Dangerous Trickbot evolves to target UEFI/BIOS firmware

New functionality discovered in Trickbot enables malicious actors to inspect the UEFI/BIOS firmware of targeted systems for well-known, unpatched vulnerabilities that, if exploited, would enable them to cause extremely disruptive, or even destructive cyber attacks.

That is according to researchers at Eclypsium and Advanced Intelligence (AdvIntel), who have described the developments – dubbed Trickboot – as a critical risk to organisational and national security.

“Our research uncovered Trickbot performing reconnaissance for firmware vulnerabilities,” wrote the research team in their disclosure announcement. “This activity sets the stage for Trickbot operators to perform more active measures such as the installation of firmware implants and backdoors, or the destruction of a targeted device.

“It is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets. Similar UEFI-focused threats have gone years before they have been detected. Indeed, this is precisely their value to attackers.”

Trickboot is especially dangerous because, as with similar attacks, subverting the boot process lets attackers gain control over the system’s operating system and establish ongoing persistence.

More specifically, if the process is compromised by writing to the SPI flash memory chip that begins the boot process, malicious actors can: brick a device at the firmware level via a remote malware or ransomware campaign; reinfect a device that has undergone a system restore; bypass or disable security controls that the operating system and software relies on; chain exploits of other device components; and roll back firmware updates patching previous vulnerabilities.

The new capabilities are a significant step in the evolution of Trickbot and massively increase the danger it poses. The team said that given the links between the Trickbot toolset and active advanced persistent threat (APT) groups in Russia and North Korea – possibly even government-backed groups – and its use in the past to hit sectors such as education, financial services, healthcare, telecoms and other critical national infrastructure, defenders should be on high alert because most will not be tooled to mitigate such a threat.

“Adversaries leveraging Trickbot now have an automated means to know which of their victim hosts are vulnerable to UEFI vulnerabilities, much like they tooled up in 2017 to leverage EternalBlue and EternalRomance vulnerabilities for worming capabilities,” the researchers wrote. “Security teams should take action to mitigate this risk.

“Given the size and scope of Trickbot, the discovery of a module specifically targeting firmware is troubling. These threat actors are collecting targets that are verified to be vulnerable to firmware modification, and one line of code could change this reconnaissance module into an attack function.”

The team added: “Like other in-the-wild firmware attacks, Trickbot reused publicly available code to quickly and easily enable these new firmware-level capabilities. At a time when geopolitical events and a global pandemic have upended life across the globe, Trickbot is digging into the hidden area of firmware that is often overlooked.

“This presents a greater risk than ever before because the scale of Trickbot, which has previously brought highly disruptive ransomware, now brings firmware attacks to many more organisations that are likely unprepared for such techniques.”