Internet-facing VPN appliance, and gaining root and a reverse shell from a Windows host on the internal network.

Threats in the Wild

Conti Targets Critical Firmware

“In late February of this year, an unknown individual began leaking internal information and communications from the notorious Conti ransomware organization. These leaks appear to confirm the long-suspected connections between Conti and the Russian FSB, and provide key insight into the development of new threats and techniques. Notably, these leaked chats exposed a new front in the ongoing evolution of firmware-based attacks. In addition to classical attacks that target UEFI/BIOS directly, attackers are now targeting the Intel Management Engine (ME) or Intel Converged Security Management Engine (CSME)” – Eclypsium Research

Read More >

Industry News

2022 Data Breach Investigations Report

“82% of breaches involved the Human Element, including Social Attacks, Errors and Misuse. 13% increase in Ransomware breaches—more than in the last 5 years combined. 62% of incidents in the System Intrusion pattern involved threat actors compromising.”

Read More >

Security Advisories

Weak Security Controls and Practices Routinely Exploited for Initial Access

“Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access. During recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.”

Read More >

Security Research

A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys

“Hertzbleed attack targets power-conservation feature found on virtually all modern CPUs.”

Read More >

Tools and Education

Known Exploited Vulnerabilities Catalog

“Although not bound by BOD 22-01, every organization, including those in state, local, tribal, and territorial (SLTT) governments and private industry can significantly strengthen their security and resilience posture by prioritizing the remediation of the vulnerabilities listed in the KEV catalog as well. CISA strongly recommends all stakeholders include a requirement to immediately address KEV catalog vulnerabilities as part of their vulnerability management plan.”

Read More >

Executive Summary: Conti Opens A New Front In The Fight For Firmware

Recently leaked communications from within the notorious Conti ransomware group have exposed a new strategy to exploit firmware and gain complete control over a system. Unlike previous threats that directly target weaknesses in UEFI/BIOS, attackers are now attempting to go through a figurative side door by exploiting weaknesses in the Intel Management Engine, a critical part of the chipset with direct access to the same chip housing the code that boots a computer. To add fuel to the fire, many organizations do not update the chipset firmware with the same regularity that they do for other software. As a result, this shift to targeting out-of-date chipset firmware is a major development in the evolution of firmware threats that greatly expands the number of devices that are susceptible to a firmware attack.

Read The Executive Summary Here >

Read the Full Conti Research Report Here >