Skip to content
InTechnology Podcast

#55 – Why Firmware Attacks Are Threat Groups’ New Go-To

Firmware-based attacks are some of the hardest to detect, which is what makes them so dangerous; once someone has control over your hardware, they can do just about anything. In this episode of Cyber Security Inside, CEO and founder of Eclypsium Yuriy Bulygin joins Tom and Camille to share his expertise on the topic, offering a comprehensive view of vulnerabilities and how threat groups exploit them.

 

They cover:

  • Why firmware attacks are so brutal, and how the known vulnerabilities are being exploited by threat groups
  • How people can tell if they’ve been a victim of a ransomware attack and/or if it’s gotten down to the firmware level
  • Whether or not ransomware attacks should be paid
  • How the new model of working from home during the pandemic has shifted the threat landscape
  • What advice companies should consider securing their platforms

… and more.  Tune in for some next-level insight.

 

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Here are some key take-aways:

  • Firmware attacks have become more and more common as user and software protection have improved; adversaries needed to find a way of going undetected, which is why they began to target actual devices and equipment.
  • In fact, NIST reports that device vulnerabilities have increased five-fold in the past four years alone.
  • One of the biggest problems with firmware attacks is that that ransomware can come back even after a device has been cleaned because that’s how deeply embedded things are.
  • While it’s not good to incentivize successful ransomware attacks, there are certain cases where it becomes necessary; for example, a recent hospital attack led to the deaths of patients, and that would be a scenario where it would make sense to pay.
  • With more and more people working from home, remote endpoints have become a major target for threat groups.
  • It’s crucial to be able to authenticate users, have a strong understanding of devices, secure the applications and software stack used on remote endpoints, and protect the overall remote infrastructure to prevent attacks.
  • Bringing visibility into devices and equipment is essential to be able to make risk-based decisions.

 

Some interesting quotes from today’s episode:

“They started looking for other ways they could enjoy being hidden, being persistent, not being detected. And we started seeing a spike of attacks against devices, against the actual equipment and everything that comes with that equipment that organizations use.”

 

“I think we, as an industry, should be adopting a risk and threat-centric approach where we’re going to cover the fundamental pieces of devices or the software, firmware on those devices that are actually high risk for being attacked.”

 

“A very typical example is that a ransomware has attacked one of the companies that we’ve talked to, and they cleaned up that ransomware, but after a very short period of time, it came back.”

 

“They shifted and started exploiting the remote endpoints — the home devices that those remote endpoints are connected to and the network infrastructure that those remote devices are connecting through, like those VPN appliances and ADC appliances and so on and so forth.”

“There need to be new types of security solutions that protect those remote access infrastructure devices.”

 

“Some of these devices might need to be inspected for breaches even before they’re being used.”

Share on social:

Facebook
Twitter
LinkedIn
Reddit
Email

[00:41] Tom Garrison: Hi, and welcome to the Cyber Security Inside podcast. I’m your host, Tom Garrison. And with me as usual is my cohost Camille Morhardt. How are you doing Camille?

[00:49] Camille Morhardt: Hi Tom. I’m doing well.

[00:52] Tom Garrison: Our guest today without giving out his name yet is focused on firmware and being able to detect whether firmware has been hacked or manipulated.
And that’s super critical. When you think about hardware platforms, are they, whether they be clients or servers or IOT devices, you want to make sure that the hardware is in the state that you expect, and hasn’t been subject to any firmware expo.

[01:20] Camille Morhardt: Yeah. And he gets into a little bit about how you make a threat model or a threat map, so that you’re encompassing all aspects that could affect the firmware and the hardware, as well as the software. He dives deep in that space.

[01:36] Tom Garrison: It’s important because when you think about security and we’ve, we’ve even talked about this before as well, you don’t want to think about the way. The firmware was designed to work. You want to actually look at it from kind of the opposite and test ways of exploiting the firmware in ways that was never designed to do so, you know, in the, in the conversation that we have, I think he gets into the details and I hopefully for the listeners, they start to get a better flavor for what’s really at stake.
When you talk about, do I really understand the state of my platform before I use it.
[00:02:16] Camille Morhardt: Yeah. And I also thought it was interesting that as a person who’s dedicated to the security of firmware and making sure that companies can monitor that and manage it effectively. He’s thinking of threats, both from kind of rogue actors and mistakes also. State actors or, you know, highly organized, uh, attacks. So he’s really kind of running this gamut of anything that could be coming at an enterprise.

[00:02:46] Tom Garrison: Yeah. And that, that’s a great point because when you think about the more sophisticated attacks, meaning the ones that are more likely to come from either professional criminals or nation states, Those are much more likely to be firmware based attacks at least in some way, shape or form.
And so while some people that may not live in the security world may think, oh, firmware, this is kind of a nerdy topic. Probably doesn’t relate to me. That’s, couldn’t be further from the truth. Firmware based attacks are, are some of the hottest classes of attacks that are out there mostly because. Well, first they’re very, very hard to detect.
And secondly, if you can successfully. Attack firmware. Now you have control of the hardware and when you have control the hardware, you can pretty much do anything. And so it is definitely on the forefront of security attacks and our guests company is one of the leading companies in this space about finding and then alerting customers to firmware that has been explored.

[00:03:53] Camille Morhardt: Yeah. I’m, I’m excited to listen.
[00:03:55] Tom Garrison: Yeah. So let’s go right into it and let’s go.

[00:04:05] Tom Garrison: Our guest today is Yuriy Bulygin. He is CEO and founder of Eclypseum the comprehensive cloud-based device security platform that protects enterprise devices all the way down to the firmware and hardware level. Headquartered here in Portland, Oregon a local company, (we’ve got to love that) this company was named to Fast Company’s annual list of the World’s Most Innovative Security Companies for 2020, the CNBC Upstart 100 list and Gartner’s Cool Vendor list for security, operations and threat intelligence.
So that’s quite a list of accomplishments. Yuriy, you and I have worked together for many years, and I know that when you left Intel, you did so to fill what you perceive to be a niche in the security environment. Can you talk about that niche and what the need was for your customer?

[00:04:58] Yuriy Bulygin: The whole paradigm of security and defense in-depth that we’ve been using as an industry and the last decade or so have been centered around the user–you know, protecting the user, identifying the user and authenticating user with now multifactor authentication–and protecting the user activity, web activity, email traffic, and application activity.
And the second component was really protecting this software that user interacts with–the applications, the behavior of those applications, patching, making sure that those applications don’t have vulnerabilities and properly patched, and they’re not malicious.
What was really changing is the adversaries that realize that we’re getting better at the software level, at the application level; we’re getting better at monitoring user; we’re getting better at monitoring behavior of the user, and then trying to find those outliers and, you know, deviations from normal behavior and stuff. And the attacks and breaches have started to be discovered faster and faster, sooner and sooner, and that mitigates the impact.
And so the adversary is starting with sophisticated nation states and then moving to sophisticated non-nation state adversaries, crimeware groups, threat groups. They started looking for other ways, other ways where they can, um, enjoy being hidden, being persistent, not being detected. And we started seeing a spike of attacks against devices against the actual equipment and everything that comes with that equipment that organizations use.
In fact, NIST has published the number of vulnerabilities in the device has increased five-fold in just the last four years. Uh, so that was a, that was really the turning point because what seemed to be lacking is the security controls and techniques that industry needed to protect those devices, to protect all the software that is coming with those devices developed by manufacturers in the complex supply chain.

[00:07:04] Camille Morhardt: So what was the gap that they were diving into? Was it actually going below that application layer?

[00:07:12] Yuriy Bulygin: Camille it’s below the operating system itself outside of the operating system. You know, we started seeing some of the advanced actors and nation states have, um, started going after, uh, the firmware layer. The firmware layer in those devices and the end points and the servers that is not really visible to the operating system and all the security controls inside the OS.
Uh, so they started either exploiting vulnerabilities or they started infecting the firmware layer to get persistence because they cannot get detected. So that was the beginning. And, um, most of the, uh, major nation state threat groups today have the capability, but that has been a few years ago. Now we’re seeing is, uh, just recently I spoke with one of the larger financial services organization and they’re a target of a trick bot, as an example. And that trick bot is, it’s a massive botnet infrastructure that the trick bot gang lends to a number of ransomware folks– to ?Conti? ?Ryuke? and others who has done a lot of damage in the last few years.
There was a joint industry effort to take down that trick bought infrastructure and yet they came back and adopted the same techniques that the nation state ABTS have been using in the last few years by exploiting the firmware below the operating system, in order for them to stay in the target infrastructure. So now we’re seeing that, uh, this has moved from nation state to crimeware folks.

[00:08:42] Camille Morhardt: So how do you even begin? I mean, if you’ve got to cover everything from application security to OS-level security, to below the OS, behind the iOS, around the iOS, I mean, how do you actually even begin?

[00:08:58] Yuriy Bulygin: I think we, as an industry are adopting gradually and should be adopting risk and threat centric approach, where we’re going to cover the fundamental pieces of devices or the software firmware on those devices that are actually high risk for being attacked. The risk may include the number of vulnerabilities are increasing in those layers and they to be patched more often and you know, the exploitability of those vulnerabilities gets easier, um, maybe because patches are delivered for quite a while. Or it becomes easier for administrators to, um, attack those layers. And so we need to, when we see that increase in risk, when we see that increase in attacks into those layers, that’s what we need to cover as a security solution.

[00:09:46] Tom Garrison: The challenge that our listeners may face is that we hear about these sort of theoretical attacks all the time—“oh, this could happen or that could happen.” But in reality, none of us really know or very rarely do we ever experience it ourself. And usually you don’t even know of people. But you may read a story here or there in the press, but you sort of lived it.
And I thought it’d be interesting if, if you could share a couple of examples– obviously, without names–of companies that did come under attack and what those attacks were like and how did those companies deal with the threat and then, you know, get past it.

[00:10:29] Yuriy Bulygin: You know, let me use an example of a study that Microsoft just published. What they found out is that more than 80% of businesses have experienced at least one attack in the past couple of years, that was targeting devices and the, the, the firmware code on those devices. That’s a huge one. Why sometimes we don’t hear about those attacks?
We hear a lot, you know, about some of the public exploitation of a VPN device. In fact, ransomware operators in network, ?maze? or ?RAL groups, they all moved to exploit firmware on the networking devices like VPN and ADC– Application Delivery Controllers–in just the last year, because we all now use VPM working remotely, but those are public.
And you know, quite a few of those, these are just small percentages. Tip of the iceberg. We don’t hear most of them because they don’t need to be reported.

[00:11:26] Tom Garrison: Yeah. And most companies don’t want to admit that they, they had something go back, right?

[00:11:31] Yuriy Bulygin: They don’t have to admit, too. They go unreported, yet when we talk to companies in public and private sector in almost every case, we hear a story from those companies that they experienced some sort of a breach or some sort of a issue related to the device, their devices that they rely on either in data centers or maybe networking infrastructure or on the end points. The very typical example is a ransomware has attacked one of the companies that we talked to and they cleaned up that ransomware. Now, after a very short period of time, it came back. That turned out to be that that ransomware has been using firmware implants and the implants that it was infecting. Uh, and, uh, that’s a very common theme or I’d say example of how those threats effects organizations. Because when they get into it persistence level into the firmware, all those devices, they can come back even after cleaning up.

[00:12:39] Tom Garrison: Yeah. So this particular example that you’re talking about, it wasn’t just a matter of somebody clicked on something and they shouldn’t have, and it loaded some software onto the machine. It literally went all the way down and embedded into the firmware. So even if you completely wiped out the machine and started over from scratch the ransomware is still on the machine because it’s in that lower level firmware code that’s on the machine. Is that right?

[00:13:05] Yuriy Bulygin: It’s exactly that. You know, the regional infection might’ve been someone clicked the link, you know, just like the, the other example I talked to about trick bots–it is delivered through email malicious spam campaign. But then even as they are in those devices, in the end points or in the networking, uh, appliances in their firmware than after cleaning that infection, they just come back up pretty well just because they’re persistent.

[00:13:31] Camille Morhardt: So at this point you’re beholden to them? They can turn it on or off whenever they want.
[00:13:35] Yuriy Bulygin: You’re now around some victim and the infrastructure can be brought down, disrupted. And that is a major concern for a lot of organizations that rely on data up time and, you know, making sure that their infrastructure stays up or they can be held for ransom multiple times, but multiple groups.

[00:13:56] Camille Morhardt: That’s what I was thinking. Yeah. How do you know if you’ve been a victim of ransomware how can you tell if it’s hit you at the firmware level? Is there a way to find that out?

[00:14:06] Yuriy Bulygin: Uh, so typically I don’t want to go into a full pitch mode, uh, as a CEO of a, of a company that builds technologies like that. But, uh, this is what we are trying to solve the type of visibility and the type of detection of those types of threats that we’re trying to help our customers with.

[00:14:26] Camille Morhardt: What would be your advice, just out of curiosity. I’ve heard different people in industry and public works or municipalities have different answers with respect to it. Do you think that ransomware should be paid? Do you think it depends? Is it black and white? What’s your take on it?

[00:14:45] Yuriy Bulygin: Uh, it’s a great question, Camille. Uh, I think it really depends. On the one hand, we absolutely don’t want to incentivize those ransomware operators to, um, make those attacks successful now and in the future can be increase their ROI of making those attacks. But at the same time, um, you know, in certain cases that ransomware is effecting, you know, critical functions. And, um, we had a recent, unfortunate incidents that involved, uh, death of, uh, patients in the, in the hospitals because of the ransomware attack.
Uh, in certain cases different decisions would need to be made in order to potentially save people’s life where lives were or save the infrastructure. From a firmware perspective these are very damaging attacks because, uh, we all remember the, uh, the old ?? attack, which was a kind of a ransomware slash wiper that caused a lot of damage to a number of organizations. It was actually attacking some of the, a bitloader firmware components outside of the OS and caused the damage through that.
But the similar type of attacks in the modern systems and the current environments can physically destroy infrastructure and physically destroy servers and data centers, physically destroy, you know, critical end points that companies rely on. That type of tech can physically destroy the infrastructure.

[00:16:10] Tom Garrison: So, these are known vulnerabilities that exist. So the bad guys know that these vulnerabilities exist and they are assuming that the IT administrators haven’t patched these various devices. So it’s a known attack and they’re just counting on people not having updated their machines.

[00:16:32] Yuriy Bulygin: Yeah, absolutely. In fact, they’re right, because those appliances are almost never patched and never have been patched. Now we’re seeing that some of the organizations are getting better at actually patching them because almost every month, we see the new vulnerability remotely exploited by a number of threat groups. As we speak there, the number of organizations being breached because of the old legacy selling FTA appliance, because of the very simple, old vulnerabilities.
Now, as an attacker, we’ve been used to, um, you know develop a very complicated exploit or an attack that needs to escape, multiple sandboxes that are built by our, um, applications and operating systems and escape detection by multiple end points security solutions and elevate, uh, privileges multiple times, or they can just remotely exploit a network appliance–a vulnerability of that is a network web vulnerability and the firmware of that network appliance that has never been secured in the last 15 years. Um, so as we speak, those campaigns are happening and, uh, they have been on a huge rise in the last, in the last year.

[00:17:43] Camille Morhardt: So, hey Yuriy, um, are, are you seeing–and maybe this is what you were alluding to–but as a lot of different organizations are moving into more of a hybrid model and people are working out of a home office, maybe perpetually now for a portion of the week, are you seeing a shift or are you expecting a big shift in the threat landscape?

[00:18:05] Yuriy Bulygin: It absolutely has shifted and the adversaries shifed immediately. Because they immediately realized that all those remote end points, they don’t have the traditional enterprise security controls anymore. They’re outside of a traditional enterprise security perimeter. They connect to whole bunch of devices. I’m talking in a corporate laptop that is connecting through a home router and connected to ?? and so on and so forth. That may be part of the route or botnet. That’s a, there are plenty of those in the last few years.
Uh, so absolutely they shifted and they started exploiting the remote endpoints– The home devices that those remote end points are connected to and the infrastructure, the network infrastructure that those remote devices are connecting through like those VPN appliances and ADC appliances and so on and so forth.
One of our customers before the current pandemic, they had very few fully remote end points. And as pandemic hits, they moved to 99% remote, just like everyone else. And every remote endpoint, remote laptop has become critical asset for the company. And that’s a very, a very typical scenario.

[00:19:19] Camille Morhardt: What do we do moving forward? I mean, do companies need to manage all of the different devices and endpoints that are in people’s homes or is there another kind of a solution for that?

[00:19:32] Yuriy Bulygin: Oh, I think from a remote, from securing remote work and remote workforce perspective, when need at least three components. One component is understanding who is connecting anything about the user authenticating the user, uh, making sure that a user behavior doesn’t exhibit any compromise or any attack.
The second component is really securing the applications and the software stack used on those remote endpoints. And I think we have a great solutions on the markets, you know, from traditional antiviruses to next generation ?ARSes?, endpoint security solutions and so on, uh, to do that; however, that is still user centric, very user centric because, uh, those are applications that typically a user interacts with. What we need to have is a component that understands the device that those users are connecting from, uh, the device, uh, including all of the firmware, including all the, uh, software developed by the manufacturers of that device and suppliers of components inside their device, to just really understanding if that device has been compromised has been tampered with or somehow infected.
And the fourth component I think what’s important is to extend that to the remote access infrastructure because remote access infrastructure involves a lot of networking equipment, a lot of servers that provide that access, including maybe cloud cloud-based servers and environments that provide that access. So that needs to be secured as well at the device level. And there are new users there. These need to be a new type of solutions, security solutions that protect those, uh, remote access infrastructure devices.

[00:21:18] Tom Garrison: So Yuriy, I guess maybe to wrap this up, you know, for the people that are listening to this podcasts who are involved in technology, but maybe don’t live every day in the security world, what advice would you give them? Maybe one or two or three max. words of advice when you think about securing your platforms, keeping your company safe, what advice would you give them?

[00:21:42 ] Yuriy Bulygin: The advice is fairly simple. They need to start looking in shedding light into pieces of that infrastructure that they did not have visibility and the actual equipment and the supply chain of that equipment you know, the third party suppliers that, uh, you know, provide those, um, all sorts of devices that we rely on is a, a very significant visibility gap. So bringing the visibility into the equipment, into the devices, into that type of infrastructure is the first step.
And based on that, organizations can make decisions informed by current risk, which devices need to be patched, which devices can be deferred, which devices need to be monitored closely for any sort of a compromise, which devices need to be monitoring for supply chain breaches. You know, some of these devices might need to be inspected for breaches even, even before they’re being used.

[00:22:49] Tom Garrison: Before we let you go. We like to do a, a fun, little exercise and activity of sharing, some pearls of wisdom or something you found really interesting lately that you think our listeners would find interesting as well. So I wonder, do you have anything on the top of your mind that you’d like to share with our listeners?

[00:23:11] Yuriy Bulygin: By now, I think we’re all fairly familiar with, uh, this gene editing tool, the Crisper cas9 that has been discovered in around 2012. And one of the Nobel Prizes in, in medicine was, um, two researchers discover and discovered it. Well, it wasn’t well known, I think is a red before the COVID pandemic started in March, our own Oregon OHSU had the first ever gene editing surgery done, uh, on a patient with a inherited blindness that was done on a patient, not on some DNA material or, or cells in the lab. That’s amazing.

[00:23:51] Camille Morhardt: And could the person see after that?

[00:23:54] Yuriy Bulygin: The results are still being evaluated. They plan for 18 patients to, um, do those trials on. Hopefully we’ll see the results soon in 2021.

[00:24:06] Tom Garrison: Wow. I had not heard about that. That’s cool. And it’s also interesting it’s happened right here in the backyard of, uh, OHSU. So that’s great. Uh, so thanks for sharing that. Camille, how about you and interesting things to share?

[00:24:18] Camille Morhardt: Well, this weekend, we celebrated my son’s birthday. And so I forgot to come up with a fun fact. So I’ve raced out of the room right before we started and asked my son, cause it is his birthday today. I said, “okay, you get to give me the fun fact, whatever it is, I’ll say it on the podcast.” And he said, “Crocodiles can’t stick out their tongues.” So I Googled it and it turns out that alligator can stick out their tongues, but crocodiles cannot; their tongues are secured by a membrane to the roof of their mouth and therefore they cannot stick out their tongue. So that is my fun fact for the day.

[00:24:58] Tom Garrison: That is impressive, you know? So there’s another little interesting fun fact. Is that your son and my daughter share birthday, uh, because today’s my daughter’s 21st birthday.

[00:25:12] Camille Morhardt: How about that? Yeah. That’s pretty cool. Yeah,

[00:25:17] Tom Garrison: That’s right. Um, so my fun fact was not that my fun fact is something now, by the time this podcast gets aired, this will be long since history, but, um, today is actually the day of the men’s basketball, uh, National Championship game. And so I thought in, you know, regards to, to that, it’d be fun to know what is the odds of picking the perfect bracket and, uh, the odds of picking the perfect bracket–so the winner in every one of those games leading up to the championship game is a staggering one in 9.2 Quintrillion.

[26:02] Camille Morhardt: Wow.

[26:03] Tom Garrison: So for those of us that know how big quintillion is, if we just measured it in seconds and we said, how many, how long would it take to do 9.2 quintillion seconds? It would be 292 billion years. So let’s just say it’s probably not gonna happen.

[00:26:30] Camille Morhardt: Can you help me understand what 292 billion years is?

[00:26:34] Tom Garrison: Yeah. It’s, uh, it’s pretty old. It’s pretty, pretty long, long lived, but that was kind of interesting now that’s, that’s assuming that you’d know nothing about basket. So you’re just literally, it’s like a coin toss. You’re just heads or tails. If you do know something about basketball, they’ve actually rejiggered the, uh, numbers and it turns out that’s still a staggering one in 120 billion to get a perfect bracket. And, uh, rest assured this year, I did not even come close to it the perfect bracket. Anyway, so there’s my fun facts of the day. Odds are you are not going to pick the perfect bracket, but you can still enjoy the games.

[27:17] Yuriy Bulygin: Um, so maybe next year.

[27:19] Tom Garrison: It can happen mathematically. We’re all mathematicians here at art, and we know it’s possible, which is probably not going to happen. But Yuriy, thank you again for joining us for the podcast. I thought it was interesting and insightful, and I hope our listeners feel the same way.

[27:34] Camille Morhardt: Thanks Yuriy.

[00:27:35] Yuriy Bulygin: Thank you, Tom. Thank you, Camille. It’s been a real pleasure.

More From