Enter Through the Gift Shop: Door Controls, Phones & Rootkits

In modern computing, organizations are constantly barraged with new threats, risks, and vulnerabilities. Security staff are frequently in short supply and overworked, and priority and budget go to systems like client desktops, servers, networking equipment, and cloud deployments. Yet recent research shows that what is being protected isn't necessarily what is being attacked.

Attackers have instead moved their target and are looking elsewhere for entry paths into organizations. One such entry path is firmware: by Eclypsium's count, 27 of the 44 vulnerabilities actively exploited by ransomware groups are in firmware embedded by OEMs and manufacturers in network devices. In today's workplace, attackers have a wide array of methods to gain access: phishing, weak or reused credentials, a lack of two-factor authentication, compromises of the technology supply chain, unpatched servers and network equipment, and vulnerabilities in embedded systems like printers, phones, IoT devices, and even physical security systems.

The concealed path to access 

On June 9th, 2022, Trellix disclosed a series of vulnerabilities in access control panels used in the LenelS2 Business Access Control System. The affected controllers are manufactured by HID Mercury and are widely deployed across industry sectors, including corporate, education, healthcare and government, to provide card-based access to secure areas. Trellix researchers discovered a total of eight vulnerabilities, ranging from denial of service to remote code execution. An exploited denial-of-service vulnerability could allow an attacker to disable the access control system, making it impossible for legitimate users to enter buildings or secured locations inside a building. While disruptive, exploitation of the denial-of-service bugs would be fairly easy to detect, since the doors stop working, and a reboot of the affected controller is generally sufficient to restore service.

More troubling, however, is CVE-2022-31481, which could allow an unauthenticated attacker to execute commands remotely over the network and gain administrative access to the controller. Once the Trellix researchers had that access, they were able to deploy a program on the device that let them remotely lock and unlock doors and disable the system's monitoring, meaning that their actions would be invisible to a legitimate operator.

A malicious attacker with this level of privilege could now enter the facility and any secured areas at will, and prevent an administrator from noticing, for example, that a secured part of the building had been accessed late at night or over a weekend. This is a particularly topical concern for many organizations as their employees return to the office from the remote-by-default model that was standard during the COVID pandemic.

As any physical security specialist will tell you, once you have breached a building it is usually game over. Devices can be stolen, rogue hardware can be connected to the network for permanent remote access, and any number of other abuses become possible. But in this instance the attacker can go further, because equipment already sitting on employees' desks can be turned into a foothold on the network.

To add another layer of threat, on June 10th, 2022, SySS disclosed an undocumented vendor backdoor in the firmware of Mitel 6800/6900 series desk phones, which allows an attacker with physical access to the phone to enable a telnet server on the device by holding the * and # keys simultaneously during startup. The phone then comes up with a hard-coded static IP address, which may not be routable on the network in question. However, since the attacker would already be at an employee's desk, it would be trivial to discover the internal addressing scheme simply by plugging in a laptop and receiving an address from DHCP. The attacker could then use a few Linux commands over the telnet session to reconfigure the phone's address so that it is reachable on the local network and can reach the internet. From there, standard command-and-control access can be established.

While this scenario is involved and requires physical access, a similar scenario has already been observed in real-world attacks on Mitel devices. Notably, the attackers used anti-forensic techniques to hide their presence on the device. Furthermore, since desk phones cannot run endpoint agents such as EDR, this kind of attack is invisible to most advanced security tooling.

The expanded attack surface and broader implications 

But let's hypothesize further and consider what an attacker could do without ever physically entering the building. A geographically remote attacker may not be able to reach the building, or may simply not want to incur the risk. However, with remote access to the building access control system, the attacker could target the embedded Linux that the controller runs. Such administrative systems often live in dedicated network segments and frequently lag behind in patching, either because they are mission critical or because the risk has been accepted on the grounds that the system itself is not internet-facing.

However, the access control system could give the attacker a beachhead in the network, which could then be used as a pivot to breach other vulnerable systems in the organization. A common post-exploitation step is to install a backdoor or rootkit. In fact, Avast researchers have discovered a Linux kernel rootkit still under development, dubbed 'Syslogk', based on the open source rootkit Adore-Ng. Syslogk is designed for stealth: it loads in a way that avoids the risk of crashing the target, which would otherwise draw attention. It also responds to "magic packets", specially crafted packets that a remote attacker sends to the infected system to start or stop the user-mode payload, and it hides its network activity from standard system tools like netstat.
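The two device stories above share one detection idea that a practitioner can act on without an agent on the device: compare what a host admits to (the socket table that netstat and ss read from /proc/net/tcp) with what the rest of the network can see (an authorised port scan from another machine). A port that answers from outside but is missing from the host's own table is the signature of a rootkit hiding a socket; a port open on a device class that should never expose it, such as telnet on a desk phone, is caught by a per-class allow-list. The following is an added example and is not code from Eclypsium, Trellix, SySS or Avast; the /proc/net/tcp excerpt, the scan results, the addresses and the allow-list are all constructed for illustration.

```python
"""Cross-view check for hidden or unexpected TCP listeners.

Added example (not from the original post).  Two views of a host are compared:

  * the host's own view, parsed from /proc/net/tcp, the table that
    netstat and ss read;
  * an external view, the (address, port) pairs that an authorised scan
    from another machine found open.

All sample data in this file is constructed for the example.
"""
import socket
import struct

TCP_LISTEN = 0x0A  # state code for LISTEN in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return the set of (ip, port) pairs in LISTEN state.

    /proc/net/tcp stores addresses as hex in host byte order, so on
    little-endian hosts (x86, most ARM) 0100007F:0017 is 127.0.0.1:23.
    """
    listening = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], int(fields[3], 16)
        if state != TCP_LISTEN:
            continue
        hexip, hexport = local.split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(hexip, 16)))
        listening.add((ip, int(hexport, 16)))
    return listening


def read_host_view(path="/proc/net/tcp"):
    """Read the live table on a Linux host (not used by the sample run)."""
    with open(path) as fh:
        return parse_proc_net_tcp(fh.read())


def hidden_listeners(host_view, external_view):
    """Ports that answer from outside but are absent from the host's table.

    A wildcard listener (0.0.0.0:port) in the host view covers every
    address the scanner might have reached the host on.
    """
    hidden = set()
    for ip, port in external_view:
        if (ip, port) in host_view or ("0.0.0.0", port) in host_view:
            continue
        hidden.add((ip, port))
    return hidden


def unexpected_listeners(external_view, allowed_ports):
    """Open ports that fall outside the allow-list for a device class."""
    return {(ip, port) for ip, port in external_view if port not in allowed_ports}


# Constructed /proc/net/tcp excerpt from an access-control panel at 10.0.0.10:
# sshd on 22 and the panel's web UI on 443 are listed, plus one established
# HTTPS session.  Nothing is listed on 4444.
PANEL_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18741 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18902 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:01BB C0A80105:D7E2 01 00000000:00000000 00:00000000 00000000     0        0 19120 1 0000000000000000 20 4 30 10 -1
"""

# Constructed result of an external scan of the same panel: 4444/tcp answered.
PANEL_SCAN = {("10.0.0.10", 22), ("10.0.0.10", 443), ("10.0.0.10", 4444)}

# Constructed scan of a desk phone and an assumed allow-list for the phone
# class (SIP signalling and the phone's own HTTPS UI); telnet is not on it.
PHONE_SCAN = {("10.0.20.7", 5060), ("10.0.20.7", 443), ("10.0.20.7", 23)}
PHONE_ALLOWED_PORTS = {5060, 5061, 443}


def run_sample_checks():
    """Run both checks over the constructed data and return the findings."""
    panel_hidden = hidden_listeners(parse_proc_net_tcp(PANEL_PROC_NET_TCP), PANEL_SCAN)
    phone_unexpected = unexpected_listeners(PHONE_SCAN, PHONE_ALLOWED_PORTS)
    return panel_hidden, phone_unexpected


if __name__ == "__main__":
    panel_hidden, phone_unexpected = run_sample_checks()
    for ip, port in sorted(panel_hidden):
        print(f"{ip}:{port} answers externally but is not in the host's socket table")
    for ip, port in sorted(phone_unexpected):
        print(f"{ip}:{port} is open on a desk phone outside its allow-list")
```

The caveat is the one the Syslogk write-up implies: a kernel rootkit hooks the kernel, not netstat, so it can filter /proc/net/tcp too. The host's own view is therefore only as trustworthy as the kernel producing it; the external scan is the anchor, and the comparison is most useful when the host view is taken from a known-good kernel, an offline image, or a device class that exposes no shell at all, as with the phones.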

Look under the surface for hidden paths 

While some of the scenarios in this article are hypothetical, they are not beyond the realm of possibility. Adversaries are always searching for undefended areas they can use to gain an initial foothold and spread deeper into the target environment. We have already seen that firmware and integrated systems are popular targets. It is also important to note that vulnerabilities in these systems can open the door to tampering and compromise in the supply chain before a system is ever delivered to an organization. And, as the examples above show, hidden management features and insecure update mechanisms can give attackers a concealed path into a vulnerable system.

As a result, it is critical that organizations be able to proactively find problems across the full lifecycle of any piece of equipment. A firmware security platform gives organizations a highly automated approach that can surface problems across a wide range of device types and vendors, and let security teams find problems before attackers do. Furthermore, since attackers can compromise devices prior to delivery or can easily hide their presence on a compromised device, it is also important that security teams are able to verify the integrity of all firmware to ensure that it hasn’t already been compromised as part of an attack. Once again, this is an area where the unique capabilities of a firmware security platform are indispensable. By leveraging the industry’s largest library of firmware, largest database of firmware threats, and firmware behavioral monitoring, Eclypsium is able to identify known threats, unknown threats, or any unexpected changes at the firmware level.

To learn more, reach out to the team at [email protected].