Forward to the Past

Eclypsium Threat Report, July 2022 (Firmware): Forward to the Past

See also our discussion of this report between Paul Asadoorian and Scott Scheferman.

DEF CON is celebrating its 30th anniversary this year in Las Vegas. For many of us, it is impossible not to be sentimental about this event and its significance in our lives, both personally and professionally. Whether in the talks that have been given or the countless hallway conversations, one thing is certain: DEF CON has always been a ground-truth source of research, education and inspiration, and this year’s DEF CON promises to be no different, especially when it comes to firmware security, and in particular bootkits and rootkits.

It was about a decade ago when the research community – including Eclypsium’s own founders and researchers – began to beat the drum about how threat actors could attack and reside at the firmware layer of a device, meaning that the operating system (Windows Vista, Windows 7, etc. back then!) could neither detect nor defend against them. The industry responded, in part, by creating Secure Boot which, as the name suggests, secured the boot process by preventing the loading of UEFI drivers or OS boot loaders that are not signed with an approved digital signature. This was part of the UEFI specification itself and was a heavy lift for hardware and firmware OEMs, including Microsoft, to implement.

It didn’t take long, however, for researchers (in this case our own founders!) to find ways to bypass it and, in so doing, highlight systemic and hard-to-fix challenges with the Secure Boot paradigm. This research resulted in a 2013 talk demonstrating a way to bypass Windows 8 Secure Boot and install a bootkit. Two years later our founders, alongside other researchers, spoke about vulnerabilities in the critical System Management Mode (SMM) and SMI handlers. Five years later, our founders presented research on how Windows features like Credential Guard and Windows 10 Virtualization Based Security (VBS) were bypassable, once again highlighting threat vectors at the foundational layer which Microsoft was then forced to address. Each side sharpened the other: researchers kept finding gaps, while Microsoft made incremental improvements to its OS to address foundational layers of trust and security. More recently this has taken the form of Secured-core PCs – which tie trust to the hardware itself – and an overarching Chip-to-Cloud initiative, both promising fundamentally better approaches to the hardware/firmware root-of-trust challenge. As Microsoft states in its Windows 11 documentation:

“In Windows 11, hardware and software work together to protect the operating system, with virtualization-based security (VBS) and Secure Boot built-in and enabled by default on new CPUs. Even if bad actors get in, they don’t get far. VBS uses hardware virtualization features to create and isolate a secure region of memory from the operating system. This isolated environment hosts multiple security solutions, greatly increasing protection from vulnerabilities in the operating system, and preventing the use of malicious exploits. In combination with device health attestation with cloud services Windows 11 is zero trust ready.”

In spite of the progress we have made together as an industry, we are still faced with fundamentally challenging problems centered around how the OS can trust the hardware and firmware below it, and how the firmware can be secured from threats coming from the OS. Fast forward to recent years and this becomes even more apparent. Whether it’s a rootkit that can be installed on every Windows device from the last 10 years (including Secured-core PCs), or an industry-wide vulnerability in GRUB2 that allows Secure Boot to be bypassed, the challenges persist, despite laudable efforts, once again, to address them.

While we are getting better through this cat-and-mouse game of researchers pushing OS vendors forward, time may be running out. Nowhere will this be more apparent than at this year’s DEF CON talk by Eclypsium researchers Jesse Michael and Mickey Shkatov. The title says it all: “One Bootloader to Load Them All”. In many ways, we are right back where we began: facing a fundamentally difficult challenge that we must solve together while mitigating the risk in the meantime.

Secure Boot and Secured-core PCs are not the only challenges when it comes to firmware. Intel’s microcode has been the subject of much discussion in recent years, and new tools are making it easier for researchers to explore the x86 architecture and find vulnerabilities before bad actors do, including this recent microcode decryptor, which some are already using to dive down the rabbit hole.

Finally, research is also pushing the industry forward when it comes to the all-important UEFI. Only three months ago a major OEM was discovered to have critical vulnerabilities in its firmware, allowing attackers to disable Secure Boot on millions of laptops. Now, researchers have discovered even more exploitable UEFI vulnerabilities affecting dozens of models, ones which would allow an attacker to run code pre-boot and disable critical OS security features.

Strong research is also underway to explore the soft underbelly of device firmware on VPNs, load balancers, firewalls and other externally-facing devices. In this area, the bad actors seem to be well ahead of both researchers and OEMs. Eclypsium’s Nate Warfield is looking to turn that tide, discovering the novel ways in which attackers can exploit and persist on such externally-facing devices, because that is exactly what they are doing. Despite CISA’s overt warnings to patch such devices, the operational challenges of patching, together with the remote-workforce paradigm shift, are making it incredibly difficult to do. At least that’s what Nate observed early in the research leading up to the talk he presented at the TROOPERS conference. Make no mistake, attacks against these devices are commonplace, and some of the worst APT actors are leveraging them as we speak, in part because the attack surface is massive. In fact, another of our researchers, Vlad Babkin, discovered over 12,000 readily-exploitable Juniper devices and another 3,400 that were highly likely to be vulnerable. So impactful was that analysis that we wrote a blog about it. Vulnerabilities are being discovered at a furious rate lately, by eager researchers and threat actors alike.

Speaking of attacks targeting firmware, industry awareness has never been higher. From recent surveys and reports, we learn that 80% of organizations have experienced a supply-chain attack and 83% have experienced a firmware attack. This indirectly mirrors Mandiant’s M-Trends report from Q1, which indicates that over half of all initial vectors into a successful breach were via either supply chain or exploitation, compared to only 20% attributed to spear phishing and credential theft combined. Quite simply, the threat landscape has shifted, and in some ways it feels as though we’ve regressed 25 years, as if we’ve gone forward into the past.

Despite all the evidence of active threat campaigns targeting the supply chain, a recent report by Tata reveals that not everyone has gotten the message. Among businesses with over $1B in revenue, decision makers ranked the supply chain only 9th among the likely targets for attack in their organization. The report’s first-page recommendations include making supply chain security a higher priority. Message received.

If we don’t get ahead of supply chain attacks, they will continue to pose a grave risk to our foundational services and critical infrastructure.

There are dozens of examples, but here’s one that hits home: a supplier and integration platform that processes hundreds of billions of text messages per year, with direct connections to hundreds of blue-chip telcos, was hit by a supply chain attack targeting its customers. What makes this interesting from a device firmware perspective is the extremely heterogeneous, complex and diverse environments involved in this type of infrastructure. These environments have evolved over the course of decades, with some of the most critical devices being the oldest and least-maintained. Mainframes, old firewalls, legacy VPN appliances, anything you can think of is in these environments, making them ripe targets for adversaries looking to persist indefinitely or disrupt the critical services they provide. Much like the Accellion FTA device supply chain attack carried out by TA505 in recent years, the vendor in question here provided a large-scale file transfer platform that served, effectively, the entire telco industry. Unfortunately we do not yet know the initial vector (IV) the attackers used. Why? Because the attack carried on for five years undetected, bringing home one of the most important aspects of these types of attacks: they are designed to be multi-year, indefinite campaigns.

APT41 (aka Winnti) has excelled in long-running campaigns targeting the supply chain, as well as in leveraging UEFI bootkits like MoonBounce.

In one instance they compromised Avast’s CCleaner product to attack specific high-value targets that were themselves supply chain targets in the automotive and other industries. In another, they compromised the gaming industry in order to distribute malware worldwide. And, speaking of telcos, APT41 is the same group of actors who, in March of 2019, compromised Asus’ software update process to infect over 1 million devices, specifically targeting systems in the telecommunications industry. A few years prior, they had similarly compromised a server-management tool (Xshell, an SSH client) that is used by hundreds of organizations around the world to manage critical operations. It’s no wonder, then, that the same adversary has taken the time to develop low-level UEFI attack tools like MoonBounce and, likely, MosaicRegressor (moderate-confidence attribution). Note that elements of these campaigns and their tooling go back years prior to their discovery. Portions of MoonBounce’s shellcode originate in 2013, and MosaicRegressor was a multi-year campaign which went undiscovered for years and incorporated leaked code from Hacking Team’s 2015 Vector-EDK UEFI implant. Quite simply, supply-chain attacks leveraging low-level TTPs like rootkits and UEFI implants have been around for years, and are only just now being discovered. To get a deeper understanding of PRC-backed hacking groups, their motives, sources of funding, and the ways they systematically target the supply chain both as a technical strategy (compromise one to access many) and to serve macro geopolitical and commercial espionage missions, look no further than this testimony given to Congress earlier this spring. Many of APT41’s actors have been hacking for decades, were recruited by the PLA as early as 2005, and leveraged low-level rootkits while hacking the Pentagon less than a year later.

Once again, we go forward to the past: low-level attacks have always been the most coveted, effective, and closely protected tradecraft of the adversaries who stand to do us the most harm. Likewise, supply chain risk, and in particular the realization and acknowledgement that the firmware of China-nexus devices can be updated by the vendor to introduce new features, capabilities or backdoors, has come to a head in boardroom and war-room discussions alike, even posing a potential threat to the nation’s nuclear weapons program.

Russian-backed actors are also adept at targeting supply chains, most recently in the context of the Russo-Ukrainian cyber war. What better way to target your cyber adversaries than to backdoor the DDoS application that activists around the world are using to target Russian military and infrastructure? And so it goes. So much so that we might even say such tactics are the new ‘meta’ in cybersecurity.

But there is good news here, too. A sea change in policy – requirements as well as both corporate and mission emphasis – is now being directed at shoring up the vulnerabilities associated with the supply chain. CISA just received over $200M for cybersecurity-related initiatives, and the TSA is making cybersecurity a primary focus for pipeline operators, requiring them to:

“Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.”

It’s a good thing, then, that Eclypsium just became the first and only supply chain security solution for enterprise hardware and firmware listed on CISA’s Continuous Diagnostics and Mitigation (CDM) Approved Products List (APL). In fact, prior to Eclypsium earning the CDM APL designation, no other technology solution provided visibility into the firmware and hardware foundations of devices or could thereby reduce supply chain risk. The tide has finally begun to turn.

In closing, let’s remember that just because we’ve repeated past mistakes, the future is not set. There is no fate but what we make for ourselves. We now have the tools, the anticipation, the awareness, and the fundamental desire to shift the balance of power in our favor. Let’s get moving!