On November 18th, earthlings experienced the longest duration Lunar eclipse in a stretch of over 1000 years. The moon was covered by Earth’s umbral shadow for over six hours. The next time a lunar eclipse will endure this long will be the year 2669. Here at Eclypsium, the eclipse serves as a reminder that we need to constantly examine those things that lurk in the shadows, even when the shadow is our own.
Last month we focused on an alarming yet predictable rise in UEFI level bootkits – with new threats like ESPecter and FinSpy emerging. ESPector is noteworthy as it can bypass signature checking and hides in the system partition. Meanwhile, FinSpy is a revamped VectorEDK bootkit from HackingTeam that has recently resurfaced in the wild as an improved version.While these developments may not be surprising given both are based on much earlier code going back seven years or more, they still both have very low detection rates. As this astute blogger alludes to, and as we here at Eclypsium often exclaim: Don’t be surprised when we find more campaigns, and a diversity of threat actors ranging from APT to criminal, that are using such TTPs to great effect. Let’s take a look at two threat actors types that might well be doing so, by simply focusing on the ‘why’. Asking the ‘why’ question is at the core of anticipating future threat scenarios.
First, let’s look at Trickbot: Already known to target the UEFI via their TrickBoot module, Trickbot has returned with a vengeance this month in terms of their ability to distribute broadly and quickly via a restored partnership with the revamped Emotet apparatus. Thus returns the Emotet-Trickbot-Ryuk(Conti) distribution and execution triad, and with it, their ability to broadly distribute Trickbot to nearly any industry or vertical in the world. What better way to maintain their previously hard-fought persistence (via prior Fortinet or other VPN device vulns) than by leveraging these readily available and well-documented bootkit methods? Especially when on any given Sunday, there is always a way to escalate privileges on Windows. From there, anyone can have a bootkit.
Next, we can look at recent Iran-based threat activity targeting IT infrastructure which has increased from nearly zero last year to over 1500 attacks this year. These actors may have been taking note of recent supply chain and third party trust/privilege abuse tactics employed in the Solarwinds (and subsequent) campaigns. In general, they thrive on three elements in particular:
- Leveraging third party admin-level accounts to perform their operations
- Persistence via stealthy TTPs
- Capacity and continued desire for disruptive or destructive capabilities
When viewed in this light, it might be reasonable to anticipate the same actors turning to UEFI bootkits (easily deployed with the above-referenced admin level credentials) or worse, UEFI level destruction that could destroy the device indefinitely, making back-up procedures much less effective in many cyber-physical scenarios. As Microsoft is keen to point out: “…the adoption of ransomware aided the Iranian hackers’ efforts in espionage, disruption and destruction, and to support physical operations.”
Alas, whether we’re talking about Trickbot’s Trickboot or the Iran-based DEV-0228 activities of late, it’s good to know you can fight back against these and other types of low-level bootkits.
Ultimately it comes down to taking it to the adversary and outpacing them in those areas where they currently hold an advantage. Things like patching firmware, and network devices. But also those areas we often forget to address as ever-so-busy cyber warriors. David Spark recently interviewed Linked-In’s CISO Geoff Belknap (@geoffbelknap) and Eclypsium’s Strategist, Scott Scheferman (@transhackerism), to discuss the four A’s of cyber leadership. Taken together, these have the power to turn the tables against the modern adversary.
We’ll let you listen and enjoy, but for now, one of those A’s is “Anticipation”.
