Eclypsium explores the techniques of successful firmware attacks as they apply to stages of a kill chain in this new report designed to help you assess and defend enterprise devices from firmware and hardware threats.
Get an inside look at:
- Attacker motivations
- Key firmware components and their role in attacks
- Attack vectors against firmware
- The role firmware plays in persistent attack
- Real-world examples of firmware threats in the wild

INDUSTRY NEWS
- 63% of organizations surveyed face security breaches due to hardware vulnerabilities – Hardware-level breaches are one of the latest modes of attack by cybercriminals, according to a Forrester report released this month. The majority (63%) of organizations said they experienced at least one data breach in the past year due to a hardware security vulnerability. BIOS attacks can inflict massive damage, the report says, because such attacks are difficult to detect and even more difficult to remove, as malicious code can persist through reboots and attempts to reflash the firmware.
- New ransomware attacks target your NAS devices, backup storage – The number of ransomware strains targeting NAS and backup storage devices is growing, with users “unprepared” for the threat, researchers at Kaspersky say. In 2019 a range of new ransomware families have emerged with NAS-exploit capabilities. WannaCry remains the most popular form of ransomware with cybercriminals, followed by Phny and GandCrypt.
- Merck cyberattack’s $1.3 billion question: was it an act of war? In a world where a keyboard can cause more harm than a gunship, a legal dispute between the drug giant and its insurers could determine who pays for cyber damage. NotPetya’s impact on Merck on the day of the attack and for weeks afterward was devastating, crippling more than 30,000 laptop and desktop computers at the global drugmaker, as well as 7,500 servers. Bloomberg explores the lawsuit now underway that will determine whether Merck’s insurers will pay up. More broadly, as CISOs consider how to right-size their security spend, this throws into question how much reliance can be placed on cyberinsurance.
- NIST is seeking feedback on its recently released draft project description for Validating the Integrity of Servers and Client Devices. Organizations are encouraged to review the draft and provide feedback for possible incorporation into the project description before the public comment period closes on January 6, 2020.
- Hardware hacks: The next generation of cybercrime – Attackers have always gone, and always will go, for the low-hanging fruit. As additional layers of protection have been added to the operating system, attackers have begun to look for other, easier ways to disrupt operations. They bypass software and target hardware through the supply chain, insider threats, system updates, firmware updates and hardware errors.
- Russian police raid NGINX Moscow office – Earlier this month police raided the Moscow offices of NGINX, Inc., a subsidiary of F5 Networks and the company behind the internet’s most popular web server technology, seizing equipment and detaining employees for questioning. Ars Technica has an update, and a look at the potential impact on industry giants which depend on NGINX.

SECURITY RESEARCH
- Researchers use Intel SGX’s voltage-tuning function to breach chip security – Three different academic research teams separately found and reported to Intel a vulnerability in its Software Guard Extensions (SGX) security feature that could be abused by an attacker to inject malware and steal encryption keys. What is significant about this research is that the attack is achievable from software and can be readily weaponized by an adversary with privileged access to reach content that is not accessible by design. Intel urged customers to apply BIOS updates from system manufacturers to thwart this new class of attack techniques exploiting the voltage adjustment feature in several families of its microprocessors.
- Plundervolt: Software-based Fault Injection Attacks against Intel SGX – Researchers from the University of Birmingham’s School of Computer Science and Graz University of Technology were the first to alert Intel to these software-based fault injection attacks.
- Voltpwn – Researchers from Technische Universität Darmstadt and University of California demonstrated a deviation of control flow during enclave execution.
- TP-Link routers give cyberattackers an open door to business networks – Experts have found a firmware vulnerability in routers from the popular maker TP-Link that, if exploited, can give an attacker root access and replace the user as admin. First discovered by IBM X-Force Red’s Grzegorz Wypych, the bug affects TP-Link Archer C5 v4 routers. The risk is greatest for business networks, where routers such as this can be used to enable guest Wi-Fi and completely expose a victim’s device to an attacker.
- Major vulnerabilities found in popular wireless presentation system – F-Secure consultants have discovered multiple exploitable vulnerabilities in Barco’s ClickShare wireless presentation system. Attackers can use the flaws to intercept and manipulate information during presentations, steal passwords and other confidential information, and install backdoors and other malware. F-Secure’s post details a dozen CVEs and a patch from Barco; however, some fixes require hardware updates.
- Boffins ride the memory bus past Intel’s SGX to your data – Computer scientists from UC Berkeley, Texas A&M, and semiconductor biz SK Hynix have found a way to defeat secure enclave protections by observing memory requests from a CPU to off-chip DRAM through the memory bus. Paper: Membuster: An Off-Chip Attack on Hardware Enclaves via the Memory Bus.
- NVIDIA boot loader – Ryan Grachek discovered a vulnerability in NVIDIA Tegra in which the boot loader does not validate the fields of the boot image, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.
- BitLeaker: Subverting BitLocker with One Vulnerability – Microsoft Windows has used Trusted Platform Modules (TPM) to protect the Volume Master Key (VMK) of its disk encryption software, BitLocker. In this Black Hat Europe presentation, Seunghun Han and Jun-Hyeok Park of ETRI describe a sleep mode vulnerability in both types of TPM that can subvert BitLocker.
- Siemens PLC Feature Can Be Exploited for Evil – and for Good. Researchers at Ruhr University found a method to bypass firmware integrity checks in S7-1200 PLCs. They found that an attacker using the special access feature could bypass the bootloader’s firmware integrity check within a half-second window when the PLC starts up, and load malicious code to wrest control of the PLC’s processes.
- POC shows webpage dumping firmware – Chrome can let a site ask to talk to a USB device. In this POC, a web page asks to talk to your Logitech USB dongle and dumps the firmware from the device, including encryption keys. By default, Chrome asks the user whether to allow the site to talk to their USB device, so it is not a silent attack, but it is an interesting example of bridging the web and the firmware level.

SECURITY ADVISORIES
- HPE tells users to patch SSDs to prevent failure – HPE published a critical fix for an issue that causes SAS Solid State Drives (SSDs) with HPE firmware versions before HPD8 to fail after 32,768 hours of operation. This could be painful: drive failure and loss of valuable data. Details on fixing this critical issue are here.
- Intel NUC Firmware Advisory – Intel is releasing firmware updates to mitigate 5 high-severity vulnerabilities in NUC firmware that may allow escalation of privileges.
- Intel Processors Voltage Settings Modification Advisory – Intel has released firmware updates to system manufacturers to mitigate the high-severity “Plundervolt” and “Voltpwn” vulnerabilities described above.
- Intel Processor Graphics Advisory – A potential security vulnerability in Intel® Software Guard Extensions (SGX) enabled processors with Intel® Processor Graphics may allow information disclosure.
- VMware ESXi and Horizon DaaS updates address OpenSLP remote code execution vulnerability – VMware just patched the ESXi remote vulnerability that 360Vulcan used to win the VM escape entry at @TianfuCup 2019. It received a CVSS rating of 9.8.

ADDITIONAL READING & LISTENING
- Eclypsium’s Rick Altherr talks firmware security, mentoring, and vintage Mustangs on this podcast.
- Learn about UEFI firmware security enhancements in Mac computers.
- Software-based Side-Channel Attacks and Defenses in Restricted Environments – PhD Thesis by Michael Schwarz
- A Deep Dive Into Samsung’s TrustZone (Part 1)
- Should Intel Delete Firmware for Older Motherboards?

TOOLS
- The ScreamerM2 is a DMA attack platform in a very convenient form factor. It’s affordable, stable and supported by PCILeech.
- Intel STORM team releases Randpoline support for LLVM
- HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation
- Disabling PCI busmastering on bridges during boot

FIRMWARE SECURITY TRAINING
Looking to build your knowledge and skills in firmware attack prevention and detection? Eclypsium researchers Mickey Shkatov, Jesse Michael and Rick Altherr will lead hands-on training classes in 2020 at CanSecWest in Vancouver, BC in March, and again at RingZer0’s InfoSec Training in Las Vegas in August.
Class sizes are limited, and RingZer0 is offering a 25% discount for registrations before year end.

Practical Firmware Implants
In recent years, as firmware-based attacks have become more and more frequent, there is a growing need to understand the motivation, capabilities and complexities of such attacks. How do they work? How hard is it to create an implant? What are the attacker’s considerations and thoughts when creating firmware implants?
This is a two-day crash course in UEFI development for security practitioners, in which we will spend most of our time working hands-on to understand how system firmware works, basic development and coding, firmware implantation strategies, attack and defense tactics, and more.
At CanSecWest
March 16-17, 2020
Vancouver, BC
At RingZer0
August 1-2, 2020
Las Vegas, NV

Finding Firmware Implants
Firmware implants have been gaining momentum as an attack vector, especially for Advanced Persistent Threats. How do you detect them? What are they capable of? How can you capture them for further study and remove them from a device?
This two-day firmware forensics and incident response course will dive into the tools and techniques used to extract system firmware from a system, unpack the contents, and analyze them for signs of tampering. Hardware root-of-trust systems such as Intel Boot Guard will be explained along with techniques used to subvert them.
At CanSecWest
March 14-15, 2020
Vancouver, BC
At RingZer0
August 3-4, 2020
Las Vegas, NV