Eclypsium Threat Report January 2022 Firmware Railroad Crashing

2022 managed to kick off with a bang. Under pressure from the United States, the Russian FSB detained 14 people tied to the REvil ransomware operation, seizing $600,000 of computer equipment and 20 luxury cars. This was a remarkable collaborative effort to shore up cyber relations between the two countries as tensions mount along the Ukraine / Russia border.

This otherwise positive development, however, has since been overshadowed by alerts from CISA asking operators of US critical infrastructure to prepare for destructive wiper attacks. The alerts followed (likely) Russian attackers using Ghostwriter wiper malware and content-management supply chain attacks against the Ukrainian government and critical infrastructure, and hacktivists in Belarus disabling the country’s rail system as leverage to pressure the government into both releasing prisoners and halting Russian troop movements en route to the Ukraine border, part of a larger campaign called “Scorching Heat” carried out by the BCP (Belarus Cyber Partisans). Interestingly, the wiper malware used is a repurposed version of WhiteBlackCrypt, which was used in 2019 alongside bomb threats to pressure a Russian oligarch into repaying funds he stole from a Russian crypto exchange. The common theme? Actors using destructive wiper malware (and the threat of physical harm) to achieve their goals, with wiper malware deployed as much for a ‘cause’ as for ‘profit’.

It seems as though there is now much more focus, by both attackers and defenders, on attacks that have destruction as their primary motive. Last month, we learned of the iLOBleed implant that was allegedly used to wipe servers. In the context of destructive attacks, firmware-level attacks can pose the greatest risk to an organization, because the impact of a firmware attack can be indefinite downtime. Even if the primary OS has been backed up properly, and even if there are spare hard drives on the shelf, there is little recourse when a device is bricked at the motherboard level. We’ve written about this extensively, including in the context of ransomware actors who have begun looking for vulnerabilities in a device’s UEFI that would let them brick the device as a form of leverage. UEFI, however, isn’t the only firmware component that can be targeted for such attacks. This month CISA added eight more known-exploited vulnerabilities to its ever-growing catalog, one of which is an Intel Active Management Technology (AMT) remote privilege escalation vulnerability that an attacker could use to disable a device.

One of the requirements for exploiting vulnerabilities at the firmware level is often admin/root access at the primary OS level. While this is readily achievable on any given Sunday by skilled red teamers and attackers alike, it doesn’t help that a Linux bug present for the last 10 years reliably allows any attacker to gain root-level access on a device. Adding insult to injury, this bug was discovered, written about, and even submitted as early as 2013, calling into question the merits and assumptions of the security that OSS is supposed to gain through peer review. Microsoft is no exception here, of course: it also had two critical privilege escalation vulnerabilities in this month’s Patch Tuesday, one of which targets Kerberos, again.

When it comes to destructive firmware attack scenarios, it is important to realize that the very same firmware vulnerabilities we read about in TTPs used for espionage and persistence can also be used to brick a device at the motherboard level. That applies to the recent spate of UEFI threats like FinSpy, ESPecter, SlingShot (a post-exploitation framework tool), iLOBleed, and MoonBounce, as well as to established (and freely available) threats like Vector-EDK, LoJax, and TrickBoot.

It isn’t just traditional enterprise/IT devices that are exposed to device-bricking attacks, however. In similar fashion, many of the same vulnerabilities being exploited in VPN devices to gain access could also be leveraged to disrupt or destroy those devices, with significant impact on partners and remote workers. Whether it’s a new exploit for the same vulnerability that CISA says is being actively exploited in the wild, a quarter of a million devices with exploitable UPnP vulnerabilities, or a list of some 20-odd network devices that can all be readily exploited via open-source tools like this one popping up every day, network devices are not immune to destructive attacks.

The reality is that most organizations haven’t yet sized up their device-level attack surface to gauge the potential impact on operations, safety, or revenue. As a result, these risks don’t get adequately recorded on the risk register for consideration and budgeting…until they do. And that, sadly, usually happens after an organization has endured a destructive attack.

OEMs, too, are becoming more and more proactive about patching firmware in order to reduce the risk of such attacks. Whether it’s Supermicro or Pulse Secure patching TrickBoot vulnerabilities, or a vendor pushing out over 150,000 firmware updates in a day, vendors are doing their best to slow the tide. Vendors like MikroTik and others continue to fight an uphill battle now that the source code for the infamous BotenaGo botnet has been made public.