Supermicro and Pulse Secure released patches to protect against TrickBot malware attacks

Supermicro and Pulse Secure have issued warnings that some of their motherboards are vulnerable to the UEFI infection module of the TrickBot malware.

Recall that last year, in a joint report, experts from Advanced Intelligence (AdvIntel) and Eclypsium presented the technical details of the new TrickBot component.

The component, named TrickBoot, is a reconnaissance tool that checks for vulnerabilities in the UEFI firmware of an infected device. Currently, the malware’s ability to analyze device firmware is limited to specific Intel platforms (Skylake, Kaby Lake, Coffee Lake, Comet Lake).

The new module checks whether UEFI/BIOS write protection is enabled, using the RwDrv.sys driver from RWEverything (a free utility that provides access to hardware components). If protection is disabled, the malware gains the ability to read, write, and delete firmware. It can then lock the device, bypass operating system security controls, or reinfect the system even after a complete reinstallation.

“BIOS/UEFI write protection is available on modern systems, but this feature is often not active or configured incorrectly, which allows attackers to modify the firmware or remove it to lock the device. The consequences associated with obtaining such persistence on a device by an attacker are extremely dangerous, especially in the case of TrickBot. In addition to using UEFI implants as leverage in negotiations to increase the ransom price, cybercriminals can retain access to machines even after the victim pays them to access compromised systems,” said information security specialists.
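To audit the write-protection state described above, the following added example (not code from the article or from the AdvIntel/Eclypsium report) classifies a reading of the Intel PCH `BIOS_CNTL` register. The register name and bit layout are taken from Intel PCH datasheets rather than from this page, the reading is assumed to come from a firmware audit tool, and the function names and sample values are hypothetical.

```python
from dataclasses import dataclass

# BIOS_CNTL bit positions per Intel PCH datasheets (assumption: not given in the article).
BIOSWE = 0x01   # BIOS Write Enable: flash writes currently permitted
BLE = 0x02      # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 0x20  # SMM BIOS Write Protect: writes honoured only from SMM
# SPI protected ranges (PRx) are a separate control and are not evaluated here.


@dataclass(frozen=True)
class WriteProtectStatus:
    bioswe: bool
    ble: bool
    smm_bwp: bool
    verdict: str   # "protected", "weak" or "unprotected"
    reason: str


def assess_bios_cntl(value: int) -> WriteProtectStatus:
    """Classify one 8-bit BIOS_CNTL reading (hypothetical helper)."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is an 8-bit register")
    bioswe, ble, smm_bwp = (bool(value & m) for m in (BIOSWE, BLE, SMM_BWP))
    if ble and smm_bwp:
        verdict, reason = "protected", "flash writes are restricted to SMM code"
    elif ble:
        verdict, reason = "weak", "lock relies only on the SMI handler clearing BIOSWE"
    else:
        verdict, reason = "unprotected", "kernel-level software can enable flash writes"
    if bioswe and verdict != "protected":
        reason += "; writes are enabled right now"
    return WriteProtectStatus(bioswe, ble, smm_bwp, verdict, reason)


def hosts_needing_update(readings: dict[str, int]) -> list[str]:
    """Return hosts whose reading is not 'protected', sorted by name."""
    return sorted(h for h, v in readings.items()
                  if assess_bios_cntl(v).verdict != "protected")


# Constructed sample readings, not taken from real systems.
SAMPLE_READINGS = {"srv-a": 0x2A, "srv-b": 0x02, "srv-c": 0x09}

if __name__ == "__main__":
    for host, value in SAMPLE_READINGS.items():
        s = assess_bios_cntl(value)
        print(f"{host}: BIOS_CNTL=0x{value:02X} -> {s.verdict} ({s.reason})")
    print("needs BIOS update or reconfiguration:", hosts_needing_update(SAMPLE_READINGS))
```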

Supermicro has warned that some of the X10 UP motherboards are vulnerable to TrickBoot malware and has released a BIOS update to enable write protection. Supermicro released BIOS 3.4 to address the vulnerability, but only released it publicly for the X10SLH-F motherboard.

Vulnerable X10 UP (“Denlow”) motherboards include X10SLH-F, X10SLL-F, X10SLM-F, X10SLL+-F, X10SLM+-F, X10SLM+-LN4F, X10SLA-F, X10SL7-F, X10SLL-S/-S … Owners of motherboards that have reached the End of Life (EOL) should contact Supermicro to access the new BIOS.

Pulse Secure has also issued a recommendation because the Pulse Secure Appliance 5000 (PSA-5000) and Pulse Secure Appliance 7000 (PSA-7000) appliances run on vulnerable Supermicro hardware. Pulse Secure has now released a BIOS patch for devices running Pulse Connect Secure or Pulse Policy Secure. Pulse Secure warns that a device reboot will be required to install the patch.

Let me also remind you that I said that though 94% of the TrickBot malware infrastructure is shut down, it is still active.
