THREAT REPORTS

July 2020 Firmware Threat Report

Eclypsium Threat Report July 2020 Firmware

There has been a spate of attacks targeting firmware and hardware recently — from ransomware targeting bootloaders, to hackers exploiting the F5 networking equipment vulnerability, to warnings that APT29 is exploiting Citrix and VPN vulnerabilities to go after Covid-19 vaccine research. In fact, by our tally, 40 of the 170 DHS CISA alerts issued so far this year involve device security at the firmware and hardware level.  

In this issue of Below the Surface, we round up the recent attacks and the latest research and advisories on vulnerabilities, show how you can detect and mitigate these threats, and share tips on device security, including a new white paper that looks at how to apply Zero Trust principles to device integrity. 

Detecting Ransomware and Other Threats from Malicious Bootloaders
ESET researchers have recently identified a new ransomware technique being used in the wild in which attackers replace the victim’s legitimate bootloader with a malicious version. The malicious bootloader prevents the compromised computer from completing the boot process at which point the attacker demands payment to recover the device.

This style of threat underscores both the critical importance of Secure Boot as well as the damaging power of vulnerable or malicious bootloaders. The integrity of the boot process is one of the most critical aspects of security for any device. In general, the earlier code is loaded, the more privileged it is because it has the potential to alter the code that is run after it. For example, if the boot process is compromised, attackers can gain control over the operating system and subvert all higher-layer security controls on the device. Learn how to defend against threats to the boot process in this blog post > 

F5 BIG IP Remote Code Execution Exploit 
A critical vulnerability (CVE-2020-5902) was recently patched in F5 BIG IP products. The vulnerability scored a whopping 10.0 on the CVSSv3 scoring calculator. The vulnerability allows, among other things, for unauthenticated users to execute arbitrary system commands over the network possibly resulting in a complete device compromise. Only a few days passed before exploitation attempts were detected in the wild by companies such as Tenable and Qualys, which is not a big surprise with proof of concept exploit code becoming quickly available on GitHub.

Screwed Drivers Open ATMs to Attack
Eclypsium research reveals how Windows drivers used in Diebold ATM, POS and other devices allow arbitrary access to I/O ports, allowing attackers to target data to and from PCI-connected devices. Vulnerable and malicious drivers are a serious issue for a large percentage of Windows-based devices, as we detailed in our two earlier research reports, Screwed Drivers and Mother of All Drivers. Our latest update to this line of research looks at how the problem of poorly designed drivers applies to devices in highly regulated environments such as ATMs and point-of-sale (POS) devices, and can expose them to jackpotting and other attacks.  Read research report>

The CISO Perspective – Ripple20
Steve Mancini – CISO, Eclypsium
The Ripple20 vulnerability disclosure serves as one of those infrequent but impactful cautionary tales spanning several domains of risk for a CISO. If you haven’t reviewed the really well-documented disclosure by JSOF with your teams, I would encourage you to do so. The disclosure involves nineteen(19) vulnerabilities spanning numerous vendors who all leveraged a third-party TCP/IP software library.  The CVSS scores for these vulnerabilities included several critical ratings which for most organizations requires immediate attention and mitigation. The coordinated disclosure required engagement with several CERT authorities and an extensive list of impacted vendors.

This disclosure reinforces several challenges faced by a CISO:

  • The third-party library is incorporated into the firmware of numerous vendors of OT and IOT devices spanning numerous industries; so if it does not affect you immediately, it could easily impact your vendors or your supply network chain.
  • Third-party libraries in firmware images can be modified for efficiency or performance reasons; they can be rebranded or white-labeled as part of their adoption. This can make vulnerability management that relies purely on hashes or expected probe/response functionality problematic. As a result, there are several scanners available via github trying to identify the presence of this issue.
  • Our firmware attack surface is at the mercy of our vendors. Vendor response has been active by some (22) and lacking by others. Many (70) identified vendors are still “pending” weeks after the disclosure. This immediately impacts most mature vulnerability management programs that commit to addressing critical issues quickly.

Even if Ripple20 doesn’t immediately impact you, it serves as an excellent real-world example of the challenges that can quickly arise with a disclosure of this nature and can serve as an excellent foundation for a future war game or risk assessment.  

Researcher Perspective – CISCO Vulnerabilities
This month featured a wide variety of vulnerabilities in Cisco network devices, with CVSS scores of up to 9.8. Affected products include SD-WAN vEdge and RV series routers, as well as devices running on the IOS XE operating system. CVE-2020-3323, one of the critical vulnerabilities disclosed this month, impacts RV110W, RV130, RV130W, and RV215W router models, and allows an attacker to execute arbitrary code with root privileges by exploiting the lack of proper input validation in the web management interface for these devices.

Cisco disclosed that outdated versions of IOS XE utilized a vulnerable telnet server (telnetd) that can be exploited to gain arbitrary code execution. This vulnerability is especially dangerous, as a public exploit against the telnet servers has been available since late February 2020, giving malicious actors plenty of time to begin weaponization. More information about this vulnerability, including indicators of compromise (IoCs), can be found on the Cisco advisory page

Device Integrity and the Zero Trust Framework
The recent shift to a remote work environment has created new challenges for many businesses and government institutions, with profound impacts on organizational security models. Suddenly, many users are no longer protected by the many layers of security found on-premise in the corporate network. Instead, security policies must evolve to support a new reality where users are remote by default and massive amounts of untrusted, inbound connections are the norm. Incorporating security concepts like Zero Trust can be a critical part of securing these remote work environments, which often include a mix of corporate laptops, BYOD devices, and home networking gear. 

Bug Icon

THREATS IN THE WILD

INDUSTRY NEWS 

SECURITY ADVISORIES

SECURITY RESEARCH

TOOLS

ADDITIONAL READING & LISTENING

UPCOMING 

HACKER SUMMER CAMP
Join us for Hacker Summer Camp with Security Weekly. John Loucaides will discuss the spate of recent attacks on firmware and hardware, how to protect enterprise devices and the latest research from Eclypsium on the Enterprise Security Weekly podcast on Wednesday, August 5 at 4PM ET / 1PM PT.