Shaken, and stirred. That’s how a lot of us feel after so much news this month centered around a common theme, that once distilled, looks like this: Spies continue to target devices at their lowest layers in order to best position themselves for the longest persistence and best access to data. There are a lot more cyber spy outfits than many realize. It might be Q Cyber (aka NSO Group) embedding into WhatsApp, or even into the Apple device’s firmware you are holding in your hand right now (did you update this week?) Or it might be Hacking Team (aka Memento Labs, and still actively targeting reporters’ phones in the US, Morocco, and Ethiopia). Perhaps it is Vupen (now “Zerodium”) selling low-level zero-day exploits to governments, or it might be Mollitiam Industries in Spain, helping soldiers in Colombia intercept calls. Whether it’s an exploited vulnerability or whether it’s via a supply chain attack, or whether it’s trojan software, embedding at the device level is the name of the game, and even more so these last five years:
- November 2016 – Firmware authors for major Chinese phone manufacturers embed backdoor
- December 2016 – Malware found in the firmware of 26 different Android smartphones
- July 2017 – Triada banking trojan firmware found on Android smartphones
- March 2018 – Even more Triada malware found in 42 different models
- May 2018 – Cosiloon trojan found in the firmware of 141 Android cellphones
- January 2019 – Pre-installed malware discovered on Alcatel smartphone.
- June 2019 – Unremovable malware found on 20K Android phones in Germany
- January 2020 – Preinstalled malware on Assurance Wireless (Virgin Mobile) phones in U.S.
- September 2021 – Pushbutton phones in Russia backdoored with spy software
- September 2021 – GriftHorse campaign infects tens of millions globally on Android phones
And this brings us to FinSpy, the discovery of a capability that took researchers 8 months to unpack, resulting in a 300-page report documenting a complex, (truly) sophisticated, and powerful new spy campaign. A spy company called Gamma in Munich, Germany, which had already been raided by prosecutors after selling low-level spyware to the Turkish government had a new trick: embedding itself on Windows, Linux, and Mac devices at the MBR, and in some cases, at the UEFI/boot level. In operation for years, this capability has allowed customers of Gamma (aka FinPhisher) to spy indefinitely on their targets by persisting at such a low level, hardly anything could detect it. These new bookits that target UEFI boot loaders and the legacy MBR boot mechanism serve to remind us just how powerful and desirable these low-level tactics are.
Indeed this is one reason why Microsoft is putting so much emphasis on new technologies in Windows 11. Everything from Secured-Core, to TPM and all else in between, including new Defender capabilities. Yet, as this new Eclpysium research and quick video demonstration clearly show, all it takes is one click to go from a spearphishing email to a bootkit level implant. This, even on a new Secured-Core PC with every OS-level security control possibly related to firmware enabled; and that’s if you are lucky enough to even have a TPM in your device. As this study shows, less than half of 30 million Windows devices found in 60,000 organizations are even capable of enabling this feature. In fact, pretty much every Windows OS for the last decade or so is vulnerable to precisely this style of attack.
So what can you do to thwart a “FinSpy Who Hacked Me” style attack? Enable Secure Boot to ensure only signed bootloaders can run. Even better? Make sure your devices that have this feature enabled, aren’t vulnerable to myriad vulnerabilities in the boot process, such as BootHole. Patch the devices that are vulnerable. Even better than that? Be able to detect an attack like this when it happens by continuously monitoring the integrity of all UEFI components with Eclypsium.
Way too much trust is being placed in our devices and the integrity of the firmware that allows the operating system, and every single application and security control running on it, to function.
We know it. James Bond knows it. And you know it too.
FinSpy: unseen findings
“Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit.”
- A security expert’s guide to the top-exploited vulnerabilities – CISA
- Researchers compile list of vulnerabilities abused by ransomware gangs
- Yandex hit by largest DDoS attack involving 200,000 hacked devices
- MĒRIS BOTNET
- US CISA, FBI, and NSA warn an escalation of Conti ransomware attacks
- Hackers leak passwords for 87,000 Exploited Fortinet VPNs
- Malware Finds a New Place to Hide: Graphics Cards
- Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs
- Accellion-related breach disclosures continue to unfold
- Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role
- How Your Printer Is Like Swiss Cheese
- Do you have a Kindle? Be cautious of books that may attempt to steal your Amazon login by exploiting a vulnerability in unpatched firmware
- Malware found preinstalled In push-button phone firmware sold In Russia
- Apple Addresses Critical Security Loopholes Across All Devices Via Latest Firmware Updates
- APT focus: ‘Noisy’ Russian hacking crews are among the world’s most sophisticated
AMD disclosed details of previously fixed vulnerability
“As part of checking the vulnerability, he was able to download several gigabytes of confidential data from an AMD-based machine – while he did not have administrator rights.”
- AMD disclosed details of the previously fixed vulnerability
- Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role
- Federal cyber agencies call zero trust ‘new normal’ of security
- Intel Working On Future Firmware Updates Without Restarting
- Security boost in Windows 11 limits PC reuse
Critical Cisco Bugs Allow Code Execution on Wireless, SD-WAN
“Unauthenticated cyberattackers can also wreak havoc on networking device configurations.”
- Best-selling router ships with vulnerable firmware
- New BrakTooth Bluetooth vulnerabilities affect billions of devices around the world
- Third Critical Bug Affects Netgear Smart Switches — Details and PoC Released
- New CPU side-channel attack takes aim at Chrome’s Site Isolation feature
- AMD Chipset Vulnerability Leaks Passwords, Patch Available
- Netgear fixes dangerous code execution bug in multiple routers
- Security Notice: Critical Arbitrary File Delete Vulnerability in SonicWall SMA 100
- Critical firmware root vulnerability discovered in Annke network video recorder
- Zero-click RCE vulnerability in Hikvision security cameras could lead to network compromise
- A New Bug in Microsoft Windows Could Let Hackers Easily Install a Rootkit
- VPN users unmasked by zero-day vulnerability in Virgin Media routers
- Thanks to Disney, 11 Netgear Routers Need to Be Patched Immediately
- Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP Remote Code Execution Vulnerability
- SonicWall Issues Patches for a New Critical Flaw in SMA 100 Series Devices
Researchers Found a Vulnerability in All Windows PCs Since 2012
“Researchers at Eclypsium have found a flaw in Microsoft’s WPBT firmware, allowing attackers to install rootkits in the device’s OS.”
- BRAKTOOTH: Causing Havoc on Bluetooth Link Manager
- Researchers Bake Malware Protection Directly Into SSDs
- Firmware and research tools for Nordic Semiconductor nRF24LU1+ based USB dongles and breakout boards
NSA, CISA Release Guidance on Selecting and Hardening Remote Access VPNs
“Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. ”
- Sharing Information to Get Ahead of Supply Chain Risks | CISA
- Has a Cyberstalker Taken Over Your Life? Here’s How to Get It Back
- BrakTooth ESP32 BR/EDR Active Sniffer/Injector
- BrakTooth PoC Tool Request Form
- Geutebruck instantrec Remote Command Execution
- UEFI / BIOS at Security Camp 2021 (Japanese)
A few years ago, a casual Google search on the term “zero trust” would have returned hundreds of thousands of hits. Search for the same term today, and you’ll get about 4 billion hits — that’s “billion” with a “B.” It’s possible that no other cybersecurity approach has matured so fast and received such widespread adoption in such a short time.
But can a Zero Trust security strategy be effective without accounting for the needs of firmware security? What does it even mean to apply Zero Trust principles to something as difficult to assess and secure as firmware? And who owns this initiative, the vulnerability management team? The CIO’s team?
In this webinar, John Loucaides, Eclypsium VP of R&D, and Michael Thelander, Director of Product Marketing, will discuss the four pillars of Zero Trust security:
- Default deny
- Contextual authentication
- Granular control
- Dynamic response
They will tie each of these pillars to the unique security requirements of firmware across the modern enterprise.
John and Michael will discuss how firmware is under fire by commercially motivated and nation-state attackers today and reveal the gap between modern infosec tools and firmware-based exploits. Then they’ll outline an approach to identify, verify, and fortify the firmware underneath every organization’s current technology stack–sustainably and cost-effectively.
*** This is a Security Bloggers Network syndicated blog from Eclypsium authored by Eclypsium. Read the original post at: https://eclypsium.com/2021/09/30/september-firmware-threat-report-2021/