Eclypsium: Understanding the Top 5 Common Firmware and Hardware Attack Vectors

January 2, 2019January 2, 2019 ~ hucktech ~ Leave a comment

Spoiler alert:

1) Malware and UEFI Rootkits
2) Exploiting Firmware Remotely
3) Physical Tampering
4) Management Backdoors
5) Supply Chain Attacks

Full blog post: https://eclypsium.com/2018/12/28/the-top-5-firmware-and-hardware-attack-vectors/
Whitepaper: https://eclypsium.com/wp-content/uploads/2018/12/Top-5-Firmware-Attack-Vectors.pdf

Eclypsium: Remotely Bricking a Server

December 19, 2018 ~ hucktech ~ Leave a comment

https://eclypsium.com/2018/12/19/remotely-bricking-a-server/

Eclypsium gets more funding!

December 4, 2018 ~ hucktech ~ Leave a comment

https://eclypsium.io/2018/12/04/series-a-funding-and-eclypsiums-next-chapter/

https://www.geekwire.com/2018/eclypsium-raises-8-75m-series-round-led-madrona-venture-group-tackle-hardware-security/

Eclypsium on LoJax UEFI malware

October 3, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/09/27/apt28-malware-lojax-uses-uefi-rootkit/, Eclypsium has a new blog post on this malware:

New blog by Eclypsium research team:

UEFI Attacks in the Wildhttps://t.co/wzVsZqRQhw #UEFI #firmware #LoJax #CHIPSEC pic.twitter.com/TBbrU1nDb0

— Eclypsium (@eclypsium) October 1, 2018

We have been tracking firmware vulnerabilities for years. Now there is proof of them being used in the wild: https://t.co/nsxTN4JjLG #uefi #firmware #LoJax @chipsec

— Alex Bazhaniuk (@ABazhaniuk) October 1, 2018

UEFI Attacks in the Wild

Eclypsium announces beta

September 8, 2018September 8, 2018 ~ hucktech ~ Leave a comment

We are proud to announce the availability of Eclypsium Beta!https://t.co/0wtXRPfNQi pic.twitter.com/v73mu3OCJT

— Eclypsium (@eclypsium) September 5, 2018

Eclypsium Beta Now Available

Eclypsium research on SuperMicro BMC/Redfish vulnerability

September 8, 2018 ~ hucktech ~ Leave a comment

Insecure Firmware Updates in Server Management Systems

We published a new research about vulnerability in Supermicro BMCs (from X8 to X11 gen) which can be compromised from software to take full control (implant BMC or System Firmware) or even brick a system: https://t.co/axZnhSRrm5 with @jessemichael & @HackingThings pic.twitter.com/SKJAvRLI96

— Alex Bazhaniuk (@ABazhaniuk) September 6, 2018

Vulnerabilities found in the remote management interface of Supermicro servers.

All X8 through X11 generation Supermicro servers impacted.https://t.co/lD7LVyP64C pic.twitter.com/OGey8myYjY

— Catalin Cimpanu (@campuscodi) September 6, 2018

New blog by Eclypsium research team:

Insecure #Firmware Updates in Server Management Systems: Supermicro #BMC Case Studyhttps://t.co/uoLyH39qKx pic.twitter.com/7kRjlGMtbo

— Eclypsium (@eclypsium) September 6, 2018

BMC is a critical subsystem on each server responsible for remote server management including recovering the host if it’s corrupted.

What if the BMC firmware itself can be infected?

Read @eclypsium‘s new research: https://t.co/ZuyJ9ScmUZ

— Yuriy Bulygin (@c7zero) September 6, 2018

Eclypsium presentations from Blackhat and DEF CON uploaded

August 16, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/08/10/eclypsium-remotely-attacking-system-firmware/

Click to access DC26_UEFI_EXPLOITATION_MASSES_FINAL.pdf

Click to access BH2018_REMOTELY_ATACKING_SYSTEM_FIRMWARE_FINAL.pdf

Progress bar: loading and installing persistent UEFI firmware implant remotely 😁😁😁…

before BitLocker, System Guard, Credential Guard or other SW defenses, before the OS!

Remote UEFI exploit by @jessemichael @HackingThings @ABazhaniuk at #BHUSA

Demo https://t.co/V8LP4FE9M4 pic.twitter.com/Vhg2wntQOh

— Yuriy Bulygin (@c7zero) August 16, 2018

Slides of "UEFI Exploitation for the Masses" #DEFCON26 talk. @HackingThings and @jessemichael showed how to debug exploits in UEFI system firmware: https://t.co/fjlGzucote pic.twitter.com/OjdsIkgtiD

— Alex Bazhaniuk (@ABazhaniuk) August 16, 2018

Slides of our "Remotely Attacking System Firmware" #Blackhat2018 presentation. We demonstrated 100% reliable RCE exploit in the UEFI system firmware : https://t.co/iL6nZpwSnf // with @HackingThings @jessemichael pic.twitter.com/L4WB8apPry

— Alex Bazhaniuk (@ABazhaniuk) August 16, 2018

Black Hat presentation: https://t.co/rOTwxwv3H6 [PDF]

DEFCON presentation with additional details: https://t.co/xBP9lo4PQ6 [PDF]

— Yuriy Bulygin (@c7zero) August 16, 2018

Eclypsium: Remotely Attacking System Firmware

August 10, 2018 ~ hucktech ~ 1 Comment

At BlackHat, Eclypsium gave a great talk with an overview of platform firmware security threats, focusing on network-based attacks, including poorly-tested OEM firmware update implementations.

Don't miss our presentation "Remotely Attacking System Firmware" with @jessemichael & @HackingThings at #BlackHat2018 tomorrow 1:30pm in South Pacific F: https://t.co/QmDabencJ3 pic.twitter.com/ipZ85gjFVE

— Alex Bazhaniuk (@ABazhaniuk) August 7, 2018

Here is the video from our @BlackHatEvents presentation "Remotely Attacking System Firmware", and as customary with such things, calculator must be involved.https://t.co/4EkAoRjeZs

— Mickey (@HackingThings) August 9, 2018

“Update Mechanism Flaws Allow Remote Attacks on UEFI Firmware” by @LindseyOD123 covering most recent research presented by @Eclypsium’s @HackingThings @jessemichael & @ABazhaniuk at #BHUSA https://t.co/XIOp6ZszJl

— Yuriy Bulygin (@c7zero) August 8, 2018

https://threatpost.com/update-mechanism-flaws-allow-remote-attacks-on-uefi-firmware/134785/

https://www.blackhat.com/us-18/briefings/schedule/index.html#remotely-attacking-system-firmware-11588

Eclypsium creates new CHIPSEC module to test USB security

July 25, 2018 ~ hucktech ~ Leave a comment

Eclypsium has created a new CHIPSEC module to see if USB Debug attacks are possible!

“Evil Maid” Firmware Attacks Using USB Debug

https://github.com/chipsec/chipsec/blob/master/chipsec/modules/debugenabled.py

Eclypsium: Infrastructure Attacks Take Center Stage

July 4, 2018 ~ hucktech ~ Leave a comment

Infrastructure Attacks Take Center Stage. Our CTO @ABazhaniuk explains a trend of attacks against network infrastructure devices going mainstream https://t.co/WIMcVRHpyn

— Eclypsium (@eclypsium) July 3, 2018

Infrastructure Attacks Take Center Stage

Eclypsium: new Supermicro firmware research

June 7, 2018 ~ hucktech ~ 1 Comment

We published new research about Supermicro firmware, where we discovered issues with firmware storage and update authentication: https://t.co/KO5s8Yy4Bs with @jessemichael @JohnLoucaides @HackingThings

— Alex Bazhaniuk (@ABazhaniuk) June 7, 2018

Firmware Vulnerabilities in Supermicro Systems

https://www.bleepingcomputer.com/news/security/firmware-vulnerabilities-disclosed-in-supermicro-server-products/

[…]We have confirmed missing firmware storage access controls and insecure firmware updates on specific Supermicro systems. Many other systems are likely to have similar vulnerabilities, leaving them exposed to attacks targeting firmware and hardware. Since most organizations do not monitor at this deep level, these attacks may go unnoticed for an extended period. By providing this summary of the vulnerabilities, impacts, and mitigation strategies, we hope to assist organizations in understanding and defending against threats at this level.

I did not see any CVE yet, I hope SuperMicro has seen this.

Eclypsium on BloombergTV

June 4, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/05/17/eclypsium-in-bloomberg/

Eclypsium was on BloombergTV today! Hmm, I can’t find the URL of the video, if you can, please add it as a Comment to this blog.

Eclypsium co-founder and CEO @c7zero discussed the growing threat of firmware attacks with @jordanr1000 and @CarolineHydeTV on #BloombergTV pic.twitter.com/ORQRyDffqa

— Eclypsium (@eclypsium) June 4, 2018

Thank you for a great discussion! https://t.co/JwlftCUqsG

— Yuriy Bulygin (@c7zero) June 4, 2018

BlackHat cancels Intel/Eclypsium CHIPEC training

June 3, 2018 ~ hucktech ~ Leave a comment

I notice that the Intel/Eclypsium training at Black Hat USA 2018 is no longer listed. Sounds like not enough people signed up?!

AFAIK, the next opportunity to get Eclypsium CHIPSEC training is at REcon (and REcon appears to have cheaper training rates than Blackhat):

https://recon.cx/2018/montreal/training/trainingfirmware.html

There’s also the training materials from older training from Intel ATR/CHIPSEC team, available here:

https://firmwaresecurity.com/2017/05/25/intel-atr-releases-uefi-firmware-training-materials/

Eclypsium in Bloomberg

May 17, 2018 ~ hucktech ~ 1 Comment

We’ve just published our recent research on #Spectre attack against x86 System Management Mode by @ABazhaniuk @jessemichael @HackingThings @JohnLoucaides https://t.co/viEA1CA4nn

— Yuriy Bulygin (@c7zero) May 17, 2018

Awesome piece by @jordanr1000 on our new #Spectre SMM research! Most importantly, sheds light on much less understood hardware & firmware threats. https://t.co/GIe8O1qZee

— Yuriy Bulygin (@c7zero) May 17, 2018

https://t.co/CQPMhIvthW @c7zero @martin_casado @securelyfitz

— Jordan Robertson (@jordanr1000) May 17, 2018

System Management Mode Speculative Execution Attacks

Yuriy working on new CHIPSEC Spectre test

January 17, 2018January 18, 2018 ~ hucktech ~ 1 Comment

Working on this… https://t.co/w6GOLV0Ue9

— Yuriy Bulygin (@c7zero) January 17, 2018

Nice to see some recent CHIPSEC activity, given all the recent related CVEs…
…But this is not from the CHIPSEC team, it is from ex-CHIPSEC team member Yuriy of Eclypsium.

Added new module checking for Spectre variant 2
The module checks if system is affected by Speculative Execution Side Channel vulnerabilities. Specifically, the module verifies that the system supports hardware mitigations for Branch Target Injection a.k.a. Spectre Variant 2 (CVE-2017-5715)

See source comments for more info.

https://github.com/c7zero/chipsec/commit/b11bce8a0ed19cbe1d6319ef9928a297b9308840

Eclypsium to offer firmware training at REcon

December 29, 2017 ~ hucktech ~ Leave a comment

Learn about security of system firmware (BIOS and UEFI), understand attacks against the system firmware and mitigations, learn how to identify vulnerabilities and perform basic forensics on the system firmware.https://t.co/UIfzbokvEi @c7zero @ABazhaniuk pic.twitter.com/OoM9S3W61z

— REcon Brussels (@reconbrx) December 28, 2017

Defending From Platform Firmware Threats
Instructor: Yuriy Bulygin, Oleksandr Bazhaniuk
Dates: 29 to 31 January 2018
Price: 2625 EURO before January 1, 3500 EURO after.

A variety of attacks targeting system firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, OS loaders and secure booting. This training will detail and organize objectives, attack vectors, vulnerabilities and exploits against various types of system firmware such as legacy BIOS, SMI handlers and UEFI based firmware, mitigations as well as tools and methods available to analyze security of such firmware components. It will also detail protections available in hardware and in firmware such as Secure Boot implemented by modern operating systems against bootkits. The training includes theoretical material describing a structured approach to system firmware security analysis and mitigations as well as many hands-on exercises to test system firmware for vulnerabilities. After the training you should have basic understanding of platform hardware components and various types of system firmware, security objectives and attacks against system firmware, mitigations available in hardware and firmware. You should be able to apply this knowledge in practice to identify vulnerabilities in BIOS and perform forensic analysis of the firmware.

https://recon.cx/2018/brussels/training/trainingfirmware.html

https://www.eclypsium.com/

PS: Looking forward to when Eclypsium will release their ARM port of the GPL CHIPSEC project. They’ve been saying they’d release this since Black Hat. It would be nice if ARM OEMs could use it, not just Eclypsium clients.

@c7zero @ABazhaniuk Hi, any chance you will release the ChipSec and expl. code for your Blue Pill Presentation ? Would like to do some arm smc/tz tests/fuzzing without reinventing the wheel (coding as solution already available).

— Bjoern Kerler (@viperbjk) December 28, 2017

Eclypsium funding news

October 23, 2017 ~ hucktech ~ Leave a comment

Congratulations to Eclypsium for getting funded! Here’s some more recent news stories on this:

http://altolawgroup.com/2017/10/06/eclypsium-inc-closes-2-3-million-seed-round-financing/

https://www.nwinnovation.com/eclypsium_finds_funding_from_intel_for_security_software/s-0072416.html

http://www.oregonlive.com/silicon-forest/index.ssf/2017/10/intel_capital_boosts_startup_i.html

https://techcrunch.com/2017/10/19/data-is-the-name-of-the-game-as-intel-capital-puts-60m-in-15-startups-566m-in-2017-overall/

local press story on Eclypsium

October 8, 2017 ~ hucktech ~ Leave a comment

Former Intel sec guys @c7zero & @ABazhaniuk launch firmware-targeted startup in Porland OR / Bay Area w $2m from VCs https://t.co/Ycyg2LFsYj pic.twitter.com/BSP0l0EgNA

— Daniel Bilar (@daniel_bilar) October 8, 2017

https://www.bizjournals.com/portland/news/2017/10/04/former-intel-security-researchers-launch-firmware.html

Totally missed it: @c7zero and @ABazhaniuk have founded Eclypsium focusing on firmware security!
Talk about a dream team…

— Arrigo Triulzi (@cynicalsecurity) October 5, 2017

Even my congrats to @c7zero and @ABazhaniuk! You rock guys 🙂 https://t.co/JprN6yIff0

— Andrea Allievi (@aall86) October 6, 2017

Woow that's awesome! It is definitely
pioneer in the field of IT security! Congrats @ABazhaniuk @c7zero 😊

— Thomas Roccia 🤘 (@fr0gger_) October 6, 2017

best of luck ninjas!

— Zuk (@ihackbanme) October 6, 2017

Congrats! Awesome team! https://t.co/JaZF0pgQRW

— Brandon Edwards (@drraid) October 6, 2017

Congrats @c7zero and @ABazhaniuk I hope you achieve great success!https://t.co/OcIMk2oH7M

— 𝓡𝒊𝒄𝒉𝒂𝒓𝒅 𝓙𝒐𝒉𝒏𝒔𝒐𝒏 (@richinseattle) October 5, 2017

Ekoparty presentation by Eclypsium available

October 3, 2017 ~ hucktech ~ Leave a comment

Blue Pill for your Phone
SLIDES by @ABazhaniuk and @c7zero #MobileSecurity #AndroidSecurity https://t.co/CBtg22W8HX pic.twitter.com/jxnJMWix9M

— Mobile Security (@mobilesecurity_) October 3, 2017

#eko13 #ekoparty slides from our talk (in case of someone missed): https://t.co/R1v3xtM6SS (orig. from bh presentation)

— Alex Bazhaniuk (@ABazhaniuk) October 2, 2017

Click to access us-17-Bazhaniuk-Bulygin-BluePill-for-Your-Phone.pdf

Betraying the BIOS: slides available

July 29, 2017 ~ hucktech ~ Leave a comment

My slides "Betraying the BIOS: Where the Guardians of the BIOS are Failing" https://t.co/3blc71yduV #BHUSA @BlackHatEvents

— Alex Matrosov (@matrosov) July 28, 2017

https://github.com/REhints/BlackHat_2017