SBN December Firmware Threat Report

What a December! Let’s see if we can write a threat report without mentioning log4j. Possible? Let’s find out! While everyone else is writing about it and you are completely overwhelmed, over-vendored, and over exhausted by it, there is still a lot of other activity going on that shouldn’t be ignored, missed or forgotten.

On the heels of our Meris botnet blog, CISA just released new guidance recommending organizations patch their MikroTik routers for the same CVE that continue to plague these cheap but powerful devices. Remember, a patched device doesn’t mean the device isn’t being used maliciously by Meris, or Gluteba, or Trickbot, etc. More often than not, these devices are simply maliciously configured, versus having been implanted with malicious code.

Beyond only Mikrotik routers, AT&T’s Alien Labs just discovered another botnet called BotenaGo (written in Go language) that can target millions of exposed and vulnerable devices with an arsenal of over 30 exploits. The attack surface of these devices is massive, yet awareness of this attack surface is still low; something CISA has been working very hard to change. 

Did you know that 60% of breaches involving a vulnerability were against devices for which a patch was available, but was never applied? You do now!

Speaking of Gluteba, (many believe this is the group that compromises devices like MiroTik, and then sells access to these devices to botnet operators/campaigns), it has a new trick: leveraging Bitcoin’s public ledger to maintain C2 in away that is both a) resilient and b) slightly Darwinian. This tactic is double-edged for the attackers as it allows the good guys to also see and anticipate the same public wallet addresses and new domains just like the malware does. This might come in handy some day when it comes time to prosecute them, too. 

Log4J represents another ‘first wave’ of attacks that gained an initial foothold and allowed myriad actors with myriad motives to gain presence wherever they might. Once a foothold had been established, however, the real story begins to play out.

One of these stories may be destruction – just as we saw when actors leveraged recent MS Exchange vulnerabilities to drop a destructive payload on victim machines. Another could be ransomware just like what we saw following the Microsoft Exchange attacks. Indeed, the Trickbot group behind Conti has already begun leveraging Log4J to drop ransomware only a few days after discovering its potential. Recall that ProxyLogon, too, was similarly used by ransomware gangs only days after its discovery. If destruction sounds incredulous or unlikely, check out what these Iranian nation state actors just did by leveraging a new HP iLO firmware vulnerability to wipe servers remotely.

This kind of rapid weaponization and ability to deploy follow-on payloads quickly puts a tremendous amount of pressure on security teams to patch and mitigate immediately. The very same group still leverages Fortinet vulnerabilities and ZeroLogon vulnerabilities, as well as look for vulnerabilities at the UEFI in order to implant there, just like many APTs have been discovered having done so of late.

Hackers have also been able to leverage Log4j exploits to specifically target ultra high end server hardware from HP (ones running Zen 3-based EPYC Milan CPUs) in order to mine the Raptoreum ($RTM) crypto currency.

In a dramatic yet somehow not surprising fashion, the Chinese government has decided to stop collaborating with Alibaba on cyber threat intelligence for a period no less than six months, after the organization failed to tell the government about the Log4J vulnerability prior to public disclosure. This demonstrates two things: 1) China’s bite is as bad as their bark in this regard; other organizations now have precedence, which they can use to justify disclosing vulns early and exclusively to the Chinese government and 2) he degree to which China’s offensive security strategy (proactively attacking western interests in order to gain key economic and military advantage) is overtly in play. 

Well, we didn’t think we’d be able to write this threat report without including Log4j, and sure enough, we had to.

A final word to reflect upon the passing of Dan Kaminsky, a luminary beyond compare in the field of cyber security and a dear friend to so many of us in the community. This month he was posthumously entered into the Internet Hall of Fame. He was the hero that saved the Internet more than once… but moreso, the hero that best embodied true discourse, critical thought, debate, rational exploration of myriad problem spaces, and someone that served as the pillar of ground truth and perspective for so many. Beyond even these things, he was the warmest of souls, the kindest of friends, and one of the most endearingly comical people any of us have ever met. Dakami, we’ll pour one out for you this NYE.

Here’s to a fantastic 2022. Let us be a stronger community, let us unite to fight those that do us cyber harm and protect those that cannot protect themselves, and let us innovate to solve for a better future together. We fight for the users!

Threats in the Wild

Threat actor uses HP iLO rootkit to wipe servers

An Iranian cyber-security firm said it discovered a first-of-its-kind rootkit that hides inside the firmware of HP iLO devices and which has been used in real-world attacks to wipe servers of Iranian organizations.”

Read More >

Industry News

Dan Kaminsky 2021 Internet Hall of Fame Induction Ceremony

“Dan inspired so many people, both technically and in hacker community personification of who we should all be, he reached the entire world, saved the internet more than a few times, and was literally and figuratively a key to the internet kingdom we all use.”

Read More >

Security Advisories

CISA Adds Zoho, Qualcomm, Mikrotik Flaws to ‘Must-Patch’ List

“The U.S. government’s cybersecurity agency has updated its catalog of “known exploited vulnerabilities” and set deadlines for federal agencies to apply fixes for security defects in software made by Qualcomm, Mikrotik, Zoho and the Apache Software Foundation.”

Read More >

Security Research

New Malware Uses SSD Over-Provisioning to Bypass Security Measures

“Korean researchers have detected a vulnerability in SSDs that allows malware to plant itself directly in an SSD’s empty over-provisioning partition. As reported by BleepingComputer, this allows the malware to be nearly invincible to security countermeasures.”

Read More >

Tools and Education

The firmware supply-chain security is broken: can we fix it?

“We decided to build an open-source framework to identify known vulnerabilities in the context of UEFI specifics, classify them based on their impact and detect across the firmware ecosystem with the help of the LVFS project. We will be sharing our approach as well as the tooling we have created to help industry identify the problems and get patched.”

Read More >

Definitive Guide to Enterprise Firmware Security

The security industry has made huge strides in reducing cybersecurity risk in operating systems and applications. But the underlying firmware, the digital DNA of every device, has largely been ignored…by everyone but our adversaries. With firmware threats and exploits increasing, security teams need a way to defend this unguarded attack surface. This Guide shows them how to do just that.

Read More>

*** This is a Security Bloggers Network syndicated blog from Eclypsium authored by Eclypsium. Read the original post at: https://eclypsium.com/2022/01/03/december-firmware-threat-report-2021/