January Threat Report

Yesterday Eclypsium published new research exposing vulnerabilities to Direct Memory Access (DMA) attacks in laptops from HP and Dell. Eclypsium researchers, Mickey Shkatov and Jesse Michael demonstrated that high speed DMA attacks can bypass hardware protections on enterprise devices. This powerful class of attacks is an industry-wide issue that threatens servers as well as laptops.

READ THE REPORT >

Join us for a live webinar on February 5th. REGISTER NOW >

What is your line of sight to potential firmware vulnerabilities? Did you know that 2019 had the most firmware vulnerabilities ever discovered? There was a 43% rise over the previous record in 2018. This whitepaper outlines 5 questions to evaluate and improve your firmware security posture.

LEARN HOW >

Sponsorships Available

Sponsorships Available

Sponsorships Available

INDUSTRY NEWS

• Hackers target unpatched Citrix servers to deploy ransomware: REvil ransomware gang has been spotted abusing Citrix bug to infect victims. Companies still running unpatched Citrix servers are in danger of having their networks infected with ransomware. Companies, however, can apply a permanent fix to their servers by updating to the most recent version of the Citrix firmware.

• Report: Lenovo Blames USB-C Issues on Thunderbolt Firmware. Lenovo said that “USB-C issues affecting some of its ThinkPad notebooks were caused by problems with Thunderbolt firmware.”

• Tomato router firmware under attack by Muhstik botnet. If you’re operating a network with a router running Tomato firmware, check your router settings as the notorious botnet, Muhstik is now targeting Tomato.

• Netgear Signed TLS Cert Private Key Disclosure There are at least two valid, signed TLS certificates that are bundled with publicly available Netgear device firmware. The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear’s support website, without authentication; thus anyone in the world could have retrieved these keys.

• 5 Key Security Lessons From The Cloud Hopper Mega Hack The Chinese hacking group known as APT10 is suspected of being behind the “Cloud Hopper” attack. If the hackers found weaknesses in cloud companies’ defenses, they exploited them to hop across different customers’ networks, stealing intellectual property, security clearances and other data as they went.

INDUSTRY PERSPECTIVE

• How to implement a ‘threat model’ to beef up your organization’s security. What are the main stages of building a threat model and why is it so important to have one in place? A threat model is the most effective way to take stock of your company’s security and make sure it’s continuously up-to-date.

• Hardware is a cybersecurity risk. Here’s what we need to know. The impact of a successful hardware attack makes designing a comprehensive risk mitigation strategy crucial. Prevention requires shoring up all stages of the manufacturing supply chain and developing thorough means of testing.

• Intel pushes for hardware-specific additions to vulnerability taxonomy. Intel tells hardware researchers to “talk the same talk.” Intel says that hardware threats are underrated because the researchers don’t have a common language to share information about potential vulnerabilities.

• Cybersecurity pros offer their 2020 predictions for healthcare. Healthcare is feeling the pain of a worrisome new trend of attacking automatic software and firmware update systems. This trend is liken to the ShadowHammer attack that hit in 2019.

SECURITY RESEARCH

• CacheOut – Leaking Data on Intel CPUs via Cache Evictions. Recent speculative execution attacks demonstrate how attackers can leak information while it moves through microarchitectural buffers. In this work, several researchers review CacheOut, a new microarchitectural attack capable of bypassing Intel’s buffer overwrite countermeasures implemented to prevent previous Spectre type of attack.

• JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms. Researchers demonstrate how JackHammer, a Rowhammer type attack from the FPGA to the host’s main memory, is 25% faster than a CPU Rowhammer attack in a realistic fault attack on the WolfSSL RSA signing implementation.

• ABSynthe: Automatic Blackbox Side-channel Synthesis on Commodity Microarchitectures. ABSynthe measures and optimizes the information leakage for the many shared components in microarchitectures today – they’ve also included a cool leakage map.

• A researcher from Synacktiv reverse engineered firmware on a Lenovo ThinkPad P51s and quickly found a vulnerability – a callout of SMRAM in one of the SWSMI handlers.

• A three part series on reverse engineering a Philips TriMedia based IP camera.The first part of the series introduces a research project, showing the different steps taken to analyze the firmware and the hardware of the camera. In the second part, the researcher presents the Philips TriMedia architecture, its instruction set, and assembly. The third part of the series focuses on an example of how a Philips TriMedia instruction can be disassembled.

• Gentech research announced the results of its new study – almost 4 in 10 security cameras can be at risk of cyber-attack due to outdated firmware. This highlights the breadth of firmware vulnerabilities.

• Exploiting Wi-Fi Stack on Tesla Model S. Keen Security Lab used two vulnerabilities they found in the Parrot Linux system to compromise it by sending malicious packets from a normal Wi_Fi dongle.

SECURITY ADVISORIES

Critical

• Cable Haunt is a critical vulnerability found in cable modems across the globe from different manufacturers. The vulnerability allows for remote arbitrary code execution. The vulnerability originated in reference software, which is copied by different cable modem manufacturers when creating their cable modem firmware.

• HPE Superdome Flex Server Firmware Bundle is a critical patch for the multiple remote vulnerabilities.

• Citrix rolled out patches for a critical vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products sooner than expected. CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available.

Moderate

• Positive Technologies discovered a bug in CSME on-die ROM. Specifically, security fuses can be extracted and Mehlow and Cannon Point chipsets are affected. Intel reports that this bug is targeted under CVE-2019-0090.

ADDITIONAL READING & LISTENING

• View Uncover, Understand, Own – Regaining Control Over Your AMD CPU. Listen to how researchers reverse engineered an unknown subsystem.They looked at what the AMD Secure Processor actually is – a dedicated security subsystem that runs code you don’t know and don’t control.

• Listen to the On the Metal podcast starring Eclypsium’s Rick Altherr. Rick discusses firmware as the latest attack vector, impossible bugs and the impact these attacks have on organizations.

• Firmware security researcher, Daniel Maslowski, provides an introduction to developing custom and open source firmware.

• Boot2root: Auditing Boot Loaders by Example: This talk on auditing boot loaders focuses on attack surfaces and the need for more security designers reviewing bootloaders and the related software, firmware and hardware.

TOOLS

GitHub: Validation environment  for hardware security requirements. This repository contains tools and documentation for validating hardware configuration of an x86 platform, and its security. The tools called out are CHIPSEC and key.efi binary. These tools can be used to build two bootable USB keys.

WEBINARS

• Answering your questions—join Eclypsium’s principal researchers, Mickey Shkatov and Jesse Michael for a Q&A about Direct Memory Access (DMA) Attacks
  • When: Wednesday, February 5, 2020 at 10  a.m. PDT.
  • What: Direct Memory Access (DMA) attacks are an industry-wide issue allowing direct access to information and kernel privileges, which can be devastating. Our research shows that enterprise-class laptops, servers, and cloud environments continue to be vulnerable to DMA attacks, even in the presence of protections.
  • REGISTER NOW >

• Join Eclypsium for the Anatomy of a Firmware Attack webinar
  • When: Tuesday, March 3, 2020 at 11 a.m. PDT.
  • What: By attending this webinar you will walk away with a better understanding of the rise of firmware and hardware attacks, attacker motivations, key firmware components, and their role in an attack, attack vectors and malicious techniques. We will conclude with a case study of an in-the-wild attack.
  • REGISTER NOW >

UPCOMING ECLYPSIUM TRAINING

Eclypsium is known for its excellent training in firmware security and threat prevention. These two-day sessions teach security at the hardware and firmware levels, understanding attacks against system firmware, how to mitigate them, how to identify vulnerabilities and how to perform basic forensics on different firmware components.

Sign up for our upcoming training at CanSecWest 2020:

• Mar 14-15 Practical Firmware Implants
• Mar 16-17 Finding Firmware Implants