April 2020 Firmware Threat Report
A disciplined process of firmware updates is an essential element of good cybersecurity hygiene but can be challenging for many enterprises. With the help of industry experts, Eclypsium has developed a new white paper that provides IT and security leaders with insights into firmware update management and guidance on best practices. Read our new report – Enterprise Best Practices for Firmware Updates and join us for a live webinar on April 7th.
- There’s Now COVID-19 Malware That Will Wipe Your PC and Rewrite Your MBR — At least five malware variants have been identified. The most advanced, however, were two variants that rewrote the Master Boot Record (MBR). The first of the variants makes the system unusable by modifying the MBR. For details read the report from SonicWall. The second variant’s primary function was to steal passwords from an infected host and then mimic ransomware to mask its real purpose. Read more about this strain here.
- Rootkit in the Cloud: Hacker Group Breaches AWS Servers — Attackers used a rootkit to remotely gain access to AWS Windows and Linux servers allowing them the ability to retrieve sensitive corporate data. The article points out that it was “not an AWS problem per se. It represents a method of piggybacking C2 traffic on a legitimate traffic in a way that can bypass many, if not most, firewalls.” To read the full technical report, Cloud Snooper Attack Bypasses Firewall Security Measures, go here.
- HPE Warns Firmware Bug Will Brick Some SSDs Starting in October This Year — Hewlett Packard Enterprise (HPE) issued a security advisory warning customers about a bug in the firmware of some SAS SSDs (Serial-Attached SCSI solid-state drives) that will fail after reaching 40,000 hours of operation. To read the HPE advisory go here.
- A Mysterious Hacker Group is Eavesdropping on Corporate Email and FTP Traffic — Researchers detected two different threat actors, each exploiting a different zero-day vulnerability in DrayTek Vigor routers and VPN gateways typically deployed on enterprise networks. Read the report from DrayTek here. (CVE-2020-8515)
- Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign — “Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide.” APT41 is using firmware-based vulnerabilities in its campaign, which allows it to compromise Cisco routers via CVE-2019-1652.
- New Android Malware Strain Sneaks Cookies from Facebook — Kaspersky Lab researchers have linked Cookiethief malware with widespread Trojans including Sivu, Triada, and Ztorg. This type of malware, they say, is planted in the device firmware before it’s purchased. Attackers can also leverage vulnerabilities in the operating system to put the malware in system folders, where it can download different applications onto the system. This is how programs like Cookiethief and Youzicheng can land on a target device.
- FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS — FIN7 hackers are mailing USB drives via USPS to numerous businesses, where they target employees in human resources, IT, or executive management departments. These malicious USB devices sometimes include “gifts” like teddy bears or gift cards. The drives are configured to emulate keystrokes that launch a PowerShell command to retrieve malware from a server controlled by the attacker; the USB device then contacts domains or IP addresses in Russia.
- Hackers are Hijacking Routers to Push Malware-Laden Covid-19 Apps — Hackers have begun targeting home and small office routers with presumably weak passwords to change the DNS settings and redirect users to malicious websites masquerading as legitimate resources for Covid-19. Read more about the research from Bitdefender here.
- Rare BadUSB Attack Detected in the Wild Against US Hospitality Provider — A USB thumb drive (BadUSB) functions as a keyboard when connected to a computer, where it emulates keypresses to launch various automated attacks. “Once they plugged the BadUSB into a test workstation, the BadUSB triggered a series of automated keypresses that launched a PowerShell command. This PowerShell command downloaded a bulkier PowerShell script from an internet site and then installed malware on the test machine — a JScript-based bot.” Read the full report here.
- Zyxel Flaw Powers New Mirai IoT Botnet Strain — Named Mukashi, the botnet takes advantage of a vulnerability (CVE-2020-9054) in Zyxel NAS devices running firmware version 5.21 that allows remote attackers to execute code. According to researchers at Palo Alto Networks, “cyber criminals are actively attempting to exploit the attack in the wild.”
- Windows 10 Secured-Core PCs Can Block Driver-Abusing Malware — Secured-core PCs can defend against malware that leverages vulnerable kernel drivers in living-off-the-land attacks, as highlighted in the recent Screwed Drivers research by Eclypsium.
- Securing the stack – A 2020 Imperative — Steve Orrin, CTO at Intel Federal, provides guidance for government agencies protecting their data and systems from firmware hacks.
- Proof of Concept Released for kr00k Wi-Fi Vulnerability — kr00k has been estimated to have had an impact on well over 1 billion Wi-Fi capable devices, including some from Apple, Amazon, Google, Samsung and Xiaomi. Device owners are urged to be sure that their devices have been updated to the latest operating system and firmware releases.
- Update your Lenovo ThinkPad X1 Carbon BIOS or be prepared to wait 6 hours for a full charge — Six hours is a little long for a full charge, but there is an easy fix. Launch the included Lenovo Vantage software and run the system updates to download and install the latest Thunderbolt 3 and BIOS drivers for the laptop. After a system restart, recharging from empty to full capacity will take only about 1.5 hours. For the full take on the ThinkPad X1 Carbon, see the review here.
FIRMWARE SECURITY RESEARCH
- New AMD Side Channel Attacks Discovered, Impacts Zen Architecture — A new paper released by the Graz University of Technology details two new “Take A Way” attacks (Collide+Probe and Load+Reload) that can leak secret data from AMD processors by manipulating the L1D cache predictor.
- 5 years of Intel CPUs and Chipsets Have a Concerning Flaw That’s Unfixable — The vulnerability was discovered inside Intel’s Converged Security and Management Engine (CSME), a subsystem inside Intel CPUs and chipsets. The issue appears to be that protection against DMA access to internal CSME memory (internal CSME IOMMU) is not enabled early enough. Read the original report here.
- Are We Susceptible to Rowhammer? An End-to-End Methodology for Cloud Providers — This paper provides a methodology for cloud providers to determine if their servers are susceptible to Rowhammer attacks.
- Hardware-enforced Stack Protection in Windows 10 — The Windows kernel team describes hardware-enforced stack protection in Windows 10 based on Intel’s Control-flow Enforcement Technology (CET) Shadow Stack hardware capability to protect from ROP exploits.
- “We Present Load Value Injection (LVI)” — LVI turns previous data extraction attacks such as Meltdown, Foreshadow, ZombieLoad and RIDL around, and defeats all existing mitigations. In this post, learn how LVI works, and view the PoC attack code demonstrating LVI in synthetic enclave scenarios as part of the SGX-Step framework. The LVI vulnerability (CVE-2020-0551) is ranked as medium severity, and INTEL-SA-00334 provides additional information on it.
- A Mysterious Bug in the Firmware of Google’s Titan M Chip (CVE-2019-9465) — In the Titan M handling of cryptographic operations, there is a possible information disclosure due to an unusual root cause. This could lead to local information disclosure with no additional execution privileges needed.
FIRMWARE SECURITY ADVISORIES
- Millions of Routers Running OpenWRT Vulnerable to Attack — The Linux-based open source operating system is vulnerable via its package manager, which could allow attackers to compromise the embedded and networking devices running it. (CVE-2020-7982)
- High-Severity Flaws Plague Intel Graphics Drivers — Intel has issued security patches for six high-severity vulnerabilities in its Windows graphics drivers which, if exploited, could enable escalation of privilege, denial of service (DoS) and information disclosure.
- TRRespass (CVE-2020-10255) — Any Rowhammer or derivative attack, such as the new TRRespass technique, requires that an attacker be able to locally execute malicious code against the targeted system. The recommendation for IT teams is to follow good security practices, including keeping firmware up to date and gaining insight into your hardware and firmware attack surfaces.
- Critical Netgear Bug Impacts Flagship Nighthawk Router — Outdated firmware impacts many Nighthawk routers and other Netgear routers and modems. Netgear is urging customers to visit its online support page and search by device model for the most recent firmware to update and patch their devices.
- Google Releases Tool to Block USB Keystroke Injection Attacks — This tool for Linux systems measures the timing of incoming keystrokes and applies predefined heuristics to decide whether they are an injection attack, without involving the user.
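The timing heuristic described above, as an added illustration that is not Google's tool or code: a human rarely sustains gaps of only a few milliseconds between keystrokes, while a BadUSB device replays a scripted sequence at machine speed, so a long run of near-instant inter-arrival times is the signal. The 30 ms gap and 20-keystroke run length are assumed thresholds, and the event stream is constructed inline.

```python
"""Defender-side timing heuristic for USB keystroke injection."""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class KeyEvent:
    t: float   # arrival time in seconds
    key: str


def find_injection_burst(events: List[KeyEvent], max_gap: float = 0.030,
                         min_len: int = 20) -> Optional[Tuple[int, int]]:
    """Return (start, end) indices of the first run of at least `min_len`
    keystrokes in which every consecutive gap is <= max_gap, else None.
    Thresholds are assumptions chosen for this example, not measured values."""
    if len(events) < min_len:
        return None
    start = 0
    for i in range(1, len(events)):
        if events[i].t - events[i - 1].t > max_gap:
            if i - start >= min_len:          # run ended and was long enough
                return (start, i - 1)
            start = i                         # gap too long: start a new run
    if len(events) - start >= min_len:        # run that reaches end of stream
        return (start, len(events) - 1)
    return None


def make_stream() -> List[KeyEvent]:
    """Constructed sample: slow human typing, a pause, then a 40-character
    string arriving with a fixed 5 ms gap, as a keystroke-emulating device
    would deliver it."""
    rng = random.Random(7)
    events, t = [], 0.0
    for ch in "meeting notes for today":          # 23 human keystrokes
        t += rng.uniform(0.08, 0.25)
        events.append(KeyEvent(t, ch))
    t += 2.0
    for ch in "this-text-arrived-at-machine-speed-abcde":  # 40 injected keys
        t += 0.005
        events.append(KeyEvent(t, ch))
    return events


if __name__ == "__main__":
    burst = find_injection_burst(make_stream())
    print("injection burst at indices", burst)   # (23, 62)
```

A real monitor would read events from evdev in real time and, on detection, detach or ignore the offending input device; fast typists and keyboard macros are the obvious false-positive sources, which is why the run length matters as much as the gap.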
ADDITIONAL READING & LISTENING
- At RSA, Intel engineers presented on the topic of cyber resiliency including a deep dive on solution architecture for firmware resiliency.
- GE Global Research and NSA presented on trusted supply chain management for firmware at RSA Conference.
- How to Reduce Supply Chain Risk: Lessons from Efforts to Block Huawei — A lively discussion on supply chain and removing Huawei out of the supply chain. Is this a national security issue or a trade issue? Listen to the experts discuss the risks associated with Huawei and how to address building a trustworthy network with untrustworthy parts.
- Agencies Need to Patch Dedicated VPN Hardware Appliances Regularly — Dedicated VPN hardware is typically forgotten about and can contain firmware that is subject to security vulnerabilities. This article provides tips on how government agencies can enhance the protection of their VPN implementations.
- Partners Take On a Growing Threat to IT Security — Intel works with Microsoft and OEM partners to implement hardware-based capabilities that increase security for the business PC fleet.
Enterprise Best Practices for Firmware Updates — Does your organization have a disciplined process for firmware updates? It’s essential for device integrity, but a challenge for most companies. Learn the steps security and IT leaders can take to build a safe and reliable firmware update process in this webinar featuring Eclypsium’s VP R&D, John Loucaides, and CISO, Steve Mancini. April 7, 2020 at 10:00 A.M. PDT.
Detecting & Defeating Persistent Attacks — System firmware and dozens of other components that contain millions of lines of firmware are vulnerable to attacks whose capabilities persist and survive operating system reinstalls and even hard drive replacements. These attacks can go unnoticed by traditional security and can provide access to high-value targets at the highest level of privilege. Moreover, cleaning a system’s firmware means re-flashing it, an operation that is neither quick nor guaranteed. In this webinar, Eclypsium’s VP Product, Ron Talwalkar, and Principal Researcher, Jesse Michael, will discuss persistent attacks, the vulnerabilities and techniques that lead to them, and how the Eclypsium solution can help defend against these types of threats. April 16, 2020 at 10:00 A.M. PDT.
Anatomy of a Firmware Attack — Attacks against the hardware and firmware of a device stand as some of the highest impact threats facing modern organizations. With insight into the anatomy of firmware attacks and how they work, organizations can make informed decisions to better defend their data and assets. Listen to this recorded webinar with John Loucaides, VP R&D, and Ron Talwalkar, VP Product, as they discuss this critical topic.