Thursday, June 10, 2021

How do people know what’s in their firmware?

Here's a quick summary of where we stand wrt firmware security...

Nearly all computers built since 2007 contain UEFI (Unified Extensible Firmware Interface). UEFI contains between two hundred and a thousand compiled C programs, in Windows format. This is a format well understood by attackers and defenders alike. They are all cryptographically signed, but this signature is only checked at flash time. What this means is that if something can get write access to the firmware, it can change whatever it likes, including by virus-like infection, and probably nothing will detect it. UEFI is immensely powerful, and is an operating system in its own right. It has its own network stack, can download over the public internet via HTTP or FTP, and can write anything it likes to the disk. We have even found some that have email capability.

UEFI runs at ring -1, or ring -2, well below ring 0, and is like 64-bit, real mode, DOS. (Think about the implications of that for a minute.)

Firmware attacks have already happened, viz. LoJax, and ShadowHammer, that we know about, and we know that the TrickBot ransomware gang has been spotted looking for machines with Secure Boot turned off. There will be others, just waiting to be discovered.

If you think ransomware is a problem now, wait until some of them gain persistence in firmware.

Even if you are not concerned about ransomware, consider this. The SolarWinds attackers were obviously technically capable of firmware attacks. They were in networks long enough, and were clearly cunning enough to cover their tracks.

Given the “high profile” nature of some of their victims, this could be like a hidden bomb, waiting to be detonated.

I think it was the Marines who came up with the expression Left Of Bang. The idea is that when the improvised explosive, or road-side bomb, goes off, that’s “Bang”. Getting Left Of Bang means that you realize that something is not right, and maybe an ambush is coming, and you do whatever you have to do to prevent, or avoid, the Bang.

So how do you get Left Of (this sort of) Bang?

Whether you are using our software, or someone else’s, you have to start dumping, and analyzing, your firmware.

Even if there is nothing overtly malicious in it, you simply have to know what capabilities are in it, or you cannot properly defend your organization.

And, the answer to the opening question of, "How do people know what's in their firmware?" is...

They don't. Nearly everyone is using the Hope Method.

The Hope Method is not a method.

Folks, it’s coming. Please try to get ahead of it.

Tuesday, March 30, 2021

Goog blocked my search

So, anyway, today I was out, and waiting for a kid, and just for fun, I decided to google for "push cs pop ds", just to see what popped up.

(Older geeks will remember that back in the day, it all came down to push cs, pop ds. "Why" doesn't really matter any more, but it was important once.)

Google predictive text offered 'push vs pop ds', and just for fun and to see what it showed, I clicked that.

Much to my surprise, it blocked my search thusly...



"unusual traffic from your computer network"

Hmmm... I'm on my cellphone, on cellular data only.

I tried it a couple more times, with the same result.

Knowing that there are some iOS zero-days circulating, and out of an abundance of caution, I powered my phone off, and on, (it's hard for malware to obtain persistence past a reboot on iOS), and the problem went away.

I don't know if it was malware, or just a bug, but it reminded me that it's not a bad idea to power devices off and on periodically, just to remove malware that's in ram. It's by no means a perfect defense, but it doesn't hurt.

As I've said before, I reckon 2021 is saying "Hold my beer, and watch this!"

Folks, stay safe, and keep your guard up.

Sunday, February 7, 2021

Software Supply Chain hmmms

So, anyway, I've been thinking a bit about the SolarWinds hack, and thinking how lucky we were that it was the only event of its kind, (Yes, my tongue is firmly in my cheek), and then a few days ago, I saw this article in the Register.

The headline is partly "What happens when a Chrome extension with 2m+ users changes hands, raises red flags,", but being a little cynical, I think a better question would be, "What happens when a Chrome extension with 2m+ users changes hands, and _doesn't_ raise red flags".

And then, a couple of days ago, I saw an excellent MalwareBytes blog about an Android app with 10m-ish users, that also changed hands, and is now regarded as malicious and has been removed from Google Play. As you can see from the blog, the app was pretty instantly obvious that it was being... uh ... a bit pushy.

I look at things like those two events, and think, "That's a pretty good way to get yourself on millions of devices pretty quickly."

And then I think, "I wonder how many more apps, or browser extensions, have quietly changed hands to someone of hostile intent, and _haven't_ been noticed?"

Yes, it costs the perp some money to get these things, but then they could be on tens of millions of devices, quietly harvesting uids, and pws, to all sorts of services.

Nation State actors would do this. RansomWare dudes would do this. Both adversaries are easily financially capable of this.

The potential RansomWare consequences are instantly clear, and potentially costly if you ignore them. The Nation State level implications are more subtle, but this is exactly how you could end up with more hacks like SolarWinds.

So the question then becomes, how do you handle it, and the short answer is, with great difficulty.

The slightly longer answer is, if you are a builder of products, you have to really think hard about your software supply chain, and maybe not trust everything, and then

(1) Consider what you would do if some open source components, on say, Github, are compromised
(2) Consider how you detect that some of your own source components were modified, à la SolarWinds
(3) Given the potential for uids and pws to have been harvested by apps that have quietly "changed hands", you should assume that it's a matter of "when" and not "if", the Bad Guys get in your network, or in your supply chain somewhere.

I will try to find some less nebulous answers about what to do.

Oh, but don't get me started about Firmware Supply Chain.

Stay safe, folks. It's tricky out there.

Tuesday, January 5, 2021

EMail to SMS. Good idea, right?

So, anyway, a couple of days ago, I got this text message.




The first odd thing was that it was a text message, that clearly came from an email address. (In this case, gmail)
The second odd thing was that it was sent to twenty people.
The third odd thing was that it simply referenced an ip address.

Looking at the "20 people", it showed this...


Twenty consecutive phone numbers. Nothing suspicious about that, right?

I visited the ip address with a neat tool called Silo, from my friends at Authentic8. Silo can hide your ip address, as well as your country of origin, and can also isolate your computer from web-borne malware. The site was a "dating/porn site", and, although it did not seem to throw anything malicious at me, the typical m.o. with this sort of site is that every few visits, it randomly will, so it's one of those places you don't want to ever visit on an unprotected computer.

This was the first time I've received a text from an email address, but a quick bit of googling shows that lots of providers offer such a service. I guess there must be some upside to it, but to me, it just seems like an easy way for the robo callers to send malicious things in bulk.

The moral of the story, in my opinion is that if you get a text or iMessage from an email address that you don't know, don't trust it and simply delete it.

Remember, www stands for World Wild War. Stay safe, folks.

Thursday, December 17, 2020

assume that the threat actor has deployed further persistence mechanisms.

So, anyway, today CERT released an excellent alert about the SolarWinds compromise. It's full of good advice, but my favorite sentence is the one I used as a title.

I will be shocked, if, in the fullness of time, we don't discover that they modified firmware, in order to achieve persistence.

In order to do that, all they need to do is this:

(1) Create a driver capable of reading and writing firmware. This is not easy, but there are examples, such as Chipsec, and don't bother arguing that these perps are not smart enough to do it.

(2) Such a driver would need to be signed, but they already proved they can sign stuff.

(3) Get the driver on the target system. That's what SunBurst (their downloader) can already do.

(4) Modify the right bit of code in the firmware. Remember, there are between 200 and 1,000 compiled C programs, in Windows format, and Bad Guys have been modifying compiled C programs for a long time now. They know how to do that. Oh, and remember that although they are cryptographically signed, the signature is only checked at flash time.

(5) Remember, it's in the UEFI spec that the firmware can download anything from anywhere using HTTP or FTP, and the firmware has its own network stack.

(6) Once the firmware is modified, SunBurst is perfectly capable of cleaning up such evidence.

My second favorite sentence in the alert is the one about forensically imaging the systems. This is good, but I don't think any forensics kits currently capture firmware.

Folks, everyone needs to start to watch their firmware. You may be confident that "they" are.

2021 is saying "Hold my beer".

Monday, December 14, 2020

2021 is going to be interesting

So, anyway, in my last post, I opined that 2021 might be saying, "Hold my beer", and this morning we wake up to news of the SolarWinds attack.

Now, so far, there has not been any mention of resultant firmware attacks, but it seems to me that the attackers were sufficiently "sophisticated" that they are capable of such attacks.

Systems seem to have been compromised for six to nine months, and that is plenty of time to (1) install a signed firmware driver, (2) modify the firmware, and (3) remove the signed firmware driver.

It might not have happened... but it might have.

The question then becomes... how would you know?

Everyone, from .gov to F500 needs to start to monitor their firmware. It's not part of your average toolkit, but there are options, and I blogged about how to dump your firmware here, and we are happy to help if you need it.

2021 is warming up!

Wednesday, December 9, 2020

2021 is saying, "Hold my beer!"

I have been warning for quite a while, that firmware, particularly UEFI, is the next malware battleground. It is heating up, and everyone needs to start to pay attention.

Consider these items:

One of the RansomWare crews is starting to try to examine, and maybe modify, UEFI

Just to highlight how powerful UEFI is, someone has ported Doom to UEFI. This is pretty awesome, especially if you are a Doom fan, but it sure shows something about UEFI … Doom

The Hacking Team UEFI rootkit seems to have re-surfaced from a nation/state team … Hacking Team

As well as those little items, having analyzed about 3,000 firmware blobs, here are some of our key findings…

• UEFI firmware contains between 200 and about 1,000 compiled C programs, in Windows format, which is a format well understood by attackers, and defenders, alike.

• approximately half the executables will have signing certificates that are expired. It turns out that certificates are only checked at flash time. What this means is that if something can get write access to the firmware, it could infect, or replace, whatever it likes.

• Nation-state actors have already managed some penetration, with attacks like Shadow Hammer, and LoJax.

• about seven manufacturers have firmware programs that are roughly functionally equivalent to the Lenovo rootkit, from 2015. They are just not as noisy, so they haven’t been noticed.

• out of a random sampling of about 1,500 blobs, 581 had remote update by http or ftp capability, 117 had email capabilities, 1287 had some password reset capability, and 260 contained the word ‘backdoor’

• UEFI has its own network stack, and can download programs, and whole operating systems, from the Internet using http or ftp and some can send email using EHLO
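A triage sketch for the findings above, added here as an example (it is not the author's tooling): it carves PE images out of a raw dump, tags each with the capability strings counted above, and, because signatures are only checked at flash time, diffs image hashes against a known-good dump. The indicator strings, function names and sample blobs are assumptions constructed for illustration, and the dump is assumed to be already decompressed.

```python
import hashlib
import struct

# Assumed indicator strings, mirroring the capabilities counted in the findings.
INDICATORS = {"http": b"http://", "ftp": b"ftp://",
              "email": b"ehlo", "backdoor": b"backdoor"}

def pe_size(blob, off):
    """On-disk size of the PE image starting at off, or 0 if it is not one."""
    pe = off + int.from_bytes(blob[off + 0x3C:off + 0x40], "little")  # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(blob):
        return 0
    nsect, opt_len = struct.unpack_from("<H12xH", blob, pe + 6)
    table = pe + 24 + opt_len
    if table + 40 * nsect > len(blob):
        return 0
    end = max((sum(struct.unpack_from("<II", blob, table + 40 * i + 16))
               for i in range(nsect)), default=0)  # SizeOfRawData + PointerToRawData
    return end if 0 < end <= len(blob) - off else 0

def inventory(blob):
    """Map SHA-256 of each carved image to (offset, capability tags)."""
    found, pos = {}, blob.find(b"MZ")
    while pos != -1:
        size = pe_size(blob, pos)
        if size:
            low = blob[pos:pos + size].lower()  # match ASCII and UTF-16LE forms
            tags = sorted(t for t, s in INDICATORS.items()
                          if s in low or s.decode().encode("utf-16-le") in low)
            found[hashlib.sha256(blob[pos:pos + size]).hexdigest()] = (pos, tags)
        pos = blob.find(b"MZ", pos + max(size, 1))
    return found

def changed_images(baseline, current):
    """Images in the current dump whose hash is absent from the known-good dump."""
    known = inventory(baseline)
    return {h: v for h, v in inventory(current).items() if h not in known}

def make_pe(payload):
    """Constructed test data: a minimal one-section PE image around payload."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2022)
    sect = b".text\0\0\0" + struct.pack("<4I16x", len(payload), 0x1000, len(payload), 128)
    return dos + coff + sect + payload

PAD = b"\xff" * 16  # erased-flash filler between modules (constructed)
NET = make_pe("ftp://fw.example.invalid".encode("utf-16-le"))
BASELINE = PAD + make_pe(b"boot services") + PAD + NET
CURRENT = PAD + make_pe(b"boot services EHLO mail.example.invalid") + PAD + NET
```

Keying the inventory by hash rather than offset means a module that merely moved is not reported, while one whose bytes changed is, along with any capability it gained.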

Now, I'm not saying that UEFI is bad. It's the opposite... it's great! It is, however, immensely powerful, and one of the truths of computer security is that functionality (or power) and security tend to exist in an inverse relationship. In other words, the more powerful something is, the less secure it tends to be.

It is clear that our adversaries, from ransomware gangs, to nation/state teams, are attacking the firmware, and it is heating up. Everyone needs to start paying attention. It doesn't matter if your stuff is all in the cloud, because if something bad gets in the firmware, it will be able to find your cloud credentials, and your blockchain private keys, and ... whatever it wants.

Everyone is waiting for 2020 to end, but I reckon 2021 is saying, "Hold my beer, and watch this!"