August 2020 Firmware Threat Report
This month the NSA and FBI warned that Russian GRU operators are deploying Drovorub, a Linux rootkit, and the FBI reported that an Iranian hacking group is attacking F5 networking devices. APT41 attacks continue to target networking gear. An Atlantic Council report on software supply chain incidents noted that almost 20% of such attacks targeted firmware. Meanwhile, researchers at Eclypsium disclosed BootHole, a serious vulnerability in the Secure Boot chain that has proved challenging for many organizations to mitigate.
Securing The Enterprise From Drovorub and BootHole
The NSA and the FBI recently reported that the Russian GRU is deploying Drovorub, a rootkit that infects Linux systems. Would you be able to detect something like this if your organization were targeted? Drovorub relies on an unsigned kernel module, so enforcing UEFI Secure Boot (which blocks unsigned modules from loading) is an essential preventative mitigation, but the BootHole vulnerability lets an attacker bypass Secure Boot and leaves systems exposed. Learn how Eclypsium can help you assess and protect your devices from this vulnerability, and detect advanced persistent threats such as Drovorub.
Mitigating Risk From APT41 Attacks Against Networking and Enterprise Infrastructure
This year a widespread series of attack campaigns attributed to the Chinese hacking group APT41 has targeted a variety of enterprise technologies including Cisco routers, Citrix Application Delivery Controllers, and Zoho IT Management. These attacks target high-impact components of an enterprise’s infrastructure that could cause significant damage if compromised, and yet are easily overlooked by overburdened security teams.
There’s A Hole In The Boot
On July 29th, Eclypsium researchers disclosed a vulnerability in the GRUB2 bootloader that opens up Windows and Linux devices using Secure Boot to attack. The majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment used in industrial, healthcare, financial and other industries. For the inside story on how our researchers found this vulnerability, and what it took for the industry to fix it, sign up for our webinar “Exploring the BootHole Vulnerability” on September 1st.
Since the disclosure, more than a dozen organizations have issued security advisories, including the NSA, which warned that “Monitoring for changes to firmware, firmware configuration, and boot components is recommended due to the amount of time that may be required to perform effective testing before all mitigations can be applied to all endpoints.” Eclypsium can assist with this monitoring, and with the complex, multi-step process involved in mitigating the BootHole vulnerability. The following resources are available to assist you:
- Updated BootHole vulnerability blog
- GitHub BootHole repository with open source scripts
- GitHub list of advisories
- Recorded webinar – Managing The Hole in Secure Boot
- Updating Secure Boot dbx with fwupd and the LVFS
- Contact us if you would like a consultation on assessing and mitigating this vulnerability.
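The NSA's recommendation above is to monitor firmware, firmware configuration and boot components for changes while the multi-step dbx and bootloader updates roll out. The following shell script is an added example of that monitoring, written for this report; it is not one of Eclypsium's GitHub scripts and not the NSA's. It assumes a Linux host with efivarfs mounted and the EFI System Partition at /boot/efi (both paths are adjustable), and reads the Secure Boot state from the standard SecureBoot variable under the EFI global variable GUID. The test data (a fake ESP and a fake efivar file) is constructed inline.

```shell
#!/bin/sh
# Added example: baseline the EFI System Partition and report Secure Boot state.
# Not Eclypsium's or the NSA's code. Assumed paths: /boot/efi for the ESP,
# efivarfs at /sys/firmware/efi/efivars.

EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state [EFIVAR_FILE]
# efivarfs exposes each variable as 4 bytes of attributes followed by the
# data; the SecureBoot variable's data is one byte (1 = enforcing).
# Prints enabled, disabled, or unknown (no efivarfs, or an unexpected value).
secure_boot_state() {
  var="${1:-/sys/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID}"
  if [ ! -r "$var" ]; then
    echo unknown
    return 0
  fi
  case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# boot_baseline ESP_DIR OUT_FILE
# Records a SHA-256 for every file on the ESP (shim, GRUB, grub.cfg, ...),
# sorted so that two baselines of the same tree compare byte-for-byte.
boot_baseline() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$2"
}

# boot_verify ESP_DIR BASELINE_FILE
# Re-hashes the ESP and diffs it against the baseline. Modified files,
# deleted files and newly added files all show up, because the listing is
# compared as a whole rather than checking only the files in the baseline.
# Returns 0 when nothing changed, 1 otherwise (the diff is printed).
boot_verify() {
  cur=$(mktemp)
  boot_baseline "$1" "$cur"
  if diff -u "$2" "$cur"; then
    rm -f "$cur"
    return 0
  fi
  rm -f "$cur"
  return 1
}

# boot_check ESP_DIR BASELINE_FILE
# One-shot report suitable for a cron job: Secure Boot state plus verification.
# Returns non-zero if Secure Boot is not enforcing or the ESP has changed.
boot_check() {
  state=$(secure_boot_state)
  echo "Secure Boot: $state"
  rc=0
  [ "$state" = enabled ] || rc=1
  if boot_verify "$1" "$2"; then
    echo "ESP contents match baseline $2"
  else
    echo "ESP contents DIFFER from baseline $2"
    rc=1
  fi
  return $rc
}

# Usage (run as root, once after the machine is known-good, then on a schedule):
#   . ./boot-monitor.sh
#   boot_baseline /boot/efi /var/lib/boot-baseline.sha256   # after patching
#   boot_check    /boot/efi /var/lib/boot-baseline.sha256   # recurring
```

Take the baseline immediately after applying the vendor's BootHole fixes and dbx update, since that is the state you want to preserve; any later change to shim, GRUB or grub.cfg outside a planned update is the signal the NSA advisory is asking you to watch for. The Secure Boot check is a sanity check only: with an unpatched bootloader it can report "enabled" and still be bypassable, which is exactly why the file-level monitoring is included.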
Managing PC Firmware Health For Enterprise IT Cost Reduction
TAG Cyber’s Dr. Edward Amoroso proposes that establishing a program to systematically manage the firmware health of PCs could lead to extended replacement intervals and meaningful cost reductions. In this white paper he observes that explicit, ongoing programs focused on device firmware health not only reduce cyber threats but also extend the useful life of deployed PCs, and he provides several examples.
THREATS IN THE WILD
- Russian Linux Hackers Threaten National Security Say FBI And NSA
- FBI says an Iranian hacking group is attacking F5 networking devices
- Hacker leaks passwords for 900+ enterprise VPN servers
- Chinese Hackers Have Pillaged Taiwan’s Semiconductor Industry
- Data-stealing, password-harvesting, backdoor-opening QNAP NAS malware cruises along at 62,000 infections
INDUSTRY NEWS
- Breaking Trust: Shades of Crisis Across An Insecure Software Supply Chain
- Lattice Targets Supply Chain Security With New Sentry And SupplyGuard Announcements
- If you own one of these 45 Netgear devices, replace it: Kit maker won’t patch vulnerable gear despite live proof-of-concept code
SECURITY ADVISORIES
- NSA / FBI: Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware
- NSA: Mitigate the Grub2 BootHole Vulnerability
- Cisco: GRUB2 Arbitrary Code Execution Vulnerability
- Ubuntu: USN-4432-2: GRUB2 regression
- Red Hat: System hangs after POST and the grub menu never loads after applying the RHSA-2020:3216 or RHSA-2020:3217
- FreeBSD grub-bhyve bootloader virtual machine escapes
- Vulnerability in Thales Product Could Expose Millions of IoT Devices to Attacks
- Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
- Follow the Data: A Hidden Directory Traversal Vulnerability in QNX Slinger
- Intel® Server Boards, Server Systems and Compute Modules Advisory
SECURITY RESEARCH
- Researchers Warn of High-Severity Dell PowerEdge Server Flaw
- Thunderspy attacks: What they are, who’s at greatest risk and how to stay safe
- Researcher Demos Hacking of 3D Printer Firmware That Can Trigger a Fire
- Researchers warn of an Achilles’ heel security flaw for Android phones
- ReVoLTE attack can decrypt 4G (LTE) calls to eavesdrop on conversations
- Attack Secure Boot of SEP
- Over-the-air hacking and persisting in BLE controller firmware
- Don’t be silly – it’s only a lightbulb
- Backdooring a smart camera by creating a malicious firmware upgrade
- Intel® Trust Domain Extensions (Intel® TDX)
BLACK HAT ROUND UP
- Spectra: Breaking Separation Between Wireless Chips – Jiska Classen and Francesco Gringoli
- Finding New Bluetooth Low Energy Exploits via Reverse Engineering Multiple Vendors’ Firmwares – Veronica Kovah
- Uncommon Sense: Detecting Exploits with Novel Hardware Performance Counters and ML Magic – Nick Gregory and Harini Kannan
- Industrial Protocol Gateways Under Analysis – Dr. Marco Balduzzi
- CloudLeak: DNN Model Extractions from Commercial MLaaS Platforms – Yier Jin, Honggang Yu and Tsung-Yi Ho
- Reversing the Root: Identifying the Exploited Vulnerability in 0-days Used In-The-Wild – Maddie Stone
DEFCON SAFE MODE ROUND UP
- Hacking the Supply Chain – The Ripple20 Vulnerabilities Haunt Hundreds of Millions of Critical Devices – Shlomi Oberman, Moshe Kol, & Ariel Schön
- A Hacker’s guide to reducing side-channel attack surfaces using deep-learning – Elie Bursztein
- Applied Ca$h Eviction through ATM Exploitation – Trey Keown & Brenda So
- Beyond Root: Custom Firmware for Embedded Mobile Chipsets – Christopher Wade
- Peer-to-peer takes on a whole new meaning when used to spy on 3.7 million or more cameras, other IoT gear – Paul Marrapese
- Bytes in Disguise – Eclypsium’s Mickey Shkatov and Jesse Michael
ADDITIONAL READING & LISTENING
- Hardware Security Is Hard: How Hardware Boundaries Define Platform Security
- Eclypsium’s John Loucaides discusses the BootHole Vulnerability on Enterprise Security Weekly
- Attacks on Implementations Course Book
- Dutch ISP Ziggo demonstrates how not to inform your customers about a security flaw
UPCOMING
- Webinar: Exploring the BootHole Vulnerability. Eclypsium’s Mickey Shkatov and Jesse Michael show you how the BootHole vulnerability works, share insights on the massive effort involved in addressing this vulnerability across the industry, and provide the latest advice on mitigating this threat.