February 2021 Firmware Threat Report
A short month, but one packed with developments in cybersecurity! The Sunburst supply chain campaign continues to unfold with significant revelations, including one by Microsoft, who discovered the attackers viewed and exfiltration key portions of source code related to Azure, Exchange and Intune products. Notably, components related to Identity, Security and Service were successfully stolen. It is estimated that it took over 1000 code authors to pull off the Sunburst campaign. In response to these attacks, President Biden remarked during a recent address that the U.S. “will not hesitate to raise the cost on Russia” for the Kremlin’s aggressive behavior, including cyber-attacks.” Meanwhile, newly appointed Deputy National Security Advisor, Anne Neuberger noted that “many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions”. Stand by for the The U.S. House of Representatives’ Oversight and Homeland Security Committees holding a joint hearing on the 26th.
Eclypsium have authored two new Sunburst-related blogs covering both the need for independent validation and baselining of device hardware, firmware and software in the supply chain, as well as significant and timely IR recommendations to organizations responding to the attack.
Sunburst wasn’t the only supply chain attack story in the news this month. Additional reporting from Bloomberg covering three overall hardware/firmware supply chain attacks originating from Chinese suppliers was revealed. Of note to us was that two of the three firmware attacks were conducted remotely, dispelling notions that firmware attacks are largely confined to local attacks. While there has been controversy surrounding the evidence supporting the reported incidents, and a well-articulated reply from the vendor mentioned, one thing is for certain: firmware level vulnerabilities and related attacks are here and now, and being employed by APT, FIN and criminal actors alike.
Detecting these types of threats is fast becoming an imperative for many organizations ranging from hospitals to water treatment plants. This is because firmware sits at the nexus of device trust, integrity, and the cyber-physical (kinetic) impact dynamic central to clinical risk and community safety. It is also where attackers are moving in order to evade, persist, and adapt to defenses. Perhaps this is the reason for the rise of the CPSO?
Finally, if you enjoy crypto puzzles, then US Cyber Command’s Valentine’s Day Challenge won’t disappoint!
THREATS IN THE WILD
- Researchers identify 223 vulnerabilities used in recent ransomware attacks
- Sonicwall 0day exploited in the Wild
- NATOs Mission-Critical Space Capabilities under Threat: Cybersecurity Gaps in the Military Space Asset Supply Chain
- Sandworm intrusion set campaign targeting Centreon systems (same actor behind Industroyer that targeted firmware update process)
- Microsoft says SolarWinds hackers downloaded some Azure, Exchange, and Intune source code
- Supply Chain Security in the Shadow of Centreon and Solarigate
- What Did NSA Do to Help Prevent Supply Chain Attacks?
- CISA Announces Extension of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force | CISA
- The World Is Dangerously Dependent on Taiwan for Semiconductors
- Apple Offers Closer Look at Its Platform Security Technologies, Features
- White House Says 100 Private Sector Orgs Hit in SolarWinds Campaign
- Solarwinds Hacks Perpetrated from Inside US Whitehouse Says
- The Long Hack: How China Exploited a U.S. Tech Supplier
- Fortinet fixes critical vulnerabilities in SSL VPN and web firewall
- CISA | Zero-Day Vulnerability in SonicWall SMA 100 Series Version 10.x Products
- Intel® Server Boards, Server Systems and Compute Modules Advisory
- Improper initialization in the firmware for the Intel(R) Ethernet I210 Controller
- CISCO Warns Small Business VPN Router Users Prone to Remote Root Attacks
- Security vulnerabilities in some Intel® Graphics Drivers
- Cisco SD-WAN Software Privilege Escalation Vulnerability (updated)
- Sudo Privilege Escalation Vulnerability Affecting Cisco Products (updated)
- Cisco Security Advisory: Cisco Small Business RV Series Routers Management Interface Remote Command Execution and Denial of Service Vulnerabilities
- Critical Cisco Flaws Open VPN Routers Up to RCE Attacks
- Intel Squashes High-Severity Graphics Driver Flaws
- CVE-2020-24581 D-Link DSL-2888A Remote Command Execution
- Major Vulnerabilities Discovered in Realtek RTL8195A Wi-Fi Module
- Open Source Firmware status on AMD platforms 2021
- Large Scale Firmware Analysis For Open Source Components, Hard Coding and Weak Passwords
- ManiMed: Hamilton Medical AG – HAMILTON-T1 Ventilator Vulnerabilities
- New type of supply-chain attack hit Apple, Microsoft and 33 other companies
- International Security and Estonia 2021 Report
- Detection and Prevention of Hostile Network Traffic Flow Appropriation and Validation of Firmware Updates
- Server platforms: experiment with your expensive hardware too!” – Jeremy Kerr (LCA 2021 Online)
- A Practical Approach To Attacking IoT Embedded Designs
- Qualcomm IPQ40xx: An Unexpected Cup of TEE
- Fuzzing Hardware Like Software
- Using TensorFlow / machine learning for automated RF side-channel attack classification
TOOLS AND TRAINING
- NIST SPECIAL PUBLICATION 1800-33A for 5G Cybersecurity
- Six Pillars of Cyber-security: Embracing Digital Transformation – Episode 36 | Intel
- Water Sector Cybersecurity Risk Management Guidance (including firmware)
- Mystikos: tools to run apps in a hardware trusted execution environment (TEE)
Join Dr. Saif Abed BSc MBBS MPhil MSc, UK NHS’s CISO, Joint Cyber Chair Shaun van Niekerk, Erik Decker, Chief Security and Privacy Officer for the University of Chicago Medicine and Eclypsium’s Principal Strategist Scott Scheferman in a lively, frank and deeply insightful discussion on what the biggest threats to patient and hospital safety are for 2021, and what is being done to get ahead of them. They unpack what makes 2021 a markedly more volatile threat landscape, and how hospitals can measure and triage risks in the form of medical device vulnerabilities, supply chain threats, and ransomware. They also discuss what the impact potential is for the very latest developments in the firmware threat landscape, specifically in the context of critical medical device workflow examples.