
Firmware-level threat added to Trickbot's capabilities, according to a new report

Enterprise resiliency planning takes centre stage following the revelation, as researchers highlight the potential for widespread destruction.


In a significant development, the notorious Trickbot botnet has added a new function to its arsenal, one that targets Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS) firmware. This expansion has raised concerns among cybersecurity experts, who warn that, from a recovery standpoint, the potential destruction from Trickbot could be more severe than that caused by other malware such as NotPetya.

The new function, named Trickboot, was discovered by researchers at IBM. Trickboot is currently limited to checking the SPI controller, which governs the system UEFI/BIOS, and testing whether the BIOS has write protection enabled. If Trickbot actors were to modify just one line of code in the module as currently observed, they could brick the device at the firmware level.
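The setting Trickboot is described as probing is the BIOS region write lock in the SPI controller. As an added defensive example (not code from the report, and not the malware's module), the following Python decodes the write-protection bits of the Intel PCH BIOS_CNTL register and grades a host the way firmware scanners such as CHIPSEC's bios_wp check do. The bit positions are assumed to match Intel's PCH documentation, and the register values are constructed samples rather than readings from real machines.

```python
# Added defensive example: decode the BIOS_CNTL register bits that control
# SPI flash write protection on Intel PCH platforms and grade the result the
# way firmware scanners such as CHIPSEC's common.bios_wp module do.
# Bit positions follow Intel PCH BIOS_CNTL documentation (assumed correct for
# the platform being assessed; verify against the chipset datasheet).
from dataclasses import dataclass

BIOSWE = 1 << 0    # BIOS Write Enable: 1 = OS-level writes to the BIOS region allowed
BLE = 1 << 1       # BIOS Lock Enable: 1 = attempts to set BIOSWE trigger an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = region writable only while in SMM


@dataclass(frozen=True)
class BiosWriteProtection:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def is_protected(self) -> bool:
        """True only when the lock is armed, writes are off and SMM_BWP is set."""
        return self.ble and not self.bioswe and self.smm_bwp

    @property
    def verdict(self) -> str:
        if self.is_protected:
            return "PROTECTED"
        if self.ble and not self.bioswe:
            return "WEAK"          # locked, but without SMM_BWP reinforcement
        return "UNPROTECTED"       # writable from the OS; remediate first


def decode_bios_cntl(value: int) -> BiosWriteProtection:
    """Decode a raw 8-bit BIOS_CNTL value into its write-protection fields."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is an 8-bit register")
    return BiosWriteProtection(
        bioswe=bool(value & BIOSWE),
        ble=bool(value & BLE),
        smm_bwp=bool(value & SMM_BWP),
    )


def triage(inventory: dict) -> dict:
    """Map hostname -> verdict for a fleet inventory of raw BIOS_CNTL values."""
    return {host: decode_bios_cntl(raw).verdict for host, raw in inventory.items()}


if __name__ == "__main__":
    # Constructed sample values, not readings from real machines.
    sample = {"ws-01": 0x2A, "ws-02": 0x0A, "ws-03": 0x01, "ws-04": 0x08}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Hosts graded WEAK or UNPROTECTED are the ones where a firmware-writing module would succeed, so they belong at the top of the remediation list.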

Trickbot has historically been associated with Ryuk ransomware attacks, and in October the Cybersecurity and Infrastructure Security Agency (CISA) warned industries to brace for an uptick in Ryuk attacks. That same month, Microsoft and U.S. Cyber Command began dismantling Trickbot's infrastructure, but warned that there was no guarantee the botnet would be destroyed. The latest discovery suggests that the Trickbot toolset authors are continuously releasing new capabilities in the form of modules, and Trickboot is the latest.

RwDrv.sys, embedded within the malware, allows attackers to write to firmware on virtually any device component. This is possible because RwDrv.sys is the driver that ships with the RWEverything tool, which provides low-level access to system components.

Researchers also found 'PermaDll' in the code of the Trickboot module, which allows attackers to check for administrative privileges. Trickboot's code has the ability to read, write, and erase firmware, posing a significant threat to devices.

In a compromised boot process, attackers can take over the operating system to establish ongoing persistence, even with a reinstalled operating system. This new function could potentially brick devices at the firmware level, making recovery much more difficult and time-consuming.

Scott Scheferman, principal cyber strategist at Eclypsium, suggests that the discovery of Trickboot has significant implications for resilience planning in large enterprises, critical infrastructure, operational environments, and healthcare. Organizations are advised to apply patches for operating systems, software, and firmware immediately to protect against Trickbot and Ryuk attacks. The new threat to firmware makes it crucial for organizations to keep all patching, firmware included, up to date.

As of now, Trickboot has not yet been observed in the wild, but the actors behind Trickbot maintain an arsenal of modules that they deploy only as needed. This new function serves as a reminder of the constant evolution of cyber threats and of the need for continuous vigilance and proactive measures in cybersecurity.
