April Firmware Threat Report
Justice in the End
Summary Take-Aways Up Front
- Russian threat actors continue to employ multiple IV (initial vectors) into target networks, and carry out multi-objective operations once inside, with the primary aim of either long term persistence, destruction, or both
- Russian actors, including a newly identified espionage campaign, are more and more turning to connected devices within an environment to maintain persistence, disrupt operations, evade security controls and exfil or tunnel information and C2
- VPN devices serve as a primary IV (initial vector) into enterprise and government networks
- CISA’s known exploited vulnerabilites list, including this top 15 list, is key in deterring all threat actors of significance
- Exploited vulnerabilities continue to serve as a primary vector into organizations
Let’s just call this what it is. The US (and NATO allies) are in a cyber war with Russia, fighting tooth and nail against both nation-state affiliated actors and criminal actors alike. The nature of this cyber war is one of continued, steady escalation, as well as diversification of TTPs observed in the wild. Stakes are getting higher, and with them come bolder moves from both sides of the cyber conflict. While the invasion of Ukraine forms a centerpiece of discussion and is itself a large impetus for this escalation, it does not encompass the breadth nor gravity of the broader cyber conflict. This conflict did not begin on the eve of Feb 23rd, nor will it ever end.
From our vantage point here at Eclypsium, given our expertise and pedigree in the area of low-level attacks on firmware, supply chain, drivers and devices, we see playing out exactly what we had feared would: Attackers of all ilk and motive, are turning more towards lower-level attack vectors, and for good reasons: they are able to evade the rest of the security stack, persist indefinitely, and reserve the option to disrupt or destroy critical assets at a time of their choosing.
Equally apparent, is that actors are further leveraging connected devices within enterprise and operational environments as a core part of their overall attack methodology. Both externally-facing devices like VPN appliances, but also, too, devices on the inside of networks in the form of routers, cameras, printers and other soho/IOT devices. These devices are providing similar low-level advantages for the attackers with some additional expanded benefits as well: Evasion, stealth, persistence, tunneling, exfiltration, disruption/destruction, credential theft, backdoors, diversion, and more.
Recently there was (yet another) Trickbot group leak, only this time the chat logs leaked are from much more recent conversations earlier this spring. In these leaked chat conversations we are able to glean some more insights regarding the group’s use of such devices. Much akin to last month’s threat report we are fortunate to be able to lead off with some additional Darwinian humor; the beginning of a chat between “Ned” and “Benny”:
Which translates as follows:
Ned – hi
Benny – otr
Benny – otr test
Ned – ok
Benny – I think it is on.
Benny – Hi bro!
Ironically enough, indeed the chat client’s OTR (Off-The-Record) encryption was not enabled, else we wouldn’t be staring right at it. Hey Benny… “Hi Bro!”
Humor aside, in another chat between Beeny and Ruben, we see Benny asking questions about how their tooling around network devices works. One tool in particular, is called ‘checker.sh’:
Without translating every line, and extrapolating from additional pretext, we see that the checker.sh tool can be used to not only test for a vulnerability but also infect a device. It can ingest a list of routers to scan as one argument, or take another argument which will immediately infect them via a supplied list of C2 IPs. We see references to attacking MikroTik and Ubiquiti routers, and that an entire list of routers and dumped credentials is used. Looking at context prior to and after this section, one gets the idea that one part of the group finds the routers via a number of means, another group does the scanning of them, another develops the tooling, infects, credential dumping, and so on:
“Thank you man, I am awaiting material from a new seller, will be checking”. Here, ‘material’ likely refers to a user/password list that has been purchased, for example.
Taken as a whole, this latest Trickbot Leak confirms (and exposes first hand) what many analysts and DFIR heroes have long observed: that both Trickbot and Conti groups thrive on these types of devices, and have a very structured and effective layered approach to attacking them, whether on the internal network or whether they are externally-facing for initial access. Recall that after the Microsoft and US Cyber Command take-down attempts in 2020, Trickbot fell back to Mikrotik devices for their C2, as they were beyond the ‘reach’ of Microsoft’s legal arm, and beyond the rest of the security stack’s telemetry too. Over a year later, and they are still putting this class of device to effective use. These devices have become targets unto themselves, meaning it matters not who their owners are or the assets sitting behind them, as they have their own intrinsic value in providing tunneling and C2 for actors. Yet, indeed, a compromised router provides myriad vectors to attack devices behind it, and their communications to the Internet.
In a case of Darwinian double-irony, we’ll close this section with the following:
“Hi! Can’t say, Demetr is the one responsible for this, but there was a talk to delete history as much as possible and not store anything here…”
Looks like they goofed that one up, too. We’ll call this the “Benny Spill Show” for reference.
But of course it isn’t only Conti and Trickbot that leverage these devices. A new espionage threat actor, UNC3524 (possibly related to Russian GRU or SVR) relies on obscure devices in order to persist up to 18 months; 30 times longer than the 18-19 day dwell times seen in Conti infections. As Mandiant wrote in their research:
“For their long-haul remote access, UNC3524 opted to deploy QUIETEXIT on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers.These kinds of devices don’t support antivirus or endpoint detection and response tools (EDRs), subsequently leaving the underlying operating systems to vendors to manage.”
They didn’t just stop there; they also deployed the server component of the QUIETEXIT tunneling malware on LifeSize and D-Link camera systems exposed to the internet that were running outdated firmware.
If you are asking yourself “how would I even detect this activity?”, you are not alone, and it’s exactly why such groups are operating nearly malware-less on the traditional x86 hosts, and doing more of the lift on the connected devices around them.
Such cameras have been exploited in the past, too. You’ll find IP Camera CVE’s like CVE-2020-5735 and CVE-2021-36260 present on CISA’s all-important list of Known Exploited Vulnerabilities (KEVs). And you’ll find vulns for other D-Link devices there (CVE-2015-2051, CVE-2021-42237 and CVE-2020-9377), and even an Ubiquity CVE too (CVE-2010-5330). And these are but a fraction of the 650+ known-exploited vulnerabilities CISA is urging you to address foremost. It’s why Eclypsium applies a tremendous amount of research into understanding how attackers discover, analyze and attack the firmware of such devices, so that organizations can understand their networks through the lens of real-world threat actors.
Just prior to publishing this report, news broke of a newly discovered bug (CVE-2022-1388) in F5 BIG-IP devices that allows an unauthenticated attacker to gain remote code execution on the system through bypassing F5’s iControl REST authentication in the management interface. It wasn’t more than a few minutes later that one of our own researchers witnessed an active attack take place on one of our test lab cloud instances we use to develop our solution. After doing preliminary analysis, the payload that was dropped looks to be none other than the BillGates botnet, the same payload that has also been dropped onto numerous devices vulnerable to the Log4Shell vulnerability. This, only 5 days after the CVE was published. Already many hundreds of devices have been exploited and many thousands remain vulnerable. Should there even be that manyf publicly facing management interfaces? Normally the answer would be a resounding ‘no’…but in these times, when even core IT staff work remotely, remotely-accessible interfaces are no longer an exception. As in every instance described throughout this newsletter, the things an attacker can do once they have taken full control over a critical device, are nearly unlimited in scope, and impact. Does this affect most organizations? Absolutely, F5 BIG-IP products are deployed in tens of thousands of companies, and heavily inside medical organizations worldwide.
These kinds of attacks are, across the board, the shortest path for an attacker to take, with the least amount of effort, the least chance of being detected and evading the endpoint-centric security stack, and what’s more, the fastest way to target critical assets on the internal network too. When asked to create a simple demonstration of just how fast this can be done, one of our researchers sent back a video he made of an attacker going from a shodan scan of vulnerable VPN devices, to an RCE exploitation of them via metasploit, to a shell that they used to target an internal Windows host, to root on that device, all in less time that it has taken you to read this month’s Below the Surface threat report.
This is precisely why CISA continues to curate and push out what is perhaps the single most important and actionable tool your organization can use, their list of Known Exploited Vulnerabilities (aka ‘KEV’s), including a ‘top-15’ list recently too. Their number one recommendation includes the patching of firmware as a top priority: “updating software, operating systems, applications, and firmware, with a prioritization on patching known exploited vulnerabilities; implementing a centralized patch management system; and replacing end-of-life software”
Once again a picture (courtesy of AdvIntel’s Andarial platform) is worth a thousand words. Here you see the VPN vector serving to provide initial access to some of the worst ransomware actors there are: Conti, Hive, REvil and LockBit.
So we’ll leave you with this last question:
If threat actors are successfully finding easy-to-exploit device firmware vulnerabilities, shouldn’t we be able to do the same inside our own networks? Shouldn’t we know what percentage of our environment is vulnerable to threats that aim to persist there indefinitely or cause the most destructive impact to mission, safety, or uptime? While rhetorical by design, this question should at the least, serve to enable a brass-tacks conversation with the right stake-holders.
Finally, against the backdrop of this cyber war, the US Government is stepping up efforts to identify and indict both nation-state and criminal actors originating from Russia. Here, Sandworm (Russian GRU, Unit 74455) actors are called out for attacking SOHO routers.
Next, there is a reward for information related to these and other activities. The anonymous tip hotline is here:
http://he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion
And, sure enough, there is also a reward for members of Conti, which are now rumored to be so disrupted by the Conti Leaks and efforts of the community, that they may soon no longer remain as an holistic entity. Likely, they have already rebranded and will emerge again in some new form and method of operations and TTPs. The recently observed BazzarCall call-center social engineering campaign, for exampleBut for now, a tip of the hat to those who have worked behind the scenes to aid in their demise.
Speaking of infamous ransomware groups rebranding, it kind of flew under the radar, but suffice it to say, that REvil has resumed operations, after its core developer resurrected their infrastructure and a new encryptor sample was found in the wild to validate their return. This, despite two dozen arrests of their members just prior to the Ukraine invasion. Let’s hope this group hasn’t been ‘influenced’ by conversations with Russian intelligence officers during their brief time offline, now that Moscow has cut cyber-conviction related communications with the US.
So, we are back to where we began: the cyber war is real, ongoing, and always escalating. Let’s all hope for the best, and continue to work together as an industry and community, to defend against and bring down those that wish to harm us the most.
CISA, FBI, NSA, and International Partners Warn Organizations Of Top Routinely Exploited Cybersecurity Vulnerabilities
“Malicious cyber actors continue to aggressively target disclosed critical software vulnerabilities against broad target sets in both the public and private sectors. While the top 15 vulnerabilities have previously been made public, this Advisory is meant to help organizations prioritize their mitigation strategies.”
- Costa Rica declares national emergency after Conti ransomware attacks
- Sandworm hackers fail to take down Ukrainian energy provider
- RIPTA releases note from hackers in CONTI ransomware attack
- Rewards for Justice – Reward Offer for Information on Russian FSB Officers Conducting Malicious Activity Against U.S. Critical Infrastructure Between 2012-2017 – United States Department of State
- Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Systems
- Russia’s Sandworm Hackers Attempted a Third Blackout in Ukraine
- Hackers can infect >100 Lenovo models with unremovable malware. Are you patched?
- An overview of Russia’s cyberattack activity in Ukraine
- The Elite Hackers of the FSB
- THE LOTUS PANDA IS AWAKE, AGAIN. ANALYSIS OF ITS LAST STRIKE
- AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
- Cyber attack of UAC-0010 group (Armageddon) on state organizations of Ukraine (CERT-UA # 4434)
- Cyberattack by Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
- Cyber attack of the UAC-0098 group on the state authorities of Ukraine using the Metasploit framework (CERT-UA # 4560)
- Google: Chinese state hackers keep targeting Russian govt agencies
- Data-wiper malware strains surge as Ukraine battles ongoing invasion
- LAPSUS$: Recent techniques, tactics and procedures
- REvil ransomware returns: New malware sample confirms gang is back
NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks
“The National Institute of Standards and Technology (NIST) on Thursday released an updated cybersecurity guidance for managing risks in the supply chain, as it increasingly emerges as a lucrative attack vector.”
- Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice
- ”SBOM” should not exist! Long live the SBOM
- US Government (GSA) knows that firmware needs to be covered at scale.
- Disrupting cyberattacks targeting Ukraine – Microsoft On the Issues
- SpaceX shut down a Russian electromagnetic warfare attack in Ukraine last month — and the Pentagon is taking notes
- US District Court of California Search Warrant for Cylclops Blink infected device
- Reserve Bank drops Accellion after hack, rolls out Box
2021 Top Routinely Exploited Vulnerabilities
“Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.”
- Unpatched DNS bug affects millions of routers and IoT devices
- A potential security vulnerability in the Intel® Active Management Technology (AMT) SDK, Intel® Setup and Configuration Software (SCS) and Intel® Management Engine BIOS eXtensions (MEBx) may allow escalation of privilege.
- Cyclops Blink: Remediate a locally-managed Firebox
- F5 Releases Security Advisories Addressing Multiple Vulnerabilities
- APT Cyber Tools Targeting ICS/SCADA Devices
- Update: Destructive Malware Targeting Organizations in Ukraine
- When “secure” isn’t secure at all: High‑impact UEFI vulnerabilities discovered in Lenovo consumer laptops
- The web interface on Intelbras WIN 300 and WRN 342 devices through 2021-01-04 allows remote attackers to discover credentials
- Cyberattack by Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
- Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA
- An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2
- 4-Step Cyclops Blink Diagnosis and Remediation Plan
- HPE, Extreme Networks working to address five vulnerabilities in widely used network switches
- Password vulnerability fixed in Dell storage firmware
M-Trends 2022: Cyber Security Metrics, Insights and Guidance From the Frontlines
“Adversaries frequently leveraged exploits in 2021 with 30% of all intrusions involving exploit activity. In 2021, major vulnerabilities were discovered in products such as Microsoft Exchange, SonicWall […], Pulse Secure VPN appliances and Apache’s Log4j 2 utility among others. Adversaries exploited these vulnerabilities to initiate and further intrusions. Mandiant experts even observed adversaries leverage vulnerabilities to deploy ransomware”
- Industroyer2 IEC-104 Analysis
- Industroyer2: Industroyer reloaded
- Industroyer2 in Perspective
- LUBYANKA FEDERATION – How the FSB determines the politics and economics of Russia
- Hardware-assisted security will go big soon – study
- CHERNOVITE’s PIPEDREAM Malware Targeting Industrial Control Systems (ICS)
- Conti and Hive ransomware operations: What we learned from these groups’ victim chats
- Ransomware Threat Actors Pivot from Big Game to Big Shame Hunting
- New Intel CPUs (CNL+) of A0 stepping can be Red Unlocked without any passwords (by single IR reg)
- Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
- UNC3524: Eye Spy on Your Email
- Stolen Images Campaign Ends in Conti Ransomware
NIST Special Publication SP 800-161r1Cybersecurity Supply Chain Risk
“This control applies to the federal agency and applicable supplier products, applications, information systems, and networks. The integrity of all applicable systems and networks should be systematically tested and verified to ensure that it remains as required so that the systems/components traversing through the supply chain are not impacted by unanticipated changes.”
- APT Cyber Tools Targeting ICS/SCADA Devices
- A way to execute commands remotely within VirusTotal platform and gain access to its various scans capabilities
- Hcltm – Documenting Your Threat Models With HCL
- Uncover – Quickly Discover Exposed Hosts On The Internet Using Multiple Search Engine
- RW-Fuzzer: A Fuzzing Method for Vulnerability Mining on Router Web Interface
- Hybrid Deep Neural Network Model for Detection of Security Attacks in IoT Enabled Environment
- ARL(Asset Reconnaissance Lighthouse (Used by APT 30)
- VIPER (Redteam operation platform with webui, used by APT 30)
- Ransom.Conti Code Execution
- Using Data Memory-Dependent Prefetchers to Leak Data at Rest
Defending Firmware in the Firmament
On 24 February 2022, a “multifaceted and deliberate cyber-attack” was waged against the land-based portion of ViaSat’s KA-SAT network. The attack resulted in a partial interruption of KA-SAT’s consumer-oriented satellite broadband service. The attack impacted several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe.
Disruption and Destruction – Recent Low-Level Destructive Attacks and APT / Criminal Actor Insights
by Scott Scheferman, Principal Strategist at Eclypsium
(as presented to the Houston InfraGard TLP:White)
Against the backdrop of the cyber-hybrid conflict in Ukraine, the threat landscape has fundamentally shifted towards disinformation, disruption and destructive primary motives. To this end attackers have also shifted their TTPs towards low-level attacks that stand to do the most harm to their victims.
This talk will cover specific areas of low level attacks that many organizations are not adequately capable of anticipating, and describe why these TTPs are so effective and valuable to the modern adversary; whether their motives are destructive, financial, espionage or a combination of all three.
In this talk we’ll cover:
- What the low-level attack surface looks like (device-level, firmware) and the challenges of securing it (BIOS/UEFI, BMC’s, VPN Devices, etc)
- Why modern adversaries choose to target at this level and the unique advantages and flexibility it gives them
- Why this class of attacks can cause the most amount of harm to the mission, organization, or operations (including safety)
- Examples, discovered via threat intelligence and research, of cyber criminal actors moving towards low-level attacks
- A brief summary of the magnitude, diversity and impact of cyber attacks coming out of the invasion of Ukraine (in one picture worth 1000 words)
- A look at what organizations must do in order to proactively identify and hunt for low-level threats and vulnerabilities in their devices and supply chain
*** This is a Security Bloggers Network syndicated blog from Eclypsium authored by Eclypsium. Read the original post at: https://eclypsium.com/2022/05/12/april-firmware-threat-report-2022/