Chinese Launched Hacking Website as COVID Lockdowns Emerged

For months now, I’ve joined the voices sounding the alarm about how bad actors compromise our computers before the operating system is loaded. I have observed computers compromised before initial boot, fresh out of the box. Vulnerabilities exist in various component devices attached to computer motherboards and smartphone circuit boards that can allow for compromise before delivery to the end customer. Current malware attacks can often exploit the hardware, including memory modules, peripheral card option ROMs or USB devices, turning them into antennas for two-way near-band RF communications. Malware can now enter through a PC’s hardware, not its software, thus allowing it to bypass protections from even the most robust antivirus software. The implications of this are enormous. Affected computers can be taken over and theoretically be exploited to turn off alerts, sensors, and cooling systems to trigger fires and explosions in refineries, food plants, and critical infrastructure.

Current attack vectors and news reports remind me of the last time the NSA experienced a breach of its cyber weapons cache, leaving the backdoors built into microprocessors open to exploitation by our adversaries, as reported by the New York Times and the Wall Street Journal back in 2016 and 2017. History repeats itself once again, with encryption security measures breaking down and not keeping pace with the present.

Given the uptick in cyber outages, as a researcher, I have been trying to get to the root of the problem.

Last week, after reading ESET’s well-written write-up on the latest in-the-wild nation-state malware, BlackLotus, I performed some online searches. ESET’s security researcher Martin Smolár detailed how malware can gain persistence by flashing the SPI chip that stores the BIOS and UEFI. The Serial Peripheral Interface (SPI) is a synchronous serial communication interface specification used for short-distance communication, primarily in embedded systems.

The SPI chip is the initial chip that controls which encryption platform and software signing keys are allowed to run on the microprocessor, and it is the earliest storage space addressed by smartphones, computers and other modern microprocessor-driven computing devices. Malware is now able to bypass UEFI Secure Boot and take over devices by exploiting side-channel attacks on AES-256 encryption. Weak or now-compromised digital code-signing certificates, still broadly trusted by many computing devices, are vouching for malware, allowing it to root and take over computing devices. Free and low-cost tutorials now place nation-state hacking within the reach of teenage hackers and criminal enterprises.

I searched github.com for source code that attempts to alter the SPI chip, in an effort to locate source code related to exploits of the SPI chip.

My searches of github.com led me to the following repository: Releases · Push3AX/GrabAccess, https://github.com/Push3AX/GrabAccess/releases. GrabAccess reports the ability to bypass Windows BitLocker-encrypted drives. My analysis of some of the source code shows that the malware attempts to read the location in memory where GRUB (GRand Unified Bootloader), the initial boot loader, is located and to initialize the SPI.

https://github.com/Push3AX/GrabAccess/blob/998d87e2e802a5050b08795c923ee1b9252431b5/GrabAccess_SourceCode/Grab2/include/grub/arm/coreboot/kernel.h

The code later overwrites the SPI: https://github.com/Push3AX/GrabAccess/blob/998d87e2e802a5050b08795c923ee1b9252431b5/GrabAccess_SourceCode/Grab2/grub-core/bus/spi/rk3288_spi.c

This exploit code was posted on August 26, 2022, shortly after Russia launched cyber attacks on Ukraine’s nuclear and power facilities.

GrabAccess exploits known vulnerabilities that allow for software code to take over computing devices.

Further searches for GrabAccess revealed many other github.com clones of the source code. Many of these repositories contain Chinese-language references.

andrey888888 · GitHub https://github.com/andrey888888

https://github.com/CaledoniaProject/awesome-opensource-security/blob/master/firmware-tools.md

https://www.opensourceagenda.com/projects/grabaccess

GrabAccess appears to exploit the Windows Platform Binary Table (WPBT), which can allow a less secure signing certificate to inject code into the SPI chip that contains the UEFI and BIOS in modern computers.
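A defender’s first question about WPBT is whether the firmware of a given machine exposes such a table at all. The following read-only PowerShell script is an added example, not code from this post or from the GrabAccess project; it enumerates the ACPI tables through the documented Win32 API and reports a WPBT if one is present. The class name FirmwareTables is my own, and the offsets of the WPBT-specific fields after the standard 36-byte ACPI header are assumed from Microsoft’s WPBT specification.

```powershell
# Added example: detect whether this machine's firmware publishes a
# Windows Platform Binary Table (WPBT). Read-only; no firmware is modified.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class FirmwareTables {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buffer, uint size);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
}
"@

$ACPI = 0x41435049   # provider signature 'ACPI' as documented by Microsoft

# First call with an empty buffer returns the size needed; second call fills it.
$need = [FirmwareTables]::EnumSystemFirmwareTables($ACPI, $null, 0)
$buf  = New-Object byte[] $need
[void][FirmwareTables]::EnumSystemFirmwareTables($ACPI, $buf, $need)

# The buffer is a packed list of 4-byte ASCII table signatures.
$sigs = for ($i = 0; $i -lt $buf.Length; $i += 4) {
    [Text.Encoding]::ASCII.GetString($buf, $i, 4)
}
"ACPI tables: " + ($sigs -join ' ')

if ($sigs -notcontains 'WPBT') {
    "No WPBT table: the firmware does not ask Windows to run a platform binary."
    return
}

# The table ID is the signature's bytes read as a little-endian DWORD.
$id   = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('WPBT'), 0)
$need = [FirmwareTables]::GetSystemFirmwareTable($ACPI, $id, $null, 0)
$tbl  = New-Object byte[] $need
[void][FirmwareTables]::GetSystemFirmwareTable($ACPI, $id, $tbl, $need)

# Standard ACPI header: OEM ID at offset 10 (6 bytes). WPBT-specific fields
# (assumed layout): handoff size UINT32 at 36, physical address UINT64 at 40.
$oemId   = [Text.Encoding]::ASCII.GetString($tbl, 10, 6).Trim()
$binSize = [BitConverter]::ToUInt32($tbl, 36)
$binAddr = [BitConverter]::ToUInt64($tbl, 40)
"WPBT present: OEM '$oemId', platform binary of {0} bytes at physical 0x{1:X}" -f $binSize, $binAddr
"Next step: confirm the binary's signer matches the OEM's documented platform agent."
```

A WPBT is legitimate on some OEM systems, so its presence is an inventory signal to investigate rather than proof of compromise.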

I observed a second project that appears to contain code related to the NSA’s ANT project, which uses wireless communications to communicate with nearby devices: USBAirborne (GitHub – Push3AX/USBAirborne). Its description reads: “USBAirborne Firmware is an Ant project that utilizes radio frequency communications to communicate with other devices nearby.”

It appears that this new version of the ANT Project source code was dated March 13, 2022.

Oshwhub.com is a website, launched in 2000, that offers various hacking devices capable of compromising various electronic devices. The site also runs competitions, with awards for winners who compete at hacking various analog and digital devices, for the presumed benefit of China.

The ANT Project related code posted to github.com appears to be connected to this page: https://oshwhub.com/pusheax/album/ANT-Project

(Page title: Album details page - Jialichuang EDA open source hardware platform, oshwhub.com)

USBAirborne allows for the takeover of USB devices turning them into transmitters and receivers.

My review of the referenced website oshwhub.com indicates that the domain is based in Beijing, China.

The website contains references to source code related to the NSA’s Tailored Access Operations group.

The website also appears to offer to train students to meet China’s needs in the area of computers and electronics (aka cyber warfare).

Oshwhub.com appears to have been first captured by the Wayback Machine (archive.org) on April 4th, 2020.

This website appears to be an information hub and a vehicle for China to attain dominance in hacking hardware and computers, and to provide scholarships to aspiring engineers.

My review of the GrabAccess code that attempts to alter the SPI contents showed that the VeriSign certificate “VeriSignG5.cer” is used to sign the malware and write to the SPI. This certificate needs to be revoked by default on new computers to stop this type of exploitation. Microsoft could be a big help here!

GrabAccess/VeriSignG5.cer at main · Push3AX/GrabAccess · GitHub

https://github.com/Push3AX/GrabAccess/blob/main/GrabAccess_Release/bin/VeriSignG5.cer


VirusTotal details on this evil certificate can be found at https://www.virustotal.com/gui/url/670bfa79cbc2c2ebac7bb6ad7afb159a550b472408fb23d63f5b58adad01394a/details

Please flag this as bad on virustotal.com. https://www.virustotal.com/gui/url/670bfa79cbc2c2ebac7bb6ad7afb159a550b472408fb23d63f5b58adad01394a/details
