March 2021 Firmware Threat Report
Beware the Ides of March. On the heels of the ongoing SUNBURST supply chain campaign, several other impactful campaigns came into full light this month. While the Halfnium MS Exchange attacks dominated headlines, there were other equally disturbing supply chain revelations like the damaging Accellion FTA device extortion campaign. This was carried out by the Russian TA505 (aka ‘CLOP’ group), who set aside their own ransomware in favor of a much more direct technique: targeting the firmware of hundreds of devices to exfiltrate files and extort victims.
Never down for the count, the TrickBot group raised eyebrows with yet another massive campaign, with CISA releasing an alert making direct mention of TrickBot’s UEFI-targeting TrickBoot module. This alert coincided with an eye-opening report from Switzerland that ties the recent SolarWinds activity to a host of potential criminal actors, ranging from TrickBot, to EvilCorp, to TA505/CLOP. Shared infrastructure and tactics across these groups further illustrates the convergent trend between APT and criminal actor activity.
The initial #Boothole GRUB2 vulnerability has led to follow-on research, discovery of eight more CVE’s, and mitigations focused around new functionality that reduces the size of revocation lists via “Secure Boot Advanced Targeting” or SBAT. This is a new feature in the shim allowing for revocation of entire generations of grub that are found to be vulnerable as a group instead of each one individually. Organizations continue working hard to identify and patch these critical vulns that allow attackers to bypass Secure Boot on both Windows and Linux devices.
Actors targeting firmware abound in March, from Keksec leveraging Citrix Netscaler RCE’s to Fbot targeting transportation device firmware, to crypto-miners hitting storage devices, and researchers cracking into 150,000 security cameras. The hardware threat landscape is also developing, with working POC exploits for Spectre leaked in an exploit pack, along with researchers demonstrating a browser-memory Spectre-based POC. Bad guys can even launch side-channel attacks against Intel CPU’s while leveraging machine learning to de-noise traces and leak bits.
Last but not least, F5’s Big-IP devices are back in the news again with 21 new CVEs making them vulnerable to an exploit-chain resulting in full RCE (remote code execution) based on the latest CVE-2021-22986. Exploit attempts are already in the wild, so patch these device firmware vulns soonest. Nearly all of the Fortune 50 run F5 devices and so do governments and ISPs. RCE POC is here. Video demonstration here.
And March isn’t even over.