Eclypsium | Supply Chain Security for the Modern Enterprise
https://eclypsium.com/home/
Feed generated Thu, 16 Nov 2023 02:23:36 +0000

Zyxel Firewall Vulnerabilities Reveal the Complexity of the IT Infrastructure Supply Chain
https://eclypsium.com/blog/zyxel-firewall-vulnerabilities-reveal-the-complexity-of-the-it-infrastructure-supply-chain/
Thu, 16 Nov 2023 12:00:00 +0000

Recently SektorCERT (previously EnergiCERT) published a report on what it describes as the largest known cyber attack against Danish critical infrastructure. Reading through the report, it appears that an unauthenticated, remotely exploitable vulnerability in Zyxel firewalls (CVE-2023-28771) was used to gain the initial foothold.

This vulnerability was reported to Zyxel in April 2023 by an independent third party. The vulnerable service is the firewall's IPsec implementation, reached over UDP port 500 with a specially crafted IKEv2 packet. Rapid7 reverse-engineered the patch and published the details.

Digging Into The Supply Chain

I reviewed Rapid7's analysis of the vulnerability, as they went through the trouble of reverse engineering the patch. The vulnerability lies in a binary included in the Zyxel firmware called "sshipsecpm". Many years ago I implemented a few different IPsec-based VPNs for organizations I worked for at the time. IPsec is a complex suite of protocols and (in my opinion) not something you would want to implement yourself; the usual choice is to license an implementation from a third party or rely on an open-source one. In either case, a vulnerability in that library or service trickles down into every product that embeds it and, if left unchecked, poses a threat to the entire system and all of its customers.

I looked up details on the “sshipsecpm” binary, essentially just Google searching for its name. While not many results were present, there are references to third parties that may be responsible for distributing this software. Some examples are listed below:

DFL-1660:/> about

D-Link Firewall 2.30.01.06-15906
Copyright Clavister 1996-2011. All rights reserved
QuickSec SSHIPSECPM version 2.1 library 2.1
Copyright 1997-2003 SafeNet Inc
Build: May 12 2011

Reference: https://forum.dlink.ru/viewtopic.php?f=3&t=150560

gateway:Clavister SG 51
ver: CorePlus 8.90.10.01-13428
QuickSec SSHIPSECPM version 2.1 library 2.1
Copyright 1997-2003 SafeNet Inc
Build : Feb 4 2010

Reference: https://vpn-help.shrew.narkive.com/jgswdHCx/tunnel-seems-to-be-up-but-cant-get-traffic-trough 

It appears that the software is called "QuickSec SSHIPSECPM" and is included in both D-Link firewalls (a name you likely recognize) and Clavister firewalls (a name you may not recognize; Clavister is a Swedish vendor of firewalls and other security appliances). The "ssh" prefix and the 1997 copyright start are consistent with the toolkit's origin at SSH Communications Security, which sold its QuickSec IPsec toolkit business to SafeNet in 2003; SafeNet itself was later sold a couple of times and is now owned by Thales. It is difficult to determine exactly where Zyxel's copy came from, or which version it is, but the evidence points to Zyxel embedding a third-party IPsec stack rather than implementing its own.
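The lookup above was done by hand: pull a name out of a binary, search for it, find the vendor. The same identification can be automated over an unpacked firmware image by extracting printable strings from every binary and matching them against a catalog of vendor, version and copyright markers. The script below is an added example, not code from the post or from Eclypsium; its catalog patterns and the sample "binaries" are constructed for illustration and would be replaced by a real catalog and the files from a real image.

```python
"""
Added example (not from the Eclypsium post): fingerprint third-party components
in unpacked firmware by scanning binaries for vendor/version/copyright strings,
the automated form of the manual lookup done above for "sshipsecpm".
The catalog patterns and the sample "binaries" below are constructed for
illustration; they are not taken from any real firmware image.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Minimal catalog of marker strings that identify embedded third-party code.
# The entries are assumptions for the example: a real catalog would be much
# larger and would carry CPE/PURL identifiers for matching against vuln feeds.
CATALOG = {
    "QuickSec IPsec toolkit": [
        rb"QuickSec SSHIPSECPM version (?P<version>[\d.]+)",
        rb"Copyright (?P<years>\d{4}-\d{4}) SafeNet Inc",
    ],
    "OpenSSL": [rb"OpenSSL (?P<version>\d+\.\d+\.\d+[a-z]?)"],
    "BusyBox": [rb"BusyBox v(?P<version>[\d.]+)"],
}

PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")  # same idea as `strings -n 8`


@dataclass
class Finding:
    path: str
    component: str
    evidence: str
    version: Optional[str] = None


def printable_strings(blob: bytes) -> list:
    """Extract runs of printable ASCII (8+ chars), like strings(1)."""
    return PRINTABLE.findall(blob)


def fingerprint(path: str, blob: bytes) -> list:
    """Match every catalog pattern against every string in one binary."""
    findings = []
    for s in printable_strings(blob):
        for component, patterns in CATALOG.items():
            for pat in patterns:
                m = re.search(pat, s)
                if m:
                    version = m.groupdict().get("version")
                    findings.append(Finding(path, component, s.decode("ascii"),
                                            version.decode() if version else None))
    return findings


def inventory(files: dict) -> dict:
    """Map each identified component to the set of binaries that embed it."""
    result = {}
    for path, blob in files.items():
        for f in fingerprint(path, blob):
            result.setdefault(f.component, set()).add(path)
    return result


# Constructed stand-ins for files from an unpacked firmware image: ELF-like
# padding around the kind of strings the real binaries print in their
# "about" output (compare the D-Link and Clavister console output above).
SAMPLE_FILES = {
    "usr/sbin/sshipsecpm": (b"\x7fELF\x01\x01\x01" + b"\x00" * 32
                            + b"QuickSec SSHIPSECPM version 2.1 library 2.1\x00"
                            + b"Copyright 1997-2003 SafeNet Inc\x00" + b"\x90" * 16),
    "bin/busybox": b"\x7fELF" + b"\x00" * 8 + b"BusyBox v1.21.1 (2013-06-30)\x00",
    "usr/lib/libz.so": b"\x7fELF" + b"\x00" * 8 + b"inflate 1.2.8 Copyright\x00",
}

if __name__ == "__main__":
    for component, paths in sorted(inventory(SAMPLE_FILES).items()):
        print(f"{component}: {', '.join(sorted(paths))}")
```

Run against a real image, feed `inventory()` the output of a firmware unpacker (one entry per extracted file) and the result is the start of a component list you can cross-reference with vendor advisories, which is exactly the question the Zyxel case raises: which other products ship the same QuickSec build?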

Potential Impact

While Zyxel disclosed the vulnerability and provided patches, the story goes a bit deeper and points to a supply chain issue. The same IPsec software appears to be present in other vendors' products. Whether the same flaw is reachable in those products depends on how each vendor integrated and configured the component; it may have been mitigated in other implementations, but a Zyxel advisory alone does not tell you that.

Generally, less attention is paid to the third-party software inside products, especially for IT infrastructure devices such as firewalls. We tend to trust our vendors to develop products securely. But as this Zyxel example shows, attackers do pay attention and take advantage of the complexity of the IT infrastructure supply chain.

Eclypsium provides organizations with supply chain intelligence so that they can assess the risk of IT products—even before bringing them on board. We’ve already done the deep analysis of hardware, firmware, and software components so that you can evaluate risk before purchase, or understand what risk you have present in your environment. In addition, our supply chain security platform helps you to continuously monitor and remediate these threats in your production assets, including for network devices such as firewalls, ADCs, and VPNs. 

BTS #17 - Protecting The Digital Supply Chain - Yuriy Bulygin
https://eclypsium.com/podcasts/bts-17-protecting-the-digital-supply-chain-yuriy-bulygin/
Wed, 15 Nov 2023 22:36:53 +0000

Dr. Yuriy Bulygin is the CEO and founder of Eclypsium, the digital supply chain security company. Prior to Eclypsium, Yuriy was Chief Threat Researcher at Intel Corporation. He is also the creator of CHIPSEC, the popular open-source firmware and hardware supply chain security assessment framework. When enterprises started using CHIPSEC to find vulnerabilities, discover compromised firmware, or just poke around hardware systems, Yuriy founded Eclypsium with Alex Bazhaniuk. Since then Eclypsium has been on a mission to protect devices from supply chain risks.

Eclypsium Collaborates With Intel to Provide Enhanced Visibility Into Infrastructure Supply Chains
https://eclypsium.com/press-release/eclypsium-collaborates-with-intel-to-provide-enhanced-visibility-into-infrastructure-supply-chains/
Tue, 14 Nov 2023 17:02:40 +0000

Eclypsium’s Supply Chain Security Platform Creates Trust Through Transparency With Insights From Intel

Portland, OR – November 14, 2023 – Eclypsium, the digital supply chain security company protecting critical hardware, firmware, and software in enterprise IT infrastructure, today announced its collaboration with Intel to provide enhanced visibility into supply chains with the Eclypsium Supply Chain Security Platform. The new offering helps businesses improve mean-time-to-detection and bolster security posture, lower hardware costs by extending the life cycle of devices, achieve regulatory compliance by easily implementing security controls for device integrity and firmware security, and reduce supply chain risk by making better IT procurement decisions and quickly assessing the impact of threats.

The globalization of digital supply chains, coupled with the complexities of modern manufacturing logistics, make it increasingly difficult for businesses to trace the origin and safety of the components within their devices. With reports of firmware attacks rising rapidly in recent years — more than 500% since 2018, according to the National Institute of Standards and Technology (NIST) — supply chain risk is a growing concern for organizations globally. Without a firmware upgrade plan in place, organizations are at high risk for breach due to vulnerabilities, largely because current supply chain practices are limited to screening out counterfeit components, particularly when it comes to products containing many subsystems. Endpoint security and vulnerability management tools do not adequately capture foundational vulnerabilities, including those in firmware, BIOS, and microcode. 

“Businesses need assurance that their data center suppliers can provide tamper-proof supply chains, from the manufacturing facility all the way into the hands of the end user,” stated Yuriy Bulygin, CEO and cofounder of Eclypsium. “But when the 2022 Verizon Data Breach Investigations Report says the supply chain is responsible for nearly two-thirds of system intrusion incidents, we know this isn’t happening. Organizations need the ability to validate the authenticity and integrity of components and software from their suppliers. Eclypsium’s partnership with Intel fills a void in existing supply chain security practices, tracking vulnerabilities and ensuring the integrity of critical device components and software. Our goal is to create trust in the infrastructure supply chain through transparency.”

Digital supply chains are a complex web of products that rely on a myriad of components sourced from a network of ever-changing suppliers, who in turn rely on their own networks of sub-suppliers. This creates an inherent level of invisible risk for every device-user along the chain, with a single weak link able to compromise the entire system. Eclypsium fortifies businesses against supply chain threats, from the foundational hardware and firmware to cloud infrastructure, enabling them to quickly implement crucial security controls, asset inventory, vulnerability management, and threat detection across their entire digital supply chain. 

“Intel® Endpoint Cloud Services offers a set of innovative and advanced insights for vulnerability management and supply chain risk. Insights from Intel® Transparent Supply Chain and Intel® Device Health enable organizations to proactively protect against emerging vulnerability and supply chain threats,” said Anand Pashupathy, vice president and general manager of Intel’s Security Software and Services Division. “Our work with Eclypsium delivers these insights within an enterprise-class solution, enabling decision makers to act with the most detailed and up-to-date information possible.”

Intel® Endpoint Cloud Services include Intel® Transparent Supply Chain, a set of tools, policies, procedures, and data capture that extend from motherboard production, through the manufacturing factory floor, to the data center, enabling users to verify the authenticity of components, installed firmware, and the configuration of their systems. The services also include Intel® Device Health, which automates the identification and targeted patching of foundational vulnerabilities found in BIOS and UEFI, CPU microcode, Intel® Management Engine, and other types of firmware. 

To learn more about the Eclypsium Supply Chain Security platform and Intel® Endpoint Cloud Services, visit Eclypsium.com/Intel, or email sales@eclypsium.com.

ABOUT ECLYPSIUM

Eclypsium’s cloud-based and on-premises platform provides digital supply chain security for critical software, firmware and hardware in enterprise infrastructure. Eclypsium helps enterprises and government agencies mitigate risks to their infrastructure from complex technology supply chains. For more information, visit eclypsium.com.

ABOUT INTEL

Intel (Nasdaq: INTC) is an industry leader, creating world-changing technology that enables global progress and enriches lives. Inspired by Moore’s Law, we continuously work to advance the design and manufacturing of semiconductors to help address our customers’ greatest challenges. By embedding intelligence in the cloud, network, edge and every kind of computing device, we unleash the potential of data to transform business and society for the better. To learn more about Intel’s innovations, go to newsroom.intel.com and intel.com.

NSA Guidance Calls Out What Your Zero Trust Strategy is Probably Missing
https://eclypsium.com/blog/nsa-guidance-calls-out-what-your-zero-trust-strategy-is-probably-missing/
Thu, 09 Nov 2023 18:07:32 +0000

At the highest level, Zero Trust seems pretty straightforward—never trust, always verify. The hard part comes when security leaders and practitioners have to apply that concept to an incredibly complex technology stack. From the lowest levels of device hardware to the most abstracted levels of virtualization, there are countless opportunities for blind trust to creep into an organization. To make things manageable, the U.S. Federal government breaks Zero Trust into core pillars that include User, Device, Application and Workload, Data, Network, Automation and Orchestration, and Visibility and Analytics.

The U.S. National Security Agency (NSA) recently published a cybersecurity information sheet (CSI) that provides a deeper dive into the Device pillar. This is timely guidance because the device level is where attackers are increasingly active yet also where Zero Trust programs are typically the weakest. This is because most organizations lack deep technical insight into their actual devices. Most endpoint security products work at the application/OS level yet lack insight into the supply chain elements such as hardware, physical components, firmware, boot processes, and the other low-level systems and configurations that govern how an asset actually does its job. And of course, many devices such as network and IoT devices can’t support an endpoint agent at all. 

With this in mind, let’s briefly take a look at some of the lessons from the recent NSA doc titled, Advancing Zero Trust Maturity Throughout the Device Pillar.

Trust Below the OS

First and foremost, the NSA doc defines what the device pillar entails, specifically calling out the critical components and code that sit below the operating system.

This ZT device pillar CSI prescribes mechanisms to shield devices from low-level, persistent threats over their entire lifecycle. Adoption of a ZT mindset enables organizations to never assume devices within an established environment are secure or that actors cannot hide from defenses in the OS or applications by delving into hardware and firmware.

This focus on hardware and firmware is consistent across the entire document. Threat examples focus on firmware implants, malicious bootloaders, and exploits against device components. Vulnerability and device management calls out firmware, server BMC configurations, TPM certificates, and similar low-level resources below the operating system. This is important because these are precisely the areas where many organizations place the most blind trust. 

Device Inventory and the Supply Chain

The NSA doc says that Zero Trust for devices needs to go beyond just listing out the assets in inventory. Organizations need to dig deeper to audit the low-level components within those devices and across the complete technology lifecycle. This specifically calls out the need for processes and tools to proactively verify the integrity of the supply chain. The document calls out the following phases of maintaining a device inventory.  

  • Procurement: Identify criteria governing device purchases…may involve the need for specific Trusted Platform Module (TPM) certificates, firmware configuration, or component part revisions. Vendors may list multiple variants or configurations of the same device, but only some may have the necessary components and capabilities.
  • Acceptance Testing: NIST SP 800-161 calls for enterprises to adopt acceptance testing as a mechanism to audit supply chain integrity. Software Bill of Materials (SBOM), Reference Integrity Manifest (RIM), and TPM Platform Certificate provide artifacts that establish an auditable chain of custody from the production factory to the receiving organization.
  • Deprovisioning: Devices may store protected data within components other than the storage drive. Plan to securely erase storage media, factory reset firmware, securely erase TPM NVRAM memory, reset Baseboard Management Controller (BMC) configurations, remove UEFI Secure Boot modifications, and clean up other organization-specific customizations before retiring a device. Inventory should support status records necessary to ensure safe and secure deprovisioning.

This guidance reveals how device-level security and supply chain security are intertwined. An organization simply can't understand the security of its assets if it doesn't know precisely what should be inside those assets, what actually is inside them, and where they come from.
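The acceptance-testing step above reduces to one comparison: what the vendor's reference artifacts say should be in the device versus what the device actually reports. The script below is an added example, not from the post or the NSA document, of that comparison as a pass/fail gate. The manifest format, component names and every digest are constructed for the example; a real reference would be a CoSWID/SWID Reference Integrity Manifest and the measurements would come from the device itself (UEFI event log, BMC inventory, vendor tooling).

```python
"""
Added example (not from the Eclypsium post or the NSA CSI): an acceptance test
that compares a received device's self-reported firmware inventory against a
vendor reference of approved revisions and image digests. All component
names, versions and digests are constructed for the example.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reference artifact: component -> {approved version: digest of
# the image the vendor shipped for that version}. A None digest means the
# component attests a version but has no image to hash (here, the TPM).
REFERENCE = {
    "BIOS": {"1.14": sha256_hex(b"constructed BIOS image 1.14")},
    "BMC": {"2.81": sha256_hex(b"constructed BMC image 2.81"),
            "2.83": sha256_hex(b"constructed BMC image 2.83")},
    "NIC0": {"20.30": sha256_hex(b"constructed NIC firmware 20.30")},
    "TPM": {"7.85": None},
}


def acceptance_test(reference: Dict, measured: Dict) -> List[Tuple[str, str, str]]:
    """Return (severity, component, detail) findings; an empty list means accept.

    Four failure classes, matching the procurement/acceptance criteria above:
    a component the manifest expects is missing, a component the manifest does
    not list is present, an approved component runs an unapproved revision, or
    an approved revision's image does not hash to what the vendor shipped.
    """
    findings = []
    for comp in sorted(set(reference) | set(measured)):
        if comp not in measured:
            findings.append(("high", comp, "expected component not reported by device"))
            continue
        if comp not in reference:
            findings.append(("high", comp, "component not in vendor manifest"))
            continue
        version, digest = measured[comp]
        approved = reference[comp]
        if version not in approved:
            findings.append(("medium", comp, f"firmware {version} is not an approved revision"))
            continue
        expected = approved[version]
        if expected is not None and digest != expected:
            findings.append(("critical", comp, f"firmware {version} digest mismatch (possible tampering)"))
    return findings


# Constructed measurements from a received device: the BMC image does not hash
# to the shipped 2.81 image, the NIC runs an older revision, an unlisted RAID
# controller is present, and no TPM is reported at all.
MEASURED = {
    "BIOS": ("1.14", sha256_hex(b"constructed BIOS image 1.14")),
    "BMC": ("2.81", sha256_hex(b"constructed BMC image 2.81 with one byte changed")),
    "NIC0": ("20.28", sha256_hex(b"constructed NIC firmware 20.28")),
    "RAID0": ("5.0", sha256_hex(b"constructed RAID firmware")),
}

if __name__ == "__main__":
    for severity, comp, detail in acceptance_test(REFERENCE, MEASURED):
        print(f"[{severity}] {comp}: {detail}")
```

The ordering of the checks matters: an unapproved revision is reported as such rather than as a digest mismatch, so that a device that merely shipped with older firmware is not confused with one whose approved firmware image has been altered, which is the finding that should block acceptance outright.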

Controlling Access Based on Measured Risk

A core tenet of Zero Trust is that access should never be granted by default, but based on active evaluation of an asset’s risk. In the context of the device pillar, this means that organizations must have the prerequisite ability to determine device-level risk in the first place. This could be ensuring that all critical code is properly updated or that the integrity of that code has not been altered. Naturally, risk will also need to incorporate any signs of known threats or abnormal behavior. Furthermore, Zero Trust recognizes that security is not a static state and that a device that was verified in the past can’t be blindly trusted in the present. This means that assessing the risk of a device can’t be a one-time event, but must be a continuous process that can identify new risks as they develop.

Ultimately, organizations will need to put this risk context into action. Security teams will need to establish the criteria for what should and should not be allowed on an organization’s network. It could be an overall risk score for a device or based on the presence of a critical hardware or firmware vulnerability. The appropriate policies and responses will naturally vary based on the risk tolerance of each enterprise or agency. 

Automated Vulnerability and Patch Management

Most every organization spends considerable effort scanning for vulnerabilities and applying patches. However, the CSI calls out the importance of the system and component vulnerabilities that vulnerability management teams often miss. The document calls out the following: 

Organizations must maintain awareness of firmware patches below the software layer. These patches may not be delivered via OS patch managers or other automated patching solutions. Some patches may come from the system vendor, while others may be specific to an individual component manufacturer (e.g., SSD firmware provided by the storage vendor – not the system vendor). There are two general realms of device-specific patches:

1. Fixed System firmware: System vendors collaborate with soldered component vendors to deliver patches to customers. CPU microcode and NIC (network interface card) firmware is usually shared by the device’s manufacturer.

2. Component firmware: Most frequently applies to components with standardized connectors such as storage drives or graphics processors. Individual component vendors provide firmware updates for their specific products.

This highlights multiple important points. First, the complex nature of technology supply chains can make it hard to know exactly where important firmware updates will come from, if at all. For example, from one laptop vendor or model to another, an update may be handled by the OS, be delivered as firmware updates from the OEM, from the chipset vendor, or may need to be downloaded and applied individually by the customer. This makes it very easy for organizations to overlook critical updates unless they have a consistent way of auditing the supply chain security and posture across all their vendors and models. 

Secondly, these same issues extend down to the individual hardware and software components within a system. In addition to keeping the system BIOS or UEFI firmware up to date, teams must be able to find and address weaknesses in a device’s SSD, network controller, PCIe controller, or dozens of other components. This is again an area that will almost certainly be missed by traditional scans and will need to be handled by a supply chain security platform.

Threat Detection and Response

With all this focus on securing the device layer, it is important to remember why it has become such a priority. In short, attackers have recognized the device layer as the weak link in many organizations. Adversaries have targeted network devices as initial access vectors that can then be used to spread within an organization. On laptops and servers, low-level implants and backdoors can be used to maintain long-term persistence while evading more traditional protections. The device pillar CSI calls out the following:

In addition to the more common high-level threats to operating systems and application software, ZT capabilities must defend systems from persistent and hard-to-detect threats against devices. Past examples of low-level, persistent threats include:

  • LoJax boot rootkit 
  • MosaicRegressor firmware implant
  • UEFI Secure Boot bypasses BootHole and BlackLotus
  • Side channel vulnerabilities such as Spectre, Meltdown, Fallout, ZombieLoad, NetSpectre, Downfall, and Inception
  • SSD over-provisioning malware

This is yet another area where organizations can have gaps. Most security teams lack any visibility into threats on non-traditional devices such as network devices, security appliances, or server BMCs. And while traditional EDR/XDR tools can look for threats, they rely on the host operating system for their information. A threat residing below the OS can feed false information up to the OS or disable protections entirely. This is one more area where firmware and supply chain security tools can close a critical gap.
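Two of the threats the CSI lists, BootHole and BlackLotus, are Secure Boot bypasses whose vendor response was to revoke the affected bootloaders through the UEFI forbidden-signature database (dbx), and the deprovisioning step above tells you to undo Secure Boot modifications. Both require reading what the firmware actually holds rather than what the OS believes. The script below is an added example, not from the post or the NSA document: it reads the Secure Boot state and parses dbx from efivarfs following the UEFI EFI_SIGNATURE_LIST layout, so you can check whether a given bootloader hash is really revoked on a machine. The variable contents and hashes in the sample are constructed, not real revocation entries.

```python
"""
Added example (not from the Eclypsium post or the NSA CSI): read the UEFI
SecureBoot variable and parse the dbx revocation database from efivarfs.
Layout per the UEFI specification:
  EFI_SIGNATURE_LIST { EFI_GUID SignatureType; UINT32 SignatureListSize;
                       UINT32 SignatureHeaderSize; UINT32 SignatureSize;
                       UINT8 SignatureHeader[]; EFI_SIGNATURE_DATA Signatures[] }
  EFI_SIGNATURE_DATA { EFI_GUID SignatureOwner; UINT8 SignatureData[] }
efivarfs prepends a 4-byte attribute word to every variable it exposes.
The sample variable contents below are constructed, not real dbx entries.
"""
import struct
import uuid
from typing import List, Set, Tuple

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def secure_boot_enabled(var_bytes: bytes) -> bool:
    """SecureBoot payload is a single byte after the 4-byte efivarfs attributes."""
    if len(var_bytes) < 5:
        raise ValueError("SecureBoot variable too short")
    return var_bytes[4] == 1


def parse_signature_lists(payload: bytes) -> List[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk an array of EFI_SIGNATURE_LIST and return (type, owner, data) entries."""
    entries = []
    off = 0
    while off < len(payload):
        if len(payload) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(payload):
            raise ValueError("bad SignatureListSize")
        body = payload[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def revoked_sha256(dbx_var_bytes: bytes) -> Set[str]:
    """Hex SHA-256 digests revoked in dbx (X.509 entries are skipped here)."""
    return {data.hex() for t, _, data in parse_signature_lists(dbx_var_bytes[4:])
            if t == EFI_CERT_SHA256_GUID}


def check_hash_revoked(dbx_var_bytes: bytes, pe_authenticode_sha256: str) -> bool:
    """True if the given PE Authenticode SHA-256 is present in dbx."""
    return pe_authenticode_sha256.lower() in revoked_sha256(dbx_var_bytes)


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, sigs: List[bytes]) -> bytes:
    """Build one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sig_size = 16 + len(sigs[0])
    list_size = 28 + sig_size * len(sigs)
    out = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    for s in sigs:
        out += owner.bytes_le + s
    return out


def read_var(name: str, guid: str) -> bytes:
    """Read a variable from efivarfs on a live Linux system (usually needs root)."""
    with open(f"{EFIVARS}/{name}-{guid}", "rb") as f:
        return f.read()


# Constructed sample variables. dbx attributes 0x27 = NV+BS+RT+TIME_BASED_AUTH,
# SecureBoot attributes 0x06 = BS+RT, as efivarfs exposes them. The owner GUID
# is the one Microsoft uses in its dbx updates; the digests are made up.
OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
SAMPLE_SECUREBOOT = struct.pack("<I", 0x06) + b"\x01"
BAD_LOADER = bytes.fromhex("11" * 32)   # constructed, stands in for a revoked loader hash
OTHER = bytes.fromhex("22" * 32)
SAMPLE_DBX = struct.pack("<I", 0x27) + build_esl(EFI_CERT_SHA256_GUID, OWNER, [BAD_LOADER, OTHER])

if __name__ == "__main__":
    try:
        sb = read_var("SecureBoot", EFI_GLOBAL_VARIABLE)
        dbx = read_var("dbx", EFI_IMAGE_SECURITY_DATABASE)
    except OSError:
        sb, dbx = SAMPLE_SECUREBOOT, SAMPLE_DBX   # not on UEFI Linux: use the sample
    print("Secure Boot enabled:", secure_boot_enabled(sb))
    print("dbx SHA-256 entries:", len(revoked_sha256(dbx)))
```

To turn this into the revocation check a device-pillar audit wants, compute the Authenticode SHA-256 of each bootloader on the EFI System Partition and pass it to `check_hash_revoked`; a loader that Secure Boot would still accept, but that is on a published revocation list, is a device that has not received the dbx update and is still exposed to the bypass.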

These are some of the key ways that Zero Trust intentions turn into Zero Trust practices at the device level. And as the NSA doc calls out, the device pillar of Zero Trust requires organizations to dig deeper into their devices than they may have in the past. The good news is that new security tools are available that can make this a simple, highly automated process. That is our mission at Eclypsium, and if you would like to learn more, please contact the team at info@eclypsium.com.

DON'T PANIC! How to Manage IT Product Risk with Supply Chain Intelligence
https://eclypsium.com/events/dont-panic-how-to-manage-it-product-risk-with-supply-chain-intelligence/
Tue, 07 Nov 2023 20:39:38 +0000

With a growing number of threats to the digital supply chain, it’s time for security and procurement teams to work together to manage IT product risk.

Join Eclypsium as we discuss new strategies for assessing the risk of new IT products such as PCs, servers, network equipment, IoT devices, and software applications.

Register Now >

Supply Chain Intelligence
https://eclypsium.com/solution-briefs/supply-chain-intelligence/
Tue, 07 Nov 2023 16:54:54 +0000

Compare the risk of IT products and assess exposure to supply chain incidents

Read More >

Don’t Panic: Trust Your Tech with Supply Chain Intelligence
https://eclypsium.com/blog/dont-panic-trust-your-tech-with-supply-chain-intelligence/
Tue, 07 Nov 2023 16:00:00 +0000

“All you really need to know for the moment is that the universe is a lot more complicated than you might think, even if you start from a position of thinking it’s pretty damn complicated in the first place.”

The Hitchhiker’s Guide to the Galaxy, Douglas Adams

The Universe of Digital Supply Chain

Imagine you are offered a drink. You don’t know what it is or what’s in it. It’s unlikely you’d drink it unless you trust the person giving it to you or some third-party attesting that its contents are safe to drink, perhaps through some certification label with ingredients listed. Yet this type of blind trust is exactly what we do when it comes to the external technology, both hardware and software, we use in our organizations.

Every modern organization depends on products from hundreds of vendors and suppliers. In the age of global interconnected digital supply chains, every product is built using components from many other suppliers, from software and hardware vendors to open-source developer communities.

Software supply chain security, or more generally digital supply chain security, is an important topic of conversation. Software is everywhere, from every application to every device and its components. Fundamentally, we can view the entire digital supply chain security space as having two distinct and complementary parts: application software supply chain security and infrastructure supply chain security.

The application software supply chain security part helps software developers and vendors protect their software development environment and applications they build which typically includes source code analysis, analysis of third-party and open-source dependencies, and securing the CI/CD and delivery pipelines. For an overview of solutions focusing on the developer side of software supply chain security, I recommend reading Software Supply Chain Vendor Landscape research.

In this post I will focus on the other part of the digital supply chain security landscape: Infrastructure Supply Chain Security, or solutions which help organizations secure the supply chain of external products they use in their IT infrastructure.

Enterprise IT infrastructure combines multiple types of products such as user devices (endpoints), servers in corporate IT and data centers, network devices in network infrastructure, the software and hardware stack powering cloud infrastructure, and other types of infrastructure which are rapidly developing like enterprise IoT.

Infrastructure is what runs critical applications and workloads and is therefore fundamental to their security. If the infrastructure is vulnerable or compromised, all applications and workloads handling sensitive data are impacted.

Let me start with a simple example.

A typical PC is built by 65 direct suppliers, with another 200 upstream suppliers based in 39 countries who build the components and develop the underlying code. A popular HP Pavilion 550 desktop has over 4,500 models with various configurations of components and versions of motherboards. Each Pavilion 550 has multiple components from CPU to graphics cards to network adapters to storage devices to management chips—each of these components runs their own software or firmware code, from Linux-based OSes to equally complex firmware architectures like UEFI to proprietary code developed by suppliers of these components or their third-party suppliers. 

The Modern “Cybersecurity” Problem Is a Supply Chain Security Problem

Do we want to trust all of our vendors and all of their suppliers? Are we confident that each one of them builds software and hardware according to the security practices our organizations require? Have any of our suppliers been compromised by threat actors? Any of these components could be altered or backdoored, whether by a supplier or by an external threat actor, and all of them carry security vulnerabilities that will be used to compromise the organizations that deploy these products.

This is just one example: a PC such as the one you might be using to read this article. The problem grows exponentially larger when you consider other parts of your IT infrastructure, such as servers running critical workloads, network devices, and software technologies powering cloud infrastructure. Every time we blindly trust these products and components from the outside, we are accepting a substantial amount of risk.

A server may have anywhere between 50 and 100 of these components. Network devices from Cisco, F5 Networks, HPE Aruba, and other vendors are similarly complex systems running their own network OS. Components like the Apache Log4j library are used by both software applications and network devices, and both were impacted by the Log4Shell vulnerability. As I write this, organizations across the globe are being targeted via the CitrixBleed vulnerability in Citrix NetScaler devices.

We don’t have easy ways to check the millions of lines of code and the risks of the technology that we consume. We have to stamp out this blind trust with new tools that can assess digital technology products by understanding their ingredients, how they’re configured, and if they have been altered in any way.

Gartner currently estimates $215 billion will be spent on cybersecurity in 2024, up 14% from 2023, but few of us have confidence that this will meaningfully affect outcomes. That’s because current cybersecurity controls don’t understand this complexity of modern digital supply chains and are thus incapable of addressing the root problem of digital supply chain security. Endpoint security tools are hopefully good at what they do—discovering malware on user endpoints. They have not been designed to deal with the risks of underlying components and ingredients within hardware and software products.

The network scanning tools we use to discover vulnerable network assets similarly have not been designed to understand these devices and software they run “from within,” with visibility into the ingredients devices are made of. They perform surface scans and can’t see deep enough within these assets to understand if they’ve been compromised, and often overwhelm security teams with “critical findings.”

Supply Chain Attacks Are Soaring

If we dive into the root causes of most breaches today, we see that incidents involving vulnerabilities in software or hardware products are soaring. Akamai reported that ransomware groups are shifting tactics from phishing and stolen credentials to exploiting vulnerabilities, and said that this shift drove a 143% increase in ransomware victims between Q1 2022 and Q1 2023. Palo Alto Networks Unit 42 has found that 48% of ransomware attacks start by exploiting software vulnerabilities.

In 2023 alone, ransomware groups like LockBit, ALPHV (also known as BlackCat), and FIN8 compromised many organizations by targeting vulnerable hardware devices and essential IT software like VMware ESXi. Hotel and entertainment giant MGM spent $110 million cleaning up after the ALPHV ransomware group compromised its ESXi infrastructure. The Russia-linked LockBit recently added Boeing to the 1,800 victims it has claimed since 2019, claiming to have hacked the aerospace giant by exploiting a zero-day vulnerability. LockBit is known to target IT infrastructure such as F5 Networks and Fortinet appliances and ESXi hosts.

Security incidents with wide impact in 2023 have highlighted serious weaknesses in the digital supply chain, such as: vulnerabilities in MOVEit by Progress Software; firmware backdoor capabilities in Gigabyte systems; vulnerabilities in remote management components used by most major server manufacturers; hardware vulnerabilities like Downfall, Zenbleed, and other vulnerabilities in CPU components.

Ransomware groups also breached major infrastructure vendors, including TSMC, MSI, and Western Digital, exposing sensitive information about their products, such as signing keys and source code, that could be used by attackers to develop further supply chain attacks.

While ransomware groups threaten serious financial pain for the private sector, state-sponsored threat actors target national infrastructure. The BlackLotus UEFI bootkit and the Volt Typhoon and BlackTech threat actors took aim at the firmware supply chain of PCs, servers, and network devices from multiple manufacturers, both as an initial access vector and to establish persistence.

Geopolitical risks continue to drive concerns of dependency on critical technology developed by foreign manufacturers like Huawei and ZTE. Recently, disk drive components used in U.S. government agencies were found to be manufactured by a company with ties to the PRC’s PLA.

The security of the digital supply chain has taken center stage in U.S. national strategy. Two of the five pillars of the U.S. National Cybersecurity Strategy released in March 2023 are designed to strengthen the transparency and security of software and infrastructure supply chains. Following Executive Order 14028: Improving the Nation’s Cybersecurity, federal authorities including DHS, CISA, NIST, and the NTIA have been driving regulations and guidelines aimed at improving supply chain security.

Introducing the Eclypsium Guide to Supply Chain Security

It can all seem overwhelming. How can we, as an industry, stop placing blind trust in the digital supply chain and start managing the risk, both in applications and infrastructure? How are organizations supposed to demystify complex supply chains that are constantly changing with hundreds of suppliers and sub-suppliers, across dozens of technology vendors? 

The first step in this journey starts with supply chain intelligence. Returning to our drink analogy, most of us don’t have a portable kit to test the ingredients in the drink offered. But we would be more likely to accept a drink if we had third-party attestation to the ingredients included, nutritional facts, and any possible risk. Until now, there were no tools available to verify the ingredients in the digital products we use and assess their risk to our infrastructure. 

Today we are launching “the standard repository for all knowledge and wisdom” in digital supply chain security. Eclypsium created the Guide to help you begin to navigate the depths of this universe of external digital products and components. We want to arm our customers’ IT and security teams with intelligence and tools to verify the risk and integrity of every hardware, software, and cloud product they use in their infrastructure. 

Take a Tour of the Guide

We believe that organizations no longer need to blindly trust hardware and software from their suppliers or treat them as black boxes. Every organization should be able to see and verify what technology is made of before it’s used and after it is deployed. Every organization should be able to understand and control the risk that technologies bring throughout their lifecycle. We believe that securing the Infrastructure Supply Chain is the foundation of every organization’s security. Everything else is built on top of it. 

This will change how we manage cyber risk from our suppliers of technology. Assumptions and blind trust will be replaced by verification. At Eclypsium, we are committed to making this a reality together with our customers and partners.

We are starting an early access program for the Guide. If you are interested in getting access and helping us improve it, please let us know.

Don’t Panic!

The post Don’t Panic: Trust Your Tech with Supply Chain Intelligence appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

Eclypsium Launches Guide to Supply Chain Security for Enterprise Infrastructure https://eclypsium.com/press-release/eclypsium-launches-guide-to-supply-chain-security-for-enterprise-infrastructure/ Tue, 07 Nov 2023 14:00:00 +0000 https://eclypsium.com/?p=7916

The Guide is first in the industry to offer supply chain risk intelligence for IT infrastructure, including endpoints, servers, network devices, and cloud infrastructure products

Portland, OR – November 7, 2023 – Eclypsium®, the digital supply chain security company protecting critical hardware, firmware, and software, today announced the industry’s first solution that measures the risk of IT infrastructure, including laptops, desktops, servers, network equipment, IoT devices, and software. CIOs, CISOs, and supply chain leaders can use the Eclypsium Guide to Supply Chain Security to make more cost-effective and risk-based purchase decisions, as well as assess their exposure to new supply chain cybersecurity incidents. 

“Digital supply chain security is a board-level concern for many organizations, and there is an urgent need to provide a central repository for organizations to assess IT product risk,” says Eclypsium CEO and Co-founder Yuriy Bulygin. “Eclypsium is able to provide this supply chain intelligence because we have the deepest and broadest library of third-party hardware, firmware, and software component risk data.”

According to Gartner, by 2025, 60% of supply chain risk management leaders plan to use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements. The new Eclypsium Guide meets the need for more quantifiable data during supply chain risk assessments.

“Supply chain threats exploit the intricate network of trust inherent in the technology ecosystem we rely on today. Within this ecosystem, every piece of equipment, application, and cloud service is a culmination of highly specialized, interdependent components sourced from various suppliers,” says Ramy Houssaini, a senior Digital Trust executive and chair of The Cyber Poverty Line Institute. “It is crucial for us to have a full stack view of the vulnerabilities inherent in this complex ecosystem and to take proactive measures by utilizing technology that can provide risk intelligence on IT infrastructure.”

Already in 2023, there have been a number of supply chain incidents that affect IT infrastructure:

  • Ransomware groups, including ALPHV (also known as BlackCat), FIN8, and LockBit, targeted vulnerabilities in network infrastructure devices and virtualization infrastructure. 
  • The BlackLotus UEFI bootkit and the Volt Typhoon and BlackTech threat actors took aim at the firmware supply chain of PCs, servers, and network equipment from multiple manufacturers, both as an initial access vector and to establish persistence.
  • Ransomware gangs breached major infrastructure vendors, including TSMC, MSI, and Western Digital, exposing sensitive information about their products that could be used by attackers to develop supply chain attacks.
  • Security incidents with wide impact highlighted serious weaknesses in the enterprise infrastructure supply chain, such as: a vulnerability in MOVEit by Progress Software; firmware backdoor capabilities in Gigabyte systems; vulnerabilities in remote management components used by most major server manufacturers; network infrastructure vulnerabilities like Citrix Bleed; hardware vulnerabilities like Downfall, Zenbleed, and other vulnerabilities in CPU components; and disk drive components used in U.S. government agencies manufactured by a company with ties to the PRC’s PLA.

The Eclypsium Guide will equip IT, security, and procurement teams to track these types of supply chain risks and incidents and see whether products that they use or are considering purchasing are affected. At launch, the Guide includes verified details about products and components from hardware and software vendors including Dell, HP, Lenovo, HPE, Cisco, Intel, AMD, NVIDIA, and others. It will be available as a standalone SaaS offering that is complementary to and integrated with the Eclypsium Supply Chain Security Platform.

To schedule a demo of the new Eclypsium Guide or the Eclypsium supply chain security platform, visit www.eclypsium.com or email your Eclypsium representative at sales@eclypsium.com.

ABOUT ECLYPSIUM

Eclypsium’s cloud-based platform provides digital supply chain security for critical software, firmware and hardware in enterprise infrastructure. Eclypsium helps enterprises and government agencies mitigate risks to their infrastructure from complex technology supply chains. For more information, visit eclypsium.com.

MEDIA CONTACT:

pr@eclypsium.com 

The post Eclypsium Launches Guide to Supply Chain Security for Enterprise Infrastructure appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

Eclypsium Platform Datasheet https://eclypsium.com/solution-briefs/eclypsium-platform-datasheet/ Fri, 03 Nov 2023 20:02:46 +0000 https://eclypsium.com/?p=7891

Most organizations implicitly trust the foundational layers of their IT infrastructure—a fact that makes low-level exploits especially desirable targets for attackers. The Eclypsium supply chain security platform equips organizations to continuously monitor and remediate the critical low-level components of their IT infrastructure during procurement, deployment, and operation.

This datasheet provides details on Eclypsium’s capabilities for clients, servers, and network devices.


The post Eclypsium Platform Datasheet appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

BTS #16 - UEFI & The Digital Supply Chain - Dick Wilkins https://eclypsium.com/podcasts/bts-16-uefi-the-digital-supply-chain-dick-wilkins/ Wed, 01 Nov 2023 21:31:40 +0000 https://eclypsium.com/?p=8078


Learn about the evolution of UEFI, various aspects of supply chain security surrounding UEFI, and the interactions between links in the supply chain that ultimately end up delivering you a computer or server.

The post BTS #16 - UEFI & The Digital Supply Chain - Dick Wilkins appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

Applying ATT&CK Methodology to Hardware and Firmware https://eclypsium.com/blog/applying-attck-methodology-to-hardware-and-firmware/ Mon, 30 Oct 2023 16:59:39 +0000 https://eclypsium.com/?p=7811

The rapid rise of hardware- and firmware-related attacks and supply chain threats has been one of the most significant changes in cybersecurity in recent years. Unlike the small incremental changes that typically define the evolution of threats (e.g. new malware variant, new ransomware operator, etc.), this new wave of attacks has introduced profound and fundamental changes to the threat landscape. 

Low-level threats have allowed attackers to burrow beneath the OS and its traditional protections at scale, ensuring their malicious code runs first and runs at the most fundamental levels that the OS and all applications depend on. This fundamentally changes when and where the battle takes place on a given device. 

Supply chain threats likewise change the when and where of cyberattacks, but on an even more profound level. Instead of attacking an enterprise directly, supply chain attacks shift the fight to the vendors, suppliers, and software repositories that underpin all enterprise technology. This can include software, firmware, and hardware. Thus, in many if not most cases, firmware attacks can be seen as a subset of supply chain attacks. They end up being very interrelated ideas. Firmware attacks go to the root of how technology works, and supply chain attacks go to the root of where technology comes from.

Drawing Inspiration from MITRE ATT&CK

Cybersecurity leaders and professionals have limited time and resources, so it is important that their efforts and decisions are informed by the tactics and techniques that attackers use in the real world. The MITRE ATT&CK framework has proven to be one of the most powerful industry tools in this regard. The framework identifies more than 200 attacker techniques that are categorized under 14 different high-level tactics. The tactics can largely be thought of as phases of an attack beginning with reconnaissance, progressing through various phases of an intrusion, and culminating in a theft or destructive impact.  

Given the sudden popularity of supply chain and firmware threats, it makes sense to take a deeper look at these areas in the context of ATT&CK. Of course, ATT&CK does cover some of the basics of threats in these areas. But at the same time, it’s important to appreciate how broadly these areas apply to the lifecycle of attack. Many of the same issues that are often applied to operating systems and applications can apply to hardware and firmware. They will have their own vulnerabilities, provide their own infection vectors, and allow for some of the most powerful forms of persistence and defense evasion.

With that in mind, let’s take a deeper look at some of the ATT&CK tactics in the context of supply chain and firmware threats. While we don’t go into the details of every technique, we have compiled the following table to highlight some of the most important techniques within eight ATT&CK tactics.

ATT&CK-inspired matrix for hardware and firmware techniques.

Reconnaissance

Reconnaissance involves a variety of active and passive adversary techniques to identify target assets and vulnerabilities. Almost any reconnaissance effort that can be applied to software will likewise apply to firmware, and the same techniques applied to enterprises can be applied to the supply chain. This can include: 

  • Actively scanning for flaws within software and firmware
  • Looking for artifacts in publicly available update code and update processes
  • Identifying any open-source dependencies in firmware and hardware technology stacks 

Ultimately, the supply chain provides a great avenue for attacker reconnaissance since there are many suppliers and sub-suppliers (or even logistics partners) who could have code available or that may unintentionally expose sensitive information that could be used later in an attack. 

Resource Development

Resource Development allows an adversary to acquire infrastructure that will support active phases of an attack. 

  • Acquiring servers, or implanting firmware backdoors in network devices such as switches or in bare-metal cloud services
  • Directly manipulating source code repositories used by supply chain vendors to introduce malicious code or vulnerabilities
  • Manipulating a vendor's or supplier's software or firmware update processes
  • Coercing developers or manufacturing staff to introduce malicious code into a product 


Initial Access

Supply chain and firmware attacks truly change the game when it comes to initial access. Instead of a direct assault on an enterprise, supply chain threats arrive in the guise of trusted vendor products and code. 

  • Targeting any of the dozens of suppliers and subcontractors that work on a product prior to delivery to the customer
  • Directly inserting implants in vendor code, manipulating update processes, or attacking vendor signing processes
  • Changing low-level device configurations
  • Manipulating code in transit or delivery
  • Targeting a variety of vulnerable components such as device management protocols (e.g. IPMI, Redfish), debug interfaces, or management web interfaces

It is important to note that VPNs, routers, and security appliances have become some of the most common initial access vectors for advanced adversaries and virtually all major ransomware operators. 

Execution

Attackers have many ways to gain code execution through firmware or supply chain attacks. Any implant inserted during the manufacturing process can instantly give an attacker code execution under the guise of valid code. Likewise, Direct Memory Access (DMA) injection or attacks against System Management Mode (SMM) can give attackers code execution below the level of the operating system. Firmware and supply chain vulnerabilities are also often remotely exploitable. And as with all types of code, attackers can use social engineering to trick users into running the attacker's code to exploit firmware vulnerabilities, or trick them into performing malicious firmware updates.

Persistence

Persistence has always been a key driver behind supply chain and firmware attacks. 

  • Supply chain attacks by nature will compromise code that an enterprise considers to be “valid” or trusted. If the supply chain is compromised, an organization’s reimaging efforts may only serve to reinfect a given device. 
  • Firmware code is integrated into system components themselves, instead of residing on traditional storage drives. This not only hides the attacker’s code from traditional security scans but also ensures the code will persist even if a system’s drives are completely erased, re-imaged or even replaced. 
  • Attackers can establish persistence by gaining control of a device's boot process to ensure their malicious code always runs during startup. Firmware rootkits and vulnerabilities such as BootHole (CVE-2020-10713, in the GRUB2 bootloader) can allow an attacker to execute their code before the operating system is even loaded.
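One way to turn the persistence points above into a check, as an added example that is not part of the original post or of any vendor tool: fingerprint each region of a firmware image separately and compare it against a known-good baseline, treating the UEFI variable store as volatile so that legitimate runtime changes (boot order, Secure Boot keys, OS variables) do not drown out a real modification. The 32 KiB image, its region layout, and the "tampered" bytes are constructed for the example; a real check takes the layout from the flash descriptor or vendor documentation and reads the SPI flash through a trusted path, since an implant that already controls the platform can lie to an in-band software dump.

```python
import hashlib

# Constructed SPI flash layout (offset, size) for a 32 KiB toy image. Real layouts
# come from the Intel Flash Descriptor or vendor documentation and are megabytes.
REGIONS = {
    "DESC":  (0x0000, 0x1000),
    "ME":    (0x1000, 0x3000),
    "BIOS":  (0x4000, 0x3000),
    "NVRAM": (0x7000, 0x1000),
}
# The UEFI variable store changes legitimately at runtime, so it is excluded from
# the byte-for-byte comparison and would be checked separately (e.g. for unexpected
# boot entries or Secure Boot state changes).
VOLATILE = {"NVRAM"}
IMAGE_SIZE = 0x8000


def build_golden_image():
    """Deterministic stand-in for a vendor-supplied firmware image (constructed)."""
    img = bytearray(IMAGE_SIZE)
    for name, (off, size) in REGIONS.items():
        pattern = hashlib.sha256(name.encode()).digest()
        for i in range(size):
            img[off + i] = pattern[i % len(pattern)]
    return bytes(img)


def region_hashes(image):
    """SHA-256 per region: this is what gets stored as the known-good baseline."""
    if len(image) != IMAGE_SIZE:
        raise ValueError(f"expected {IMAGE_SIZE} bytes, got {len(image)}")
    return {
        name: hashlib.sha256(image[off:off + size]).hexdigest()
        for name, (off, size) in REGIONS.items()
    }


def changed_regions(image, baseline):
    """Names of non-volatile regions whose hash no longer matches the baseline."""
    current = region_hashes(image)
    return sorted(
        name for name in REGIONS
        if name not in VOLATILE and current[name] != baseline[name]
    )


if __name__ == "__main__":
    golden = build_golden_image()
    baseline = region_hashes(golden)
    # Simulate a 16-byte patch inside the BIOS region (a NOP sled; constructed).
    tampered = bytearray(golden)
    tampered[0x4100:0x4110] = b"\x90" * 16
    print(changed_regions(bytes(tampered), baseline))
```

Because the comparison is per region, the output names the region that moved rather than just "image differs", which is what you need to decide whether a change is a pending vendor update to the BIOS region, an ME firmware change, or something that should never change between two dumps of the same machine.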

Privilege Escalation

IT infrastructure products from PCs to virtualization software rely on a wide range of highly privileged code, options, and settings that control the fundamental nature of how a given asset works. 

  • A kernel-level rootkit can give attackers access to the most trusted layer of the operating system known as Ring 0. 
  • Malicious bootloaders can allow attackers to gain control of the boot process to load an attacker-controlled OS or patch an existing OS to disable protections. 
  • Gaining control of System Management Mode (SMM) can allow attackers to run malicious code at runtime that is completely invisible to the higher-layer operating system. 
  • Attackers can escape from VMs to access the underlying host.  

These are just a few of the ways that attackers can abuse low-level vulnerabilities to gain unexpected privileges that can be very hard to detect with traditional security controls. 

Lateral Movement

As covered earlier, network devices have proven to be incredibly popular targets for attackers. In addition to initial access, these assets provide attackers with the ability to spread to other hosts and areas of the network. This can allow ransomware operators to spread from a single device to hundreds or thousands. Attackers have also used IoT devices as a way to easily move across a network. This is because IoT devices and network devices both often lack the ability to support local security agents. 

Attackers can also use a vendor’s management capabilities in order to spread from asset to asset. For example, attackers can target BMCs, IPMI, or Redfish as a way to control and spread across servers in cloud or datacenter environments. On laptops, attackers can likewise abuse diagnostic and management interfaces such as Intel Active Management Technology (AMT), a feature offered as part of Intel ME and CSME (Converged Security and Manageability Engine). 
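As an added detection example for the management-interface abuse described above (not code from the original post, and not tied to any specific BMC vendor): the script parses constructed BMC audit lines in an assumed syslog-like layout, flags Redfish or IPMI sessions coming from outside an assumed management subnet, flags firmware pushed through the Redfish UpdateService, and raises a lateral-spread alert when one source address opens sessions on three or more BMCs within ten minutes. The log lines, the subnet, the thresholds and the line format are all assumptions; the Redfish URIs themselves are the standard ones.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed BMC audit lines in an assumed syslog-like layout. iDRAC, iLO, OpenBMC
# and MegaRAC each log differently; the regex below is the part to adapt per vendor.
SAMPLE_LOG = """\
2023-11-02T10:14:03Z bmc01 redfish: POST /redfish/v1/SessionService/Sessions src=10.20.0.5 user=svc-ops status=201
2023-11-02T10:14:09Z bmc01 redfish: POST /redfish/v1/UpdateService/Actions/UpdateService.SimpleUpdate src=10.20.0.5 user=svc-ops status=202
2023-11-02T10:20:41Z bmc07 ipmi: session open src=192.168.45.23 user=ADMIN priv=ADMINISTRATOR
2023-11-02T10:21:02Z bmc07 redfish: POST /redfish/v1/SessionService/Sessions src=192.168.45.23 user=ADMIN status=201
2023-11-02T10:23:15Z bmc08 redfish: POST /redfish/v1/SessionService/Sessions src=192.168.45.23 user=ADMIN status=201
2023-11-02T10:25:50Z bmc09 redfish: POST /redfish/v1/SessionService/Sessions src=192.168.45.23 user=ADMIN status=201
2023-11-02T10:26:30Z bmc09 redfish: POST /redfish/v1/Systems/1/Actions/ComputerSystem.Reset src=192.168.45.23 user=ADMIN status=204
"""

# Assumed policy: only the jump hosts in this subnet may talk to BMCs at all.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
SPREAD_THRESHOLD = 3                   # distinct BMCs reached by one source address...
SPREAD_WINDOW = timedelta(minutes=10)  # ...within this window counts as lateral spread

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proto>redfish|ipmi): "
    r"(?P<event>.+?) src=(?P<src>\S+) user=(?P<user>\S+)"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_session_open(ev):
    return ev["event"].startswith("session open") or "/SessionService/Sessions" in ev["event"]


def is_firmware_update(ev):
    return "/UpdateService/" in ev["event"]


def detect(log_text):
    """Return de-duplicated (rule, bmc host or hosts, source ip) alerts for the log."""
    alerts, seen = [], set()
    sessions_by_src = defaultdict(list)  # src -> [(timestamp, bmc host)]
    spread_reported = set()

    def raise_alert(rule, host, src):
        key = (rule, host, src)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src_ip = ipaddress.ip_address(ev["src"])
        if not any(src_ip in net for net in MGMT_ALLOWLIST):
            raise_alert("bmc_access_outside_mgmt_net", ev["host"], ev["src"])
        if is_firmware_update(ev):
            # Always worth a human look: this is how a BMC or host firmware implant lands.
            raise_alert("bmc_firmware_update", ev["host"], ev["src"])
        if is_session_open(ev):
            history = sessions_by_src[ev["src"]]
            history.append((ev["ts"], ev["host"]))
            recent = {h for t, h in history if ev["ts"] - t <= SPREAD_WINDOW}
            if len(recent) >= SPREAD_THRESHOLD and ev["src"] not in spread_reported:
                spread_reported.add(ev["src"])
                raise_alert("bmc_lateral_spread", ",".join(sorted(recent)), ev["src"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The firmware-update rule fires even for the allowlisted jump host on purpose: a legitimate update window is a change-management question, and an update pushed from a compromised jump host looks identical to a legitimate one in the BMC log, so the event itself is what needs correlating with a ticket.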

Impact

Attacks are ultimately about the impact, and once again, this is another area where supply chain and firmware threats are in a class by themselves. One important factor is that supply chain attacks are often massive in scope by their nature. Instead of infecting devices one by one, attackers can use the supply chain itself to deliver malicious code to thousands of devices. From an enterprise perspective, this can mean that entire fleets of devices could be compromised. The low-level nature of supply chain and firmware code also provides the ideal conduits to steal data or cause direct damage. The same ability to sit below the OS and to use or abuse networking or management interfaces can provide stealthy mechanisms for data exfiltration. Access to firmware either at the system or component level can allow attackers to permanently disable devices.

Hopefully, these examples have helped to illustrate some of the big picture around the importance of the below-the-OS attack surface and supply chain security. Supply chain and firmware attacks are not individual techniques or discrete attacks. They are fundamental security disciplines that cut across all types of devices and assets and across virtually all phases of the attack lifecycle. This is why it is imperative to have a lifecycle approach to supply chain security. At Eclypsium, this is our specialty, and if you would like to learn more, please drop us a line at info@eclypsium.com.

Further reading:

  • Check out our full ATT&CK whitepaper to learn more about how Eclypsium protections apply to the ATT&CK framework.

The post Applying ATT&CK Methodology to Hardware and Firmware appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

Eclypsium Named Most Innovative Software Supply Chain Security Company in Coveted Top InfoSec Innovator Awards for 2023 https://eclypsium.com/press-release/eclypsium-named-most-innovative-software-supply-chain-security-company-in-coveted-top-infosec-innovator-awards-for-2023/ Fri, 27 Oct 2023 16:24:09 +0000 https://eclypsium.com/?p=7805

Portland, OR – Oct. 27, 2023 – Eclypsium®, the digital supply chain security company protecting critical hardware, firmware, and software in enterprise IT infrastructure, today announced that Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine, has awarded the company with the 2023 Top InfoSec Innovator Award for Most Innovative Software Supply Chain Security. The Eclypsium Supply Chain Security Platform enables an organization’s IT security and operations teams to continuously ensure the integrity and security of their endpoint, server, network and cloud infrastructure, including third-party components, software and firmware code, helping them prioritize and manage supply chain risk to their infrastructure. 

“We’re excited to be a member of this coveted group of winners. As supply chains have grown significantly in both size and complexity, the attack surface has expanded exponentially with the increased reliance on third-party vendors, products and components,” says Eclypsium CEO and co-founder Yuriy Bulygin. “Supply chain vulnerabilities were responsible for over 60% of breaches last year, while ransomware exploiting third-party vulnerabilities increased 143% this year. It’s not surprising that increasing numbers of organizations are looking to thwart these types of attacks with purpose-built supply chain security solutions. This award speaks to the depth and breadth of Eclypsium’s coverage of supply chain risks.”

Organizations today run third-party software all across their infrastructure. External software powers endpoints, servers, network, and cloud infrastructure, as well as many of the third-party applications running on that infrastructure. It also poses a growing security risk, as suppliers introduce vulnerabilities into their software, firmware, and hardware products and are themselves targeted by threat actors who compromise those products.

Eclypsium’s supply chain security platform protects hardware, firmware, and software within enterprise infrastructure and devices. It assesses the integrity and supply chain risk of the software and firmware inside infrastructure devices, verifying that code is authentic and has not been tampered with at any point in the supply chain or in operations, down to the component level. It also provides capabilities to respond quickly to supply chain vulnerabilities and incidents, or to establish compensating controls. By providing end-to-end, continuous protection for the underlying components of enterprise infrastructure and devices, Eclypsium’s platform equips organizations with the tools and insights needed to secure their digital supply chains against third-party compromise and vulnerabilities.

The company also recently announced supply chain integrity and threat detection capabilities for network infrastructure. The new coverage ensures the continuous integrity verification of software and firmware in network infrastructure devices, including those from Cisco, F5 Networks, Fortinet, Citrix NetScaler, and more, to discover threat actors looking to compromise and establish persistence in network devices. 

“We scoured the globe looking for cybersecurity innovators that could make a huge difference and potentially help turn the tide against the exponential growth in cybercrime. Eclypsium is worthy of being named a winner in these coveted awards and consideration for deployment in your environment,” said Yan Ross, Editor of Cyber Defense Magazine.

Learn more about Eclypsium’s Supply Chain Security Platform for Enterprise Infrastructure.

ABOUT ECLYPSIUM

Eclypsium’s cloud-based platform provides digital supply chain security for critical software, firmware and hardware in enterprise infrastructure. Eclypsium helps enterprises and government agencies mitigate risks to their infrastructure from complex technology supply chains. For more information, visit eclypsium.com.

The post Eclypsium Named Most Innovative Software Supply Chain Security Company in Coveted Top InfoSec Innovator Awards for 2023 appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.
