May Firmware Threat Report
It’s About Time!
On the heels of RSA comes this month’s Below the Surface Threat Report. Our theme this month is “Time”. In the context of cyber warfare, cyber criminal attacks, and long-running espionage campaigns, it is time that serves as the ultimate advantage (or disadvantage) over an adversary. Both sides of the struggle are in a race. The blue team races to thwart the attacker’s objectives and their potential impacts to the mission, safety, uptime or revenue. The adversary on the other hand, has a bear on their back: eternally working to outpace the blue team’s next generation security stack; one that has become integrated, automated, and expanded via XDR. One that is better and faster at detecting and then interrupting an active attack. Both sides are in a race, and this race plays out across more than just the notional kill chain activities, but also in the realms of research, development, cooperation, software, firmware and hardware vulnerabilities, and in the human domains of endurance, focus, distraction, determination and persistence. Yet, how do we actively identify, baseline, and measure metrics related to time? With our playbooks? With our patching cadence for CISA’s KEVs or our CD (Coordinated Disclosure) timelines? It’s about how fast we can develop solutions vs. how fast cyber criminals develop malware, tooling, infrastructure and novel evasions.
One of the greatest myths in cyber security is that the adversary is more “sophisticated” or “advanced” than we are. They aren’t. They are simply quicker than our defenses. So it’s remarkable how little we focus on time itself, while the adversary continues to simply outpace us, instead of outsmarting us.
Real-World Examples
Why does the Iranian-backed Phosphorus group leverage spear-phishing to ascertain or influence the geo-location of targets they want kid-napped? Because it is the fastest way to organize that campaign and funnel on-the-ground resources to their targets. Put another way, it’s the quickest way to manifest kinetic/physical world objectives.
Why has the Conti core group of developers focused on low-level tactics to target the UEFI via BIOS write-enable vulnerabilities, or via the all-too-common and vulnerable Intel ME pathway? Because they know they can buy back precious time, and persist longer, by dipping underneath the entire rest of the security stack above. The adversary can out-pace, but they can ‘buy back’ time, too.
Why are newly-disclosed vulnerabilities targeted within hours of being disclosed? Why are there entire infrastructures already stood up to take advantage of these disclosures the moment they surface? Because both criminals and APTs know that the time advantage they have over blue team’s ability to assess, mitigate or patch is eternally in their favor, and that defenders are fixated more on efficacy and observables (of detection/blocking, etc.) than they are on speed and anticipation, respectively.
Why are attackers likely to take advantage of a new vulnerability in coreboot that allows for arbitrary code execution in SMM (System Management Mode)? Perhaps because researchers (ours, in fact) unveiled similar issues in 2017, including SMM not coming with write-protection enabled, giving attackers the greatest time advantage possible once exploited for persistence.
Why do adversaries leverage diversion, DDoS, and other tactics that lend to the ‘fog of war’ during an intrusion, or just prior to exfiltration? Obviously to divert resources but also to degrade confidence in the ability to make decisions quickly as a defender. Those delayed decisions buy back time. One of the greatest DFIR lessons during WannaCry, in both IT and OT environments alike, was that defenders did not have the tooling needed to identify devices, know who owned them, what their function/criticality was, whether they were vulnerable, etc. In essence, the device-level problem space was not captured by the victim orgs, and therefore both the automated worming elements as well as the hands-on keyboard activities of the threat actors (in certain target environments) were able to outpace defenders’ ability to identify, contain and eradicate the threat.
Look no further than PRC-backed hacking activity over the last two and half years as outlined in this CISA advisory. In it, we learn that these state actors are leveraging RouterSploit and RouterScan [T1595.002] to exploit no less than eight RCE (Remote Code Execution) vulnerabilities on six device manufacturers, four authentication bypass vulnerabilities on four vendors’ devices, as well as privilege escalation, injection and XML-related vulnerabilities on a total of ten popular manufacturers’ devices.
Vendor | CVE | Vulnerability Type |
Cisco | CVE-2018-0171 | Remote Code Execution |
CVE-2019-15271 | RCE | |
CVE-2019-1652 | RCE | |
Citrix | CVE-2019-19781 | RCE |
DrayTek | CVE-2020-8515 | RCE |
D-Link | CVE-2019-16920 | RCE |
Fortinet | CVE-2018-13382 | Authentication Bypass |
MikroTik | CVE-2018-14847 | Authentication Bypass |
Netgear | CVE-2017-6862 | RCE |
Pulse | CVE-2019-11510 | Authentication Bypass |
CVE-2021-22893 | RCE | |
QNAP | CVE-2019-7192 | Privilege Elevation |
CVE-2019-7193 | Remote Inject | |
CVE-2019-7194 | XML Routing Detour Attack | |
CVE-2019-7195 | XML Routing Detour Attack | |
Zyxel | CVE-2020-29583 | Authentication Bypass |
Top network device CVEs exploited by PRC state-sponsored cyber actors via CISA
This in turn allows them to quickly gain access to credentials inside the organization via classic RADIUS and other AAA (Authentication, Authorization, and Accounting) services, and from there, double back to attack an even larger set of devices in order to configure them to do network boundary bridging [T1599], mirror [T1020.001], and exfiltrate traffic out of the victim environment. If this sounds like the same kind of network penetration testing we used to do in the late 90’s and early 2000’s…that’s because it is. Why? Because it is still the most efficient and quickest way to get into an organization, and get data out of it. Why does quickness matter? Because this set of APTs knows that device-level integrity monitoring, log-monitoring, and configuration management moves at a slower pace than what is needed to achieve attacker objectives. It’s not that organizations aren’t doing those things, it’s that they don’t have the tooling, resources, or discipline to continuously improve the cadence at which they monitor these controls. Yet, when many read the CISA advisory above, they may not be giving enough credence to statements like this, mentioned in the first two recommended mitigations:
- Keep systems and products updated and patched as soon as possible after patches are released [D3-SU] . Consider leveraging a centralized patch management system to automate and expedite the process.”
- Immediately remove or isolate suspected compromised devices from the network.
And while the subsequent twelve mitigations are of paramount importance, try giving them a read and simply appending “as fast as possible” to the end of each. Indeed “Sooner is better than perfect” applies to every one of them. How might you baseline, in time-based metrics, your organization’s ability to execute each of them, such that you can show that over time, your organization is getting faster at being able to do each? Focus on getting faster at making decisions that matter in time enough to matter, ahead of those impacts that stand to cause your organization the greatest harm.
As you read through the stories, advisories, and research below, take a moment to reflect on not whether your organization is prepared for them, but rather, how quickly those preparations, mitigations, patches, playbooks, and device management are being carried out.
If a picture is worth a thousand words, this video might be worth a million. In just sixty seconds, an attacker goes from the results of a simple SHODAN scan, to exploiting an RCE on an Internet-facing VPN appliance, and gaining root and a reverse shell from a Windows host on the internal network.
Conti Targets Critical Firmware
“In late February of this year, an unknown individual began leaking internal information and communications from the notorious Conti ransomware organization. These leaks appear to confirm the long-suspected connections between Conti and the Russian FSB, and provide key insight into the development of new threats and techniques. Notably, these leaked chats exposed a new front in the ongoing evolution of firmware-based attacks. In addition to classical attacks that target UEFI/BIOS directly, attackers are now targeting the Intel Management Engine (ME) or Intel Converged Security Management Engine (CSME)” – Eclypsium Research
- People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices
- Cyber attack on state organizations of Ukraine using the malicious program Cobalt Strike Beacon
- Fronton: A Botnet for Creation, Command, and Control of Coordinated Inauthentic Behavior
- Massive cyber attack on media organizations of Ukraine using the malicious program CrescentImp
- Karakurt alert latest indicator that feds are worried about spin-off ransomware groups
- Kinsing & Dark.IoT botnet among threats targeting Confluence CVE-2022-26134
- Conti spotted working on exploits for Intel ME flaws
- Conti’s Attack Against Costa Rica Sparks a New Ransomware Era
- Attribution of Russia’s Malicious Cyber Activity Against Ukraine
- Critical F5 BIG-IP vulnerability exploited to wipe devices
- NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks
- When Your Smart ID Card Reader Comes With Malware
- Costa Rican president says country is “at war” with Conti ransomware group
- A roundup of national statements related to the satellite cyber attack below
- New DNS Cache Poison Attacks put IoT devices of all types at risk!
- Zero-Day Exploitation of Atlassian Confluence
- Mandiant Quietly Investigating Suspected Russian Intrusions
- Clop ransomware gang is back, hits 21 victims in a single month
- Exclusive: Russian hackers are linked to new Brexit leak website
- #ESETresearch found an evolution of a malware loader used during the #Industroyer2 attacks
- Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials
2022 Data Breach Investigations Report
“82% of breaches involved the Human Element, including Social Attacks, Errors and Misuse. 13% increase in Ransomware breaches—more than in the last 5 years combined. 62% of incidents in the System Intrusion pattern involved threat actors compromising.”
- Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act
- Some QCT servers vulnerable to ‘Pantsdown’ flaw say security researchers
- Firmware Attack Surface Reduction (FASR) – Windows drivers
Weak Security Controls and Practices Routinely Exploited for Initial Access
“Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access. During recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.”
- Threat Actors Exploiting F5 BIG-IP CVE-2022-1388
- Cloudflare’s approach to handling BMC vulnerabilities
- CISA Adds 34 Known Exploited Vulnerabilities to Catalog
- Protecting Against Cyber Threats to Managed Service Providers and their Customers
- HP fixes bug letting attackers overwrite firmware in over 200 models
- An issue was discovered in coreboot 4.13 through 4.16. On APs, arbitrary code execution in SMM may occur.
- Software Developer Guidance for Power Advisory
- Frequency Throttling Side Channel Software Guidance for Cryptography Implementations
A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys
“Hertzbleed attack targets power-conservation feature found on virtually all modern CPUs.”
- CISA and DoD Release 5G Security Evaluation Process Investigation Study
- Researchers devise iPhone malware that runs even when device is turned off
- SMM Callouts in HP Products
- Matryoshka Trap: Recursive MMIO Flaws
- How to find Log4j Vulnerabilities in Every Possible Way
- Frequency Throttling Side-Channel Attack
Known Exploited Vulnerabilities Catalog
“Although not bound by BOD 22-01, every organization, including those in state, local, tribal, and territorial (SLTT) governments and private industry can significantly strengthen their security and resilience posture by prioritizing the remediation of the vulnerabilities listed in the KEV catalog as well. CISA strongly recommends all stakeholders include a requirement to immediately address KEV catalog vulnerabilities as part of their vulnerability management plan.”
- Python library to normalize Yara signatures
- Black Hat Asia: Firmware Supply Chain Woes Plague Device Security
- GitHub – e-m-b-a/emba: EMBA – The firmware security analyzer
- Continuous Diagnostics And Mitigation Training via CISA
- culvert – A test and debug tool for BMC AHB bridges
- Matryoshka Trap: Recursive MMIO Flaws Lead to VM Escape
- Digging Into The Core of Boot
- “What does the FSB need with a Botnet?” NCFTA 2022
Executive Summary: Conti Opens A New Front In The Fight For Firmware
Recently leaked communications from within the notorious Conti ransomware group have exposed a new strategy to exploit firmware and gain complete control over a system. Unlike previous threats that directly target weaknesses in UEFI/BIOS, attackers are now attempting to go through a figurative side door by exploiting weaknesses in the Intel Management Engine, a critical part of the chipset with direct access to the same chip housing the code that boots a computer. To add fuel to the fire, many organizations do not update the chipset firmware with the same regularity that they do for other software. As a result, this shift to targeting out-of-date chipset firmware is a major development in the evolution of firmware threats that greatly expands the number of devices that are susceptible to a firmware attack.
*** This is a Security Bloggers Network syndicated blog from Eclypsium authored by Eclypsium. Read the original post at: https://eclypsium.com/2022/06/23/may-firmware-threat-report/