Robin’s Newsletter #129

6 December 2020. Volume 3, Issue 49
TrickBot is recovering from CyberCom, Microsoft takedowns, gains UEFI/BIOS capabilities. 'Cold chain' of COVID-19 vaccine targeted. Zero-click exploit in Apple iPhone.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

TrickBot malware gains firmware tampering capabilities

To date, capabilities to manipulate device firmware have been the preserve of nation-state affiliated actors. Two public examples are known: Russia’s Fancy Bear LoJax (vol. 1, iss. 15) and China’s MosaicRegressor (vol. 3, iss. 41) malware. This week a joint report from AdvIntel and Eclypsium says that the notorious TrickBot malware has gained capabilities to inspect and modify the UEFI and BIOS of devices it infects.

Device firmware - the UEFI and BIOS - sit in memory on the main motherboard of a device and control its boot-up process. By hiding in memory directly on the motherboard the malware can persist, even if the hard disk is replaced and a new operating system installed.
 The cybercrime ecosystem is a complex web of providers that have come to specialise in different aspects. Some focus purely on gaining network access, others on ransomware, more still on money laundering, and so on. Groups compete to offer ‘better’ products and services. Features, price, and service levels

It may be other ‘criminal-grade’ malware starts to offer these sorts of capabilities more widely. The ability to alter, or entirely wipe, a device’s firmware also makes it possible to ‘brick’ a device and render it inoperable: something that would be of interest to ransomware gangs looking to add jeopardy and increase pressure on victims.

TrickBot’s operations were dealt a blow in October when U.S. Cyber Command and Microsoft separately took action to kneecap the botnet (vol. 3, iss. 42). The action was attributed to preventing interference in the U.S. election, though it may also have disrupted efforts by the malware’s authors to catalogue which devices are vulnerable to firmware-based attacks.,,

Interesting stats

84.8% of the Alexa Top 100,000 websites rely on a single DNS provider 38% are served by just three companies: Cloudflare, AWS and GoDaddy, raising resilience concerns

4 years on average for a security vulnerability to be discovered in open source software components, it then takes… 1 month to issue a fix, according to GitHub’s State of the Octoverse report, who say that 17% of vulnerabilities are malicious, with 83% introduced by human error

Other newsy bits

Nation-states shift espionage to COVID-19 vaccine ‘cold chain’

Spear-phishing emails have been sent to organisations in the public-private GAVI, the Vaccine Alliance. The campaign marks a shift in espionage efforts of countries seeking information and advantage in the manufacture of a vaccine to help protect against the COVID-19 coronavirus. Instead of details of the vaccine itself, they are now targeting the ‘cold chain’ of temperature controlled manufacture, distribution and storage facilities, according to IBM’s threat intelligence team. The groups are likely seeking information on the development and distribution to aid their national interests, though concerns remain that attacks against the supply chain may also be on the cards. The logistics behind COVID-19 testing and vaccination are complex supply chains and are seen by many as critical infrastructure.,

iPhone ‘zero-click’ wifi exploit

Google Project Zero’s Ian Beer published details of his ‘lockdown project’ this week: an exploit in Apple’s iPhone software that allowed him to compromise devices within wifi radio range without any user interaction. It’s a remarkable piece of work, exploiting a buffer overflow in the driver for Apple Wireless Direct Link (used in things like AirDrop), to ultimately break out onto the device itself and retrieve personal data like photos. The bug was reported to Apple and fixed in iOS 13.5 (released over six months ago). It’s the sort of issue that would have been of particular interest to commercial exploit developers and, given how much technical info on the protocol is in his blog post, I expect AWDL to see a spike in security researchers looking for other issues.,

In brief

Attacks, incidents & breaches

  • OnePlus website breached and Javascript payment skimmer installed, upto 40,000 payment cards stolen in plaintext
  • Conti ransomware group attack industrial IoT chip manufacturer Advantech (who have a 34% global market share), steal data and make $12.6M ransom demand
  • Cayman Islands investment fund left files on public Azure blog exposing register of members, share certificates, director identities and even banking PINs, also…
  • U.S. health provider NTreatment left 109,000 patient records in an unsecured Azure server
  • … both of these are akin to ‘public Amazon S3 buckets’.
  • TransLink, Vancouver’s public transport agency, victim of Gregor ransomeware, customer’s unable to use Compass travel cards for two days
  • Global recruitment agency Randstad hit by Gregor ransomware

Threat intel

  • FBI warns of business email compromise (BEC) scammers using web-based email portals to setup auto-forward rules
  • Two NPM packages removed containing remote access trojan, spotted within a week, but volume of compromised packages is increasing
  • Oracle WebLogic vulnerability patched two months ago under active attack
  • New malware linked to APT32 / OceanLotus group targets MacOS users in Vietnam

Security engineering

  • Using Docker or Kubernetes? Check you’ve hardened your environment and aren’t unknowingly running crypto-currency mining malware

Public policy

  • U.S. Supreme Court to begin hearing on Computer Fraud and Abuse Act (CFAA) using three-decades old case to clarify what ‘unauthorised access’ really means,

Mergers, acquisitions and investments

  • Ivanti acquires MobileIron and Pulse Secure to add mobile device management and VPN capabilities
  • Kaspersky diversifying into anti-drone, election security after bans from U.K. and U.S. on cyber security products

And finally

Leonardo head of incident response under house arrest

Italian police have made arrests for the theft of 10GB of confidential information from defence company Leonardo. One was a consultant, employed by the firm and the second was the company’s incident response head, who is under house arrest after ‘misrepresenting’ the scope and scale of the attack and interfering with the investigation.,


  Robin's Newsletter - Volume 3

  Trickbot UEFI / BIOS Firmware Coronavirus (COVID-19) Supply chain Apple iPhone Apple Wireless Direct Link (AWDL) Leonardo