For months now, I’ve joined the voices sounding the alarm about how bad actors compromise our computers before the operating system is loaded. I have observed computers compromised before initial boot, fresh out of the box. Vulnerabilities in the various component devices attached to computer motherboards and smartphone circuit boards can allow compromise before delivery to the end customer. Current malware can target the hardware and firmware below the operating system, including memory modules, the option ROMs on peripheral cards, and USB devices, in the last case turning them into antennas for two-way near-band RF communication. Malware that enters through a PC’s hardware rather than its software bypasses the protections of even the most robust antivirus software. The implications of this are enormous: affected computers can be taken over and, in theory, exploited to turn off alerts, sensors, and cooling systems to trigger fires and explosions in refineries, food plants, and critical infrastructure.
Current attack vectors and news reports remind me of the last time the NSA experienced a breach of its cyber-weapons cache, leaving the backdoors built into microprocessors vulnerable to exploitation by our adversaries, as reported by the New York Times and the Wall Street Journal in 2016 and 2017. History repeats itself once again, with encryption and security measures failing to keep pace with the present.
Given the uptick in cyber outages, as a researcher I have been trying to get to the root of the problem.
Last week, after reading ESET’s well-written write-up on the latest in-the-wild nation-state malware, BlackLotus, I performed some online searches. ESET’s security researcher Martin Smolár detailed how the bootkit bypasses UEFI Secure Boot and persists from the EFI System Partition on disk. That is one level above firmware implants, which gain persistence by flashing the SPI chip that stores the UEFI firmware (the modern successor to the BIOS). The Serial Peripheral Interface (SPI) is a synchronous serial communication interface specification used for short-distance communication, primarily in embedded systems; on a PC motherboard it is the bus through which the firmware flash chip is read and written.
The SPI flash is the first storage the processor reads after reset, so its contents run before anything else on PCs and many other microprocessor-driven devices. Besides the firmware itself, it holds the firmware’s non-volatile variables, including the Secure Boot key databases (PK, KEK, db and dbx) that decide which signed boot components are allowed to run. Secure Boot relies on digital signatures, not on AES encryption, so malware does not bypass it by attacking AES-256; it bypasses it by loading a legitimately signed but vulnerable boot component that the platform has not yet revoked. Weak or compromised signing certificates, and signed binaries with known flaws, still broadly trusted by many computing devices, are vouching for malware and allowing it to root and take over those devices. Free and low-cost tutorials now place nation-state-grade hacking within the reach of teenage hackers and criminal enterprises.
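How that trust decision is actually made, as an added example that is not part of the original post and is not code from ESET or from any project named on this page: firmware stores db (allow) and dbx (deny) as EFI_SIGNATURE_LIST structures in the flash variable store and consults dbx before db. The script below parses that format and shows why an old, validly signed but vulnerable boot loader keeps booting until its hash reaches dbx. The variable contents, the loader "images" and the hash-only allow-listing in db are all constructed for the example; real db entries are usually X.509 certificates, and firmware hashes a PE image the Authenticode way rather than as a flat file.

```python
"""
Added example, not from the original post, ESET or any project named on this
page: the UEFI EFI_SIGNATURE_LIST format used by the Secure Boot db (allow)
and dbx (deny) variables, and the order in which firmware consults them.
All variable contents and "images" below are constructed for this example.
"""
import hashlib
import struct
import uuid
from typing import Iterator, Tuple

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType (16-byte GUID) followed by
# SignatureListSize, SignatureHeaderSize, SignatureSize (three UINT32) = 28 bytes.
SIGLIST_HEADER = struct.Struct("<III")
SIGLIST_HEADER_SIZE = 16 + SIGLIST_HEADER.size


def parse_signature_lists(blob: bytes) -> Iterator[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    variable made of concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off < len(blob):
        if off + SIGLIST_HEADER_SIZE > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(blob, off + 16)
        end = off + list_size
        if list_size < SIGLIST_HEADER_SIZE or end > len(blob) or sig_size <= 16:
            raise ValueError("corrupt EFI_SIGNATURE_LIST")
        pos = off + SIGLIST_HEADER_SIZE + hdr_size
        while pos + sig_size <= end:
            # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID, then the data.
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def build_signature_list(sig_type: uuid.UUID, entries: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST of equal-length entries (owner GUID zeroed)."""
    owner = uuid.UUID(int=0).bytes_le
    sig_size = 16 + len(entries[0])
    body = b"".join(owner + e for e in entries)
    header = SIGLIST_HEADER.pack(SIGLIST_HEADER_SIZE + len(body), 0, sig_size)
    return sig_type.bytes_le + header + body


def sha256_entries(variable: bytes) -> set:
    """All SHA-256 hash entries in a db/dbx variable (X.509 entries are skipped)."""
    return {data for t, _, data in parse_signature_lists(variable) if t == EFI_CERT_SHA256_GUID}


def secure_boot_allows(db: bytes, dbx: bytes, image: bytes) -> bool:
    """The firmware decision: dbx (deny) is checked first and always wins over db.
    Real firmware also accepts an image whose Authenticode signature chains to an
    X.509 entry in db; this model keeps to SHA-256 hash entries over raw bytes."""
    digest = hashlib.sha256(image).digest()
    if digest in sha256_entries(dbx):
        return False
    return digest in sha256_entries(db)


# Constructed scenario: a patched loader and an old, vulnerable but validly
# signed loader are both allow-listed in db. The stale dbx lists only an
# unrelated hash; the updated dbx adds the old loader's hash.
GOOD_LOADER = b"constructed: patched boot loader"
OLD_LOADER = b"constructed: old, vulnerable, validly signed boot loader"
UNRELATED = hashlib.sha256(b"constructed: unrelated revoked image").digest()
DB = build_signature_list(EFI_CERT_SHA256_GUID,
                          [hashlib.sha256(GOOD_LOADER).digest(), hashlib.sha256(OLD_LOADER).digest()])
DBX_STALE = build_signature_list(EFI_CERT_SHA256_GUID, [UNRELATED])
DBX_UPDATED = build_signature_list(EFI_CERT_SHA256_GUID,
                                   [UNRELATED, hashlib.sha256(OLD_LOADER).digest()])


def demo() -> dict:
    return {
        "old loader with stale dbx": secure_boot_allows(DB, DBX_STALE, OLD_LOADER),        # True: the bypass
        "old loader with updated dbx": secure_boot_allows(DB, DBX_UPDATED, OLD_LOADER),    # False: revoked
        "patched loader": secure_boot_allows(DB, DBX_UPDATED, GOOD_LOADER),                # True
        "unsigned bootkit": secure_boot_allows(DB, DBX_UPDATED, b"constructed: bootkit"),  # False
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'boots' if allowed else 'blocked'}")
```

On a Linux host the live variables can be read (as root) from /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f and the matching dbx-… file; skip the 4-byte attribute prefix and pass the rest to parse_signature_lists(). The point of the scenario is that a stale dbx, not a weakness in AES, is what lets an old signed loader, and a bootkit that rides on it, through Secure Boot.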
I searched github.com for source code that attempts to alter the SPI chip, in an effort to locate exploits related to the SPI flash.
My searches of github.com led me to the following repository: https://github.com/Push3AX/GrabAccess/releases. GrabAccess reports the ability to bypass Windows BitLocker-encrypted drives. My analysis of some of the source code shows that the malware attempts to read the location of where GRUB (GRand Unified Bootloader), the initial boot loader, is located in memory and initializes the SPI.
This exploit code was posted on August 26, 2022, shortly after Russia launched cyber attacks on Ukraine’s nuclear and power facilities.
GrabAccess exploits known weaknesses that allow code to take over a computer before the operating system’s own protections apply.
Further searches for GrabAccess revealed many other github.com clones of the source code. Many of these repositories are written in Chinese.
GrabAccess appears to rely on the Windows Platform Binary Table (WPBT), an ACPI table through which firmware hands Windows a native executable that the Session Manager runs with SYSTEM privileges early in boot. Windows requires that executable to be signed but historically did not enforce revocation, so a binary signed under an expired or revoked certificate chain is accepted. The payload is carried in memory and described by the ACPI table; nothing in this mechanism writes to the SPI chip that holds the UEFI firmware (formerly the BIOS) in modern computers.
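What a WPBT table actually hands over, as an added example that is not from the original post, from GrabAccess or from Microsoft: a 36-byte ACPI header followed by a handoff size, a physical address, a content layout, a content type and an optional UTF-16 command line. The parser below validates the header and checksum and reports where the table points, which is the quick check a responder wants on a suspect machine. The table produced by build_wpbt(), including the address in it, is constructed for the example.

```python
"""
Added example, not from the original post, from GrabAccess or from Microsoft:
a parser for the ACPI WPBT table that Windows' Session Manager reads at boot,
usable as a quick check on a suspect machine. Every table built by
build_wpbt() below, including the addresses in it, is constructed.
"""
import struct
from pathlib import Path
from typing import Optional

# Standard ACPI description header (36 bytes): Signature, Length, Revision,
# Checksum, OEM ID, OEM Table ID, OEM Revision, Creator ID, Creator Revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9
# WPBT fields after the header: HandoffMemorySize (u32), HandoffMemoryLocation
# (u64 physical address of the PE image), ContentLayout (u8, 1 = single PE
# image), ContentType (u8, 1 = native user-mode application), CmdLineLength
# (u16, in bytes). A UTF-16LE command line follows.
WPBT_BODY = struct.Struct("<IQBBH")
WPBT_SYSFS = Path("/sys/firmware/acpi/tables/WPBT")   # where Linux exposes the table


def acpi_checksum_ok(table: bytes) -> bool:
    """ACPI tables are valid when all their bytes sum to zero modulo 256."""
    return (sum(table) & 0xFF) == 0


def parse_wpbt(table: bytes) -> dict:
    """Validate the header and return what the table hands to Windows."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _csum, oem_id, oem_table, _oem_rev, _cid, _crev = \
        ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: signature {sig!r}")
    if length != len(table):
        raise ValueError("ACPI Length field does not match the table size")
    size, location, layout, ctype, cmd_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    cmd_off = ACPI_HEADER.size + WPBT_BODY.size
    cmdline = table[cmd_off:cmd_off + cmd_len].decode("utf-16-le").rstrip("\0")
    return {
        "oem_id": oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oem_table.rstrip(b"\0 ").decode("ascii", "replace"),
        "checksum_ok": acpi_checksum_ok(table),
        "handoff_size": size,
        "handoff_location": location,   # physical address the binary is read from
        "content_layout": layout,
        "content_type": ctype,
        "cmdline": cmdline,
    }


def build_wpbt(handoff_location: int, handoff_size: int, cmdline: str = "") -> bytes:
    """Constructed WPBT with a correct checksum, so the parser can run offline."""
    cmd = cmdline.encode("utf-16-le")
    body = WPBT_BODY.pack(handoff_size, handoff_location, 1, 1, len(cmd)) + cmd
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"EXMPLE", b"EXAMPLE ", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF   # make the byte sum zero
    return bytes(table)


def check_system() -> Optional[dict]:
    """On Linux: parse the live table if the firmware exposes one, else None."""
    if not WPBT_SYSFS.is_file():
        return None
    return parse_wpbt(WPBT_SYSFS.read_bytes())   # needs root to read sysfs ACPI tables


if __name__ == "__main__":
    sample = build_wpbt(handoff_location=0x7FF00000, handoff_size=0x20000, cmdline="/quiet")
    print(parse_wpbt(sample))
    print("live WPBT:", check_system())
```

On Linux, check_system() reads the live table from sysfs (root required); a machine whose firmware exposes no WPBT returns None. On Windows the Session Manager writes the handed-off binary to %SystemRoot%\System32\wpbbin.exe, so an unexpected file there is evidence that a WPBT was present at boot, and setting the DisableWpbtExecution DWORD to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager stops Windows from executing it at all.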
I observed a second project that appears to contain code related to the NSA’s ANT project and that uses wireless communications to talk to nearby devices: the GitHub repository Push3AX/USBAirborne, described as “USBAirborne Firmware is an Ant project that utilizes radio frequency communications to communicate with other devices nearby.”
This new version of the ANT Project source code appears to be dated March 13, 2022.
Oshwhub.com, a website launched in 2000, hosts designs for various hacking devices that can be used to compromise electronic devices. The site also runs competitions and awards prizes to entrants who compete at hacking various analog and digital devices, presumably for China’s benefit.
The ANT Project related code posted to github.com appears to be connected to this page: https://oshwhub.com/pusheax/album/ANT-Project.
USBAirborne is firmware that turns a USB device into a radio transmitter and receiver.
My review of the referenced website oshwhub.com indicates that the source domain is based out of Beijing, China.
The website contains references to source code related to the NSA’s Tailored Access Operations group, whose ANT catalog of hardware implants leaked in 2013.
The website also appears to offer training for students to meet China’s needs in computers and electronics (i.e., cyber warfare).
Oshwhub.com appears to have been first captured by the Wayback Machine (archive.org) on April 4, 2020.
This website appears to be an information hub and a vehicle for China to attain dominance in hacking hardware and computers, and to provide scholarships to aspiring engineers.
My review of the GrabAccess code that attempts to alter the SPI contents showed that the Verisign certificate “VeriSignG5.cer” is used to sign the malware and write to the SPI. This certificate needs to be revoked by default on new computers to stop this type of exploitation. Microsoft could be a big help here!
The certificate file is at GrabAccess/VeriSignG5.cer on the main branch of Push3AX/GrabAccess on GitHub.
VirusTotal’s details on this certificate’s URL can be found at https://www.virustotal.com/gui/url/670bfa79cbc2c2ebac7bb6ad7afb159a550b472408fb23d63f5b58adad01394a/details
Please flag this as bad on virustotal.com.