MosaicRegressor
A scary Halloween it is! Researchers discovered a long-running campaign that has been leveraging a UEFI implant based on the Hacking Team code stolen and leaked in 2015, bringing renewed focus and concern to this class of powerful, evasive and persistent threats. Fear not: our researchers outline how to address MosaicRegressor and other UEFI implants, and our CEO Yuriy Bulygin and Principal Cyber Strategist Scott Scheferman deliver a webinar covering this discovery, its impact, and how to mitigate the associated risk.
Meanwhile, the NSA advises that attackers continue to leverage exposed and vulnerable firmware on VPN devices from various manufacturers, so much so that we’ve decided to blog about it.
If that’s not spooky enough, then look no further than this blog, outlining how to detect and mitigate recent Intel TPM (Trusted Platform Module) and Out-of-Band (OOB) Management component vulnerabilities.
An eerie advisory from CISA and the FBI alerts to Russian and Iranian actors lurking in government agencies and looking to influence US elections, respectively. Meanwhile, another CISA advisory covers how Chinese MSS actors constantly scan for and exploit recent CVEs in the vulnerable firmware of Internet-facing devices, within weeks of those CVEs being disclosed.
Finally, we have a hardware vulnerability in a two-year run of Apple Macs that is so bad it breaks Apple’s entire root of trust for the device, rendering security controls like FileVault2 and “Find My” features broken. Worse, it can’t be fixed and will haunt users of these devices for many Halloweens to come.
Protect Your Organization From MosaicRegressor And Other UEFI Implants
Researchers at Kaspersky recently disclosed a new UEFI implant being used in the wild, which they have dubbed MosaicRegressor. This type of implant has been used in targeted attacks as a way to maintain a persistent foothold in target organizations and evade most detection controls while delivering malicious payloads to compromised systems. We have confirmed that Eclypsium detects MosaicRegressor and similar threats even before they are publicly discovered or used in the wild, and without any signatures or associated IOCs. Read blog post >
Enterprise VPNs Need Securing as Attackers Capitalize on WFH Trend
In today’s New Normal, securing the remote workforce is paramount to nearly every vertical and organization. One of the ways attackers have capitalized on this trend is to attack the firmware of the same VPN devices and home routers that end-users rely upon for connectivity back to the enterprise. This blog details a list of related advisories from CISA, FBI, and US Cyber Command, and describes ways in which organizations should anticipate these attacks and how to mitigate them with tools like Eclypsium. Read blog post >
Detect and Mitigate Critical Intel Vulnerabilities (INTEL-SA-00241, INTEL-SA-00404)
Enterprise devices include a variety of components that are critical to the security posture of the device. Components used for out-of-band management and Trusted Platform Modules (TPM) used to protect cryptographic keys on the device are two such examples. Two recent Intel security advisories, INTEL-SA-00241 and INTEL-SA-00404, help us to understand the risk of these vulnerabilities as well as how to detect and mitigate them in a real-world environment. Read blog post >
Crouching Tiger, Hidden Danger: An unfixable hardware vulnerability in Apple T2 chip devices
Because this vulnerability breaks Apple’s root of trust for affected devices, the essential security controls meant to protect the data on those devices are also significantly weakened. Everything from Apple’s FileVault2 disk encryption to core operating system components is affected, as are the application-layer controls that normally make Apple devices an appropriate fit for a remote workforce, such as “Find My” features and remote wipe capabilities. It’s also important to point out that this vulnerability has existed since 2018, well before the current shift to working from home and the related travel restrictions. As such, business travelers could have been impacted over the last two years without ever knowing it, and devices mailed to unsuspecting victims can be the absolute shortest path for any adversary targeting today’s work-from-home workforce. An end-user generating or inputting MFA (Multi-Factor Authentication) tokens on an affected device might also be a “game-over.”
THREATS IN THE WILD
- CISA – Potential for China Cyber Response to Heightened U.S.–China Tensions
- CISA – (Revised) Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
- NSA – Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities
- CISA and FBI – Release Joint Advisories Regarding Russian and Iranian APT Actors
- CISA – Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets
- IoT Device Takeovers Surge 100 Percent in 2020
- QNAP warns of Windows Zerologon flaw affecting some NAS devices
- Cisco Investigating Report of Vulnerability Found in Counterfeit Switches
- New Ttint IoT botnet caught exploiting two zero-days in Tenda routers
INDUSTRY NEWS
- Intel and AMD shouldn’t panic yet, but this Chinese vendor has repacked a Xeon CPU
- Intel Xeon Scalable Platform Built for Most Sensitive Workloads
- Cisco Warns of Severe DoS Flaws in Network Security Software
- Russia planned cyber-attack on Tokyo Olympics, says the UK
- Intel Adds Memory Encryption, Firmware Security to Ice Lake Chips
- UK report cites flaw of ‘national significance’ in Huawei kit
- Sweden is banning Chinese tech giant Huawei and ZTE from building new 5G wireless networks due to national security concerns
- U.S. Levies Sanctions Against Russian Research Institution Linked to Triton Malware
SECURITY ADVISORIES
- Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE
- Multiple CVEs related to WAVLINK router firmware
- MikroTik RouterOS firmware vulnerability allows for remote DoS
- BlueZ Advisory
SECURITY RESEARCH
- Crouching T2, Hidden Danger – Unfixable Hardware JailBreak Vuln in Apple T2 Chip
- New technique allowing modification of Intel Microcode on the fly (see Tools below)
- Clandestine hunter: two strategies for supply chain attack
- CVE-2020-15808 STMicroelectronics CDC USB class is vulnerable for buffer overflow
- UEFI Firmware Fuzzing with Simics Virtual Platform
- There’s A Hole In Your SoC: Glitching The MediaTek BootROM
- If you’re running HP Device Manager, anyone on your network can get admin on your server via backdoor
- Google, Intel Warn on ‘Zero-Click’ Kernel Bug in Linux-Based IoT Devices
- CVE-2020-16938 WRITEUP- aka how I installed a UEFI bootkit from edge sandbox
- Most Cited Security Papers from 2015–2019
- RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 honeypot data release
- Moving From Manual Reverse Engineering of UEFI Modules To Dynamic Emulation of UEFI Firmware
- Hardware Hacking Experiments by Jeremy Brun Nouvion (2020)
TOOLS
- IPC scripts allowing to extract and modify Intel Microcode (msrom) from your own Atom Goldmont platform
- Mikrot8Over – Fast Exploitation Tool For Mikrotik RouterOS
- Introducing MIDNIGHTTRAIN – A Covert Stage-3 Persistence Framework weaponizing UEFI variables
- The Hacker’s Hardware Toolkit
WEBINAR
Protecting Your Organization From MosaicRegressor and Other UEFI Implants
Join Eclypsium’s Founder and CEO Yuriy Bulygin and Principal Strategist Scott Scheferman in this webinar discussing the recent discovery of MosaicRegressor spyware, the latest in an ongoing trend of UEFI implants observed in the wild. These threats are particularly powerful because their malicious code runs before, and supersedes, the operating system, and because the threat persists within firmware even after a system is reimaged. The implant code itself is universal and easy to build, and the UEFI file system format is largely unmodified by individual OEMs. This creates a relatively low barrier to entry for attackers, making it likely we will see this type of capability show up in other campaigns.
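The point about the UEFI file system format being standardized across OEMs cuts both ways: the same fixed layout that lets an implant be dropped into any vendor's firmware also lets a defender enumerate every file in a firmware dump and compare it against a known-good baseline. The following is an added example, not Eclypsium's product code or anything from the Kaspersky research: it parses EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER structures from the UEFI Platform Initialization specification, verifies their checksums, and reports any FFS file whose GUID is absent from a baseline. The firmware image, the file GUIDs and the baseline are all constructed here for the demonstration; a real check would use an SPI flash dump and a baseline captured from a trusted image of the same firmware version.

```python
"""Walk the firmware volumes in a UEFI image, list the FFS files inside them and
flag any file whose GUID is not in a known-good baseline (added example)."""
import struct
import uuid
from dataclasses import dataclass

FVH_SIGNATURE = b"_FVH"
# EFI_FIRMWARE_VOLUME_HEADER: ZeroVector, FileSystemGuid, FvLength, Signature,
# Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision (56 bytes)
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)
FV_SIGNATURE_OFFSET = 40   # ZeroVector + FileSystemGuid + FvLength
FV_CHECKSUM_OFFSET = 50    # ... + Signature + Attributes + HeaderLength
# EFI_FFS_FILE_HEADER: Name, IntegrityCheck, Type, Attributes, Size[3], State (24 bytes)
FFS_FILE_HEADER_FMT = "<16sHBB3sB"
FFS_FILE_HEADER_SIZE = struct.calcsize(FFS_FILE_HEADER_FMT)
EFI_FFS2_GUID = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")
FFS_FILE_TYPES = {0x01: "RAW", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE", 0x05: "DXE_CORE",
                  0x06: "PEIM", 0x07: "DRIVER", 0x09: "APPLICATION", 0xF0: "PAD"}


@dataclass(frozen=True)
class FfsFile:
    name: uuid.UUID
    ftype: str
    size: int
    offset: int
    header_ok: bool


def find_firmware_volumes(image):
    """Yield (offset, fv_length, header_length, filesystem_guid) for each volume whose
    header checksum verifies; a stray "_FVH" string elsewhere in the image is ignored."""
    pos = image.find(FVH_SIGNATURE)
    while pos != -1:
        start = pos - FV_SIGNATURE_OFFSET
        if start >= 0 and start + FV_HEADER_SIZE <= len(image):
            fields = struct.unpack_from(FV_HEADER_FMT, image, start)
            fs_guid, fv_length, header_len = fields[1], fields[2], fields[5]
            header = image[start:start + header_len]
            # Spec: the 16-bit words of the header (block map included) sum to zero
            if (header_len >= FV_HEADER_SIZE and header_len % 2 == 0
                    and len(header) == header_len and start + fv_length <= len(image)
                    and sum(struct.unpack("<%dH" % (header_len // 2), header)) & 0xFFFF == 0):
                yield start, fv_length, header_len, uuid.UUID(bytes_le=fs_guid)
        pos = image.find(FVH_SIGNATURE, pos + 1)


def list_ffs_files(image, fv_start, fv_length, header_len):
    """Walk the 8-byte-aligned FFS files after the FV header until erased flash (all 0xFF)."""
    files = []
    pos, end = fv_start + header_len, fv_start + fv_length
    while True:
        pos = fv_start + ((pos - fv_start + 7) & ~7)
        if pos + FFS_FILE_HEADER_SIZE > end:
            break
        hdr = image[pos:pos + FFS_FILE_HEADER_SIZE]
        name, _ic, ftype, _attr, size3, _state = struct.unpack(FFS_FILE_HEADER_FMT, hdr)
        if name == b"\xFF" * 16:
            break
        size = int.from_bytes(size3, "little")
        if size < FFS_FILE_HEADER_SIZE or pos + size > end:
            break
        # Header checksum: the 24 header bytes sum to 0 mod 256 with the file
        # checksum byte and the State byte treated as zero
        chk = bytearray(hdr)
        chk[17] = chk[23] = 0
        files.append(FfsFile(uuid.UUID(bytes_le=name), FFS_FILE_TYPES.get(ftype, "0x%02X" % ftype),
                             size, pos, sum(chk) & 0xFF == 0))
        pos += size
    return files


def find_unexpected_files(image, baseline):
    """Return FFS files whose GUID is not in the baseline set or whose header is corrupt."""
    return [f for fv in find_firmware_volumes(image)
            for f in list_ffs_files(image, *fv[:3])
            if f.name not in baseline or not f.header_ok]


# --- constructed sample image (not a real firmware dump) --------------------------
def build_ffs_file(name, ftype, body):
    size = FFS_FILE_HEADER_SIZE + len(body)
    hdr = bytearray(struct.pack(FFS_FILE_HEADER_FMT, name.bytes_le, 0, ftype, 0,
                                size.to_bytes(3, "little"), 0))
    hdr[16] = (-sum(hdr)) & 0xFF   # IntegrityCheck.Checksum.Header
    hdr[17] = 0xAA                 # FFS_FIXED_CHECKSUM: no per-file checksum attribute
    hdr[23] = 0xF8                 # State bits; constructed value, not checked above
    return bytes(hdr) + body


def build_firmware_volume(files, fv_length):
    block_map = struct.pack("<IIII", fv_length // 0x1000, 0x1000, 0, 0)   # one entry + terminator
    header_len = FV_HEADER_SIZE + len(block_map)
    hdr = bytearray(struct.pack(FV_HEADER_FMT, bytes(16), EFI_FFS2_GUID.bytes_le, fv_length,
                                FVH_SIGNATURE, 0x0004FEFF, header_len, 0, 0, 0, 2) + block_map)
    words = struct.unpack("<%dH" % (header_len // 2), hdr)
    struct.pack_into("<H", hdr, FV_CHECKSUM_OFFSET, (-sum(words)) & 0xFFFF)
    body = bytearray(hdr)
    for f in files:
        body += b"\xFF" * ((-len(body)) % 8) + f
    return bytes(body) + b"\xFF" * (fv_length - len(body))


KNOWN_DXE_CORE = uuid.UUID("11111111-2222-4333-8444-555555555555")      # constructed GUIDs
KNOWN_DRIVER = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")
UNEXPECTED_DRIVER = uuid.UUID("deadbeef-0000-4000-8000-000000000001")
BASELINE = {KNOWN_DXE_CORE, KNOWN_DRIVER}


def build_sample_image():
    fv = build_firmware_volume([build_ffs_file(KNOWN_DXE_CORE, 0x05, b"\x90" * 40),
                                build_ffs_file(KNOWN_DRIVER, 0x07, b"\x90" * 64),
                                build_ffs_file(UNEXPECTED_DRIVER, 0x07, b"\x90" * 24)], 0x2000)
    return bytes(0x100) + fv + b"\xFF" * 0x100   # padding around the volume, as in a SPI dump


if __name__ == "__main__":
    for f in find_unexpected_files(build_sample_image(), BASELINE):
        print("unexpected %s at 0x%X: %s (%d bytes)" % (f.ftype, f.offset, f.name, f.size))
```

Run stand-alone, the script reports the one DRIVER file that is not in the baseline. A GUID allowlist only catches additions; a file replaced in place keeps its GUID, so a production check would also hash each file body against the trusted image, which is what full-image integrity monitoring does.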