Recently the DHS, FBI, and the UK’s NCSC took the very unusual step of issuing a joint alert to warn of Russian state-sponsored attacks against network infrastructure such as routers, switches, firewalls, and IPS devices. The alert revealed that the campaign is widespread, targeting both government and private sector networks, and even SOHO devices. This was followed up by information about the VPNFilter malware that compromised hundreds of thousands of network equipment and network-attached storage devices. This disclosure has tremendous implications for cybersecurity going forward that many may not fully appreciate.
We have already seen both proof-of-concept and in-the-wild demonstrations of attacks targeting system firmware such as SMM rootkits, device firmware replacement, and even usurping firmware-based features for malware. As part of our ongoing security research efforts, we recently reviewed various Supermicro systems and discovered serious firmware vulnerabilities. Such issues affect many models and have persisted for many years, which could be problematic since these systems are commonly used as data center servers. As other researchers have shown, Supermicro is not alone. Security vulnerabilities in firmware continue to be discovered regularly. Unfortunately, malicious activity at the firmware and hardware level is invisible to most detection and response mechanisms in use today, leaving many critical systems exposed to attacks that target this area.
Eclypsium researchers have discovered a new application of speculative execution attacks, bypassing hardware-based memory protections.
We have discovered a new application of speculative execution attacks, bypassing hardware-based memory protections. Vulnerabilities affecting speculative execution of modern processor architectures were first discovered in 2017 by Jann Horn of Google Project Zero and other security researchers. This class of vulnerabilities allows local unprivileged attackers to expose the contents of protected memory by exploiting the microarchitectural capabilities of modern out-of-order CPUs such as caching, instruction pipeline or speculative execution. We expanded on this method to gain access to the highly privileged System Management Mode (SMM) memory.
Eclypsium researchers are speaking and training at Black Hat USA 2018.
Eclypsium researchers have been accepted to speak about Remotely Attacking System Firmware at Black Hat USA! We will be presenting novel research into the remote attack surface of modern UEFI-based systems. We are also partnering with Intel to offer training in firmware security for the enterprise.
We are excited to present our work and will be publishing additional research soon. Stay tuned…
Today, we are proud to announce a new approach to enterprise security that protects the firmware and hardware at the heart of our devices. For everything from laptops to servers to network devices, we find the areas where you are vulnerable and actively defend against attacks in the firmware. This is specifically the area where the most innovative attackers have been focusing recently, and until today, where defenders have lagged behind. This is an incredibly exciting time for the industry, and I would like to thank our investors Andreessen Horowitz, Intel Capital, Ubiquity Ventures, and our individual investors for believing in Eclypsium. In the next few paragraphs I’ll try to quickly explain what is driving us on this journey.
Hardware and firmware-level attacks that live below the level of the operating system are a glaring blind spot that is reshaping enterprise security. For the entire history of modern information security, the battle has largely been waged from the operating system up. Antivirus software and malware continuously battle for control of the host OS, and when an infection is suspected, the common response is to simply reimage the machine. This approach is blind to vulnerabilities in firmware or hardware, which live below the level of the OS, and it fails at both protection against and remediation of an actual attack.
The main motherboard, network cards, management controllers, storage devices and dozens of other components at the heart of our devices all rely on firmware developed by different manufacturers and can be compromised. This is true for any type of device and OS, ranging from laptops to the servers that run our applications in the enterprise, to the network appliances that operate our network infrastructure, to industrial systems that operate our critical infrastructure. It is a large attack surface, and devices can be backdoored in the supply chain before you ever pull them out of the box.
Most organizations don’t have the in-house expertise to find vulnerabilities or firmware backdoors and implants. Worse still, most firmware is rarely updated and upgrades are often manual and tricky procedures. So if an attacker can compromise the firmware on the device, he is often beyond the reach of traditional security. He often will have fundamental control over the device and its data while remaining invisible and persistent enough to survive even a complete OS reinstall. The recent DHS alert of state-sponsored attacks targeting enterprise network infrastructure shows that these threats have become mainstream and are an immediate issue for all enterprises.
And that is the point – these attacks are all about persistence. Unlike the countless variants of evolving malware, infrastructure-level attacks are about persistence of an advanced attack. They are more rare by nature than commodity malware, but they are likewise far more valuable to an attacker and costly to an organization.
This problem has been the central focus of my research from my days leading the Advanced Threat Research team at Intel to founding CHIPSEC, and has culminated in our work here at Eclypsium. We have built a new layer of security that defends an organization’s firmware and infrastructure and protects them from backdoors and implants. We detect devices that have vulnerable hardware or firmware, detect and isolate devices with implanted firmware, and protect your critical hardware from compromise or physical damage by an attack. We apply this approach in the enterprise, in data centers, and within the hardware supply chain itself.
We are currently engaged in product testing with select organizations. Our focus at the moment is ensuring these initial deployments are successful and continuing to learn from additional real-world deployments. Over the coming weeks and months, we will be ramping up our ability to support more organizations, and will be sharing more details about the product. Please reach out to us if you would like to learn more, and we hope you will join us on this journey.