
Threat Intelligence

12/3/2020
05:40 PM

TrickBot's New Tactic Threatens Firmware

A newly discovered module checks machines for flaws in the UEFI/BIOS firmware so malware can evade detection and persist on a device.

TrickBot malware has a new, and dangerous, trick: A recently identified module inspects target devices for firmware vulnerabilities that enable attackers to read, write, or erase the UEFI/BIOS firmware. With this level of access, one could install a backdoor or "brick" an infected machine.


The malware was first identified in 2016 and initially considered a banking Trojan, used to steal financial data. Since then, it has evolved into a full-fledged operation and appears in different types of malware campaigns. TrickBot has been spotted working with Emotet to deliver Ryuk ransomware; it uses the EternalBlue exploit to spread across hosts in a target network via Server Message Block. 

Earlier this year, US Cyber Command and a Microsoft-led private industry group attempted to take TrickBot down; weeks later, researchers noticed a new version being distributed via spam.

Now, it's attempting to infiltrate the lowest level of target devices by checking for firmware flaws, researchers with Eclypsium and Advanced Intelligence (AdvIntel) report. A module they found in October 2020 "marks a significant step in the evolution of TrickBot," a threat that has consistently incorporated new capabilities to become stealthier and more malicious over time.

In this module, TrickBot uses a driver from the RWEverything tool to interact with the SPI controller and check whether the BIOS control register is unlocked and whether the contents of the BIOS region can be changed. RWEverything (read-write everything), the researchers say, could let an attacker write to the firmware on "virtually any device component," including the SPI controller that holds the system firmware. This would let the attacker write code into the system firmware, ensuring the malicious code executes before the operating system during the boot process.
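The check the module performs is the same one a firmware audit tool runs on the defender's side: read the Intel BIOS Control register (BIOS_CNTL) and decide whether the BIOS region of SPI flash is still writable from the OS. The following is an added example, not code from Eclypsium, AdvIntel or the TrickBot module; it assumes the Intel PCH bit layout (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) and, for the optional sysfs reader, that BIOS_CNTL is at offset 0xDC of the device named (both vary by chipset generation and should be confirmed against the platform datasheet).

```python
"""Audit helper: decode a BIOS_CNTL value and report whether the BIOS region
is write-protected.  Added example; bit layout assumed from Intel PCH datasheets."""
from dataclasses import dataclass

BIOSWE = 1 << 0   # BIOS Write Enable: 1 = software may write the BIOS region
BLE = 1 << 1      # BIOS Lock Enable: 1 = setting BIOSWE traps into SMM
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: 1 = writes allowed only from SMM


@dataclass(frozen=True)
class BiosCntl:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @classmethod
    def decode(cls, value: int) -> "BiosCntl":
        return cls(bool(value & BIOSWE), bool(value & BLE), bool(value & SMM_BWP))

    def verdict(self) -> str:
        """Classify the register the way chipsec's bios_wp module does: the
        region counts as protected only when BIOSWE is clear and both BLE and
        SMM_BWP are set."""
        if self.bioswe:
            return "WRITABLE: BIOSWE set, BIOS region can be rewritten from the OS"
        if not self.ble:
            return "WRITABLE: BLE clear, software can set BIOSWE at will"
        if not self.smm_bwp:
            return "WEAK: BLE set but SMM_BWP clear, protection rests on the SMI handler alone"
        return "PROTECTED: writes restricted to SMM"

    @property
    def protected(self) -> bool:
        return self.verdict().startswith("PROTECTED")


def read_bios_cntl_sysfs(bdf: str = "0000:00:1f.0", offset: int = 0xDC) -> int:
    """Read one byte of PCI config space via Linux sysfs (needs root).
    Assumption: BIOS_CNTL sits at 0xDC of the LPC bridge (00:1f.0) on older
    Intel PCHs; newer ones expose it on the SPI controller (00:1f.5)."""
    with open(f"/sys/bus/pci/devices/{bdf}/config", "rb") as f:
        f.seek(offset)
        return f.read(1)[0]


if __name__ == "__main__":
    # Constructed sample values, not readings from a real machine.
    for sample in (0x00, 0x01, 0x02, 0x22):
        print(f"BIOS_CNTL=0x{sample:02x}: {BiosCntl.decode(sample).verdict()}")
```

A machine whose register decodes to anything other than PROTECTED is exactly what the module is hunting for, and chipsec additionally checks the SPI protected-range registers before giving a final pass.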

The focus on UEFI in this so-called "TrickBoot" module indicates its operators are thinking beyond the operating system to target lower device layers that security tools often miss. Because firmware is stored on the motherboard and not in the system drives, UEFI-focused threats enable attackers to remain persistent after a system is reimaged or an infected hard drive is replaced.

"Once you've done that, you've escaped the rest of the entire security stack's ability to detect," says Scott Scheferman, principal cyber strategist at Eclypsium. "And you've gained persistence by doing that as well, that you can't eradicate or even detect in most organizations." 

In a writeup, researchers discuss what an attacker could do with this level of access. TrickBot operators could brick any device they find vulnerable. UEFI persistence could enable them to disable most OS-level security controls, allowing them to resurface with no endpoint security. They could land on thousands of hosts per day and learn which are vulnerable to UEFI attacks.

There are several reasons why TrickBot is moving in this direction, the researchers believe. The malware has become a key area of focus among defenders and security researchers, notes Vitali Kremez, CEO and chairman at AdvIntel. Given this ubiquity, it's necessary for its operators to innovate so they can stay ahead of corporate antivirus and endpoint security products.

"We see maturity and professionalization of the space, where the criminal groups are professionals like us. … They run their business as a company," Kremez explains. "It's not the coding of the tool, the level of attention, the thought process behind a crime that makes it more interesting. It's the level of criminal intent — it's elevated, so to speak." 

The capabilities seen in TrickBoot have been demonstrated by other attackers seeking persistence in firmware, researchers note. What's dangerous about this discovery is TrickBot's spread: In the last two months of infections, TrickBot has peaked at 40,000 in one day. Further, attackers don't need device access or a complex technique to make it work.

"This isn't some esoteric, nation-state, spy-level thing," says Scheferman. "This is commodity, massive, wide-scale criminal malware that has everything it needs in tooling to know what vulnerability to hit, and hit it."

What Happens if TrickBoot Hits?

Recovering from an attack like this is more involved and expensive compared with traditional malware attacks, the researchers report. Corrupted UEFI firmware requires replacing or reflashing the motherboard, which is more labor-intensive than replacing the hard drive.

"A lot of times IT will have hot spares for drives and memory, and some of these replaceable components are more common to fail," says Jesse Michael, principal researcher with Eclypsium. "But replacing the server, or motherboard, or an entire laptop is a much heavier issue." IT may have a playbook to replace a server that won't boot; it's less likely they're prepared to replace several servers at the same time.

The potential for this type of attack is especially concerning for operational environments, where uptime is the top priority, Scheferman adds. A TrickBoot attack could not be remediated with existing incident response playbooks and could cause "devastating downtime," he says.

While its capabilities have the potential to be "a significant development," defenders should be cautious when attempting to determine the attacker's intent without further evidence, says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

"Threat actor capability does not always translate into real-world actions, but network defenders should assess their capabilities to detect UEFI modifications and what the implications of such attacks have on incident response and recovery," she explains.

There are steps businesses can take to prepare before an incident strikes. Scheferman advises first understanding which portions of an environment are vulnerable to this type of attack: gain visibility at the firmware level and learn which devices match what this module is looking for.

"One thing to keep in mind is that a lot of enterprises don't have visibility into firmware," says Michael. "Making sure firmware updates are also part of their management process and IT process, making sure that component is also updated, is a key point of their enterprise process that they need to be aware of." 

While many admins prioritize patches pushed via Windows Update or Linux distributions, firmware patches may fall by the wayside when a vendor releases them. These are also generally more difficult to apply to systems, he adds, which is another challenge for businesses that learn they need them.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...