July 2020 Firmware Threat Report
There has been a spate of attacks targeting firmware and hardware recently — from ransomware targeting bootloaders, to hackers exploiting the F5 networking equipment vulnerability, to warnings that APT29 is exploiting Citrix and VPN vulnerabilities to go after Covid-19 vaccine research. In fact, by our tally, 40 of the 170 DHS CISA alerts issued so far this year involve device security at the firmware and hardware level.
In this issue of Below the Surface, we round up the recent attacks and the latest research and advisories on vulnerabilities, show how you can detect and mitigate these threats, and share tips on device security, including a new white paper that looks at how to apply Zero Trust principles to device integrity.
Detecting Ransomware and Other Threats from Malicious Bootloaders
ESET researchers have recently identified a new ransomware technique being used in the wild in which attackers replace the victim’s legitimate bootloader with a malicious version. The malicious bootloader prevents the compromised computer from completing the boot process at which point the attacker demands payment to recover the device.
This style of threat underscores both the critical importance of Secure Boot as well as the damaging power of vulnerable or malicious bootloaders. The integrity of the boot process is one of the most critical aspects of security for any device. In general, the earlier code is loaded, the more privileged it is because it has the potential to alter the code that is run after it. For example, if the boot process is compromised, attackers can gain control over the operating system and subvert all higher-layer security controls on the device. Learn how to defend against threats to the boot process in this blog post >
F5 BIG IP Remote Code Execution Exploit
A critical vulnerability (CVE-2020-5902) was recently patched in F5 BIG IP products. The vulnerability scored a whopping 10.0 on the CVSSv3 scoring calculator. The vulnerability allows, among other things, for unauthenticated users to execute arbitrary system commands over the network possibly resulting in a complete device compromise. Only a few days passed before exploitation attempts were detected in the wild by companies such as Tenable and Qualys, which is not a big surprise with proof of concept exploit code becoming quickly available on GitHub.
Screwed Drivers Open ATMs to Attack
Eclypsium research reveals how Windows drivers used in Diebold ATM, POS and other devices allow arbitrary access to I/O ports, allowing attackers to target data to and from PCI-connected devices. Vulnerable and malicious drivers are a serious issue for a large percentage of Windows-based devices, as we detailed in our two earlier research reports, Screwed Drivers and Mother of All Drivers. Our latest update to this line of research looks at how the problem of poorly designed drivers applies to devices in highly regulated environments such as ATMs and point-of-sale (POS) devices, and can expose them to jackpotting and other attacks. Read research report>
The CISO Perspective – Ripple20
Steve Mancini – CISO, Eclypsium
The Ripple20 vulnerability disclosure serves as one of those infrequent but impactful cautionary tales spanning several domains of risk for a CISO. If you haven’t reviewed the really well-documented disclosure by JSOF with your teams, I would encourage you to do so. The disclosure involves nineteen(19) vulnerabilities spanning numerous vendors who all leveraged a third-party TCP/IP software library. The CVSS scores for these vulnerabilities included several critical ratings which for most organizations requires immediate attention and mitigation. The coordinated disclosure required engagement with several CERT authorities and an extensive list of impacted vendors.
This disclosure reinforces several challenges faced by a CISO:
- The third-party library is incorporated into the firmware of numerous vendors of OT and IOT devices spanning numerous industries; so if it does not affect you immediately, it could easily impact your vendors or your supply network chain.
- Third-party libraries in firmware images can be modified for efficiency or performance reasons; they can be rebranded or white-labeled as part of their adoption. This can make vulnerability management that relies purely on hashes or expected probe/response functionality problematic. As a result, there are several scanners available via github trying to identify the presence of this issue.
- Our firmware attack surface is at the mercy of our vendors. Vendor response has been active by some (22) and lacking by others. Many (70) identified vendors are still “pending” weeks after the disclosure. This immediately impacts most mature vulnerability management programs that commit to addressing critical issues quickly.
Even if Ripple20 doesn’t immediately impact you, it serves as an excellent real-world example of the challenges that can quickly arise with a disclosure of this nature and can serve as an excellent foundation for a future war game or risk assessment.
Researcher Perspective – CISCO Vulnerabilities
This month featured a wide variety of vulnerabilities in Cisco network devices, with CVSS scores of up to 9.8. Affected products include SD-WAN vEdge and RV series routers, as well as devices running on the IOS XE operating system. CVE-2020-3323, one of the critical vulnerabilities disclosed this month, impacts RV110W, RV130, RV130W, and RV215W router models, and allows an attacker to execute arbitrary code with root privileges by exploiting the lack of proper input validation in the web management interface for these devices.
Cisco disclosed that outdated versions of IOS XE utilized a vulnerable telnet server (telnetd) that can be exploited to gain arbitrary code execution. This vulnerability is especially dangerous, as a public exploit against the telnet servers has been available since late February 2020, giving malicious actors plenty of time to begin weaponization. More information about this vulnerability, including indicators of compromise (IoCs), can be found on the Cisco advisory page
Device Integrity and the Zero Trust Framework
The recent shift to a remote work environment has created new challenges for many businesses and government institutions, with profound impacts on organizational security models. Suddenly, many users are no longer protected by the many layers of security found on-premise in the corporate network. Instead, security policies must evolve to support a new reality where users are remote by default and massive amounts of untrusted, inbound connections are the norm. Incorporating security concepts like Zero Trust can be a critical part of securing these remote work environments, which often include a mix of corporate laptops, BYOD devices, and home networking gear.
THREATS IN THE WILD
- ESET identified multiple malicious EFI bootloader samples in the wild.
- APT29 targets COVID-19 vaccine. Advisory. Article.
- New Mirai variant includes exploit for a flaw in Comtrend Routers
- Hacker leaks passwords for more than 500,000 servers, routers and IoT devices.
INDUSTRY NEWS
- FCC Designates Huawei and ZTE as National Security Threats
- NSA Guidance on Configuring IPsec Virtual Private Networks
SECURITY ADVISORIES
- Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update. 11 new vulnerabilities in Citrix network appliances
- Another Palo Alto Networks remote unauthenticated code execution vulnerability, this one found internally, rated 7.2
- ‘CallStranger’ vulnerability affects billions of UPNP devices
- Unpatched vulnerability identified in 79 Netgear router models
- Multiple Cisco UCS-Based Products UEFI Secure Boot Bypass Vulnerability
- Unpatched Wi-Fi Extender Opens Home Networks to Remote Control
- Monash Uni infosec staff find gaping security hole in Palo Alto Networks gear
- Multiple vulnerabilities found in V-SOL OLTs
- Mobile IoT modules vulnerable to FOTA updates backdooring at scale
- Four vulnerabilities found in MikroTik’s RouterOS
- CVE-2020-6616: Firmware Insider: Bluetooth Randomness is Mostly Random
SECURITY RESEARCH
- Data Sampling on MDS-resistant 10th Generation Intel Core (Ice Lake)
- The Fake Cisco: Hunting for backdoors in Counterfeit Cisco devices
- Meltdown can still be used to leak some specific kernel data and break Windows KASLR in the latest Windows versions
- TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs
- Bypass kernel lockdown/uefi secure boot on Ubuntu 18.04 using ACPI SSDT injection, in order to load unsigned kernel modules
- Appalling results of security study involving 127 home routers from seven brands
- Breaking the D-Link DIR3060 Firmware Encryption – Static analysis of the decryption routine. Part one Part two
- Netgear R6700v3 LAN RCE write-up and exploit: Github, article, video
- SSD Lil’ Bytes – Alexander Ermolov – Untrusted Roots: exploiting vulnerabilities in Intel ACMs
TOOLS
ADDITIONAL READING & LISTENING
- Apple Lightning and related technologies: Tristar, Hydra, HiFive, SDQ, IDBUS
- Explore the new system architecture of Apple Silicon Macs
- Reverse Engineering Firmware (in Mice): Analyzing the USB Controller’s Firmware, Decrypting the Optical Sensor Firmware, Streaming Video from the Mouse
- Privilege Escalation Explained – Why The Flaws Are So Valuable to Hackers
UPCOMING
HACKER SUMMER CAMP
Join us for Hacker Summer Camp with Security Weekly. John Loucaides will discuss the spate of recent attacks on firmware and hardware, how to protect enterprise devices and the latest research from Eclypsium on the Enterprise Security Weekly podcast on Wednesday, August 5 at 4PM ET / 1PM PT.