Derek B. Johnson
Trickbot, the notorious botnet and banking Trojan, has a new trick up its sleeve.
According to new research by Eclypsium and Advanced Intelligence, the malware now “makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write or erase the UEFI/BIOS firmware of a device.” A threat actor leveraging this capability could use it to attack weaknesses in the booting process to install backdoors, firmware implants or even brick targeted devices.
Eclypsium and Advanced Intelligence researchers say the findings represent an “important advance” in Trickbot’s ever evolving toolset, which is often used by other threat groups to gain an initial foothold into a targeted network before launching further attacks. The malware-delivering botnet has long tentacles – researchers have observed hundreds of thousands of newly infected devices over the past two months, peaking at 40,000 hijackings in a single day – and this new capability takes direct aim at vulnerabilities in the booting process, which is often overlooked within the cybersecurity ecosystem.
The researchers say it could substantially reduce the amount of effort it takes to find targets with softer security protocols around their UEFI/BIOS firmware. The code that supports the boot process are the first lines of code that gets executed on a system or device, meaning a compromise would give criminal hackers control over the operating system and even endure backup and recovery efforts after a successful attack.
“By adding the ability to canvas victim devices for specific UEFI/BIOS firmware vulnerabilities, TrickBot actors are able to target specific victims with firmware-level persistence that survives re-imagining or even device bricking capability,” the research states.
The vulnerability can be patched, but only on the manufacturer side. That means any device shipped without addressing it will be exposed during the booting process, and security teams will need to reflash or rip out and replace the motherboard entirely to ensure an attacker is truly flushed out of the system after backup and recovery. That’s less of a problem for top-tier vendors who have the resources and personnel to focus on boot security. It can be a real problem for smaller or mid-tier vendors where the efforts are much more uneven.
“There’s definitely different, varying levels of security maturity from the different manufacturers and because you’re depending on the manufacturer to provide these updates, it’s a lot more of a wide open field,” Jesse Michael, a principal researcher at Eclypsium, told SC Media in an interview.
Thus far the researchers have only observed Trickbot doing reconnaissance on firmware vulnerabilities, but warn “it is quite possible” that threat actors are already exploiting them in the wild against valuable targets.
Ransomware actors often offer to close the backdoors they used to compromise a victim organization after they pay. But if they’ve compromised the booting process, they “can show a victim that they have removed common forms of backdoors like webshells, accounts, remote admin tools, etc., but keep a covert UEFI implant on the system to awaken later,” the researchers wrote.
The researchers believe Trickbot’s new capability is reflective of a larger shift among hacking groups to move further down the stack to target the booting process, where detection and mitigation activities are more challenging compared to vulnerabilities in the operating system. Earlier this year, Michael and another Eclypsium researcher Mickey Shkatov discovered Boothole, another damaging and persistent vulnerability in the booting process that had the potential to put billions of Linux and Windows devices at risk of takeover.
But folding this capability into an operation like Trickbot could be especially impactful. The core operators have historically utilized a hybrid business model that offers its malware to as many as 50 different threat groups as either access as a service or commodity access to infected systems and devices. That means it has the potential to be swiftly weaponized by a large swath of partnering APT and cybercriminal groups in the near future.
“The future is the gravity and center of power along the lines of cyber defense will be shifting towards more firmware…because of the fact that firmware has not received much attention at all before,” Vitali Kremez, CEO of Advanced Intelligence, told SC Media.