2021 kicks off much as 2020 ended, with continued attacks on US Hospitals by the Trickbot /Ryuk actors now armed with TrickBoot’s UEFI targeting capability. Having netted over $150M in profit, the criminal group continues to work with affiliate actors like North Korea.
The Sunburst supply chain attack continues to play out against critical infrastructure, big tech, cybersecurity companies, and the US government. The actors employed highly evasive, unorthodox, and persistent tactics. However, these tactics are now largely burned by researchers and IR teams: Environments that were previously compromised are now instead contested. It is now a battle between defenders looking to hunt, contain, eradicate and restore, and threat actors needing to adapt, evade, and maintain persistence to protect their long-game. In this precise situation, attackers turn to firmware targeting, as closely-related threat actors did in recent years via the LoJax implant. Interestingly, both LoJax’s BIOS Write Enable vulnerability and the driver it uses to target the UEFI are the same ones that the Trickbot/Ryuk ransomware group is now using.
With firmware-level threats continuing to gain popularity in the wild, security teams need to understand how these threats work and the real-world risks they pose to an organization’s security. So we began the year by updating one of our most popular resources – the Top 5 Firmware Attack Vectors – to highlight the threats that need to be on your radar in 2021. No surprise, supply chain breaches, and UEFI implants are on the list…can you guess the other three? Speaking of Top 5 lists, be sure to read this piece on excuses we tell ourselves for not addressing firmware risk.
If you’ve read this far then you may be wondering how to gauge these latest firmware threats from an Enterprise Risk Management perspective. If so, you are in luck, as we’ve documented these considerations extensively, and also have a short checklist of questions to get you started. As always, the Eclypsium team is here to discuss how to address this rising risk, and of course, demonstrate our solution’s unique ability to meet these threats head-on.
THREATS IN THE WILD
- Attackers Steal E-Mails, Info from OpenWrt Firmware Developer Forum
- 2021 Threat Predictions Report
- Cybercriminals Ramp Up Exploits Against Serious Zyxel Flaw
- Citrix devices are being abused as DDoS attack vectors
- Another LILIN DVR 0-day being used to spread Mirai
INDUSTRY NEWS
- SonicWall Says Internal Systems Targeted by Hackers Exploiting Zero-Day Flaws
- 33 hardware and firmware vulnerabilities: A guide to the threats
- MS-ISAC Releases Cybersecurity Advisory on Zyxel Firewalls and AP Controllers | CISA
- CES 2021: Intel adds ransomware detection capabilities at the silicon level
- Zyxel hardcoded admin password found – patch now!
- Washington Sets IoT Cybersecurity Standards
SECURITY ADVISORIES
- SonicWall Secure Mobile Access (SM 100 Series CVE)
- Nvidia Warns Windows Gamers of High-Severity Graphics Driver Flaws
- Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerabilities
- Cisco SD-WAN Information Disclosure Vulnerability
- Cisco StarOS IPv4 Denial of Service Vulnerability
- Bleichenbacher’s attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library
- Out of bound issue in WLAN driver while processing vdev responses from firmware
- Multiple Vulnerabilities in dnsmasq DNS Forwarder Affecting Cisco Products
- Use of Hard-coded Cryptographic Key, and Cleartext Transmission of Sensitive Information vulnerabilities in Reolink camera devices using P2P
- Heap-based Buffer Overflow, Insufficient Verification of Data Authenticity, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Dnsmasq
- AMI MegaRAC SP-X BMC Vulnerability
SECURITY RESEARCH
- A Look At The CPU Security Mitigation Costs Three Years After Spectre/Meltdown – Phoronix
- Hunting the Haunter — Efficient Relational Symbolic Execution for Spectre with Haunted RelSE
- A Side Journey to Titan (The Google Titan Security Key FIDO U2F hardware device)
- Mobile Physical Memory Security
TOOLS AND TRAINING
- Advanced MicroControllers Firmware Exploitation
- Finding Software Bugs in Embedded Devices
- CET Updates – Dynamic Address Ranges
WEBINARS
While most organizations are accustomed to dealing with external threats such as malware, the technology supply chain itself has rapidly emerged as an important source of risk. In this live webinar, Eclypsium’s John Loucaides and Andrew Regenscheid from NIST will discuss:
- How the complex technology supply chain creates concentrations of risk
- Recent supply chain threats and their implications for enterprise risk management
- What a supply chain disaster scenario might look like
- What organizations can do today to begin verifying device integrity in the supply chain and throughout the lifecycle of their devices
- What’s coming down the road as part of the NIST project for “Validating the Integrity of Computing Devices.”
As firmware-level threats continue to gain popularity in the wild, security teams need to understand how these threats work and the real-world risks they pose to an organization’s security. In this recorded webinar, Eclypsium CEO Yuriy Bulygin and VP of R&D John Loucaides update you on the latest threats to firmware and hardware that need to be on your radar for 2021.
How do CISOs assess firmware security risks in the light of recent VPN, malware, and supply chain attacks? In this recorded panel discussion Malcolm Harkins – Chief Security and Trust Officer at Cymatic, Ed Amoroso – CEO of TAG Cyber and Eclypsium CISO Steve Mancini share their thoughts on why every CISO should be assessing their firmware security risk in 2021 and how to go about doing so.
