SuperMicro and Pulse Secure have both issued advisories recently linking Trickboot to vulnerabilities discovered on certain products. TrickBoot is a new functionality within the TrickBot malware toolset capable of discovering vulnerabilities and enabling attackers to read/write/erase the device’s BIOS. When malware can write to BIOS, it can be nearly impossible for IT and Security personnel to detect or eradicate it.
SuperMicro explains there is an issue with “only with a subset of the X10 UP motherboards” naming the single socket Denlow motherboards the hardware in focus. They are currently working on patching the BIOS and should release an automatic update promptly. However it was explained this will only be released for products that have not reached end-of-life.
Pulse Secure released an out of circle advisory effecting two products, PSA5000 and PSA7000, emphasizing that the PSA-300 and PSA-3000 are not affected by this issue. The Pulse Connect Secure/Pulse Policy Secure device currently has a patch to mitigate the issue and the Pulse One On-Prem Appliance patch is in development.
Trickboot is a farely new technique used by Trickbot malware family reported in December 2020. Bootkits, including Trickboot, allow attackers to control the boot process of a given machine. It allows for complete control of the machine at high levels of access and can be a devastating addition to the attack chain, especially with Trickbot which leverages Active Directory. Luckily earlier this year Emotet which was used widely to spread Trickbot was taken down. Trickbot was also the subject of a law enforcement takedown in late 2020 but has since bounced back to operation.