Supply chain attacks have been a growing threat for years. For any growing business, a dependence upon partners allows for the business to focus on their core mission. In many cases, this can typically involve either making technology partnerships or adopting technology platforms through mergers and acquisitions. Any of these changes require analysis to determine what new risks may be incurred. This week we’re focusing on recent news related to supply chain attacks, and the risks of adopting new technology through adoption or acquisition.
Third-party kernel drivers are becoming a more appealing target for attackers and an important area of research for security analysts. A vulnerability in a signed third-party driver could have a serious impact: it can be abused by attackers to escalate privileges or bypass driver signature enforcement—without requiring discovery and use of a Windows 0-day.
Computer manufacturers usually ship devices with software for device management. This software contains components that run with ring-0 privileges in the kernel. With these components installed by default, each must be as secure as the kernel.
Microsoft recently traced some anomalous behavior to a device management driver, PCManager, developed by Huawei. They found a lapse in the design that led to a vulnerability that could allow local privilege escalation. Huawei has come under major fire from critics as allegedly being an espionage arm of the Chinese government. Huawei has been pursuing plans to roll out a 5G network that the Five Eyes (FVEY) reportedly are working against as it could impact their ability to collect intelligence signals.
Microsoft reported the vulnerability (CVE-2019-5241) to Huawei. On January 9, 2019, Huawei released a fix. Windows Defender will now detect successful privilege escalation exploiting the HwOs2Ec10x64.sys watchdog vulnerability as demonstrated in the screenshot on the Microsoft Vulnerability Research blog.
Huawei wasn’t the only manufacturer catching press last week. Researchers discovered that a threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.
The trojan utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The threat actor even made sure the file size of the malicious utility stayed the same as that of the original one. Just, wow. The level of access they had here is insane.
According to Kaspersky researchers, it was distributed to about one million people total. The cybercriminals behind it were not interested in all of them, however — they targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility. My first thought was: Surely there are better ways to hack 600 specific machines than trying to scoop them into a net of a million. Interesting technique here.
There is obviously a lot more to this story. If you want to check if you’re the target of this mystery, Kaspersky released a MAC checking service rather than just giving us the 600 MAC addresses. I’m sure they’ll leak out at some point.
In addition to ASUS, the same techniques were used against software from three other vendors. Those vendors were not disclosed at this time. Update the ASUS Live Update Utility if you use it or just consider burning your ASUS.
Please allow me to put on my tin foil hat. With all these vulnerabilities baked in by manufactures (that are actively being used on a large scale by a sophisticated actor) it is almost like this is not a coincidence. It is almost like there is an objective to infiltrate organizations through their technology.
In similar news from a different source, a little bird tells me that Razer Laptops have a vulnerability affecting all current laptops where the SPI Flash is set to full read/write and the Intel CPU is left in Manufacturing Mode. This allows for attackers to safeguard rootkits with Intel Boot Guard, downgrade the BIOS to exploit older vulnerabilities such as Meltdown, and many other things. According to the report, “[Razer] have yet to look into getting a CVE assigned, saying it isn’t necessary.”
Based on all of this suspicious activity, is it really hard to imagine that Bloomberg got their recent story reporting right? They have never retracted this story. They stand by this story of Supermicro hardware supply chain being infiltrated to plant some rogue technology. According to their reports, “the attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.”
Based on Bloomberg’s reports, it was Amazon that discovered the implant during acquisition due-diligence of startup Elemental Technologies to help with a little streaming video service you may have heard of, Amazon Prime Video.
Nested on Elemental Technologies’ servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. According to Bloomberg, “Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.”
This report by Bloomberg has been denied, but (tinfoil hat) that may be because this breach was too large and too impactful to be confirmed. If Bloomberg got it right, then the Five Eyes are right to be concerned about Chinese government efforts to use private Chinese companies as an espionage arm to implant backdoors to infiltrate organizations and governments on a global scale.
We have reported on the security risks of mergers and acquisitions in the past, like what happened to Marriot and Starwood where data of 500 million customers was breached. Perchy recommends security monitoring before, during, and after M&A activity to protect against infiltration.