
July Firmware Threat Report
Forward to the Past
Check our discussion of this between Paul Asadoorian and Scott Scheferman.
DEF CON is celebrating its 30th anniversary this year in Las Vegas. For many of us, it is impossible not to be sentimental about this event and its significance in our lives, both personally and professionally. Between the talks that have been given, or the infinite number of hallway conversations, one thing is for certain: DEF CON has always been a ground-truth source of research, education and inspiration and this year’s DEF CON promises to be no different. Especially when it comes to firmware security, and in particular, bootkits and rootkits.
It was about a decade ago when the research community – including Eclypsium’s own founders and researchers – began to beat the drum of how threat actors could attack and reside at the firmware layer on a device, meaning that the operating system (Windows Vista, Windows 7 etc back then!) could not detect or defend against it. The industry responded, in part, by creating Secure Boot which, as the name suggests, secured the boot process by preventing the loading of UEFI drivers or OS boot loaders that are not signed with an approved digital signature. This was part of the UEFI specification itself and was a heavy lift for hardware and firmware OEMs, including Microsoft, to implement.
It didn’t take long, however, for researchers (in this case our own founders!) to find ways to bypass it and, in so doing, highlight systemic and hard-to-fix challenges with the Secure Boot paradigm. This research resulted in a 2013 talk demonstrating a way to bypass Windows 8 Secure Boot and install a bootkit. Two years later our founders, alongside other researchers, spoke about vulnerabilities in the critical System Management Mode (SMM) and SMI handlers. Five years later, our founders presented research on how Windows features like Credential Guard and Windows 10 Virtualization Based Security (VBS) were bypassable, once again highlighting threat vectors at the foundational layer which Microsoft was then forced to address. Each side’s work sharpened the other’s, as Microsoft made incremental improvements to its OS to address foundational layers of trust and security. More recently this has taken the form of Secured-core PCs – which tie trust to hardware itself – and an overarching Chip-to-Cloud initiative, both promising fundamentally better approaches to the hardware/firmware root of trust challenge. As Microsoft states in their Windows 11 documentation:
“In Windows 11, hardware and software work together to protect the operating system, with virtualization-based security (VBS) and Secure Boot built-in and enabled by default on new CPUs. Even if bad actors get in, they don’t get far. VBS uses hardware virtualization features to create and isolate a secure region of memory from the operating system. This isolated environment hosts multiple security solutions, greatly increasing protection from vulnerabilities in the operating system, and preventing the use of malicious exploits. In combination with device health attestation with cloud services Windows 11 is zero trust ready.”
In spite of the progress we have made together as an industry, we are still faced with fundamentally challenging problems centered around how the OS can trust the hardware and firmware below it, and how the firmware can be secured from threats coming from the OS. Fast forward to recent years and this becomes even more apparent. Whether it’s a rootkit that can be installed on every Windows device from the last 10 years (including Secured-core PCs), or an industry-wide vulnerability in GRUB2 that allows for bypassing Secure Boot, the challenges persist, despite laudable efforts, once again, to address them.
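Before worrying about bypasses, a defender needs to know whether Secure Boot is actually being enforced on a given Linux host; the following added example (not code from the Eclypsium report) parses the SecureBoot and SetupMode variables as exposed by Linux efivarfs, where each file is a 4-byte little-endian attribute word followed by the variable data. It assumes the EFI_GLOBAL_VARIABLE GUID path layout used by efivarfs and falls back to constructed sample blobs when run on a non-UEFI machine.

```python
"""Read and interpret UEFI Secure Boot state from Linux efivarfs.

Added example, not part of the original report. Assumes efivarfs is
mounted at /sys/firmware/efi/efivars and that each variable file holds
a 4-byte attribute header followed by the variable data.
"""
from pathlib import Path
from typing import Optional, Tuple

# GUID of EFI_GLOBAL_VARIABLE, under which SecureBoot and SetupMode live.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs blob into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar blob shorter than the 4-byte attribute header")
    attrs = int.from_bytes(raw[:4], "little")
    return attrs, raw[4:]


def boot_policy(secure_boot_raw: bytes, setup_mode_raw: bytes) -> dict:
    """Interpret the two 1-byte variables.

    Signature checks are only enforced when SecureBoot == 1 AND
    SetupMode == 0; in setup mode the key stores (PK/KEK/db/dbx) are
    writable and the firmware does not enforce Secure Boot.
    """
    _, sb = parse_efivar(secure_boot_raw)
    _, sm = parse_efivar(setup_mode_raw)
    secure = sb[:1] == b"\x01"
    setup = sm[:1] == b"\x01"
    return {"secure_boot": secure, "setup_mode": setup,
            "enforced": secure and not setup}


def read_live() -> Optional[dict]:
    """Read the real variables; None when no efivarfs is present."""
    sb = EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}"
    sm = EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}"
    if not (sb.exists() and sm.exists()):
        return None
    return boot_policy(sb.read_bytes(), sm.read_bytes())


# Constructed sample blobs: attributes 0x06 (BOOTSERVICE|RUNTIME access),
# then the 1-byte value. These are not captured from any real device.
SAMPLE_ENFORCED = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x01")
SAMPLE_OFF = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")

if __name__ == "__main__":
    live = read_live()
    print("live:", live if live else "no efivarfs (not Linux/UEFI)")
    for name, (sb, sm) in (("enforced", SAMPLE_ENFORCED),
                           ("setup", SAMPLE_SETUP), ("off", SAMPLE_OFF)):
        print(name, boot_policy(sb, sm))
```

A host reporting secure_boot=True but setup_mode=True is the case worth flagging in inventory: the indicator looks healthy while nothing is actually enforced.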
While we are getting better via this cat and mouse game of researchers pushing OS vendors forward, time may be running out. Nowhere will this be more apparent than at this year’s DEF CON talk by Eclypsium researchers Jesse Michael and Mickey Shkatov. The title says it all: “One Bootloader to Load Them All”. In many ways, we are right back to where we began: a fundamentally difficult challenge that we must solve together while mitigating the risk in the meantime.
Secure Boot and Secured-core PCs are not the only challenges when it comes to firmware. Intel’s microcode has been the subject of much discussion in recent years, and new tools are making it easier for researchers to explore x86 architecture to find vulnerabilities before bad actors do, including this recent microcode decryptor, which some are already leveraging to dive down the rabbit hole.
Finally, research is also pushing the industry forward when it comes to the all-important UEFI. Only three months ago a major OEM was discovered to have critical vulnerabilities in its firmware, allowing attackers to disable secure boot on millions of laptops. Now, researchers have discovered even more exploitable vulnerabilities in the UEFI affecting dozens of models, ones which would allow an attacker to run their code pre-boot and disable critical OS security features.
Strong research is also underway to explore the soft underbelly of device firmware on VPNs, load balancers, firewalls and other externally-facing devices. In this area, the bad actors seem to be well ahead of both researchers and OEMs. Eclypsium’s Nate Warfield is looking to turn that tide, discovering ways that attackers can exploit and persist on such externally-facing devices in novel ways, because attackers already are. Despite CISA’s overt warnings to patch such devices, the operational challenges of patching, together with the remote-workforce paradigm shift, seem to be making it incredibly difficult to do. At least that’s what Nate observed earlier on in his research leading up to the talk he presented at the TROOPERS conference. Make no mistake, attacks against these devices are commonplace, and some of the worst APT actors are leveraging them as we speak, in part because the attack surface is massive. In fact, another of our researchers, Vlad Babkin, discovered over 12,000 readily-exploitable Juniper devices and another 3400 that were highly likely to be vulnerable. So impactful was that analysis that we wrote a blog about it. Vulnerabilities are being discovered at a cyclic rate lately, by eager researchers and threat actors alike. Speaking of attacks targeting firmware, industry awareness has never been higher. From recent surveys and reports, we learn that 80% of organizations have experienced a supply-chain attack and 83% have experienced a firmware attack. This indirectly mirrors Mandiant’s M-Trends report from Q1, which indicates that over half of all initial vectors into a successful breach were via either supply chain or exploitation, compared to only 20% attributed to spear phishing and credential theft combined. Quite simply, the threat landscape has shifted, and in some ways it feels as though we’ve regressed 25 years, like we’ve gone forward into the past.
Despite all the evidence of active threat campaigns targeting the supply chain, a recent report by Tata reveals that not everyone has gotten the message. Of those businesses with over $1B in revenue, decision makers only prioritized supply chain as the 9th likely target for attack in their organization. The report’s first-page recommendations include making supply chain security a higher priority. Message received.
If we don’t get ahead of supply chain attacks, they will continue to pose grave risk to our foundational services and critical infrastructure.
There are dozens of examples but here’s one that hits home: a supplier and integration platform that processes hundreds of billions of text messages per year, with direct connections to hundreds of blue chip telcos, was hit by a supply chain attack targeting their customers. What makes this interesting from a device firmware perspective is the extremely heterogeneous, complex and diverse environments involved with this type of infrastructure. These environments have evolved over the course of decades, with some of the most critical devices being the oldest and least-maintained. Mainframes, old firewalls, legacy VPN appliances, anything you can think of is in these environments, making them ripe targets for adversaries looking to persist indefinitely or disrupt the critical services they provide. Much like the Accellion FTA device supply chain attack carried out by TA505 in recent years, the vendor in question here provided a large-scale file transferring platform that served, effectively, the entire telco industry. Unfortunately we do not yet know the IV (Initial Vector) the attackers used. Why? Because the attack carried on for five years undetected, bringing home one of the most important aspects of these types of attacks: they are designed to be multi-year, indefinite campaigns.
APT 41 (aka Winnti) has excelled in long-running campaigns targeting the supply chain, as well as leveraging UEFI bootkits like MoonBounce.
In one instance they compromised Avast’s CCleaner product to attack specific high-value targets that were themselves supply chain targets in automotive and other industries. In another, they compromised the gaming industry in order to distribute malware worldwide. And, speaking of telcos, APT 41 is the same group of actors who in March of 2019 compromised Asus’ software update process to infect over 1 million devices, specifically targeting systems in the telecommunications industry. A few years prior, they had similarly compromised a server-management tool (Xshell, an SSH client) that is used by hundreds of organizations around the world to manage critical operations. It’s no wonder, then, that the same adversary has taken the time to develop low-level UEFI attack tools like MoonBounce and likely MosaicRegressor (moderate confidence attribution). Note that elements of these campaigns and their tooling go back years prior to their discovery. Portions of MoonBounce’s shellcode originate in 2013, and MosaicRegressor was a multi-year campaign which wasn’t discovered by anyone for years and incorporated leaked code from Hacking Team’s 2015 Vector-EDK UEFI implant. Quite simply, supply-chain attacks leveraging low-level TTPs like rootkits and UEFI implants have been around for years, and are only just now being discovered. To get a deeper understanding of PRC-backed hacking groups, their motives, sources of funding, and the ways they systematically target the supply chain both as a technical strategy (compromise one to access many) and to serve macro geopolitical and commercial espionage missions, look no further than this testimony given earlier this spring to Congress. Many of APT41’s actors have been hacking for decades, were recruited by the PLA as early as 2005, and leveraged low-level rootkits while hacking the Pentagon less than a year later.
Once again, we go forward to the past: Low-level attacks have always been the most coveted, effective, and protected tradecraft of the adversaries who stand to do us the most harm.
Russian-backed actors are also adept at targeting supply chains, most recently in the context of the Russo-Ukraine cyber war. What better way to target your cyber adversaries than to backdoor the DDoS application activists around the world are using to target Russian military and infrastructure? And so it goes. So much so, we might even say that such tactics are the new ‘meta’ in cyber-security.
But there is good news here, too. A sea change in policy – requirements as well as both corporate and mission emphasis – is now being placed on shoring up the vulnerabilities associated with the supply chain. CISA just received over $200M for cybersecurity related initiatives, and the TSA is thrusting cyber forward as a primary focus for pipeline operators, requiring them to: “Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.”
It’s a good thing, then, that Eclypsium just became the first and only supply chain security solution for enterprise hardware and firmware listed on CISA’s Continuous Diagnostics and Mitigation (CDM) Approved Products List (APL). In fact, prior to Eclypsium earning the CDM APL designation, no other technology solution provided visibility into the firmware and hardware foundations of devices or could thereby reduce supply chain risk. The tide has finally begun to turn.
In closing, let’s remember that just because we’ve repeated past mistakes, the future is not set. There is no fate but what we make for ourselves. We now have the tools, the anticipation, the awareness, and the fundamental desire to shift the balance of power in our favor. Let’s get moving!

ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks
“The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defense-in-depth protections by targeting the weakest points of the new network perimeter — devices which are routinely purchased by consumers but rarely monitored or patched — small office/home office (SOHO) routers.”
- Firms Not Planning for Supply Chain Threats
- Attackers target Ukraine using GoMet backdoor
- Cyber National Mission Force discloses IOCs from Ukrainian networks
- APT41: A Case Study
- The old school hackers behind APT41
- Albania shuts down government websites, services due to wide ranging cyberattack
- The Return of Candiru: Zero-days in the Middle East – Avast Threat Labs
- A New, Remarkably Sophisticated Malware Is Attacking Routers
- Conti Ransomware Group Explores Post-Encryption Future
- New malware from APT28
- Russian hackers may be behind Texas natural gas plant explosion: report
- CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report | CISA
- FOISted: a MikroTik remote jailbreak
- Video: Cyberattack against Iran’s steel industry
- RansomHouse extortion group targets AMD
- A user previously associated with Lapsus$ claims to have in possession Nvidia’s “hardware & firmware folders”
- Novel Exploit in Mitel VOIP Appliance
- Meet the Administrators of the RSOCKS Proxy Botnet
- Ransomware: Inside the former CONTI group
- How the Cybercrime Landscape has been Changed following the Russia-Ukraine War – Kela
- Russian Botnet Disrupted in International Cyber Operation
- Mandiant Finds Possible Link Between Kremlin, Pro-Russian ‘Hacktivists’
- Analysis | Trickbot may be carrying water for Russia
- Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
- A Map to show countries targeted with cyber-events during #russiaukrainewar
- Cyber attack against telecommunications operators of Ukraine using the DarkCrystal RAT malicious program (CERT-UA#4874)
- Cyber attacks by groups associated with China against Russian scientific and technical enterprises and state bodies (CERT-UA#4860)
- Supplier hack had “scope to impact entire telco industry”: Vodafone
- Lazarus APT hit aero, defence sector with fake job ads
- RANSOMWARE IN Q2 2022: RANSOMWARE IS BACK IN BUSINESS
- Patchable and Preventable Security Issues Lead Causes of Q1 Attacks
- Russia’s Conti Cybercrime Group Belongs on the U.S. Terror List
- How Conti ransomware group crippled Costa Rica — then fell apart
- Ransomware: Inside the former CONTI group
- Who is TrickBot
- China: Declaration by the Minister for Foreign Affairs on behalf of the Belgian Government urging Chinese authorities to take action against malicious cyber activities undertaken by Chinese actors
- Trickbot/Conti employee “kerasid” from Mogilev, Belarus
- Conti’s “kerasid” claims he is “0_neday” from REvil
- INVISIMOLE: THE HIDDEN PART OF THE STORY
- China-linked APT Bronze Starlight deploys ransomware as a smokescreen
- Overseas cyberattack, AKSHI blocks all online access for Albania
- BlackCat ransomware attacks not merely a byproduct of bad luck
- Russia-Ukraine War — Cyber Group Tracker. July 14.
- Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine
- Russia Released a Ukrainian App For Hacking Russia That Was Actually Malware

DHS CISA Expands the Continuous Diagnostics and Mitigation Approved Product List to Secure Firmware Supply Chain, A First for the Agency
“Eclypsium today announced that it has been added to Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) Approved Products List (APL). The inclusion reinforces CISA’s ongoing adaptation to the evolving threat landscape and the role of firmware in supply chains, the economy and national security of the United States Government. Prior to Eclypsium joining the CDM APL, no other technology solution provided visibility into the firmware and hardware foundations of devices, or could thereby reduce supply chain risk.”
- Secure Firmware Supply Chain, A First for the Agency
- Samsung’s 2nd-gen SmartSSD processes data right on the drive
- Software Bill of Materials | CISA
- Former #CIA employee Joshua #Schulte was convicted of #Vault7 massive leak
- Appropriations Committee Releases Fiscal Year 2023 Homeland Security Funding Bill
- Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks
- Router security report 2021
- ARM lays out their new 2022 IP
- CEO Arrested for Selling $1 Billion in Fake Cisco Hardware on Amazon, eBay
- Arrested Russian hacker Pavel Sitnikov looks to start a new chapter
- The first formal verification of a prototype of Arm CCA firmware
- Doxxed: Ransomware actor and RAMP forum creator who was responsible for Costa Rica declaring a state of emergency
- 9 Cybersecurity Challenges Companies Must Tackle Now

New UEFI Firmware Vulnerabilities Impact Several Lenovo Notebook Models
“Consumer electronics maker Lenovo on Tuesday rolled out fixes to contain three security flaws in its UEFI firmware affecting over 70 product models. The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.”
- Cisco Releases Security Updates for Multiple Products | CISA
- Ubuntu Security Notice (UEFI SecureBoot Bypass) USN-5484-1
- 15 vulnerabilities discovered in Siemens industrial control management system
- Mitel Product Security Advisory 22-0002
- Cisco Security Advisory: Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities
- OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
- Citrix Hypervisor Security Bulletin for CVE-2022-23825 and CVE-2022-29900
- Buffer overflow vulnerability in firmware for Huawei eSE620X vESS V100R001C10SPC200 and V100R001C20SPC200

Mapping The Juniper Vulnerability Landscape
“As part of our ongoing research on the security of network devices, we wanted to quantify the level of Juniper device exposure on the internet. Using Shodan and a variety of pre-authentication fingerprinting techniques we were able to identify the JunosOS version of 12,876 devices and found that 94% of them contained at least one Critical vulnerability. We identified a further 5,167 devices based on their year of release and determined that 67% of these additional devices were highly likely to contain at least one Critical vulnerability.”
- [BugTales] UnZiploc: From 0-click To Platform Compromise
- The Keys to the Kingdom
- RETBLEED: Arbitrary Speculative Code Execution with Return Instructions
- Rolling Pwn Attack (Honda firmware bug allows attackers to open/start vehicles)
- SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables
- Researchers: Chinese-made GPS tracker highly vulnerable
- FirmwareBleed: The Industry Fails To Adopt Return Stack Buffer Mitigations In SMM

One Bootloader to Load Them All
“The way Secure Boot works is simple and effective, by using tightly controlled code signing certificates, OEMs like Microsoft, Lenovo, Dell and others secure their boot process, blocking unsigned code from running during boot. But this model puts its trust in developers developing code without vulnerabilities or backdoors; in this presentation we will discuss past and current flaws in valid bootloaders, including some which misuse built-in features to inadvertently bypass Secure Boot. We will also discuss how in some cases malicious executables can hide from TPM measurements used by BitLocker and remote attestation mechanisms.”
- Exploring the hidden attack surface of OEM IoT devices (https://forum.defcon.org/node/241827)
- Unblob – towards efficient firmware extraction – A tool to obtain content binary blobs
- When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors
- Highly scalable enterprise ready tool to create SPDX 2.2 compatible SBOMs
- Tool for gathering Indicator of Compromise (IOC)s sourced from Tweets
- GitHub – Immersive-Labs-Sec/BruteRatel-DetectionTools: A collection of Tools and Rules for decoding Brute Ratel C4 badgers
- Introducing Decompiler Explorer
- Firmware Security at Black Hat Briefings 2022
- s a n d s i f t e r : the x86 processor fuzzer
- MicrocodeDecryptor
- Breaking Firmware Trust From Pre-EFI: Exploiting Early Boot Phases
- Qualcomm Sahara / Firehose Attack Client / Diag Tools


Firmware, Supply Chain, And Frameworks: NIST SP 800-53
NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, is easily one of the most foundational documents in modern cybersecurity. While many security frameworks define high-level goals and requirements, SP 800-53 defines the specific controls to deliver on those goals. While many standards focus on “what” organizations should do, SP 800-53 defines the “how”.
Currently on its 5th revision, the document goes through regular updates to keep pace with changes in the cybersecurity landscape. Notably, the most recent updates have reflected a major focus on the importance of firmware as well as supply chain security. Supply Chain Risk Management was added as a new dedicated family of controls in Rev 5. Likewise, the word “firmware” appears 155 times in the most recent update compared to only 16 references in Rev 3. In total, firmware plays a role in 12 families of SP 800-53 controls and 40 specific underlying controls. A full analysis of these controls is available in Firmware, Supply Chain, and Frameworks: NIST SP 800-53.
This blog explores 3 key areas or themes where SP 800-53 really highlights the importance of firmware and supply chain security.

*** This is a Security Bloggers Network syndicated blog from Eclypsium authored by Eclypsium. Read the original post at: https://eclypsium.com/2022/07/27/july-firmware-threat-report/