New functionality discovered in Trickbot enables malicious actors to inspect the UEFI/BIOS firmware of targeted systems for well-known, unpatched vulnerabilities that, if exploited, would enable them to cause extremely disruptive, or even destructive cyber attacks.
That is according to researchers at Eclypsium and Advanced Intelligence (AdvIntel), who have described the developments – dubbed Trickboot – as a critical risk to organisational and national security.
“Our research uncovered Trickbot performing reconnaissance for firmware vulnerabilities,” wrote the research team in their disclosure announcement. “This activity sets the stage for Trickbot operators to perform more active measures such as the installation of firmware implants and backdoors, or the destruction of a targeted device.
“It is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets. Similar UEFI-focused threats have gone years before they have been detected. Indeed, this is precisely their value to attackers.”
Trickboot is especially dangerous because, as with similar attacks, subverting the boot process lets attackers gain control of the operating system and establish ongoing persistence below it.
More specifically, if the boot process is compromised by writing to the SPI flash chip that holds the firmware from which the system boots, malicious actors can: brick a device at the firmware level via a remote malware or ransomware campaign; reinfect a device that has undergone a system restore; bypass or disable security controls that the operating system and software rely on; chain exploits of other device components; and roll back firmware updates that patched previous vulnerabilities.
The new capabilities are a significant step in the evolution of Trickbot and massively increase the danger it poses. The team said that given the links between the Trickbot toolset and active advanced persistent threat (APT) groups in Russia and North Korea – possibly even government-backed groups – and its use in the past to hit sectors such as education, financial services, healthcare, telecoms and other critical national infrastructure, defenders should be on high alert because most will not be tooled to mitigate such a threat.
“Adversaries leveraging Trickbot now have an automated means to know which of their victim hosts are vulnerable to UEFI vulnerabilities, much like they tooled up in 2017 to leverage EternalBlue and EternalRomance vulnerabilities for worming capabilities,” the researchers wrote. “Security teams should take action to mitigate this risk.
“Given the size and scope of Trickbot, the discovery of a module specifically targeting firmware is troubling. These threat actors are collecting targets that are verified to be vulnerable to firmware modification, and one line of code could change this reconnaissance module into an attack function.”
The team added: “Like other in-the-wild firmware attacks, Trickbot reused publicly available code to quickly and easily enable these new firmware-level capabilities. At a time when geopolitical events and a global pandemic have upended life across the globe, Trickbot is digging into the hidden area of firmware that is often overlooked.
“This presents a greater risk than ever before because the scale of Trickbot, which has previously brought highly disruptive ransomware, now brings firmware attacks to many more organisations that are likely unprepared for such techniques.”
All Rights Reserved, Copyright 2000 – 2020, TechTarget