Time to Patch
What can we learn from a threat actor when it comes to protecting our missions and organizations from ransomware threats? A threat-informed defensive strategy is all the rage lately. MITRE ATT&CK has been fully adopted by many organizations. Threat intelligence solutions are in their heyday. Red team exercises are focusing heavily on “APT replay”-style engagements. The whole concept has even been automated via Breach and Attack Simulation (BAS) platforms. The list goes on.
And yet, as an industry and as defenders, here we are, still reading the same headlines and advisories. Why is this?
How can it be that CISA puts out a concise list of things every organization can (indeed, must!) do in order to thwart ransomware attacks, and yet very few organizations have taken action on them? Let alone ensure they are maintained continuously?
How can it be that even when the threat actors themselves agree to an interview, provide actual recommendations and expose what they rely on to get the job done, we still don’t implement the countermeasures needed to protect ourselves? At the very least, both CISA and the LockBit actors recommend updating all software regularly. LockBit further advises that externally facing services like RDP and exploitable VPNs be patched. This sounds a lot like this section of CISA’s latest recommendations for preventing data breaches related to ransomware:
Mitigate internet-facing vulnerabilities and misconfigurations:
- Employ best practices for use of Remote Desktop Protocol (RDP) and other remote desktop services.
- Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices.
- Update software, including operating systems, applications, and firmware, in a timely manner. Prioritize timely patching of critical vulnerabilities and vulnerabilities on internet-facing servers.
- Ensure that devices are properly configured and security features are enabled.
- Disable or block inbound and outbound Server Message Block (SMB).
Notice how CISA’s recommendation to update firmware complements one of LockBit’s insights about their attack philosophy:
“A lot of noise around the attack is bad. A silent attack no one knew about is good for the company’s (victim’s) reputation, and our income.”
After all, there is no more silent, persistent, stealthy, and evasive position for an attacker to hide in than a device’s firmware – below the operating system and all of the security controls within it. Indeed, throughout this year’s scourge of Microsoft Exchange-related attacks affecting tens of thousands of devices worldwide, CISA has consistently included firmware updates in its recommendations and in its 48-hour emergency response directives:
Software Updates – All software installed on the server (including the operating system and server firmware) must have security and cumulative updates deployed within 48 hours of update availability.
Why 48 hours? It’s because these days the time from when a vulnerability is disclosed to when an exploit is developed for it can come down to just days, sometimes even less.
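CISA’s list above asks for timely patching of internet-facing systems, and the Exchange directive turns “timely” into a hard 48-hour clock. The following script is an added illustration of how a defender can enforce that clock against an inventory; it is not Eclypsium code or a CISA tool. The asset records, product names, version numbers and dates are constructed for the example, and `PATCH_WINDOW` is set to the directive’s 48 hours. The version comparison pads dotted versions to equal length so "2.1" and "2.1.0" compare equal, and it tolerates a non-numeric suffix rather than crashing on it.

```python
"""Evaluate firmware/software patch status against a 48-hour deployment window.

Added example (not from the page, CISA or Eclypsium). All inventory and
advisory records below are constructed; replace them with data from your
scanner, CMDB or vendor advisory feed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# The directive quoted above: updates deployed within 48 hours of availability.
PATCH_WINDOW = timedelta(hours=48)


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str          # hypothetical product key shared with the advisory
    installed: str        # firmware/software version currently running
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str    # first version that contains the fix
    available_at: datetime  # when the vendor published the update


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version into a tuple of ints; non-digit segments count as 0."""
    parts = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so "2.1" == "2.1.0"
    b += (0,) * (width - len(b))
    return a >= b


def evaluate(assets: List[Asset], advisories: List[Advisory], now: datetime) -> List[Dict]:
    """Return one finding per asset that has an advisory, most urgent first."""
    by_product = {adv.product: adv for adv in advisories}  # one advisory per product
    findings = []
    for asset in assets:
        adv = by_product.get(asset.product)
        if adv is None:
            continue  # nothing published for this product; nothing to enforce
        if is_patched(asset.installed, adv.fixed_version):
            status, hours_overdue = "patched", 0.0
        else:
            deadline = adv.available_at + PATCH_WINDOW
            if now <= deadline:
                status, hours_overdue = "within_window", 0.0
            else:
                status = "overdue"
                hours_overdue = (now - deadline).total_seconds() / 3600
        findings.append({
            "hostname": asset.hostname,
            "product": asset.product,
            "installed": asset.installed,
            "fixed_version": adv.fixed_version,
            "internet_facing": asset.internet_facing,
            "status": status,
            "hours_overdue": hours_overdue,
        })
    # Overdue first, internet-facing before internal, then longest overdue first.
    findings.sort(key=lambda f: (f["status"] != "overdue",
                                 not f["internet_facing"],
                                 -f["hours_overdue"]))
    return findings


# Constructed sample data: a frozen "now" keeps the example reproducible.
NOW = datetime(2021, 8, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_ADVISORIES = [
    Advisory("edge-vpn", "9.1.12", datetime(2021, 8, 16, 9, 0, tzinfo=timezone.utc)),
    Advisory("ip-camera", "2.4.0", datetime(2021, 8, 19, 18, 0, tzinfo=timezone.utc)),
]
SAMPLE_ASSETS = [
    Asset("vpn-gw-01", "edge-vpn", "9.1.11", True),   # fix out 4 days ago: overdue
    Asset("vpn-gw-02", "edge-vpn", "9.1.12", True),   # already patched
    Asset("cam-lobby", "ip-camera", "2.3.7", False),  # fix out 18h ago: still inside window
    Asset("print-01", "printer", "1.0", False),       # no advisory on file
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_ASSETS, SAMPLE_ADVISORIES, NOW):
        exposure = "EXTERNAL" if f["internet_facing"] else "internal"
        print(f"{f['status']:14} {exposure:8} {f['hostname']:10} "
              f"{f['installed']} -> {f['fixed_version']} ({f['hours_overdue']:.0f}h overdue)")
```

Run on its own, the script lists the externally exposed VPN gateway as 51 hours past the window and the camera as still inside it; the printer is skipped because no advisory applies. Wiring real advisory dates into `Advisory.available_at` is what turns the list into a measurable SLA rather than a good intention.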
An example from this month would be how quickly the Realtek SDK vulnerabilities resulted in active attacks in the wild, just days after their disclosure. Speaking of SDKs, up to 83,000,000 devices with cameras in them have firmware running remotely exploitable code courtesy of ThroughTek’s Kalay SDK. Baby cameras serving as attack nodes on home networks: the same remote networks that our foe LockBit says have greatly benefited their ability to compromise enterprise networks since the COVID workforce transition.
It’s important to realize that just because there isn’t a known exploit (yet) for a given vulnerability doesn’t mean one doesn’t exist (and isn’t being used). It also doesn’t mean that on any given day an attacker can’t compare the vulnerable firmware to the now-patched firmware and quickly devise a working exploit from the difference. Such was the case for this red teamer who cracked into a Sophos UTM appliance via RCE as root.
The take-away here? Patch, patch, patch your firmware, whether or not there are ‘known’ exploits. And yet, countless organizations will fail to do just that. Why give up this obvious advantage to attackers, who today have ready access to firmware vectors and purpose-built malware designed to exploit them?
Speaking of purpose-built malware, CISA just released five more MARs (Malware Analysis Reports) tied to the latest Pulse Secure VPN threat campaigns hitting in the wild. Each brings specific functionality, including a C2 backdoor, a local credentials logger, a credentials dumper, the ability to intercept MFA tokens, and two web shells. Combined with the RCE vulns that gave initial access, and the prior list of 13 other Pulse Secure-related malware samples, the only question left to answer is what can’t these nation-state and criminal actors do once they’ve compromised the device firmware? Again the take-away: patch. But note that if you are too late in patching, a compromised Pulse device allows the attacker to persist even through the new patch cycle.
We hear many practitioners say that patching firmware is too hard. It’s too error-prone, it’s too complex, it’s not automated enough. All true. But in order for any of us to follow our own advice and “Patch, patch, patch our firmware,” we need to automate some of that process. Eclypsium focuses significant R&D on that effort in order to make firmware vulnerability and patch management actually manageable. For tips on what you can do today — with or without Eclypsium — go here. For those organizations pursuing Zero Trust as their north star strategy, here are three simple things that can be done to minimize enterprise and mission risk via the concept of verification.
At the end of the day, there is only one way to mitigate firmware and device-level risks, and that is action! Speaking of which, here’s what our Principal Strategist, Scott Scheferman, has to say about this month’s threat report when it comes to taking action. Let’s roll!