Eclypsium on LoJax UEFI malware

Re: https://firmwaresecurity.com/2018/09/27/apt28-malware-lojax-uses-uefi-rootkit/, Eclypsium has a new blog post on this malware:

UEFI Attacks in the Wild

Eclypsium research on SuperMicro BMC/Redfish vulnerability

Insecure Firmware Updates in Server Management Systems

Eclypsium presentations from Blackhat and DEF CON uploaded

Re: https://firmwaresecurity.com/2018/08/10/eclypsium-remotely-attacking-system-firmware/

https://github.com/HackingThings/Publications/blob/master/2018/DC26_UEFI_EXPLOITATION_MASSES_FINAL.pdf

https://github.com/eclypsium/Publications/blob/master/2018/BlackHat_USA_2018/BH2018_REMOTELY_ATACKING_SYSTEM_FIRMWARE_FINAL.pdf

Eclypsium: Remotely Attacking System Firmware

At BlackHat, Eclypsium gave a great talk with an overview of platform firmware security threats, focusing on network-based attacks, including poorly-tested OEM firmware update implementations.

https://threatpost.com/update-mechanism-flaws-allow-remote-attacks-on-uefi-firmware/134785/

https://www.blackhat.com/us-18/briefings/schedule/index.html#remotely-attacking-system-firmware-11588

 

Eclypsium: new Supermicro firmware research

Firmware Vulnerabilities in Supermicro Systems

https://www.bleepingcomputer.com/news/security/firmware-vulnerabilities-disclosed-in-supermicro-server-products/

[…]We have confirmed missing firmware storage access controls and insecure firmware updates on specific Supermicro systems. Many other systems are likely to have similar vulnerabilities, leaving them exposed to attacks targeting firmware and hardware. Since most organizations do not monitor at this deep level, these attacks may go unnoticed for an extended period. By providing this summary of the vulnerabilities, impacts, and mitigation strategies, we hope to assist organizations in understanding and defending against threats at this level.

I did not see any CVE yet, I hope SuperMicro has seen this.

Eclypsium on BloombergTV

Re: https://firmwaresecurity.com/2018/05/17/eclypsium-in-bloomberg/

Eclypsium was on BloombergTV today! Hmm, I can’t find the URL of the video, if you can, please add it as a Comment to this blog.

BlackHat cancels Intel/Eclypsium CHIPEC training

I notice that the Intel/Eclypsium training at Black Hat USA 2018 is no longer listed. Sounds like not enough people signed up?!

AFAIK, the next opportunity to get Eclypsium CHIPSEC training is at REcon (and REcon appears to have cheaper training rates than Blackhat):

https://recon.cx/2018/montreal/training/trainingfirmware.html

There’s also the training materials from older training from Intel ATR/CHIPSEC team, available here:

https://firmwaresecurity.com/2017/05/25/intel-atr-releases-uefi-firmware-training-materials/

 

Eclypsium in Bloomberg

System Management Mode Speculative Execution Attacks

 

Yuriy working on new CHIPSEC Spectre test

Nice to see some recent CHIPSEC activity, given all the recent related CVEs…
…But this is not from the CHIPSEC team, it is from ex-CHIPSEC team member Yuriy of Eclypsium.

Added new module checking for Spectre variant 2
The module checks if system is affected by Speculative Execution Side Channel vulnerabilities. Specifically, the module verifies that the system supports hardware mitigations for Branch Target Injection a.k.a. Spectre Variant 2 (CVE-2017-5715)

See source comments for more info.

https://github.com/c7zero/chipsec/commit/b11bce8a0ed19cbe1d6319ef9928a297b9308840

 

Eclypsium to offer firmware training at REcon

Defending From Platform Firmware Threats
Instructor: Yuriy Bulygin, Oleksandr Bazhaniuk
Dates: 29 to 31 January 2018
Price: 2625 EURO before January 1, 3500 EURO after.

A variety of attacks targeting system firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, OS loaders and secure booting. This training will detail and organize objectives, attack vectors, vulnerabilities and exploits against various types of system firmware such as legacy BIOS, SMI handlers and UEFI based firmware, mitigations as well as tools and methods available to analyze security of such firmware components. It will also detail protections available in hardware and in firmware such as Secure Boot implemented by modern operating systems against bootkits. The training includes theoretical material describing a structured approach to system firmware security analysis and mitigations as well as many hands-on exercises to test system firmware for vulnerabilities. After the training you should have basic understanding of platform hardware components and various types of system firmware, security objectives and attacks against system firmware, mitigations available in hardware and firmware. You should be able to apply this knowledge in practice to identify vulnerabilities in BIOS and perform forensic analysis of the firmware.

https://recon.cx/2018/brussels/training/trainingfirmware.html

https://www.eclypsium.com/

PS: Looking forward to when Eclypsium will release their ARM port of the GPL CHIPSEC project. They’ve been saying they’d release this since Black Hat. It would be nice if ARM OEMs could use it, not just Eclypsium clients.

 

Eclypsium funding news

Congratulations to Eclypsium for getting funded! Here’s some more recent news stories on this:

http://altolawgroup.com/2017/10/06/eclypsium-inc-closes-2-3-million-seed-round-financing/

https://www.nwinnovation.com/eclypsium_finds_funding_from_intel_for_security_software/s-0072416.html

http://www.oregonlive.com/silicon-forest/index.ssf/2017/10/intel_capital_boosts_startup_i.html

https://techcrunch.com/2017/10/19/data-is-the-name-of-the-game-as-intel-capital-puts-60m-in-15-startups-566m-in-2017-overall/

 

local press story on Eclypsium

https://www.bizjournals.com/portland/news/2017/10/04/former-intel-security-researchers-launch-firmware.html

Ekoparty presentation by Eclypsium available

https://github.com/abazhaniuk/Publications/blob/master/2017/Ekoparty13_2017/us-17-Bazhaniuk-Bulygin-BluePill-for-Your-Phone.pdf