Merlin Labs Memo -- Week of May 29-June 2


Government Agencies Aren’t Maintaining FedRAMP Standards for Authorized Vendors

The Government Accountability Office (GAO) recently completed an audit across four large government agencies (Treasury, Labor, Homeland Security and Agriculture) and fifteen FedRAMP (Federal Risk and Authorization Management Program) authorized systems in use across those agencies. The audit revealed that only four of the fifteen systems were fully in compliance with the FedRAMP program’s requirements. The findings also showed deficiencies related to both the implementation and the continuous monitoring requirements of the FedRAMP controls baseline. -- Via: FedScoop

Our Take: Cybersecurity is a hot topic. Damage and losses caused by a lack of adequate cybersecurity are an even hotter topic, with the average cost of a data breach exceeding the $4 million mark according to a study by IBM and the Ponemon Institute. In response to these disruptive trends, government regulatory agencies such as NIST and OMB have invested considerable effort into defining baseline standards and issuing prescriptive guidance to help organizations mitigate the associated risks. FedRAMP is one resulting program and aims to mitigate the risk associated with the government’s use of cloud solutions by requiring those solutions to meet the high standards of FedRAMP’s cybersecurity control baselines. In December 2022 the White House passed the FedRAMP Authorization Act, codifying the program into law. One of the tenets of the law is that a FedRAMP authorization carries a “presumption of adequacy”, thereby allowing authorized cloud solutions to be used by any federal agency without further validation or assessment. This audit shines a cautionary spotlight on the concept of presumption and tells us there is a lot more work to do on program improvement, as well as in our collective fight against threat actors and cyber criminals. The takeaway here is twofold. First, cybersecurity control standards are only effective if they are expertly implemented and diligently adhered to. Second, maintaining a cybersecurity posture that consistently meets those standards requires a focused and ongoing commitment. It’s not a one-and-done type of effort. It’s not easy. It’s a continuous learning journey for all involved. Finally, it’s not the time to point fingers; rather, it’s the time to learn from this audit and make the changes necessary to do better tomorrow than we did yesterday. -- Sarah Hensley


Let’s Talk Supply Chain – Gigabyte Boards Are Now Your Vector of Choice

Motherboards are providing the entry point into an organization’s infrastructure. Gigabyte motherboards are the latest to be actively exploited via their management utility for UEFI BIOS updates.

Cybersecurity firm Eclypsium discovered:

  • “detected firmware on Gigabyte systems that drops an executable Windows binary that is executed during the Windows startup process.
  • This executable binary insecurely downloads and executes additional payloads from the Internet.”

There are mixed reports of active exploitation of the UEFI update process; however, Gigabyte was breached in 2021 and 2022, and their UEFI update via App Center has minimal security applied to it. -- Via: Eclypsium

Our Take: While it’s Gigabyte’s turn to be the target of the day, the difficulty of updating a system’s motherboard firmware has been around for years. In 2022 it was AMI motherboards within BMC servers, and there have been others over the last few years. The issue stems from the innate difficulty of updating a system’s motherboard BIOS. Doing so requires extensive permissions for the updating software at the system level, direct machine-level access, and administrative rights at the OS level for the BIOS updater to do its job. This creates a security hole within the system that, if not locked down properly, leaves the consumer open to attack. The problem for the manufacturers is that the BIOS utilities must be usable by a normal consumer as well as by expert IT support teams. Thus the tools are built to the lowest common denominator of simplicity.

If breached, ridding an environment of the UEFI infection is a long-term task and will usually require direct access to the infected system.

How to Mitigate at the Enterprise level?

  • Use an endpoint privilege manager to limit access to the Gigabyte App Center update tool.
  • Scan and verify the signature of the UEFI download.
  • Only allow BIOS updates from software deployment managers.
  • In the short term, block these URLs from Gigabyte and centralize the update policy for your organization, at least until a better strategy appears.
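One way to enforce the four controls above as a download gate in front of the deployment manager, as an added example that is not code from Gigabyte, Eclypsium or Merlin: it rejects plain-HTTP transport, hosts outside an allow-list, updates not initiated by the deployment manager, and images whose SHA-256 does not match a pinned manifest. The pinned digest stands in for the vendor signature check here, and the hostnames, file name and digests are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed enterprise policy. Hostnames and digests are placeholders,
# not Gigabyte's real update servers or published image hashes.
ALLOWED_HOSTS = {"firmware.example-vendor.invalid"}
ALLOWED_SOURCES = {"deployment-manager"}  # not the end-user App Center client
PINNED_SHA256 = {
    "board-X.F10.bin": hashlib.sha256(b"APPROVED FIRMWARE IMAGE F10").hexdigest(),
}


def check_update(url: str, filename: str, blob: bytes, source: str) -> list:
    """Evaluate one BIOS/UEFI image download against the policy.
    Returns the list of violations; an empty list means the image may be
    staged by the deployment manager."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("insecure transport: %s" % (parsed.scheme or "none"))
    if parsed.hostname not in ALLOWED_HOSTS:
        problems.append("host not on allow-list: %s" % parsed.hostname)
    if source not in ALLOWED_SOURCES:
        problems.append("update not initiated by a deployment manager: %s" % source)
    expected = PINNED_SHA256.get(filename)
    if expected is None:
        problems.append("no pinned digest for %s" % filename)
    elif not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected):
        problems.append("digest mismatch for %s" % filename)
    return problems


# Constructed cases: the insecure pattern from the report versus a controlled one.
GOOD_IMAGE = b"APPROVED FIRMWARE IMAGE F10"
TAMPERED_IMAGE = GOOD_IMAGE + b"TAMPERED"


def demo():
    insecure = check_update("http://updates.unknown-host.invalid/board-X.F10.bin",
                            "board-X.F10.bin", TAMPERED_IMAGE, "app-center")
    controlled = check_update("https://firmware.example-vendor.invalid/board-X.F10.bin",
                              "board-X.F10.bin", GOOD_IMAGE, "deployment-manager")
    return insecure, controlled
```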

Is this a moment for panic? No, it is not; however, it is a powerful argument for supply chain monitoring, so that you know whether potentially affected systems are within your environment and whether you are vulnerable to these types of attacks. As the industry moves forward we should see a greater need for supply chain monitoring and mitigation. -- Jeremy Newberry


Return to a Spotlight on OT – Russia Focuses on the Energy Sector, from Industroyer to CosmicEnergy

“CosmicEnergy was created to target a communication protocol commonly used in the electric power industry in Europe, the Middle East, and Asia. This protocol facilitates the exchange of data between control centers and various devices, including remote terminal units (RTUs), that are essential for operating and controlling electric transmission and distribution systems.” -- Via: The Record

“The malware specifically targets IEC-104-compliant remote terminal units (RTUs) commonly used in electric transmission and distribution operations across Europe, the Middle East, and Asia.” -- Via: Bleeping Computer

Our Take: For cyber defenders, Ukraine continues to be the proving ground for new attack methods and vectors targeting the energy sector. While this case is specifically attributed to Russia, they are not the only aggressor that targets OT infrastructure.

  • COSMICENERGY: COSMICENERGY is a modular malware that can be used to steal data, disable systems, or cause physical damage. It is believed to have been developed by the Russian government's GRU intelligence agency.
  • Industroyer: Industroyer is a destructive malware that is designed to cause physical damage to ICS systems. It was used in a cyberattack against a Ukrainian power plant in 2016 that left hundreds of thousands of people without power.

Ramifications: The use of COSMICENERGY and Industroyer malware strains poses a serious threat to critical infrastructure. These malware strains are capable of causing widespread damage to power grids, water systems, and other critical systems.

What can be done to mitigate the risk? There are a number of things that can be done to mitigate the risk of attack by COSMICENERGY or Industroyer malware strains. These include:

  • Implementing strong security measures on ICS systems. This includes using strong passwords, keeping software up to date, and implementing firewalls and intrusion detection systems.
  • Training employees on cybersecurity best practices. Employees should be aware of the risks of cyberattacks and how to spot and report suspicious activity.
  • Working with security vendors to stay up-to-date on the latest threats. Security vendors can provide information on new malware strains and how to protect against them. -- Jeremy Newberry
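The intrusion detection item above, applied to the IEC-104 traffic the quoted reports describe, as an added example that is not code from Mandiant, The Record, Bleeping Computer or Merlin: it parses the IEC 60870-5-104 APCI/ASDU header and raises an alert when a control-direction command (single, double, regulating-step, set-point or bitstring command) with an activation cause arrives from a host that is not a known control-centre master. The IP addresses and frames are constructed, not captured from any incident.

```python
import struct

# IEC 60870-5-104 type IDs for process commands in the control direction
# (single, double, regulating-step, set-point and bitstring commands).
CONTROL_TYPE_IDS = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
                    48: "C_SE_NA_1", 49: "C_SE_NB_1", 50: "C_SE_NC_1",
                    51: "C_BO_NA_1"}
COT_ACTIVATION = 6  # cause of transmission: activation


def parse_apdu(data: bytes):
    """Parse one APDU (APCI + ASDU). Returns None for S/U-format frames,
    which carry no ASDU, and raises ValueError on malformed input."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        raise ValueError("malformed APCI")
    ctrl = data[2:6]
    if ctrl[0] & 0x01:  # bit 0 set: S-format (01) or U-format (11)
        return None
    asdu = data[6:]
    if len(asdu) < 9:  # 6-byte header plus at least one 3-byte IOA
        raise ValueError("truncated ASDU")
    type_id, vsq, cot, _originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    return {"send_seq": (ctrl[0] >> 1) | (ctrl[1] << 7),
            "type_id": type_id, "n_objects": vsq & 0x7F,
            "cause": cot & 0x3F, "common_addr": common_addr,
            "ioa": int.from_bytes(asdu[6:9], "little")}


def detect_unexpected_commands(frames, allowed_masters):
    """frames: iterable of (src_ip, apdu_bytes). Returns alerts for activation
    commands to RTUs that did not originate from a known control-centre master."""
    alerts = []
    for src, raw in frames:
        apdu = parse_apdu(raw)
        if apdu is None or apdu["type_id"] not in CONTROL_TYPE_IDS:
            continue  # keep-alives, interrogation and monitoring data are not flagged
        if apdu["cause"] == COT_ACTIVATION and src not in allowed_masters:
            alerts.append((src, CONTROL_TYPE_IDS[apdu["type_id"]],
                           apdu["common_addr"], apdu["ioa"]))
    return alerts


# Constructed sample traffic (hand-built frames, not a real capture).
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("680e000000002d010600010001000001")),   # master: single command ON, CA 1, IOA 1
    ("10.0.0.99", bytes.fromhex("680443000000")),                       # TESTFR act (U-format), no ASDU
    ("10.0.0.99", bytes.fromhex("680e0000000064010600010000000014")),  # station interrogation (type 100)
    ("10.0.0.99", bytes.fromhex("680e000000002e010600010002000002")),  # rogue host: double command ON, IOA 2
]
```

Running `detect_unexpected_commands(SAMPLE_FRAMES, {"10.0.0.5"})` flags only the double command from 10.0.0.99; the allowed master's command, the keep-alive and the interrogation pass through.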

Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email labs@merlincyber.com. Thank you!
