Supermicro and Pulse Secure Issue Advisories Regarding 'TrickBoot' Attacks


Supermicro, a U.S.-based information technology firm, and VPN provider Pulse Secure have released advisories regarding the vulnerability of their motherboards to the TrickBot malware’s Unified Extensible Firmware Interface (UEFI) firmware-infecting module, called TrickBoot.

Last year, cybersecurity companies Advanced Intelligence and Eclypsium published a joint report on a new firmware-targeting ‘TrickBoot’ module delivered by the well-known TrickBot malware. When the TrickBoot module is executed, it examines a device’s UEFI firmware to determine whether ‘write protection’ is disabled. If it is, the malware contains the functionality to read, write, and erase the firmware.

This could allow the malware to carry out numerous destructive activities, such as bricking a device, bypassing operating system security controls, or reinfecting a system even after a complete reinstall.

To check whether a UEFI BIOS has 'write protection' enabled, the module uses the RwDrv.sys driver from the RWEverything utility.

Cybersecurity firms Advanced Intelligence and Eclypsium released a joint statement reading – “All requests to the UEFI firmware stored in the SPI flash chip go through the SPI controller, which is part of the Platform Controller Hub (PCH) on Intel platforms. This SPI controller includes access control mechanisms, which can be locked during the boot process in order to prevent unauthorized modification of the UEFI firmware stored in the SPI flash memory chip.”

“Modern systems are intended to enable those BIOS write protections to prevent the firmware from being modified; however, these protections are often not enabled or misconfigured. If the BIOS is not write-protected, attackers can easily modify the firmware or even delete it completely,” it further reads.
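The quoted statement describes the protection in terms of SPI controller lock bits. As an added illustration (not code from the report, Supermicro, or Pulse Secure), the function below evaluates a BIOS_CNTL register value and reports whether the BIOS region is effectively write-protected, which is the same decision an audit tool makes. The bit positions (BIOSWE bit 0, BLE bit 1, SMM_BWP/EISS bit 5) and the host readings are assumptions and constructed data, not values from the article.

```python
from dataclasses import dataclass

# Bit positions in the PCH BIOS_CNTL register, assumed from the Intel PCH
# datasheets; verify against the datasheet for your exact chipset.
BIOSWE = 1 << 0   # BIOS Write Enable (WPD): 1 = flash writes allowed
BLE = 1 << 1      # BIOS Lock Enable (LE): setting BIOSWE triggers an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect (EISS): writes only from SMM


@dataclass
class BiosWpStatus:
    bioswe: bool
    ble: bool
    smm_bwp: bool
    protected: bool
    reason: str


def assess_bios_cntl(bios_cntl: int) -> BiosWpStatus:
    """Decide whether the BIOS region is effectively write-protected."""
    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    if bioswe:
        protected, reason = False, "BIOSWE set: flash is writable from the OS"
    elif not ble:
        protected, reason = False, "BLE clear: kernel-mode code can set BIOSWE"
    elif not smm_bwp:
        protected, reason = False, "SMM_BWP clear: BLE alone is not reliable"
    else:
        protected, reason = True, "BIOSWE clear, BLE and SMM_BWP set"
    return BiosWpStatus(bioswe, ble, smm_bwp, protected, reason)


def hosts_needing_update(readings: dict) -> list:
    """Hostnames whose BIOS_CNTL reading shows no effective write protection."""
    return sorted(h for h, v in readings.items() if not assess_bios_cntl(v).protected)


# Constructed sample readings (hypothetical hosts): BIOS_CNTL value per machine.
SAMPLE_READINGS = {
    "web-01": 0x22,  # BLE + SMM_BWP, BIOSWE clear -> protected
    "web-02": 0x02,  # BLE only -> not protected
    "db-01": 0x00,   # nothing enabled -> not protected
    "db-02": 0x23,   # BIOSWE set despite lock bits -> writable
}

if __name__ == "__main__":
    for host, value in SAMPLE_READINGS.items():
        s = assess_bios_cntl(value)
        print(f"{host}: BIOS_CNTL=0x{value:02x} protected={s.protected} ({s.reason})")
```

Reading the register itself requires a privileged tool such as chipsec; this example only interprets a value already obtained.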

The malware’s ability to examine a device’s firmware is presently limited to specific Intel platforms, including Skylake, Kaby Lake, Coffee Lake, and Comet Lake.

In advisories released by Supermicro and Pulse Secure, the companies warn that some of their X10 UP motherboards are vulnerable to the TrickBoot module and have released a ‘critical’ BIOS update to enable write protection.

The vulnerable X10 UP-series (‘Denlow’) motherboards are listed below.

1. X10SLH-F (will EOL on 3/11/2021)
2. X10SLL-F (EOL’ed since 6/30/2015)
3. X10SLM-F (EOL’ed since 6/30/2015) 
4. X10SLL+-F (EOL’ed since 6/30/2015) 
5. X10SLM+-F (EOL’ed since 6/30/2015) 
6. X10SLM+-LN4F (EOL’ed since 6/30/2015)
7. X10SLA-F (EOL’ed since 6/30/2015) 
8. X10SL7-F (EOL’ed since 6/30/2015) 
9. X10SLL-S/-SF (EOL’ed since 6/30/2015) 

Supermicro has released BIOS version 3.4 to fix the vulnerability but has only released it publicly for the X10SLH-F motherboard. Pulse Secure likewise issued an advisory, as its Pulse Secure Appliance 5000 (PSA-5000) and Pulse Secure Appliance 7000 (PSA-7000) devices run on vulnerable Supermicro hardware.