It’s a scary Halloween! Researchers uncovered a long-running campaign that used a UEFI implant built on the stolen and leaked 2015 Hacking Team code, bringing this class of powerful, evasive, and persistent threats back into focus. Fear not: our researchers discuss how MosaicRegressor and other UEFI implants can be handled, and our CEO Yuriy Bulygin and Principal Cyber Strategist Scott Scheferman are hosting a webinar covering the discovery, its impact, and how to mitigate the risk.
In the meantime, the NSA warns that attackers continue to exploit exposed and vulnerable firmware on VPN devices from several manufacturers. We blogged about it.
If that’s not scary enough, check out this blog on how to identify and mitigate the latest vulnerabilities in Intel’s Trusted Platform Module (TPM) and out-of-band (OOB) management components.
An eerie tip from CISA and the FBI warns of Russian and Iranian actors lurking in government agency networks and trying to influence the US elections. Another CISA report explains how Chinese MSS-affiliated actors continually scan for, and exploit, newly published CVEs in vulnerable firmware on Internet-connected devices, often within a few weeks of publication.
Finally, we have a hardware vulnerability spanning two years’ worth of Apple Macs that is so severe it breaks Apple’s root of trust in the device, and with it security controls built on that trust such as FileVault 2 and Find My. Worse still, it cannot be patched and will haunt users of these devices for many Halloweens to come.
Protect your organization from MosaicRegressor and other UEFI implants
Kaspersky researchers recently disclosed a new UEFI implant found in the wild, named MosaicRegressor. This type of implant is used in targeted attacks to gain a foothold in an organization and evade most detection controls while delivering malicious payloads to compromised systems. We have confirmed that Eclypsium detects MosaicRegressor and similar threats, even before they are publicly discovered or observed in the wild, without relying on signatures or associated IOCs. Read blog post>
Detect and mitigate critical Intel vulnerabilities (INTEL-SA-00241, INTEL-SA-00404)
Corporate devices contain a variety of components that are critical to the security of the device; out-of-band management components and Trusted Platform Modules (TPMs) that protect cryptographic keys on the device are two such examples. Two recent Intel Security Advisories, INTEL-SA-00241 and INTEL-SA-00404, describe vulnerabilities in these components. Our post explains the risk they pose and how to identify and mitigate them in a real-world environment. Read blog post>
Crouching tiger, hidden danger: an unrecoverable hardware vulnerability in Apple T2 chip devices
Because this vulnerability breaks Apple’s root of trust on affected devices, the critical security controls that protect the data on those devices are also significantly weakened. From Apple’s FileVault 2 full-disk encryption to the core components of the operating system, everything is affected, as are the application-level controls that typically make Apple devices suitable for remote workers. It is also important to note that this vulnerability has existed since 2018, well before the current shift to working from home and the associated travel restrictions. Business travelers may therefore have been exposed for the past two years without ever knowing, and a tampered device shipped to an unsuspecting victim may be the shortest path for an adversary targeting today’s work-from-home workforce. An end user who generates or enters MFA (multi-factor authentication) tokens on an affected device can also be a “game over” scenario.
THREATS IN THE WILD
Protecting your organization from MosaicRegressor and other UEFI implants
Join Yuriy Bulygin, Founder and CEO of Eclypsium, and Scott Scheferman, Principal Strategist, for this webinar discussing the recent discovery of the MosaicRegressor spyware, the latest in an ongoing trend of UEFI implants observed in the wild. These threats are particularly powerful because their malicious code runs before the operating system and sits beneath it, and because the implant persists in firmware even after a system is re-imaged. The implant code itself is generic and easy to build, and the UEFI file system format is largely consistent across OEMs. This creates a relatively low barrier to entry for attackers, making it likely that this capability will show up in other campaigns. Take part>
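To make concrete what a largely consistent UEFI file system format buys a defender, and what a signature-free check of the kind mentioned for MosaicRegressor looks like, here is an added example written for this page (it is not Eclypsium’s or Kaspersky’s code). It builds a small FFSv2 firmware volume, walks its file list the way a firmware scanner does, and flags any executable file whose GUID is absent from a known-good baseline, which is how an extra DXE driver dropped into the free space of a volume stands out even when nothing is known about its contents. The firmware volume and FFS header layouts and the two file system GUIDs follow the UEFI PI specification; every other GUID and all image contents are constructed for the example.

```python
"""Walk a UEFI firmware volume's FFS file list and diff it against a known-good baseline.

Added example, not Eclypsium's or Kaspersky's code. Header layouts and the FFS GUIDs
follow the UEFI PI spec; the file GUIDs and image contents below are constructed."""
import struct
import uuid
from collections import namedtuple

FV_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS3_GUID = uuid.UUID("5473c07a-3dcb-4dca-bd6f-1e9689e7349a")  # EFI_FIRMWARE_FILE_SYSTEM3_GUID
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"  # EFI_FIRMWARE_VOLUME_HEADER up to the block map (56 bytes)
FFS_HEADER_LEN = 24                 # EFI_FFS_FILE_HEADER: Name, IntegrityCheck, Type, Attributes, Size[3], State
FILE_TYPES = {0x03: "SECURITY_CORE", 0x04: "PEI_CORE", 0x05: "DXE_CORE", 0x06: "PEIM",
              0x07: "DRIVER", 0x09: "APPLICATION", 0x0A: "SMM", 0x0B: "FV_IMAGE", 0xF0: "PAD"}

FfsFile = namedtuple("FfsFile", "name ftype type_name offset size")


def build_ffs_file(name: uuid.UUID, ftype: int, body: bytes) -> bytes:
    """Serialize one FFS file (header + body) with a valid 8-bit header checksum."""
    size = FFS_HEADER_LEN + len(body)
    hdr = bytearray(name.bytes_le + b"\0\0" + bytes([ftype, 0]) + size.to_bytes(3, "little") + b"\0")
    hdr[16] = (-sum(hdr)) & 0xFF  # IntegrityCheck.Header: header sums to 0 with File and State zeroed
    hdr[17] = 0xAA                # FFS_FIXED_CHECKSUM: file body is not checksummed
    hdr[23] = 0xF8                # State: CONSTRUCTION|HEADER_VALID|DATA_VALID, inverted (erase polarity 1)
    return bytes(hdr) + body


def build_fv(files: list, total_len: int) -> bytes:
    """Assemble one FFSv2 firmware volume: 8-byte aligned files, 0xFF-filled free space."""
    block_map = struct.pack("<IIII", total_len // 0x1000, 0x1000, 0, 0)  # one entry plus terminator
    hdr_len = struct.calcsize(FV_HEADER_FMT) + len(block_map)            # 72 bytes
    hdr = bytearray(struct.pack(FV_HEADER_FMT, bytes(16), FFS2_GUID.bytes_le, total_len,
                                FV_SIGNATURE, 0x0004FEFF, hdr_len, 0, 0, 0, 2) + block_map)
    words = struct.unpack(f"<{hdr_len // 2}H", hdr)
    struct.pack_into("<H", hdr, 50, (-sum(words)) & 0xFFFF)  # 16-bit header checksum, sums to 0
    image = bytearray(hdr)
    for f in files:
        image += b"\xff" * (-len(image) % 8)
        image += f
    if len(image) > total_len:
        raise ValueError("files do not fit in the volume")
    return bytes(image) + b"\xff" * (total_len - len(image))


def parse_fv(image: bytes) -> list:
    """Validate the FV header and return every FFS file in it, stopping at erased space."""
    _zero, fs_guid, fv_len, sig, _attr, hdr_len, _csum, _ext, _res, _rev = struct.unpack_from(FV_HEADER_FMT, image)
    if sig != FV_SIGNATURE:
        raise ValueError("missing _FVH signature")
    fs = uuid.UUID(bytes_le=fs_guid)
    if fs not in (FFS2_GUID, FFS3_GUID):
        raise ValueError(f"unsupported file system GUID {fs}")
    if sum(struct.unpack(f"<{hdr_len // 2}H", image[:hdr_len])) & 0xFFFF:
        raise ValueError("FV header checksum mismatch")
    files, off = [], hdr_len
    while off + FFS_HEADER_LEN <= fv_len:
        hdr = image[off:off + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:
            break  # erased free space: end of the file list
        chk = bytearray(hdr)
        chk[17] = 0  # File checksum and State are excluded from the header checksum
        chk[23] = 0
        if sum(chk) & 0xFF:
            raise ValueError(f"bad FFS header checksum at 0x{off:x}")
        size = int.from_bytes(hdr[20:23], "little")
        if size < FFS_HEADER_LEN or off + size > fv_len:
            raise ValueError(f"FFS file at 0x{off:x} overruns the volume")
        ftype = hdr[18]
        files.append(FfsFile(uuid.UUID(bytes_le=hdr[:16]), ftype, FILE_TYPES.get(ftype, f"0x{ftype:02x}"), off, size))
        off = (off + size + 7) & ~7  # next file header is 8-byte aligned
    return files


def find_unexpected(files: list, baseline: set) -> list:
    """Baseline diff: any non-pad file whose GUID is not in the golden image is suspect."""
    return [f for f in files if f.ftype != 0xF0 and f.name not in baseline]


# Constructed sample. The GUIDs are made up; a real baseline comes from a known-good SPI dump.
DXE_CORE_GUID = uuid.UUID("7d6b2a30-1e9a-4a40-9c2e-0b1d51b3a001")
PLATFORM_DRV_GUID = uuid.UUID("7d6b2a30-1e9a-4a40-9c2e-0b1d51b3a002")
IMPLANT_DRV_GUID = uuid.UUID("deadbeef-0000-4000-8000-000000000bad")
BASELINE = {DXE_CORE_GUID, PLATFORM_DRV_GUID}

GOLDEN_IMAGE = build_fv([build_ffs_file(DXE_CORE_GUID, 0x05, bytes(64)),        # bodies are placeholders;
                         build_ffs_file(PLATFORM_DRV_GUID, 0x07, bytes(32))], 0x2000)  # sections are not modelled
# Same volume with one extra DXE driver written into the free space, as a UEFI implant would do.
TAMPERED_IMAGE = build_fv([build_ffs_file(DXE_CORE_GUID, 0x05, bytes(64)),
                           build_ffs_file(PLATFORM_DRV_GUID, 0x07, bytes(32)),
                           build_ffs_file(IMPLANT_DRV_GUID, 0x07, bytes(102))], 0x2000)

if __name__ == "__main__":
    for label, img in (("golden", GOLDEN_IMAGE), ("tampered", TAMPERED_IMAGE)):
        extra = find_unexpected(parse_fv(img), BASELINE)
        print(label, "->", [f"{f.type_name} {f.name} @0x{f.offset:x}" for f in extra] or "clean")
```

Running the block prints `golden -> clean` and then the single unexpected DRIVER in the tampered volume. The point of the baseline diff is that it needs no knowledge of the implant: a header checksum, a file type, and a GUID that the golden image never contained are enough to raise an alert, which is why such a check still works for implants that have not yet been named or given IOCs.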