Eclypsium Threat Report, October 2020: Firmware and MosaicRegressor

A scary Halloween it is! Researchers discovered a long-running campaign that has been leveraging a UEFI implant based on the stolen and leaked 2015 Hacking Team code, bringing renewed focus and concern to this class of powerful, evasive and persistent threats. Fear not: our researchers outline how to address MosaicRegressor and other UEFI implants, and our CEO Yuriy Bulygin and Principal Cyber Strategist Scott Scheferman deliver a webinar covering the discovery, its impact, and how to mitigate the associated risk.

Meanwhile, the NSA advises that attackers continue to leverage exposed and vulnerable firmware on VPN devices from various manufacturers; so much so that we’ve decided to blog about it.

If that’s not spooky enough, look no further than this blog, which outlines how to detect and mitigate recent vulnerabilities in Intel TPM (Trusted Platform Module) and Out-of-Band (OOB) management components.

An eerie advisory from CISA and the FBI alerts to Russian and Iranian actors lurking in government agencies and looking to influence US elections, respectively. Meanwhile, another CISA advisory covers how Chinese MSS actors constantly scan for and exploit recent CVEs in the firmware of vulnerable Internet-facing devices, within just weeks of their disclosure.

Finally, we have a hardware vulnerability in two years’ worth of Apple Macs that is so severe it breaks Apple’s entire root of trust for the device, leaving security controls like FileVault2 and the “Find My” features broken. Worse, it can’t be fixed and will haunt users of these devices for many Halloweens to come.


Protect Your Organization From MosaicRegressor And Other UEFI Implants

Researchers at Kaspersky recently disclosed a new UEFI implant being used in the wild, which they have dubbed MosaicRegressor. This type of implant has been used in targeted attacks as a way to maintain a persistent foothold in target organizations and evade most detection controls while delivering malicious payloads to compromised systems. We have confirmed that Eclypsium detects MosaicRegressor and similar threats even before they are publicly discovered or used in the wild, and without any signatures or associated IOCs. Read blog post >

Enterprise VPNs

Enterprise VPNs Need Securing as Attackers Capitalize on WFH Trend

In today’s New Normal, securing the remote workforce is paramount for nearly every vertical and organization. One of the ways attackers have capitalized on this trend is to attack the firmware of the same VPN devices and home routers that end users rely on for connectivity back to the enterprise. This blog details a list of related advisories from CISA, the FBI, and US Cyber Command, and describes how organizations should anticipate these attacks and mitigate them with tools like Eclypsium. Read blog post >

INTEL-SA-00241 INTEL-SA-00404

Detect and Mitigate Critical Intel Vulnerabilities (INTEL-SA-00241, INTEL-SA-00404)

Enterprise devices include a variety of components that are critical to the security posture of the device. Components used for out-of-band management and Trusted Platform Modules (TPMs) used to protect cryptographic keys on the device are two such examples. Two recent Intel security advisories, INTEL-SA-00241 and INTEL-SA-00404, help us understand the risk of these vulnerabilities as well as how to detect and mitigate them in a real-world environment. Read blog post >

Crouching Tiger, Hidden Danger: An unfixable hardware vulnerability in Apple T2 chip devices

Because this vulnerability breaks Apple’s root of trust for affected devices, the essential security controls meant to protect the data on those devices are also significantly weakened. Everything from Apple’s FileVault2 disk encryption to core operating system components is affected, as are the application-layer controls that normally make Apple devices an appropriate fit for a remote workforce, such as “Find My” features and remote wipe capabilities. It’s also important to point out that this has been a vulnerability since 2018, well before the current shift to working from home and the related travel restrictions. As such, business travelers could have been impacted over the last two years without ever knowing it, and devices mailed to unsuspecting victims can be the absolute shortest path for any adversary to target today’s work-from-home workforce. An end user generating or entering MFA (Multi-Factor Authentication) tokens on an affected device might also be a “game-over.”

Protecting Your Organization From MosaicRegressor and Other UEFI Implants
Join Eclypsium’s Founder and CEO Yuriy Bulygin and Principal Strategist Scott Scheferman in this webinar discussing the recent discovery of MosaicRegressor spyware, the latest in an ongoing trend of UEFI implants observed in the wild. These threats are particularly powerful because their malicious code runs before and supersedes the operating system, while also allowing the threat to persist within firmware even after a system is reimaged. The implant code itself is universal and easy to build, and the UEFI file system format is largely unmodified by individual OEMs. This creates a relatively low barrier to entry for attackers, making it likely we will see this type of capability show up in other campaigns.
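The same uniformity of the UEFI file system that lowers the bar for implant authors is what makes baseline-driven firmware integrity checks practical for defenders. The Python below is an illustration added to this report, not Eclypsium’s product code: it parses a firmware volume header and its FFS2 file headers, verifies the header and data checksums, and diffs the set of files against a baseline taken from a known-good image, flagging files that are unexpected, modified, corrupt or missing. The header layouts and constants follow the UEFI Platform Initialization specification; the volume, the driver GUIDs (DRIVER_A, DRIVER_B, EXTRA_C) and the file contents are constructed for the example, and the parser assumes FFS2 without large-file headers.

```python
"""Walk a UEFI firmware volume (FV) and its FFS2 files, then compare what is
present against a known-good baseline.  Illustrative code added to this report,
not Eclypsium's; every GUID, volume and file below is constructed."""
import hashlib
import struct
import uuid
from dataclasses import dataclass

FV_SIGNATURE = b"_FVH"
# GUID that identifies the FFS2 file system in the volume header (UEFI PI spec).
EFI_FIRMWARE_FILE_SYSTEM2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
FFS_FILE_HEADER_LEN = 24      # sizeof(EFI_FFS_FILE_HEADER)
FFS_ATTRIB_CHECKSUM = 0x40    # file carries an 8-bit checksum over its data
FFS_FIXED_CHECKSUM = 0xAA     # value stored when no data checksum is present
EFI_FV_FILETYPE_DRIVER = 0x07
EFI_FV_FILETYPE_FFS_PAD = 0xF0


def _sum8(data):
    return sum(data) & 0xFF


def _sum16(data):
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


@dataclass
class FfsFile:
    name: uuid.UUID
    type: int
    offset: int
    data: bytes
    header_ok: bool
    data_ok: bool

    @property
    def sha256(self):
        return hashlib.sha256(self.data).hexdigest()


def parse_firmware_volume(fv):
    """Validate the FV header and return the FFS2 files it contains."""
    fs_guid = uuid.UUID(bytes_le=bytes(fv[16:32]))
    fv_len, sig, _attrs, header_len, _chk, ext_off, _res, _rev = struct.unpack_from("<Q4sIHHHBB", fv, 32)
    if sig != FV_SIGNATURE or fs_guid != EFI_FIRMWARE_FILE_SYSTEM2_GUID:
        raise ValueError("not an FFS2 firmware volume")
    if fv_len > len(fv) or _sum16(fv[:header_len]) != 0:  # 16-bit header checksum must sum to zero
        raise ValueError("firmware volume header corrupt")
    start = header_len
    if ext_off:  # skip the optional extended header {EFI_GUID FvName; UINT32 ExtHeaderSize;}
        start = ext_off + struct.unpack_from("<I", fv, ext_off + 16)[0]
    off = (start + 7) & ~7
    files = []
    while off + FFS_FILE_HEADER_LEN <= fv_len:
        hdr = fv[off:off + FFS_FILE_HEADER_LEN]
        if hdr == b"\xff" * FFS_FILE_HEADER_LEN:  # erased free space (erase polarity 1)
            break
        size = int.from_bytes(hdr[20:23], "little")  # 24-bit file size, header included
        if size < FFS_FILE_HEADER_LEN or off + size > fv_len:
            raise ValueError("FFS file at 0x%x runs past the volume" % off)
        data = fv[off + FFS_FILE_HEADER_LEN:off + size]
        # Header checksum: header bytes sum to zero with the file checksum and state byte zeroed.
        tmp = bytearray(hdr); tmp[17] = 0; tmp[23] = 0
        header_ok = _sum8(tmp) == 0
        if hdr[19] & FFS_ATTRIB_CHECKSUM:
            data_ok = (_sum8(data) + hdr[17]) & 0xFF == 0
        else:
            data_ok = hdr[17] == FFS_FIXED_CHECKSUM
        files.append(FfsFile(uuid.UUID(bytes_le=bytes(hdr[:16])), hdr[18], off, data, header_ok, data_ok))
        off = (off + size + 7) & ~7  # files are 8-byte aligned within the volume
    return files


def build_ffs_file(name, ftype, data):
    """Assemble one checksummed FFS2 file, padded out to 8-byte alignment."""
    size = FFS_FILE_HEADER_LEN + len(data)
    hdr = bytearray(name.bytes_le + b"\x00\x00" + bytes([ftype, FFS_ATTRIB_CHECKSUM])
                    + size.to_bytes(3, "little") + b"\x00")
    hdr[16] = (-_sum8(hdr)) & 0xFF   # header checksum (computed with bytes 17 and 23 still zero)
    hdr[17] = (-_sum8(data)) & 0xFF  # data checksum
    hdr[23] = 0xF8                   # state bits, inverted under erase polarity 1
    blob = bytes(hdr) + data
    return blob + b"\xff" * (-len(blob) % 8)


def build_firmware_volume(files, total_len=0x1000):
    """Wrap already-built FFS files in a minimal single-block FFS2 volume."""
    header_len = 72  # fixed header + one block-map entry + zero terminator
    hdr = bytearray(header_len)
    hdr[16:32] = EFI_FIRMWARE_FILE_SYSTEM2_GUID.bytes_le
    # length, signature, attributes (erase polarity 1), header length, checksum placeholder, ext offset, reserved, revision
    struct.pack_into("<Q4sIHHHBB", hdr, 32, total_len, FV_SIGNATURE, 0x0004FEFF, header_len, 0, 0, 0, 2)
    struct.pack_into("<II", hdr, 56, 1, total_len)  # block map: one block covering the volume
    struct.pack_into("<H", hdr, 50, (-_sum16(hdr)) & 0xFFFF)
    body = bytes(hdr) + b"".join(files)
    assert len(body) <= total_len, "constructed volume too large"
    return body + b"\xff" * (total_len - len(body))


def diff_against_baseline(files, baseline):
    """baseline maps file GUID -> sha256 of its data, taken from a known-good image."""
    findings = {"unexpected": [], "modified": [], "corrupt": [], "missing": []}
    seen = set()
    for f in files:
        if f.type == EFI_FV_FILETYPE_FFS_PAD:
            continue
        seen.add(f.name)
        if not (f.header_ok and f.data_ok):
            findings["corrupt"].append(f.name)
        if f.name not in baseline:
            findings["unexpected"].append(f.name)
        elif baseline[f.name] != f.sha256:
            findings["modified"].append(f.name)
    findings["missing"] = [g for g in baseline if g not in seen]
    return findings


# Constructed sample: two "known" drivers make up the golden image; EXTRA_C is unknown.
DRIVER_A = uuid.UUID("a0a0a0a0-0000-4000-8000-00000000000a")
DRIVER_B = uuid.UUID("b0b0b0b0-0000-4000-8000-00000000000b")
EXTRA_C = uuid.UUID("c0c0c0c0-0000-4000-8000-00000000000c")

CLEAN_VOLUME = build_firmware_volume([
    build_ffs_file(DRIVER_A, EFI_FV_FILETYPE_DRIVER, b"driver A body"),
    build_ffs_file(DRIVER_B, EFI_FV_FILETYPE_DRIVER, b"driver B body, slightly longer"),
])
BASELINE = {f.name: f.sha256 for f in parse_firmware_volume(CLEAN_VOLUME)}


def build_suspect_volume():
    """Clean image with driver A byte-patched in place and an unknown driver appended."""
    clean = parse_firmware_volume(CLEAN_VOLUME)
    end = (max(f.offset + FFS_FILE_HEADER_LEN + len(f.data) for f in clean) + 7) & ~7
    vol = bytearray(CLEAN_VOLUME)
    vol[clean[0].offset + FFS_FILE_HEADER_LEN] ^= 0x01  # flips one data byte, so A's checksum fails
    extra = build_ffs_file(EXTRA_C, EFI_FV_FILETYPE_DRIVER, b"unexpected driver")
    vol[end:end + len(extra)] = extra
    return bytes(vol)


SUSPECT_VOLUME = build_suspect_volume()

if __name__ == "__main__":
    for label, vol in (("clean", CLEAN_VOLUME), ("suspect", SUSPECT_VOLUME)):
        print(label, diff_against_baseline(parse_firmware_volume(vol), BASELINE))
```

Run as a script it reports no findings for the clean volume and, for the suspect one, DRIVER_A as both modified and corrupt and EXTRA_C as unexpected. The two cases are deliberately different: a crude byte patch breaks the file's own checksum, whereas a properly built added file passes every checksum and is caught only because the baseline does not list it, which is why the comparison against a known-good image matters more than the self-checks.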