Thompson Cyber Security Labs (tcsl)<br><br>
Annnd another UEFI rootkit (2021-10-17)<br><br>
So, anyway, I was examining some new firmware uploads this weekend (yes, when you work in the antimalware space, you are like Inspector Gadget ... always on duty), and my program detected some similarities to a certain POC (proof of concept) rootkit from a few years ago. (I call it a POC because when you look at the code, it has comments in it, paraphrasing, "This is empty, but is where the payload would go.")<br><br>
As I said, it's a few years old now, but it is very unusual for my scanner to detect any similar code, so, naturally, I had to look deeper.<br><br>
After researching it a bit, it seems likely that this new one, too, was a POC, from 2019, but the interesting things were ...<br><br>
(1) No major antimalware product detects either of these (one scanner from Russia that I'd never heard of detected one of them, but that was all), and...<br><br>
(2) When I tweaked my detectors (in this case, an ssdeep sig) a bit, I suddenly found multiple other detections in my collection, with 80% to as high as 97% code match. <br><br>
These may well turn out to be simple, and innocent, false positives, but ... they must be investigated... we shall see. <br><br>
And of course, one wonders how many other things like this are waiting to be discovered.<br><br>
A couple of thoughts about the recent UEFI bootkit discoveries (2021-10-07)<br><br>
So, anyway, you've probably noticed that two "new" UEFI bootkits were announced in the last couple of weeks. One is ESPecter (so named by our friends at ESET), and the other is FinSpy.<br><br>
ESPecter has roots that go back to 2014-ish, but the main difference here is that they've found a way to bypass signature checking, and to gain persistence in the system partition... not quite in the firmware, but a separate partition on disk that is not easy to look at.<br><br>
Whenever I see something like that, I think, "Wait ... if this gang has found a way to bypass signature checking, how do we know that this is the only version of the bootkit?" After all, they've had six or seven years to work on this.<br><br>
The answer to this question, of course, is that we don't know. Not many people/products look at the system partition.<br><br>
FinSpy is interesting from another angle.<br><br>
FinSpy was originally developed by the Hacking Team, which was dox'd in 2016. Among the documents leaked was the source code to their VectorEdk UEFI rootkit (the product known as FinSpy). The Hacking Team's business model was to sell their product to law enforcement and government bodies, a la NSO with Pegasus. This doxing effectively killed the Hacking Team business, but it has now resurfaced, with a new, and improved, FinSpy, which was what the guys at Kaspersky found.<br><br>
Now, that's all very well, but the thing that concerns me is that the source code to VectorEdk/FinSpy is still freely available for download on GitHub.<br><br>
Does anyone really believe that this single company/group will be the only one to have developed new versions of this rootkit?<br><br>
If anyone does believe that, I would like to sell you some ocean front property in Arizona. It's very cheap, and a bargain. ;) <br><br>
Heads up, folks. Something evil, this way comes.<br><br>
Please pay attention to your firmware.<br><br>
Scary, funny, and then scary again (2021-07-02)<br><br>
So, anyway, I recently noticed that a firmware update seemingly had support for RTSP (Real Time Streaming Protocol), and my initial thought was, "Why the hell would firmware want to be able to stream media?". Further investigation showed that the same module seemingly had Gopher (yes, Gopher) support, and SMTP support, and RTMP (Real Time Messaging Protocol) as well as HTTP, and FTP.<br><br>
I was starting to get a bit nervous about this, and then the funny bit happened. I noticed a reference to LibCurl.<br><br>
Wait ... so this is using LibCurl?<br><br>
That probably explains why this has exotic capabilities such as RTSP. These capabilities are there, but probably not being used.<br><br>
But then it got scary again... <br><br>
The LibCurl version seems to be 7.56.1.<br><br>
That's kind of old, and there have been a lot of vulnerabilities patched since that version was released.<br><br>
I hope I'm wrong about that version number, because if I'm not wrong, that's a pretty good attack surface.<br><br>
Investigation continues. Stay tuned. <br><br>
Firmware is fun.<br><br>
Far be it for me to say I told you so... but ... (2021-06-24)<br><br>
So, anyway, our colleagues at Eclypsium recently announced some bugs they found in Dell BiosConnect which could allow attackers to remotely implant code in firmware. You can read about it <a href="https://threatpost.com/dell-bios-attacks-rce/167195/" target="_blank">here</a>.<br><br>
Dell has apparently released firmware upgrades which fix the bugs, and it is not thought to be under active attack, so all should be well, but there are still two problems.<br><br>
The first is that people tend to not be good at applying firmware updates. Unlike the monthly OS patches, there is rarely a mechanism for letting folks know they have a firmware patch to apply, and even if there is a patch, most people are not good at flashing firmware. As an example, we routinely still see Lenovo firmware that has the so-called "Lenovo rootkit" (which, btw, ain't that different from BiosConnect) from 2015 in it, and it should have been extinct since 2016.<br><br>
The second problem is, who knows how many other problems like this exist? Another six (at least) manufacturers have firmware with similar capabilities to BiosConnect, and no one knows who has similar problems. Maybe none. Maybe some. I guess time will tell.<br><br>
<i>Oh, and functionality keeps getting added. When I <a href="https://tcsltesting.blogspot.com/2019/10/check-your-firmware-folks.html" target="_blank">blogged</a> about BiosConnect well over a year ago, one thing I noticed was that this particular firmware upgrade moved from 8 MB to 16 MB, and the number of programs in it grew from 320 to 575, and we now routinely see firmware (not just Dell) with nearly 1,000 executables. That's a lot of extra functionality, and therefore a lot of potential vulnerabilities.</i><br><br>
As I recently <a href="https://tcsltesting.blogspot.com/2021/06/how-do-people-know-whats-in-their.html" target="_blank">wrote</a>, you cannot protect your organization properly if you don't know what's in your firmware, especially the upgrades. We have recently done some "before and after" comparisons, that are highly instructive, and hopefully I'll get to disclose them here soon.<br><br>
And, if you would like some help in checking your firmware, please feel free to reach us at labs at armor.ai.<br><br>
So, far be it for me to say I told you so, but ... I told you so... This stuff is coming.<br><br>
How do people know what’s in their firmware? (2021-06-10)<br><br>
Here's a quick summary of where we stand wrt firmware security...<br><br>
Nearly all computers built since 2007 contain UEFI (Unified Extensible Firmware Interface). UEFI contains between two hundred and a thousand compiled C programs, in Windows format. This is a format well understood by attackers and defenders alike. They are all cryptographically signed, but this signature is only checked at flash time. What this means is that if something can get write access to the firmware, it can change whatever it likes, including by virus-like infection, and probably nothing will detect it. UEFI is immensely powerful, and is an operating system in its own right. It has its own network stack, and can download over the public internet, via HTTP or FTP, and can write anything it likes to the disk. We have even found some that have email capability.<br><br>
UEFI runs at ring -1, or ring -2, well below ring 0, and is like 64-bit, real-mode DOS. (Think about the implications of that for a minute.)<br><br>
Firmware attacks have already happened, viz. LoJax, and ShadowHammer, that we know about, and we know that the TrickBot ransomware gang has been spotted looking for machines with Secure Boot turned off. There will be others, just waiting to be discovered. <br><br>
If you think ransomware is a problem now, wait until some of them gain persistence in firmware.<br><br>
Even if you are not concerned about ransomware, consider this. The SolarWinds attackers were obviously technically capable of firmware attacks. They were in networks long enough, and were clearly cunning enough to cover their tracks.<br><br>
Given the “high profile” nature of some of their victims, this could be like a hidden bomb, waiting to be detonated.<br><br>
I think it was the Marines who came up with the expression Left Of Bang. The idea is that when the improvised explosive, or road-side bomb, goes off, that’s “Bang”. Getting Left Of Bang means that you realize that something is not right, and maybe an ambush is coming, and you do whatever you have to do to prevent, or avoid, the Bang.<br><br>
So how do you get Left Of (this sort of) Bang?<br><br>
Whether you are using our software, or someone else’s, you have to start dumping, and analyzing, your firmware. <br><br>
Even if there is nothing overtly malicious in it, you simply have to know what capabilities are in it, or you cannot properly defend your organization.<br><br>
And, the answer to the opening question of, "How do people know what's in their firmware?" is...<br><br>
They don't. Nearly everyone is using the Hope Method. <br><br>
The Hope Method is not a method.<br><br>
Folks, it’s coming. Please try to get ahead of it. <br><br>
Goog blocked my search (2021-03-30)<br><br>
So, anyway, today I was out, and waiting for a kid, and just for fun, I decided to google for "push cs pop ds", just to see what popped up.<br><br>
(Older geeks will remember that back in the day, it all came down to push cs, pop ds. "Why" doesn't really matter any more, but it was important once.)<br><br>
Google predictive text offered 'push vs pop ds', and just for fun and to see what it showed, I clicked that.<br><br>
Much to my surprise, it blocked my search thusly...<br><br>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis-SppcNNN5gLhnQV5jzQJuiOMSdOmvu1ZMyP_9qavJLcPBrMqE38yFyJetyD4hhxql79FZL0c3uh3ErcinqH0PW_afdVJLSgWY_Rb3snaznx8CCSKAmbmPc0DDwsDwuvkNAwdyne0zR04/s2436/IMG_GoogBlock.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" height="600" data-original-height="2436" data-original-width="1125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis-SppcNNN5gLhnQV5jzQJuiOMSdOmvu1ZMyP_9qavJLcPBrMqE38yFyJetyD4hhxql79FZL0c3uh3ErcinqH0PW_afdVJLSgWY_Rb3snaznx8CCSKAmbmPc0DDwsDwuvkNAwdyne0zR04/s600/IMG_GoogBlock.png"/></a></div>
<br><br>
"unusual traffic from your computer network"<br><br>
Hmmm... I'm on my cellphone, on cellular data only.<br><br>
I tried it a couple more times, with the same result.<br><br>
Knowing that there are some iOS zero days circulating, and out of an abundance of caution, I powered my phone off, and on (it's hard for malware to obtain persistence past a reboot on iOS), and the problem went away.<br><br>
I don't know if it was malware, or just a bug, but it reminded me that it's not a bad idea to power devices off and on periodically, just to remove malware that's in ram. It's by no means a perfect defense, but it doesn't hurt.<br><br>
As I've said before, I reckon 2021 is saying "Hold my beer, and watch this!"<br><br>
Folks, stay safe, and keep your guard up.<br><br>
Software Supply Chain hmmms (2021-02-07)<br><br>
So, anyway, I've been thinking a bit about the SolarWinds hack, and thinking how lucky we were that it was the only event of its kind (yes, my tongue is firmly in my cheek), and then a few days ago, I saw <a href="https://www.theregister.com/2021/01/07/great_suspender_malware/?fbclid=IwAR3iNYsb94BtafQLUs1ev1d0Xn1QUIjcMoTHo9zF9UEjvd0LJze1fpMGNhk" target="_blank">this article</a> in the Register.<br><br>
The headline is partly "What happens when a Chrome extension with 2m+ users changes hands, raises red flags,", but being a little cynical, I think a better question would be, "What happens when a Chrome extension with 2m+ users changes hands, and _doesn't_ raise red flags".<br><br>
And then, a couple of days ago, I saw an excellent <a href="https://blog.malwarebytes.com/android/2021/02/barcode-scanner-app-on-google-play-infects-10-million-users-with-one-update/" target="_blank">MalwareBytes blog</a> about an Android app with 10m-ish users, that also changed hands, and is now regarded as malicious and has been removed from Google Play. As you can see from the blog, it was pretty instantly obvious that the app was being... uh ... a bit pushy.<br><br>
I look at things like those two events, and think, "That's a pretty good way to get yourself on millions of devices pretty quickly."<br><br>
And then I think, "I wonder how many more apps, or browser extensions, have quietly changed hands to someone of hostile intent, and _haven't_ been noticed?"<br><br>
Yes, it costs the perp some money to get these things, but then they could be on tens of millions of devices, quietly harvesting uids, and pws, to all sorts of services.<br><br>
Nation-state actors would do this. RansomWare dudes would do this. Both adversaries are easily financially capable of this.<br><br>
The potential RansomWare consequences are instantly clear, and potentially costly if you ignore them. The Nation State level implications are more subtle, but this is exactly how you could end up with more hacks like SolarWinds.<br><br>
So the question then becomes, how do you handle it, and the short answer is, with great difficulty.<br><br>
The slightly longer answer is, if you are a builder of products, you have to really think hard about your software supply chain, and maybe not trust everything, and then <br><br>
(1) Consider what you would do if some open source components, on say, Github, are compromised <br>
(2) Consider how you detect that some of your own source components were modified, a la SolarWinds<br>
(3) Given the potential for uids and pws to have been harvested by apps that have quietly "changed hands", you should assume that it's a matter of "when" and not "if", the Bad Guys get in your network, or in your supply chain somewhere.<br><br>
I will try to find some less nebulous answers about what to do. <br><br>
Oh, but don't get me started about Firmware Supply Chain.<br><br>
Stay safe, folks. It's tricky out there.<br><br>
EMail to SMS. Good idea, right? (2021-01-05)<br><br>
So, anyway, a couple of days ago, I got this text message.<br><br>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSqyKbqMvw0f0vmm8wipyDl-2NfDV7Y04E05gmbRichFiyRQjvKS1AUwXoZXJd5Lsc2H-z41tw6xbqPwRv_9s5qvO8xE20V8a7AjudEBNSf_y_uGFAMBRNFuscaYBfkQ2hYP02Hi8lBBcJ/s2048/1.png" style="display: block; padding: 1em 0; text-align: center; clear: left; float: left;"><img alt="" border="0" height="400" data-original-height="2048" data-original-width="1152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSqyKbqMvw0f0vmm8wipyDl-2NfDV7Y04E05gmbRichFiyRQjvKS1AUwXoZXJd5Lsc2H-z41tw6xbqPwRv_9s5qvO8xE20V8a7AjudEBNSf_y_uGFAMBRNFuscaYBfkQ2hYP02Hi8lBBcJ/s400/1.png"/></a></div><br><br>
<BR CLEAR=LEFT>
The first odd thing was that it was a text message, that clearly came from an email address. (In this case, gmail)<br>
The second odd thing was that it was sent to twenty people. <br>
The third odd thing was that it simply referenced an ip address.<br><br>
Looking at the "20 people", it showed this...<br><br>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMhNoSQ1oYPYBvPoYstG840tybaIgAl-VYcZ-CFaj874mPPzJHKMPBPYt9IapuT40qZg32JT6jSrvxlPBS_jYtgxd5T77YaFVkTHgyafa05saed2Ey4PDrIHN40FfxVa2fGvQi1zhynohU/s2048/3.PNG" style="display: block; padding: 1em 0; text-align: center; clear: left; float: left;"><img alt="" border="0" height="400" data-original-height="2048" data-original-width="1152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMhNoSQ1oYPYBvPoYstG840tybaIgAl-VYcZ-CFaj874mPPzJHKMPBPYt9IapuT40qZg32JT6jSrvxlPBS_jYtgxd5T77YaFVkTHgyafa05saed2Ey4PDrIHN40FfxVa2fGvQi1zhynohU/s400/3.PNG"/></a></div>
<BR CLEAR=LEFT>
Twenty consecutive phone numbers. Nothing suspicious about that, right?<br><br>
I visited the ip address with a neat tool called Silo, from my friends at Authentic8. Silo can hide your ip address, as well as your country of origin, and can also isolate your computer from web-borne malware. The site was a "dating/porn site", and, although it did not seem to throw anything malicious at me, the typical m.o. with this sort of site is that every few visits, it randomly will, so it's one of those places you don't want to ever visit on an unprotected computer.<br><br>
This was the first time I've received a text from an email address, but a quick bit of googling shows that lots of providers offer such a service. I guess there must be some upside to it, but to me, it just seems like an easy way for the robo callers to send malicious things in bulk.<br><br>
The moral of the story, in my opinion is that if you get a text or iMessage from an email address that you don't know, don't trust it and simply delete it.<br><br>
Remember, www stands for World Wild War. Stay safe, folks.<br><br>
assume that the threat actor has deployed further persistence mechanisms. (2020-12-17)<br><br>
So, anyway, today CERT released an excellent <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-352a" target="_blank">alert</a> about the SolarWinds compromise. It's full of good advice, but my favorite sentence is the one I used as a title.<br><br>
I will be shocked, if, in the fullness of time, we don't discover that they modified firmware, in order to achieve persistence.<br><br>
In order to do that, all they need to do is this:<br><br>
(1) Create a driver capable of reading and writing firmware. This is not easy, but there are examples, such as Chipsec, and don't bother arguing that these perps are not smart enough to do it.<br><br>
(2) Such a driver would need to be signed, but they already proved they can sign stuff. <br><br>
(3) Get the driver on the target system. That's what SunBurst (their downloader) can already do. <br><br>
(4) Modify the right bit of code in the firmware. Remember, there are between 200 and 1,000 compiled C programs, in Windows format, and Bad Guys have been modifying compiled C programs for a long time now. They know how to do that. Oh, and remember that although they are cryptographically signed, the signature is only checked at flash time. <br><br>
(5) Remember, it's in the UEFI spec that the firmware can download anything from anywhere using HTTP or FTP, and the firmware has its own network stack. <br><br>
(6) Once the firmware is modified, SunBurst is perfectly capable of cleaning up such evidence.<br><br>
My second favorite sentence in the alert is the one about forensically imaging the systems. This is good, but I don't think any forensics kits currently capture firmware.<br><br>
Folks, everyone needs to start to watch their firmware. You may be confident that "they" are.<br><br>
2021 is saying "Hold my beer".<br><br>
2021 is going to be interesting (2020-12-14)<br><br>
So, anyway, in my last post, I opined that 2021 might be saying, "Hold my beer", and this morning we wake up to news of the SolarWinds attack.<br><br>
Now, so far, there has not been any mention of resultant firmware attacks, but it seems to me that the attackers were sufficiently "sophisticated" that they are capable of such attacks.<br><br>
Systems seem to have been compromised for six to nine months, and that is plenty of time to (1) install a signed firmware driver, (2) modify the firmware, and (3) remove the signed firmware driver.<br><br>
It might not have happened... but it might have.<br><br>
The question then becomes... how would you know?<br><br>
Everyone, from .gov to F500 needs to start to monitor their firmware. It's not part of your average toolkit, but there are options, and I blogged about how to dump your firmware <a href="https://tcsltesting.blogspot.com/2018/08/instructions-on-how-to-dump-your.html" target="_blank">here</a>, and we are happy to help if you need it.<br><br>
2021 is warming up!
2021 is saying, "Hold my beer!" (2020-12-09)<br><br>
I have been warning for quite a while that firmware, particularly UEFI, is the next malware battleground. It is heating up, and everyone needs to start to pay attention. <br><br>
Consider these items:<br><br>
One of the RansomWare crews is starting to try to examine, and maybe modify, <a href="https://www.zdnet.com/article/new-trickbot-version-can-tamper-with-uefibios-firmware/%20" target="_blank">UEFI</a><br><br>
Just to highlight how powerful UEFI is, someone has ported Doom to UEFI. This is pretty awesome, especially if you are a Doom fan, but it sure shows something about UEFI … <a href="https://github.com/Cacodemon345/uefidoom" target="_blank">Doom</a> <br><br>
The Hacking Team UEFI rootkit seems to have re-surfaced from a nation/state team … <a href="https://www.wired.com/story/hacking-team-uefi-tool-spyware/%20" target="_blank">Hacking Team</a><br><br>
As well as those little items, having analyzed about 3,000 firmware blobs, here are some of our key findings…<br><br>
• UEFI firmware contains between 200 and about 1,000 compiled C programs, in Windows format, which is a format well understood by attackers, and defenders, alike.<br><br>
• Approximately half the executables will have signing certificates that are expired. It turns out that certificates are only checked at flash time. What this means is that if something can get write access to the firmware, it could infect, or replace, whatever it likes.<br><br>
• Nation-state actors have already managed some penetration, with attacks like Shadow Hammer, and LoJax.<br><br>
• About seven manufacturers have firmware programs that are roughly functionally equivalent to the Lenovo rootkit, from 2015. They are just not as noisy, so they haven’t been noticed.<br><br>
• Out of a random sampling of about 1,500 blobs, 581 had remote update by http or ftp capability, 117 had email capabilities, 1287 had some password reset capability, and 260 contained the word ‘backdoor’.<br><br>
• UEFI has its own network stack, and can download programs, and whole operating systems, from the Internet using http or ftp, and some can send email using EHLO.<br><br>
Now, I'm not saying that UEFI is bad. It's the opposite... it's great! It is, however, immensely powerful, and one of the truths of computer security is that functionality (or power) and security tend to exist in an inverse relationship. In other words, the more powerful something is, the less secure it tends to be. <br><br>
It is clear that our adversaries, from ransomware gangs, to nation/state teams, are attacking the firmware, and it is heating up. Everyone needs to start paying attention. It doesn't matter if your stuff is all in the cloud, because if something bad gets in the firmware, it will be able to find your cloud credentials, and your blockchain private keys, and ... whatever it wants.<br><br>
Everyone is waiting for 2020 to end, but I reckon 2021 is saying, "Hold my beer, and watch this!"<br><br>
A couple of firmware stats to think about. (2020-07-29)<br><br>
So, anyway, just for fun, I grabbed about 1,500 firmware blobs, randomly, from our collection, and ran a few Yara scans over them... just to see... this is what I found.<br><br>
Total firmware blobs under test: 1520<br>
Number containing overt update capabilities: 581<br>
Number containing overt email capabilities: 117<br>
Number containing some password reset capabilities: 1287<br>
Number containing the word 'backdoor': 260<br><br>
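As an added example (my code, not the blog's own tooling), here is a Python inventory script in the spirit of the Yara counts above and of the "How do people know what's in their firmware?" post: it carves PE images out of a decompressed UEFI volume, records whether each carries an Authenticode certificate table, and tallies capability indicator strings. The indicator strings and the three synthetic test modules are constructed for the example; TE-format images are skipped, and compressed firmware sections must be extracted first.

```python
"""Crude executable inventory for a decompressed UEFI firmware volume (example code, not the blog's tooling).
Carves PE images by MZ/PE header, notes whether each has an Authenticode certificate table, and
flags capability indicator strings in the spirit of the blog's Yara counts. TE-format modules and
compressed sections are not handled: extract and decompress the volume first."""
import struct

# Indicator strings are constructed for this example; tune them to your own Yara rules.
INDICATORS = {
    "remote_update": (b"http://", b"ftp://"),
    "email": (b"EHLO", b"MAIL FROM:"),
    "password_reset": (b"ResetPassword", b"ClearPassword"),
    "backdoor_word": (b"backdoor",),
}
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def parse_pe(blob, off):
    """Return (raw_size, signed) for the PE image whose MZ header is at off, or None."""
    if off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    opt = pe + 24
    if opt_size < 2 or opt + opt_size + nsections * 40 > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x20B:    # PE32+, the usual format for 64-bit UEFI modules
        nrva_off, dd_off = opt + 108, opt + 112
    elif magic == 0x10B:  # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    else:
        return None
    if opt_size < dd_off - opt + (SECURITY_DIR_INDEX + 1) * 8:  # too short to hold the security directory
        return None
    end = struct.unpack_from("<I", blob, opt + 60)[0]  # SizeOfHeaders
    for i in range(nsections):  # file extent = end of the furthest section's raw data
        raw_size, raw_ptr = struct.unpack_from("<II", blob, opt + opt_size + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    signed = False
    if struct.unpack_from("<I", blob, nrva_off)[0] > SECURITY_DIR_INDEX:
        cert_off, cert_size = struct.unpack_from("<II", blob, dd_off + SECURITY_DIR_INDEX * 8)
        if cert_size:
            signed = True
            end = max(end, cert_off + cert_size)  # certificate table uses a file offset, not an RVA
    return min(end, len(blob) - off), signed


def inventory(blob):
    """One dict per carved image: offset, size, signed flag and sorted indicator hits."""
    results, pos = [], 0
    while (off := blob.find(b"MZ", pos)) >= 0:
        parsed = parse_pe(blob, off)
        if parsed is None:
            pos = off + 1
            continue
        size, signed = parsed
        image = blob[off:off + size].lower()
        hits = sorted(n for n, needles in INDICATORS.items() if any(s.lower() in image for s in needles))
        results.append({"offset": off, "size": size, "signed": signed, "indicators": hits})
        pos = off + size  # skip the image body so embedded 'MZ' bytes are not re-parsed
    return results


def summarize(results):
    """Aggregate counts in the shape of the blog's stats table."""
    summary = {"executables": len(results), "unsigned": sum(not r["signed"] for r in results)}
    for name in INDICATORS:
        summary[name] = sum(name in r["indicators"] for r in results)
    return summary


def build_test_image(payload, signed):
    """Test fixture only: a minimal PE32+ with one section holding payload and an optional dummy cert table."""
    hdr_size = 0x200
    sect_size = -(-len(payload) // 0x200) * 0x200
    cert = b"\0" * 0x100 if signed else b""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 56, hdr_size + sect_size, hdr_size)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, hdr_size + sect_size, len(cert))
    sect = bytearray(b".text".ljust(40, b"\0"))
    struct.pack_into("<IIII", sect, 8, len(payload), hdr_size, sect_size, hdr_size)
    headers = (bytes(dos) + coff + bytes(opt) + sect).ljust(hdr_size, b"\0")
    return headers + payload.ljust(sect_size, b"\0") + cert


# Constructed sample "volume": three synthetic modules separated by erased-flash filler.
SAMPLE_BLOB = (
    b"\xff" * 64
    + build_test_image(b"NetworkUpdater: fetch http://updates.example/bios.cap\0", signed=True)
    + b"\xff" * 32
    + build_test_image(b"EHLO mailhost\0ResetPassword\0backdoor\0", signed=False)
    + b"\xff" * 16
    + build_test_image(b"HelloWorld UEFI application\0", signed=True)
)
```

Run `summarize(inventory(open("volume.bin", "rb").read()))` on an extracted volume to get the same shape of table as above; a hit only says the string is present, so follow up on each flagged module by hand.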
I am still not seeing why firmware should send email, and some even use EHLO, but, oh well...I'm sure there is a good reason.<br><br>
And, on one hand it's good that firmware has update capabilities, but I still feel nervous about firmware updating over the Internet, using HTTP or FTP. What could go wrong? Oh, that's right ... ShadowHammer already showed what could go wrong.<br><br>
These updaters, by the way, are the obvious ones... firmware has its own network stack, so there could be other updaters that are a bit obfuscated. No one knows. <br><br>
And, it's understandable that firmware would need some password reset capabilities, but it's a bit awkward that some contain the word "backdoor".<br><br>
Now, I have no reason to think any of these are actually malicious, but ... without looking closely, we have no way to be sure. Some could be, and we just don't know, without looking really closely, and I believe that most organizations _are not_ looking at firmware at all, let alone closely. This stuff is immensely powerful, and always remember, functionality and security tend to exist in an inverse relationship. <br><br>
We may be confident that nation-states are looking hard at firmware attacks, and we may be equally confident that the ransomware players are also trying.<br><br>
Everyone is using the Hope Method, and this has to change.<br><br>
If they can get into the firmware of computers, tablets, phones, or IoT, they can persist indefinitely, and can either move sideways from there, or simply surveil the network. This would be a Bad Thing(tm). <br><br>
To keep our critical infrastructure, financial institutions, and medical institutions, safe, everyone in those industries needs to start capturing their firmware, and monitoring it, and if they don't, they're going to regret it.<br><br>
Stay tuned, folks.<br>
I might have been wr..wro... wron... can't say the word... (2020-04-23)<br><br>
So, anyway, yesterday I smacked poor FaceBook for being creepy, and adding Alt Text to my image, which only showed up because I added it to a Word document, and Word kindly, albeit briefly, showed me the Alt Text.<br><br>
I was then extra suspicious that something was going on, because I couldn't find the text in the jpg, and figured that it must be compressed, or obfuscated somehow, which led me to wonder what else might be hidden in the jpg. When you are in my line of business, it's good to be suspicious.<br><br>
But then... a friend commented on my post, saying that he'd had a similar problem with Word a couple of years ago... wait ...what? Word?<br><br>
Long story made short. Yes, Word adds its own Alt Text to images, and FaceBook was not hiding Alt Text in the images.<br><br>
Here is Word's Alt Text..<br><br>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYin5Y-gLpr3gC7AoJbujqOMD5O_1Q-pTCg6fqYEtz0ZE3LbaxKi-6AFh_JUL_R5xP7tolSWcQgwkISX2OZc5XY3lb_AI-92TAphBgveFv-VcAnp2b4bN6Sz8xq5kSbODK_Td6BI0bYkNK/s1600/JarJarAltTxt.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYin5Y-gLpr3gC7AoJbujqOMD5O_1Q-pTCg6fqYEtz0ZE3LbaxKi-6AFh_JUL_R5xP7tolSWcQgwkISX2OZc5XY3lb_AI-92TAphBgveFv-VcAnp2b4bN6Sz8xq5kSbODK_Td6BI0bYkNK/s320/JarJarAltTxt.png" width="320" height="145" data-original-width="1153" data-original-height="523" /></a></div>
<br><br>
And here is FaceBook's on the same image ...<br><br>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEika0fJYP7_6Os7Ldn6naxsKFccsEvSFp1cWusUO3qZqyBr6EA9sWUCpTooN53ZcA4NwxUVnpBpzaB8lXF_kK7TLpjFXfHvWbZkyaJWoPd8miELoS6eCa4spdUGaABL78V0H_ojciGiVZwP/s1600/FBAltTxt.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEika0fJYP7_6Os7Ldn6naxsKFccsEvSFp1cWusUO3qZqyBr6EA9sWUCpTooN53ZcA4NwxUVnpBpzaB8lXF_kK7TLpjFXfHvWbZkyaJWoPd8miELoS6eCa4spdUGaABL78V0H_ojciGiVZwP/s320/FBAltTxt.png" width="320" height="64" data-original-width="216" data-original-height="43" /></a></div>
I was wr... wro... wron.... still can't say the word. :) <br><br>
The FaceBook Alt Text was just a tag in the html. Yes, it's storing it somewhere, but it's not as creepy as I thought, and Word is doing it too, and probably so is just about any other browser, search engine, word processor, pdf maker... the list goes on.<br><br>
We can all relax, and go back to worrying about more important things, like firmware issues. Oh... yes... we found some interesting Android firmware stuff yesterday, so stay tuned.<br><br>
That's a bit creepy again, FaceBook! (2020-04-22)<br><br>
So, anyway, reasoning that life is too short to be completely serious all the time, I like to tell Dad Jokes. I'm really funny... or at least I think I am.<br><br>
One of my recent jokes involved a picture, and it went like this...<br><br>
This is my jar of jars. I call him JarJar. When I shake JarJar, he clinks...<br><br>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4o8mVsv-K8I-cSrgwgg11m1SkRHL8MLmJg2pdcNihTJn7ulI3P0m9cK5xYNYiTfbhi_Q5pupHytUQLioZmVnXyWbqLCYDeMB5jzeOkzdyGLCWUEII2gkFt-Bzf8WmmHngQruieRx8xjcV/s1600/JarJar.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4o8mVsv-K8I-cSrgwgg11m1SkRHL8MLmJg2pdcNihTJn7ulI3P0m9cK5xYNYiTfbhi_Q5pupHytUQLioZmVnXyWbqLCYDeMB5jzeOkzdyGLCWUEII2gkFt-Bzf8WmmHngQruieRx8xjcV/s320/JarJar.jpg" width="240" height="320" data-original-width="720" data-original-height="960" /></a></div>
I crack myself up, and as I usually do, I put it on FaceBook.<br><br>
I am collecting my best (imho) jokes into a document called Grandad Jokes, for my unsuspecting grand kids to read one day, so the easiest way to get the photo onto the right pc was to simply save it from FaceBook.<br><br>
I then imported it into Word, and this is where it got a bit creepy.<br><br>
I saw this text appear on the bottom of the imported photo, just for a few seconds...<br><br>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Jf_9aCWNTyoYrxgeQHiKN61hN7EPEyklp3aSYd-jGmslhV_PzORnHhpvbXaPY8mafn22uGGzQwvIg_eJuAHgvVPbBM9-R9vkT3sFkqkVjub-wXZEP6gvuHgflAeSAresh-qnNoQ5uAvk/s1600/JarJarAltTxt.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6Jf_9aCWNTyoYrxgeQHiKN61hN7EPEyklp3aSYd-jGmslhV_PzORnHhpvbXaPY8mafn22uGGzQwvIg_eJuAHgvVPbBM9-R9vkT3sFkqkVjub-wXZEP6gvuHgflAeSAresh-qnNoQ5uAvk/s320/JarJarAltTxt.png" width="320" height="145" data-original-width="1153" data-original-height="523" /></a></div>
Wait ... what?.. Alt text? Where did that come from?<br><br>
It said, "Alt text: A picture containing table, indoor, sitting, food"<br><br>
Then I remembered reading a few months ago, that FaceBook automatically analysed all photo uploads, so that visually impaired people could have a photo described to them by a robot. While that, on the face of it, sounds very noble, I can't imagine it's terribly effective, because the description just isn't very accurate. I'm not saying FaceBook did anything wrong... it was just hidden and subtle. I may be being cynical, but I suspect that the real benefit is more along the lines of simple statistics for marketing.<br><br>
Thank goodness that Word showed me, or I wouldn't have known. <br><br>
One good thing was that I was able to confirm that, by default, FaceBook removes geo location data from the jpg.<br><br>
A bit more poking around, and I found that I could right click the picture in Word, and one of the options was to edit the Alt Text. That meant that the Alt Text was in the jpg somewhere, but another slightly disquieting thing was that the text was not visible in the jpg, as plain text, so that means it is compressed, or obfuscated somehow, and that leads me to wonder what else might be in there? <br><br>
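A practical way to see what a downloaded JPEG still carries is to walk its marker segments: Exif lives in an APP1 segment, GPS data hangs off a GPS IFD pointer in IFD0, a text description sits in the ImageDescription tag, and XMP packets are a second kind of APP1. The script below is an added example, not the author's tooling; the JPEG it inspects is constructed in the script itself (using the description string quoted above as sample data), so it runs offline.

```python
"""Walk a JPEG's marker segments and report the metadata it carries.

Added example, not the blog author's tooling: lists the APPn segments,
detects an Exif block that still points at a GPS IFD, pulls out any
ImageDescription text, and flags an XMP packet. The sample image bytes are
constructed below; they are not from a real photo.
"""
import struct

SOI = b"\xff\xd8"
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
TAG_IMAGE_DESCRIPTION = 0x010E
TAG_GPS_IFD = 0x8825
MARKER_NAMES = {0xE0: "APP0", 0xE1: "APP1", 0xE2: "APP2", 0xDB: "DQT",
                0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS", 0xFE: "COM"}


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each segment up to and including SOS."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:                              # entropy-coded data follows SOS; stop
            return
        pos += 2 + length


def exif_ifd0(tiff: bytes):
    """Return (endian, {tag: (type, count, value_or_offset)}) for IFD0 of a TIFF block."""
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header in Exif block")
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, typ, n, value = struct.unpack(endian + "HHII", tiff[off:off + 12])
        tags[tag] = (typ, n, value)
    return endian, tags


def inspect_jpeg(data: bytes) -> dict:
    """Summarise the privacy-relevant metadata found in a JPEG."""
    report = {"segments": [], "has_gps": False, "description": None, "has_xmp": False}
    for marker, payload in jpeg_segments(data):
        report["segments"].append(MARKER_NAMES.get(marker, f"0x{marker:02X}"))
        if marker != 0xE1:
            continue
        if payload.startswith(EXIF_HEADER):
            tiff = payload[len(EXIF_HEADER):]
            endian, tags = exif_ifd0(tiff)
            report["has_gps"] = TAG_GPS_IFD in tags
            if TAG_IMAGE_DESCRIPTION in tags:
                typ, n, value = tags[TAG_IMAGE_DESCRIPTION]
                # ASCII values of 4 bytes or fewer are stored inline in the value field
                raw = tiff[value:value + n] if n > 4 else struct.pack(endian + "I", value)[:n]
                report["description"] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif payload.startswith(XMP_HEADER):
            report["has_xmp"] = True
    return report


def build_sample_jpeg(description: bytes, with_gps: bool) -> bytes:
    """Construct a tiny JPEG with an Exif APP1 segment (test data, not a real image)."""
    desc = description + b"\x00"
    n_entries = 2 if with_gps else 1
    ifd0_off = 8
    desc_off = ifd0_off + 2 + 12 * n_entries + 4           # first byte after IFD0
    if len(desc) <= 4:
        entries = struct.pack(">HHI", TAG_IMAGE_DESCRIPTION, 2, len(desc)) + desc.ljust(4, b"\x00")
        tail = b""
    else:
        entries = struct.pack(">HHII", TAG_IMAGE_DESCRIPTION, 2, len(desc), desc_off)
        tail = desc
    gps_off = desc_off + len(tail)
    if with_gps:
        entries += struct.pack(">HHII", TAG_GPS_IFD, 4, 1, gps_off)
        # GPS IFD holding only GPSVersionID (tag 0, four BYTEs stored inline)
        tail += (struct.pack(">H", 1) + struct.pack(">HHI", 0, 1, 4)
                 + b"\x02\x03\x00\x00" + struct.pack(">I", 0))
    tiff = (b"MM" + struct.pack(">HI", 42, ifd0_off) + struct.pack(">H", n_entries)
            + entries + struct.pack(">I", 0) + tail)

    def seg(marker: int, payload: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    return SOI + seg(0xE1, EXIF_HEADER + tiff) + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\xff\xd9"


if __name__ == "__main__":
    img = build_sample_jpeg(b"A picture containing table, indoor, sitting, food", with_gps=True)
    print(inspect_jpeg(img))
```

On a real file, `inspect_jpeg(open(path, "rb").read())` reports `has_gps` as True whenever the Exif block still points at a GPS IFD, which is the check for the geolocation stripping mentioned above; the parser only looks at the file's own bytes, so a description that exists only as an attribute in a web page's HTML would not appear here at all.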
I will keep poking. <br><br>
Chalk up another score for the Privacy Revolution.<br><br>
Dell agrees that BIOS is the next malware battleground (2020-04-20)<br><br>
So, anyway, I recently heard that Dell had released a BIOS testing tool, so I grabbed it and ran it over my trusty Dell Optiplex 7070. The tool was pretty hard to find, but I did find it, and installed it, and it ran, and it pronounced that my BIOS was fine.<br><br>
That was cool, and expected, but there were a couple of shortcomings.<br><br>
The first was that it did not tell me that there was an Intel Management Engine upgrade, marked as urgent, and also a BIOS upgrade marked as urgent, which, as a Dell product, I would have thought it should have known about, and told me.<br><br>
The second was that it doesn't see the sort of things that we see, such as components that seem to have similar functionality to the so-called Lenovo rootkit of 2015.<br><br>
This makes sense, as this functionality is in there by design, but, in my opinion, is a desirable target for the Bad Guys(tm).<br><br>
All security pros know that security and functionality tend to exist in an inverse relationship, which is to say that the more functional you make something, the less secure it tends to be.<br><br>
We think people need to know what (and who) is in their firmware.<br><br>
To me, the most important aspect of this tool is simply the fact that Dell is acknowledging that the BIOS is the next malware battleground. While poking around for the tool, I also found this <a href="https://www.delltechnologies.com/en-us/endpointsecurity/data-security.htm?gacd=9684689-1036-5761040-0-0&dgc=st&&gclid=CjwKCAjwkPX0BRBKEiwA7THxiMnL6__c9qW5Aq5U9f5bB7kvB2Y-6LwuhuBLuIlp5lB_041ycEkB8hoCZMIQAvD_BwE&gclsrc=aw.ds">report</a>, with the title, "BIOS Security - The Next Frontier For Endpoint Protection".<br><br>
Folks, all organizations need to start paying attention to what's in their firmware, because it's going to take time to fix.
<br><br>Not cool, Edge. (2020-01-28)<br><br>
So, anyway, Windows 10 likes to show me notifications from apps, and stuff, and mostly, that's ok, because I can turn them off from the Chatty Cathy things, and it's handy for the few important ones... and, mostly, they tell you which app it's coming from, so it's easy to turn it off if you don't want it... but ...<br><br>
There was one that kept coming in, several times a day, and it was annoying, because it would frequently cover up something I was trying to read, or click on... and it wouldn't say what was putting it up.<br><br>
The only clue I had was that it was from an Asian/English website, devoted to computer security and news, so I thought, "It must be a browser extension."<br><br>
I have Edge, Chrome and Firefox on this box, so I started searching each of them for extensions.<br><br>
None.<br><br>
Hmmmmmm.<br><br>
Then, I got another notification, and no browsers were running.<br><br>
Hmmmmmmmm again.<br><br>
I was starting to believe my machine might be compromised, but given that I knew the name of the website, I decided to search the registry for that name, just to see if anything gave me a hint, and sure enough, I found a key associated with MicrosoftEdge\Notifications\Domains. There were about six domains there, including the Chatty Cathy one.<br><br>
But then I thought, "Wait ... Edge is not running ... how can it be sending me notifications?", so I ran Task Manager, and sure enough, even though the Edge User Interface was not running, Edge _was_ running.<br><br>
Armed with that knowledge, I was able to go into Edge Advanced Settings, and remove those domains. I don't remember doing it, but I guess I must have clicked on something that allowed those websites to send me notifications. A refresh of the registry showed they were indeed gone, and my laptop is appropriately quiet again, but the disquieting thing is that Edge is still running in the background, and is presumably quietly sharing information, and accepting requests from websites I don't know about.<br><br>
I don't think there is much I can do about it, although the other browsers don't _seem_ to be running in the background, so I'll see. Maybe this was common knowledge, but I didn't know, so I'm sharing. <br><br>
At an absolute minimum, this is the Privacy Revolution in action, or mis-action, and to paraphrase Bill Shakespeare and Macbeth, "I hope nothing malicious this way comes."<br><br>
Firmware backdoors? (2019-12-17)<br><br>
So, anyway, recently our colleagues at Eset published a paper that showed that a number of manufacturers had firmware modules with the word "AsusBackDoor" as part of the filename. <br><br>
Armed with that very helpful name, we found some samples pretty quickly, and while the name was a bit alarming, it seems to be a legitimate function for resetting lost firmware passwords, so all is fine and well.<br><br>
This, however, led us to wonder how many other modules might exist, with similar functionality, but without the helpful name portion, and guess what? There are quite a few. We seem to have identified at least five manufacturers with similar modules.<br><br>
Again, they are probably all legit, but it does make one wonder.<br><br>
We did find one sample with the word "infected" in it, but that _seems_ to be an experiment, from someone who is maybe a hobbyist.<br><br>
The Marines (I think) came up with the idea of getting Left Of Bang. ("Bang" roughly refers to some incident, such as an IED exploding. Right of Bang refers to responding after the event. Left of Bang refers to preventing the Bang in the first place, which is clearly the desired action.)<br><br>
All corporates, government bodies, and utilities, need to start auditing their firmware, before the Bang.<br><br>
If you would like some help, please let us know. You can contact us at roger AT armor.ai<br><br>
Security and functionality have always existed in an inverse relationship, and modern firmware (UEFI) is immensely functional.<br><br>
We will continue to look for similar backdoor functionality. Stay tuned.<br>
Check your firmware, folks. (2019-10-23)<br><br>
So, anyway, a few days ago, I noticed a tweet about a Dell Optiplex 7070 BIOS upgrade that announced an enhancement of "Added BiosConnect feature which enables connection to Dell.com without an operating system. This feature also enables downloading a recovery image from the cloud through wired or wireless connection."<br><br>
I thought that sounded interesting, so I decided to take a look, and sure enough, I quickly found the BiosConnect stuff, but then I found that Computrace had also been added.<br><br>
Now, Computrace is a good, and helpful program, and if your computer is ever lost, or stolen, you'll be glad you have it, and the ability to download a recovery image to a computer with a broken OS is also useful, but ... one of the truths about computer security is that functionality and security tend to exist in an inverse relationship. In other words, the more functional, or powerful, you make something the less secure it tends to be, and we may be confident that the Bad Guys (tm) will always try to take advantage of such features. <br><br>
Not only that, but some organizations don't want that sort of functionality in their computers... just in case. <br><br>
The other interesting thing here is that the previous version of this firmware was 8mb long, and had about 320 exes in it, and the new version is 16mb, and has about 575 exes, so one wonders what other functionality has been added. We're still looking at that.<br><br>
Again, I'm not saying that Dell or Computrace did anything bad. They just added a lot of functionality.<br><br>
One of the big problems with firmware security is that most people don't flash their firmware because (1) they don't know that there's a new version available (unlike monthly OS patches, which are a well understood, albeit sometimes problematic, mechanism), and (2) they don't know how to flash their firmware. As an example of that, about every two weeks, we get a fresh upload of the supposedly extinct-since-2016 so-called Lenovo rootkit.<br><br>
Obviously, you have to patch your firmware, because there will be bugs and vulnerabilities that need fixing, but this shows that you also need to examine what new things are coming in.<br><br>
We have been conducting audits of "before and after" firmware for some of our customers, and it is proving instructive.<br><br>
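One way to make a "before and after" firmware audit concrete is to inventory the PE modules embedded in each image and diff them by hash, so that a jump from roughly 320 to roughly 575 executables turns into a list of what was added, what was removed and what changed. The script below is an added example, not Dell's or the blog's tooling; the two images it compares are built from synthetic PE stubs so it runs offline, and on a real flat dump the same carving would run over the image bytes.

```python
"""Inventory the PE executables inside a firmware image and diff two images.

Added example, not the blog's or Dell's tooling: carve every MZ/PE header out
of a raw image, derive each module's length from its section table, hash it,
and report which modules were added, removed or kept between a 'before' and
an 'after' image. Both images below are built from synthetic PE stubs.
"""
import hashlib
import struct


def pe_length(blob: bytes, start: int):
    """Length of the PE starting at `start`, or None if no valid PE is there."""
    try:
        if blob[start:start + 2] != b"MZ":
            return None
        e_lfanew, = struct.unpack_from("<I", blob, start + 0x3C)
        pe = start + e_lfanew
        if blob[pe:pe + 4] != b"PE\x00\x00":
            return None
        n_sections, = struct.unpack_from("<H", blob, pe + 6)
        opt_size, = struct.unpack_from("<H", blob, pe + 20)
        sect = pe + 24 + opt_size
        end = sect + 40 * n_sections               # headers alone, if no section has raw data
        for i in range(n_sections):
            # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte section header
            raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + 40 * i + 16)
            if raw_size:
                end = max(end, start + raw_ptr + raw_size)
    except struct.error:                           # header runs past the end of the image
        return None
    return end - start if end <= len(blob) else None


def carve_pes(image: bytes) -> list:
    """Return [(offset, length, sha256)] for every PE found in the image."""
    found, pos = [], image.find(b"MZ")
    while pos != -1:
        length = pe_length(image, pos)
        if length:
            found.append((pos, length, hashlib.sha256(image[pos:pos + length]).hexdigest()))
            pos = image.find(b"MZ", pos + length)  # skip over the module body
        else:
            pos = image.find(b"MZ", pos + 1)       # stray 'MZ' bytes, keep scanning
    return found


def diff_inventories(before: bytes, after: bytes) -> dict:
    """Compare the module hash sets of two images."""
    old = {h for _, _, h in carve_pes(before)}
    new = {h for _, _, h in carve_pes(after)}
    return {"before_count": len(old), "after_count": len(new),
            "added": sorted(new - old), "removed": sorted(old - new),
            "unchanged": len(old & new)}


def make_pe(name: bytes, payload: bytes) -> bytes:
    """Build a minimal PE32+ stub (DOS stub, COFF header, optional header, one section)."""
    opt_size, pe_off = 240, 0x40
    data_off = pe_off + 24 + opt_size + 40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\x00" * (opt_size - 2)
    sect = name.ljust(8, b"\x00") + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                                  len(payload), data_off, 0, 0, 0, 0, 0x60000020)
    return dos + coff + opt + sect + payload


# Constructed stand-ins for an old and a new firmware image: modules separated by erased flash.
FILL = b"\xff" * 64
OLD_IMAGE = FILL.join([make_pe(b"SecCore", b"boot-phase-code"),
                       make_pe(b"Setup", b"setup-menus"),
                       make_pe(b"NetDxe", b"network-stack-v1")]) + FILL
NEW_IMAGE = FILL.join([make_pe(b"SecCore", b"boot-phase-code"),
                       make_pe(b"Setup", b"setup-menus"),
                       make_pe(b"NetDxe", b"network-stack-v2"),
                       make_pe(b"CloudRec", b"recovery-downloader")]) + FILL

if __name__ == "__main__":
    for key, value in diff_inventories(OLD_IMAGE, NEW_IMAGE).items():
        print(f"{key}: {value}")
```

Two caveats for real images: UEFI stores modules inside firmware volumes, often LZMA-compressed in FFS sections, so this byte-level carver only sees modules that are stored uncompressed, and you would normally extract the volumes with a UEFI firmware parser first and run the inventory over the extracted modules. Matching by hash also means a rebuilt module shows up as one removed plus one added, which is exactly the "what new things are coming in" list an audit needs to read through.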
More to follow. <br><br>
Stay tuned.<br><br>
Uh... why does firmware need to send EHLO? (2019-08-15)<br><br>
So, anyway, a little while ago, we stumbled across a program in firmware that seems to be sending an EHLO. The program in question also seems to have a UID and PW in plaintext.<br><br>
It also _seems_ to have the capability of starting a TLS connection.<br><br>
Now, I’m not saying the vendor is doing anything wrong, but it is just a bit of a surprise to find.<br><br>
Also, it is not yet clear if communications are hidden from the OS, but they could easily be.<br><br>
The program in question is about 27k in length, of compiled C, so it takes some time to study. Analysis continues.<br><br>
Oh, but this caused us to look for other examples of EHLO in firmware, and, lo and behold, we found another vendor, who seems to have that capability. This particular program is over 600k, so will take a little while to analyze properly.<br><br>
Again, I’m not suggesting that they are doing anything malicious. It’s just a surprise, and it makes one wonder what else might be found. There do seem to be other firmware programs that are capable of starting TLS. Oh, and it also makes us wonder if it is exploitable.<br><br>
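Triaging this kind of finding across a firmware collection starts with a string search that understands how UEFI stores text: modules keep much of it as CHAR16 (UTF-16LE), so an ASCII-only grep misses SMTP verbs, AUTH and STARTTLS markers and suggestive module names alike. The script below is an added example, not the blog's own scanner; it serves both the search for helpfully named modules in the Firmware backdoors? post and the EHLO finding above, and the blob it scans is constructed inline (the host name and module name in it are made up), so it runs offline.

```python
"""Scan a firmware blob for text indicators in both ASCII and UTF-16LE.

Added example, not the blog's own scanner: UEFI modules keep much of their text
as CHAR16 (UTF-16LE), so an ASCII-only string search misses the SMTP verbs,
AUTH/STARTTLS markers and telling module names that an auditor wants to triage.
The sample blob below is constructed; it is not a real firmware image.
"""

# Strings worth a second look when they turn up inside firmware.
INDICATORS = [b"EHLO", b"HELO", b"MAIL FROM:", b"RCPT TO:", b"AUTH LOGIN",
              b"AUTH PLAIN", b"STARTTLS", b"BackDoor"]


def _find_all(blob: bytes, needle: bytes):
    """Yield every offset at which `needle` occurs in `blob`."""
    pos = blob.find(needle)
    while pos != -1:
        yield pos
        pos = blob.find(needle, pos + 1)


def scan_blob(blob: bytes) -> list:
    """Return a sorted list of (offset, encoding, indicator) hits."""
    hits = []
    for ind in INDICATORS:
        for off in _find_all(blob, ind):
            hits.append((off, "ascii", ind.decode()))
        wide = ind.decode().encode("utf-16-le")      # the CHAR16 form of the same text
        for off in _find_all(blob, wide):
            hits.append((off, "utf-16le", ind.decode()))
    return sorted(hits)


def context(blob: bytes, offset: int, encoding: str, n: int = 40) -> str:
    """Printable text following a hit, up to the first NUL, for analyst review."""
    if encoding == "utf-16le":
        text = blob[offset:offset + 2 * n].decode("utf-16-le", "replace")
    else:
        text = blob[offset:offset + n].decode("latin-1")
    text = text.split("\x00", 1)[0]
    return "".join(ch if 32 <= ord(ch) < 127 else "." for ch in text)


def report(blob: bytes) -> list:
    """Hits with their surrounding text, ready for an auditor to review."""
    return [(off, enc, ind, context(blob, off, enc)) for off, enc, ind in scan_blob(blob)]


# Constructed sample: an ASCII SMTP greeting, two CHAR16 strings as a UEFI
# module would store them, a suggestively named module, and benign filler.
SAMPLE = (
    b"\x00" * 16
    + b"EHLO fwhost.example\r\n\x00"
    + b"\xff" * 8
    + "AUTH LOGIN\r\n".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 8
    + "STARTTLS\r\n".encode("utf-16-le") + b"\x00\x00"
    + "AsusBackDoor".encode("utf-16-le") + b"\x00\x00"
    + b"unrelated DXE driver text\x00"
)

if __name__ == "__main__":
    for off, enc, ind, ctx in report(SAMPLE):
        print(f"{off:#08x} {enc:<8} {ind:<12} {ctx}")
```

A hit on its own proves nothing, as the post says; the context is what matters. An EHLO beside a host name, or an AUTH LOGIN followed by the two base64 tokens that SMTP AUTH LOGIN carries, is the combination that suggests an embedded credential and is what to escalate for manual analysis of the module carrying it.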
Watch this space.<br><br>
Uh ... secure boot might be trying to tell you something. (2019-07-31)<br><br>
So, anyway, today <a href="https://www.thewindowsclub.com/the-system-found-unauthorized-changes-on-the-firmware">this</a> popped up on my google alerts...<br><br>
Apparently, some people see a message that says "Secure boot violation. The system found unauthorized changes on the firmware, operating system or UEFI drivers.", and the article suggests that the answer is to (1) Turn off secure boot, and (2) Use a system restore point.<br><br>
The article explains how to do those steps, and the upside is that turning off secure boot will stop you seeing the message, but the downside is that Secure Boot might be trying to tell you something. ;-)<br><br>
The danger here is that malware is increasingly targeting firmware.<br><br>
And, I might be wrong, but I don't think that using a system restore point will restore firmware.<br><br>
If you do see such a message, you are better off to seek very professional help.<br><br>
Just sayin'<br><br>
Ok, that's kind of creepy, FaceBook (2019-07-03)<br><br>
So, anyway, for some reason today, pictures on FaceBook are not rendering. In the overall scheme of things, this is neither here, nor there, and I'm sure it will soon be corrected.<br><br>
But...<br><br>
In place of pictures, I see things like this "image may contain three people, including xxxxxxxxx"<br><br>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaP1wUo6FP4FPdOEPIH7kU3VNacGxS8k_xkfqANGYK3Sn6NwcD24N20ZpBy3kZ7oWTvqZ_5j9p2O2s10FpKtyousRh8C9Cnbh8ZTp_BGSgIgMBHifUsmK09TB_la41rxnoxAoqVjeQLzCD/s1600/Screen+Shot+2019-07-03+at+11.38.23+AM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaP1wUo6FP4FPdOEPIH7kU3VNacGxS8k_xkfqANGYK3Sn6NwcD24N20ZpBy3kZ7oWTvqZ_5j9p2O2s10FpKtyousRh8C9Cnbh8ZTp_BGSgIgMBHifUsmK09TB_la41rxnoxAoqVjeQLzCD/s1600/Screen+Shot+2019-07-03+at+11.38.23+AM.png" data-original-width="1536" data-original-height="792" /></a></div><br><br>
It seems highly unlikely that a human sat there, and added all these "may contain" messages, so therefore, some AI did.<br><br>
That probably means that all pictures uploaded to FaceBook have had similar AI estimations applied to them.<br><br>
On one hand, it's innocent, but on the other hand (the suspicious, cynical hand), one wonders how this might play out long term, especially in places like China.<br><br>
Sigh. Privacy Revolution again, folks.<br><br>
Firmware dumper (2019-06-06)<br><br>
Hi all,<br><br>
We've made our Win10x64 firmware dumper available for download <a href="https://armor.ai/scan">here</a>, if anyone wants to give it a try. It's much easier than turning off secure boot, and booting off a thumb drive. It's probably not perfect, but it seems pretty good. If you get a firmware dump, you are also welcome to upload it to us at the same URL, for analysis.
<br><br>Privacy revolution again (2019-01-26)<br><br>
So, anyway, I won’t mention Sandra’s name, but a friend of mine, who used to be a security geek, but is now a goat farmer, pinged me with a scary story yesterday.<br><br>
She got a robo call from PayPal, advertising something, which might be a bit annoying, but that’s not scary. <br><br>
As you generally do, with an unrecognized number, she let it go to voice mail, and the message asked her to call back a different number. Nothing entirely amazing there.<br><br>
But here’s the scary bit. The spoofed number pretended to be from a really small town in PA, that she had only ever been to once before... and that was _earlier that day_<br><br>
Amazing coincidence, right?<br><br>
Problem is, those of us in the security biz don’t tend to like coincidences, so the alternative is that something was tracking her.<br><br>
She checked her settings for PayPal, but it showed that it only tracked her while using the app, and as far as she knew, she was not using the app.<br><br>
So now we are left to wonder ... is something else selling its tracking data?<br><br>
At this point, we simply don’t know, but there are certainly lots of apps (it is an iPhone) that are capable of tracking you all the time.<br><br>
It’s either an amazing coincidence, or the Privacy Revolution in action.<br><br>
ASUS UEFI rootkit (2018-11-28)<br><br>
Hi folks,<br><br>
Late October, I noticed this <a href="https://www.techpowerup.com/248827/asus-z390-motherboards-automatically-push-software-into-your-windows-installation">article</a><br><br>
The nub of the article is that the authors noticed that the ASUS z390 motherboard was able to access the Internet, without any Windows 10 network drivers, and was able to install extra software.<br><br>
This is remarkably similar behavior to the Lenovo rootkit, from 2015.<br><br>
Now, let me stress that in neither case do I think they were of malicious intent. They were clearly designed to allow the vendor to install updates as needed, but the problem is that, just like with the Lenovo rootkit, no one would have known it was there, if it hadn't tipped its hand, by doing something obvious, and the obvious question is now, "What _else_ is out there?"<br><br>
We have now found five variants of the ASUS UEFI updater/rootkit software, none of which seem to be detected by anyone. Oh, and seven variants of the (hopefully extinct) Lenovo rootkit from 2015.<br><br>
Analysis continues.<br><br>
Stay tuned.<br><br>
P.S. If anyone wants to help, I blogged about how to dump firmware <a href="https://tcsltesting.blogspot.com/2018/08/instructions-on-how-to-dump-your.html">here.</a><br><br>
Stuff just got real (2018-09-27)<br><br>
So, anyway, ESET just released that they found the first UEFI rootkit. You can read about it <a href="https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf">here</a>…, but the short version is that they found an example of a modified version of Computrace/Lo Jack being used to attack a computer.<br><br>
This is serious, and here are the main bits to know…<br><br>
(1) Computrace/Lo Jack is a legitimate application that is factory installed into the firmware of nearly every laptop in the world, of all varieties. The idea is that if your laptop gets stolen, you can find it, and/or wipe it remotely. This is obviously good, and useful.<br><br>
Close followers of my blogs, and posts, will know that I have pointed out that the Kaspersky guys, in 2014, showed how it could be compromised, and that it was therefore a potential problem, even though it is a legit app. This is not a slight against the excellent Lo Jack. All software has a weak underbelly, if you probe hard enough.<br><br>
This is now proof that I was right.<br><br>
(2) The perps are probably a Russian hacking group (military, KGB, FSB, or something similar), known by a bunch of names, but I call them Fancy Bear, for no particular reason other than it was the first name I knew them by, and it's a neat name. These are the same guys that (probably) broke into a factory in Taiwan in Feb 2018, and modified firmware in a bunch of computers, headed for the German government. If you are a suspicious soul, like me, you probably think this is not their only rodeo.<br><br>
(3) The perps used a legitimate, and scary powerful tool called <a href="http://rweverything.com">RWEverything</a>. This is new to me, but the nub of the matter is that it is a legitimately signed driver that, seemingly, can read or write everything in firmware. This is obviously powerful, and cool, as long as it is used for good.<br><br>
(4) So far, we have not found an exact match for the samples in their report in our collection, but we have _many_ variants of Lo Jack. They may be all innocent, or … maybe not. We are still looking and thinking.<br><br>
(5) We still have six variants of the Lenovo rootkit, that no one detects (well, one product detects one variant, but that’s approaching zero from a stats perspective… one out of 360). This may/probably mean they are extinct, or ... maybe not…<br><br>
(6) Interestingly, the modus operandi of the Lenovo rootkit and the modified Lo Jacks, are _remarkably_ similar. This might be pure coincidence… or … maybe something else.<br><br>
Bottom line is that we have many variants of Computrace/Lo Jack that need to be examined, and many Lenovo rootkit variants that need to be examined.<br><br>
And we have other things that look suspicious.<br><br>
It would be really helpful to get more firmware samples, and it's geeky, but some How To instructions can be found <a href="https://tcsltesting.blogspot.com/2018/08/instructions-on-how-to-dump-your.html">here</a><br><br>
All this, combined with what we have found about certificates being expired, or marked "Do not trust", or "Do not ship", which you can read about <a href="https://tcsltesting.blogspot.com/2018/09/50-of-firmware-certs-are-expired.html">here</a> suggests to me that we are on dangerous, shaky, and new, ground.<br><br>
Stay tuned.<br><br>