USBAnywhere vulnerability, fileless malware, US grid cyberattack and more.
Eclypsium Threat Report—September 2019
USBAnywhere BMC Vulnerability Opens Servers to Remote Attack
Research published this month by Eclypsium identified 47,000 servers with BMCs exposed to the Internet that are vulnerable to remote attacks. The USBAnywhere vulnerability allows an attacker to easily connect to a server and virtually mount any USB device of their choosing to the server remotely over any network including the Internet.
Attackers are always evolving in order to evade traditional security controls, and in recent years, fileless threats have become one of the most popular new strategies. Unlike traditional malware, fileless threats don’t exist as a file that resides on a system’s disk, making them harder to detect and analyze.
In one of the first real cyberattacks on US energy infrastructure, hackers used a DoS flaw to reboot firewalls at an electric power grid operator for hours. The power grid operator eventually discovered that they had failed to apply firmware updates for the firewalls that were under attack. The reboots stopped after the operator deployed the proper patches. The North American Electric Reliability Corporation (NERC) published their report this month on the March attack, highlighting lessons learned on the risks posed by firewall firmware vulnerabilities.
Attack events surpassed 1 billion in 1H 2019, 12 times higher than in the same period last year, according to F-Secure’s latest Attack Landscape Report. Analysis of ransomware distribution methods implicated compromised firmware as the 3rd most common infection vector, accounting for 12% of attacks disrupting companies, public entities and other organizations. Get the complete report here.
The DoD has recognized that security is foundational to acquisition and should not be traded off against cost, schedule, and performance moving forward. They are working with DoD stakeholders, researchers and industry to develop a new Cybersecurity Maturity Model Certification (CMMC) which addresses software, firmware and hardware risks. The framework is expected to be released in 2020. See draft.
Chromebook users should update devices to fix a critical vulnerability in a Chrome OS feature that handles two-factor authentication procedures. Google discovered the vulnerability in the H1 security chip firmware concerning ECDSA signature generation which impacts the “built-in security key” feature. Full remediation requires both a firmware fix and retiring key pairs that have generated vulnerable signatures. Technical details here.
Earlier this summer, a new strain of destructive malware known as Silex began to spread and effectively bricked over 4000 IoT devices, including routers, cameras and DVRs. Developed by a 14-year-old hacker, who was “trying to take down targets for other script kiddies who might be looking to build botnets,” the malware is evidence of the ease of corrupting vulnerable firmware.
This year’s Open Source Firmware Conference featured more than 40 presentations over four days, and included an entire track on firmware security as well as a hackathon.
Common BMC Vulnerabilities and How to Avoid Repeating Them
BMCs have a notorious past of critical vulnerabilities that allow complete takeover of the host system. Worse, the same types of vulnerabilities creep up in BMC firmware over and over again. Eclypsium’s Rick Altherr presented a comprehensive threat model for BMCs along with methodologies, practices, and techniques that can be used to avoid these common security mistakes. Download the paper
Debugging Intel Firmware using DCI & USB 3.0
Intel Direct Connect Interface (DCI) provides closed chassis hardware debug functionality through USB 3.0 for Intel platforms. Intel’s Maggie Jauregui and Eclypsium’s Mickey Shaktov demonstrated debugging firmware functionality using DCI with open source EDK II firmware and showed how to run CHIPSEC within the debugger to check security settings and run specific tools. Download the paper
Upcoming Presentations
BSIDES October 25-26, 2019 • Portland, OR
Argghh, yer kubernetes be now a shark bait!
Alex Ivkin, Director of Solutions Engineering, Eclypsium
With Kubernetes becoming a de facto container orchestration platform, it’s only a matter of time before it becomes a major target. Turns out, the biggest threat to a Kubernetes deployment is the person doing it. Many of the default deployment options open container infrastructure to easy pwnage. Come see how easy it is to slip in and wreak havoc in a k8s cluster and how some simple config hardening can make it substantially harder to abuse.
PacSec 2019 Conference Nov 5-6, 2019 • Tokyo, Japan
Get Off The Kernel If You Can't Drive
Mickey Shaktov and Jesse Michael, Principal Researchers, Eclypsium
For software to communicate with hardware, it needs to talk to a kernel-mode driver that serves as a middleman between the two, helping to make sure everything operates as it should. In Windows that is done using the Kernel-Mode Driver Framework (KMDF). However, as the code in these drivers runs with the same privileges as the rest of the kernel, malicious drivers can be used to compromise the security of the platform.
Screwed Drivers - Common Design Flaw In Dozens of Device Drivers Allows Widespread Windows Compromise
Eclypsium researchers Jesse Michael and Mickey Shaktov give you an inside look at their research on insecure drivers, and discuss methods that security professionals can use to protect their organizations from device driver vulnerabilities.
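Because every kernel-mode driver runs with full kernel privileges, the first defensive step for both items above (the PacSec talk and the Screwed Drivers webinar) is simply knowing which drivers are loaded and who signed them. The following PowerShell inventory is an added example, not code from Eclypsium or from either talk; it uses only the built-in Win32_SystemDriver class and Get-AuthenticodeSignature, and the Microsoft signer pattern it matches on is an assumed example of an allowlist, not a complete one. Note the caveat the research itself makes: a valid signature does not mean a driver is safe, since the flawed drivers discussed were legitimately signed, so the report is a starting point for an allowlist review, not a verdict.

```powershell
# Added example (not from the Eclypsium report): inventory running kernel-mode
# drivers and report their Authenticode signature status, so a defender can
# spot unsigned, tampered or unexpected third-party drivers and review the
# rest against an allowlist of expected signers.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\...\foo.sys, \SystemRoot\System32\drivers\foo.sys,
    #   System32\drivers\foo.sys, or a plain absolute path.
    param([string]$RawPath)
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^(System32|SysWow64)\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-DriverSignatureReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) {
            # A running driver whose backing file cannot be found deserves a look on its own.
            [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name   = $d.Name
            Path   = $path
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$report = Get-DriverSignatureReport

# 1. Anything that is not validly signed (or whose file is missing) goes to the top of the review list.
Write-Host "== Drivers without a valid signature =="
$report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Name | Format-Table -AutoSize

# 2. Validly signed drivers, grouped by signer, to compare against what you expect on this host.
#    The Microsoft pattern below is an assumed example of an allowlist entry; extend it with the
#    vendors you actually ship (OEM, storage, GPU, security agent) and treat the rest as findings.
$expectedSignerPatterns = @('*O=Microsoft Corporation*')
Write-Host "== Validly signed drivers from unexpected signers =="
$report |
    Where-Object { $_.Status -eq 'Valid' } |
    Where-Object { $s = $_.Signer; -not ($expectedSignerPatterns | Where-Object { $s -like $_ }) } |
    Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so every driver path is readable, and keep the resulting signer list under change control: a new signer appearing on a fleet is exactly the kind of signal the driver research argues organizations should be watching for.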