SuperMicro and Pulse Secure have both issued advisories recently linking Trickboot to vulnerabilities discovered on certain products. TrickBoot is a new functionality within the TrickBot malware toolset capable of discovering vulnerabilities and enabling attackers to read/write/erase the device’s BIOS. When malware can write to BIOS, it can be nearly impossible for IT and Security personnel to detect or eradicate it.
SuperMicro explains there is an issue with “only with a subset of the X10 UP motherboards” naming the single socket Denlow motherboards the hardware in focus. They are currently working on patching the BIOS and should release an automatic update promptly. However it was explained this will only be released for products that have not reached end-of-life.
Pulse Secure released an out of circle advisory effecting two products, PSA5000 and PSA7000, emphasizing that the PSA-300 and PSA-3000 are not affected by this issue. The Pulse Connect Secure/Pulse Policy Secure device currently has a patch to mitigate the issue and the Pulse One On-Prem Appliance patch is in development.
Trickboot is a farely new technique used by Trickbot malware family reported in December 2020. Bootkits, including Trickboot, allow attackers to control the boot process of a given machine. It allows for complete control of the machine at high levels of access and can be a devastating addition to the attack chain, especially with Trickbot which leverages Active Directory. Luckily earlier this year Emotet which was used widely to spread Trickbot was taken down. Trickbot was also the subject of a law enforcement takedown in late 2020 but has since bounced back to operation.
Analyst Notes
It is important to be vigilant with firmware updates. Subscribe to manufactures’ mail lists regarding security advisories and updates to stay informed of important notifications. While it may not be possible to patch every machine the minute a flaw is announced, awareness is most important and can be one of the defining factors mitigating vulnerabilities. A strong Threat Intelligence team coupled with active Threat Hunting is essential for large enterprise given today’s environment with so much of the workforce at home, using tools such as Pulse Secure and other VPN solutions. Binary Defense offers both of these services with teams manned by seasoned researchers working 24/7 to provide the defense necessary to combat the risks of compromise.
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44712
https://www.supermicro.com/en/support/security/trickbot
