
Threat Intelligence

12/3/2020
05:40 PM

TrickBot's New Tactic Threatens Firmware

A newly discovered module checks machines for flaws in the UEFI/BIOS firmware so malware can evade detection and persist on a device.

TrickBot malware has a new, and dangerous, trick: A recently identified module inspects target devices for firmware vulnerabilities that enable attackers to read, write, or erase the UEFI/BIOS firmware. With this level of access, one could install a backdoor or "brick" an infected machine.


The malware was first identified in 2016 and initially considered a banking Trojan, used to steal financial data. Since then, it has evolved into a full-fledged operation and appears in different types of malware campaigns. TrickBot has been spotted working with Emotet to deliver Ryuk ransomware; it uses the EternalBlue exploit to spread across hosts in a target network via Server Message Block. 

Earlier this year, US Cyber Command and a Microsoft-led private industry group attempted to take TrickBot down; weeks later, researchers noticed a new version being distributed via spam.

Now, it's attempting to infiltrate the lowest level of target devices by checking for firmware flaws, researchers with Eclypsium and Advanced Intelligence (AdvIntel) report. A module they found in October 2020 "marks a significant step in the evolution of TrickBot," a threat that has consistently incorporated new capabilities to become stealthier and more malicious over time.

In this module, TrickBot uses a driver from the RWEverything tool to interact with the SPI controller and check whether the BIOS control register is unlocked and whether the contents of the BIOS region can be changed. RWEverything (read-write everything), the researchers say, could let an attacker write to the firmware on "virtually any device component," including the SPI controller that controls the system firmware. This would let the attacker write code to the system firmware, ensuring the malicious code executes before the operating system during the boot process.
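The check described above comes down to a few bits in the Intel PCH BIOS Control register. As an added, defender-side example (not code from the Eclypsium/AdvIntel writeup or from the malware), the script below decodes a BIOS_CNTL value and reports whether the BIOS region is write-protected; it assumes the publicly documented bit layout (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5, the same bits CHIPSEC's common.bios_wp module inspects) and uses constructed register values rather than readings from real hardware.

```python
"""Decode an Intel PCH BIOS Control register (BIOS_CNTL) value and report
whether the SPI flash BIOS region is write-protected.

Bit positions follow the public Intel PCH datasheets. The values in SAMPLES
are constructed for illustration, not read from a real machine. SPI
Protected Range registers (PR0-PR4) are a separate lock not decoded here."""

BIOSWE = 1 << 0    # BIOS Write Enable: software writes to the BIOS region allowed
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can undo it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes honoured only from SMM

PROTECTED, WEAK, UNPROTECTED = "protected", "weak", "unprotected"


def assess_bios_cntl(value: int) -> tuple[str, list[str]]:
    """Return (status, findings) for a raw BIOS_CNTL value.

    SMM_BWP=1 is the strongest state: writes are blocked unless the CPU is in
    SMM. BLE alone only raises an SMI after BIOSWE is set, so it depends on
    the firmware's SMI handler to clear the bit again. With neither lock set,
    any kernel-mode driver can set BIOSWE and then rewrite the region.
    """
    bioswe, ble, smm_bwp = bool(value & BIOSWE), bool(value & BLE), bool(value & SMM_BWP)
    if smm_bwp:
        return PROTECTED, ["SMM_BWP=1: writes outside SMM are blocked"]
    if bioswe:
        return UNPROTECTED, ["BIOSWE=1: BIOS region is writable from software right now"]
    if ble:
        return WEAK, ["BLE=1 but SMM_BWP=0: protection relies on the SMI handler"]
    return UNPROTECTED, ["no lock bit set: software can set BIOSWE freely"]


# Constructed sample values, e.g. as collected by an inventory job.
SAMPLES = {
    "host-a": 0x22,   # SMM_BWP | BLE
    "host-b": 0x02,   # BLE only
    "host-c": 0x00,   # nothing locked
    "host-d": 0x01,   # BIOSWE set, no locks
}


def triage(samples: dict[str, int]) -> dict[str, str]:
    """Map each host to its status so unprotected ones can be prioritised."""
    return {host: assess_bios_cntl(v)[0] for host, v in samples.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLES).items():
        print(f"{host}: {status}")
```

Hosts reported as unprotected or weak are the ones a module like this would find attractive and are candidates for a firmware update or vendor guidance on enabling the lock bits.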

The focus on UEFI in this so-called "TrickBoot" module indicates its operators are thinking beyond the operating system to target lower device layers that security tools often miss. Because firmware is stored on the motherboard and not in the system drives, UEFI-focused threats enable attackers to remain persistent after a system is reimaged or an infected hard drive is replaced.

"Once you've done that, you've escaped the rest of the entire security stack's ability to detect," says Scott Scheferman, principal cyber strategist at Eclypsium. "And you've gained persistence by doing that as well, that you can't eradicate or even detect in most organizations." 

In a writeup, researchers discuss what an attacker could do with this level of access. TrickBot operators could brick any device they find vulnerable. UEFI persistence could enable them to disable most OS-level security controls, allowing them to resurface with no endpoint security. They could land on thousands of hosts per day and learn which are vulnerable to UEFI attacks.

There are several reasons why TrickBot is moving in this direction, the researchers believe. The malware has become a key area of focus among defenders and security researchers, notes Vitali Kremez, CEO and chairman at AdvIntel. Given this ubiquity, it's necessary for its operators to innovate so they can stay ahead of corporate antivirus and endpoint security products.

"We see maturity and professionalization of the space, where the criminal groups are professionals like us. … They run their business as a company," Kremez explains. "It's not the coding of the tool, the level of attention, the thought process behind a crime that makes it more interesting. It's the level of criminal intent — it's elevated, so to speak." 

The capabilities seen in TrickBoot have been demonstrated by other attackers seeking persistence in firmware, researchers note. What's dangerous about this discovery is TrickBot's spread: In the last two months of infections, TrickBot has peaked at 40,000 in one day. Further, attackers don't need device access or a complex technique to make it work.

"This isn't some esoteric, nation-state, spy-level thing," says Scheferman. "This is commodity, massive, wide-scale criminal malware that has everything it needs in tooling to know what vulnerability to hit, and hit it."

What Happens if TrickBoot Hits?

Recovering from an attack like this is more involved and expensive compared with traditional malware attacks, the researchers report. Corrupted UEFI firmware requires replacing or reflashing the motherboard, which is more labor-intensive than replacing the hard drive.

"A lot of times IT will have hot spares for drives and memory, and some of these replaceable components are more common to fail," says Jesse Michael, principal researcher at Eclypsium. "But replacing the server, or motherboard, or an entire laptop is a much heavier issue." IT may have a playbook to replace a server that won't boot; it's less likely they're prepared to replace several servers at the same time.

The potential for this type of attack is especially concerning for operational environments, where uptime is the top priority, Scheferman adds. A TrickBoot attack could not be remediated with existing incident response playbooks and could cause "devastating downtime," he says.

While its capabilities have potential to be "a significant development," defenders should be cautious when attempting to determine the attacker's intent without further evidence, says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

"Threat actor capability does not always translate into real-world actions, but network defenders should assess their capabilities to detect UEFI modifications and what the implications of such attacks have on incident response and recovery," she explains.

There are steps businesses can take to prepare before an incident strikes. Scheferman advises first understanding which portions of an environment are vulnerable to this type of attack: gain visibility into firmware, and learn which devices have the firmware-level weaknesses this module is looking for.

"One thing to keep in mind is that a lot of enterprises don't have visibility into firmware," says Michael. "Making sure firmware updates are also part of their management process and IT process, making sure that component is also updated, is a key point of their enterprise process that they need to be aware of." 

While many admins prioritize patches pushed via Windows Update or Linux distributions, firmware patches may fall by the wayside when a vendor releases them. These are also generally more difficult to apply to systems, he adds, which is another challenge for businesses that learn they need them.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...