July 2021 Firmware Threat Report
July came in hot. Really hot. Not more than a few hundred miles from our Portland, OR headquarters, the Bootleg fire continues to burn as the nation’s largest wildfire and the 3rd largest in Oregon’s history. Panning out, there’s an equally massive firestorm of threat actors exploiting device firmware. Chinese state-sponsored actors and ransomware both took center stage, as did a nightmare of critical vulnerabilities in Microsoft products indicative of their SSDLC challenges of late.
Halfway through the year, it is apparent that Chinese and Russian state-sponsored actors, as well as criminal actors, are nearly all targeting the same critical vulnerabilities in externally facing devices. At a minimum, these include three CVE’s which CISA reports are actively being targeted by Russian SVR and Chinese APT40 actors:
CVE-2020-5902 (F5 Bip-IP)
CVE-2019-19781 (Citrix ADC)
CVE-2019-11510 (Pulse Secure VPN)
The recent attacks against Microsoft Exchange Servers have been attributed to Chinese APT31 and APT40 groups. APT31 also leverages SOHO routers to hide C2 traffic, taking a tip from Russian SVR state actors and criminal actors like the TrickBot group that continue to rely on MikroTik routers for their infrastructure.
Speaking of TrickBot, they are back in full force. Having fully adapted and recruited new talent, they are targeting a new array of victims at a blistering cadence and deploying CobaltStrike, among other new tricks. Criminal actors targeting these VPN devices exploit them and then create or steal VPN creds that later get sold to RaaS and state actors alike.
Hacking these devices isn’t just for nation-states and crime gangs. This curious pair of hackers decided to poke around at their own Aruba devices and ended up finding an abundance of CVE’s, several of which, when chained, yielded full remote code execution. It is a testament to just how many critical software flaws this class of devices has and how readily they can be exploited. After all, if two curious hackers can do it, imagine what nation-states and crime groups can (and do) do.
Speaking of poking around, one of our own Eclypsium researchers has been hard at work enumerating a particular device class exposed to the Internet that is commonly attacked. The initial results pretty much tell the whole story of why attackers target them. In one case, half of the devices exposed to the Internet are running 3+-year-old firmware that is End of Service (EoL) and vulnerable, and up to 95% of the devices have at least one critical vulnerability. Expect to read more about this in a future research blog we’ll be eager to publish.
Perhaps this is why we needed an Executive Order to address such fundamental flaws in the critical software and supply chains that power our infrastructure. What software could be more critical than the device operating systems and firmware running on them? Ironically, that’s the reason these devices never get updated; they are so critical no one wants to bring them down long enough to do an update: precisely what our adversaries have learned to rely on as their primary strategy of late. In the context of defining what “critical software” is in the Executive Order, firmware is critical by every criterion the order lays out and essential in the creation, execution, and operation of the “Zero Trust architectures” the order draws upon as a framework.
Eclypsium customers will be happy to know that the often-attacked and outrageously vulnerable devices we’ve highlighted above are covered in our platform capability. Everything from VPN devices to Routers and even Accellion FTA devices whose recent attack campaign is still underway. If it’s a critical device, our mission is to ensure you can defend it!
We look forward to seeing you virtually or in-person at the Black Hat and DEF CON conferences in Las Vegas next month, where both Mickey and Jesse will be presenting the “rest of the story” on the incredible BIOSDisconnect set of vulnerabilities they have discovered! In the meantime, you can catch @transhackersim on the PSW show discussing this and more, or, get his hot-take on this month’s report.