May 2021 Firmware Threat Report
Sometimes it takes a thunderstorm before seeing positive outcomes and real change: Cyber May Flowers, if you will.
The SolarWinds and related supply chain attacks put our government through the crucible of painful incident response and restoration efforts. The events also became a watershed moment, one in which cyber risk to national security fully materialized. In response to this broader supply chain threat, President Biden signed a complex and broad Executive Order that was 18 pages long and included over 70 actionable directives. In a sense, this EO not only helps protect the supply chain but directly leverages its dynamics to improve software security across the board. It will require developers that sell to the USG to create an SBOM (software bill of materials) for all critical software. This, in turn, raises the tide even for companies that do not sell directly to the USG, because their downstream customers who do will need to account for their upstream providers via SBOM-level provenance/verification.
For Eclypsium’s part, we were glad to see that the five criteria listed as what shall define ‘critical software’ are a 1:1 mapping to firmware overall. After all, firmware is simply software that is stored differently (on hardware versus on disk). It is critical to the entire rest of the stack above as a dependency and hugely impactful to every aspect of computing when attacked. It is the root of trust, and it operates at the highest level of privilege. Therefore, we expect that calls for SBOM-level verification will extend to FBOM (firmware bill of materials).
Another positive development is the fantastic work CISA has been doing to quantify, analyze, and expose the risk that BtOS (Below the Operating System) threats pose to critical infrastructure and enterprises alike. They presented a pair of talks at this year’s RSA Conference that confirm firmware’s worst offender status regarding high-impact threats like those targeting the UEFI (Trickboot, MosaicRegressor, LoJax, VectorEDK, etc.).
Much has been written about the Colonial Pipeline attack. Still, the number one takeaway made evident to both threat actors and critical infrastructure organizations is that operations can be disrupted whether or not malware targets OT systems directly. Devices like the ones that form the fictional ‘air gap’ between IT and OT are themselves increasingly being targeted, with tremendous impact potential as a result. Indeed, both Darkside affiliates and UNC2447 have been targeting SonicWall CVEs to gain initial access into victim networks, and Cisco’s ASAs have been vulnerable to DoS attacks. Meanwhile, the NCSC updated the list of CVEs that Russia’s SVR is actively using, and it now includes five such critical device CVEs.
The best Cyber May Flower we saved for last. Eclypsium just announced new product functionality that directly addresses these kinds of device-level threats by allowing our customers to discover, analyze and assess the risk for both critical appliances and other ‘agentless’ types of connected devices. This functionality further expands our unique visibility into those devices, giving organizations the ability to register and manage down the associated risks. No more flying blind; it’s time to take back security control of these devices and get ahead of the attackers that continue to exploit them. Hats off to our customers who continue to make us better by requesting new capabilities and helping us blossom into one of the 15 hottest solutions at RSAC.