CHIPSEC Support Against Vault 7 Disclosure Scanning

Following recent WikiLeaks Vault 7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society.

As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework that can be used to verify the integrity of EFI firmware executables on potentially impacted systems.

This work is based on many years of dedicated research conducted by the Advanced Threat Research team ( within the field of firmware security. CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low-level interfaces, and forensic capabilities. It can be run on Windows, Linux, Mac OS X, and UEFI shell. Instructions for installing and using CHIPSEC can be found in the manual.

NOTE: This software is for security testing purposes. Use at your own risk. Read WARNING.txt before using.

The framework is available at this link:


The following outlines a method that can be used to scan system firmware to determine whether it has been modified. The example we present shows the UEFI rootkit found in the HackingTeam disclosure ( To test against the most recent disclosures, a known clean list of EFI executable binaries (whitelist) must be developed and can be checked.

Below is an example of using the new tools.uefi.whitelist module on a UEFI firmware image modified to include HackingTeam’s UEFI rootkit.

  1. Generate a whitelist of EFI executable binaries from a clean/original UEFI firmware image (file named “original” in the example below). The list is generated in “original.json.” (This step assumes that there’s a way to obtain a good clean image.) In our example, 276 EFI executables were extracted from the original UEFI firmware image.

# chipsec_main -i -n -m tools.uefi.whitelist -a generate,original.json,original



[x][ =======================================================================

[x][ Module: Simple whitelist generation/checking for UEFI firmware

[x][ =======================================================================


[*] reading firmware from ‘original’…

[*] generating a list of EFI executables from firmware image…

[*] found 276 EFI executables in UEFI firmware image ‘original’

[*] creating JSON file ‘C:\chipsec\original.json’…


  1. At a later time, one can verify the integrity of UEFI firmware extracted from flash ROM memory against this list of expected EFI executables. The previous step records hashes in the file efilist.json. In our example, we verify the integrity of another UEFI firmware image, named “unpacked.” Running the tools.uefi.whitelist module against this image with “original.json” containing the expected list (whitelist) of EFI executables yields the following output.


# chipsec_main -i -n -m tools.uefi.whitelist -a check,original.json,unpacked


[x][ =======================================================================

[x][ Module: Simple whitelist generation/checking for UEFI firmware

[x][ =======================================================================


[*] reading firmware from ‘unpacked’…

[*] checking EFI executables against the list ‘C:\chipsec\original.json’

[*] found 279 EFI executables in UEFI firmware image ‘unpacked’

[!] found EFI executable not in the list: d359a9546b277f16bc495fe7b2e8839b5d0389a8



ed0dc060e47d3225e21489e769399fd9e07f342e2ee0be3ba8040ead5c945efa (sha256)

[!] found EFI executable not in the list: 64d44b705bb7ae4b8e4d9fb0b3b3c66bcbaae57f



3a4cdca9c5d4fe680bb4b00118c31cae6c1b5990593875e9024a7e278819b132 (sha256)

[!] found EFI executable not in the list: 4a1628fa128747c77c51d57a5d09724007692d85



dd2b99df1f10459d3a9d173240e909de28eb895614a6b3b7720eebf470a988a0 (sha256)

[!] WARNING: found 3 EFI executables not in the list ‘C:\chipsec\original.json’


The tools.uefi.whitelist module found three additional EFI executable binaries, which were not present in the original firmware image. The “unpacked” firmware image has 279 EFI executable binaries including the 276 original executables and three executables injected by the HackingTeam’s UEFI rootkit (rkloader, Ntfs, and an unnamed EFI application).

The preceding example is just for illustration purposes and assumes you’ve extracted EFI firmware on your system prior to generating the whitelist and later before checking the firmware. This can be done with the CHIPSEC framework using the following command:

# chipsec_util spi dump firmware.bin

However, a separate step to dump the firmware image is not required when using the tools.uefi.whitelist module. It extracts EFI firmware from flash ROM memory automatically if the firmware file is not specified.

We recommend generating an EFI whitelist after purchasing a system or when you are sure it has not been infected:

# chipsec_main -m tools.uefi.whitelist -a generate

Then check the EFI firmware on your system periodically or whenever you are concerned, such as when a laptop was left unattended:

# chipsec_main -m tools.uefi.whitelist -a check

In the recent disclosures, another EFI firmware malware for Mac OSX systems, DarkMatter, has surfaced. It appears to include multiple EFI executable components that it injects into the EFI firmware on a target system at different stages of infection. If one has generated a whitelist of known good EFI executables from the firmware image beforehand, then running the new tools.uefi.whitelist module on a system with EFI firmware infected by the DarkMatter persistent implant would likely result in a detection of these extra binaries added to the firmware by the rootkit.

EFI firmware malware is a new frontier for stealth and persistent attacks that may be used by sophisticated adversaries to penetrate and persist within organizations and national infrastructure for a very long time. Use open-source CHIPSEC to defend from this threat and stay safe.


Additionally, the recent WikiLeaks disclosure referenced a vulnerability related to the Intel Security Stinger tool. We can confirm that the Stinger tool issue is no longer present in our current technology. Users downloading the Stinger today will not be subject to attacks using the suggested exploit scenario.

The post CHIPSEC Support Against Vault 7 Disclosure Scanning appeared first on McAfee Blogs.

Some hacked e-mails, documents from Putin advisor confirmed as genuine


Recently a cache of 2,337 e-mails from the office of a high-ranking advisor to Russian president Vladimir Putin was dumped on the Internet after purportedly being obtained by a Ukrainian hacking group calling itself CyberHunta. The cache shows that the Putin government communicated with separatist forces in Eastern Ukraine, receiving lists of casualties and expense reports while even apparently approving government members of the self-proclaimed Donetsk People's Republic. And if one particular document is to be believed, the Putin government was formulating plans to destabilize the Ukrainian government as early as next month in order to force an end to the standoff over the region, known as Donbass.

Based on reporting by the Associated Press's Howard Amos and analysis by the Atlantic Council's Digital Forensic Research Lab, at least some of the e-mails—dumped in a 1-gigabyte Outlook .PST mailbox file—are genuine. Amos showed e-mails in the cache to a Russian journalist, Svetlana Babaeva, who identified e-mails she had sent to Surkov's office. E-mail addresses and phone numbers in some of the e-mails were also confirmed. And among the documents in the trove of e-mails is a scan of Surkov's passport (above), as well as those of his wife and children.

A Kremlin spokesperson denied the legitimacy of the e-mails, saying that Surkov did not have an e-mail address. However, the account appears to have been used by Surkov's assistants, and the dump contains e-mails with reports from Surkov's assistants. The breach, if ultimately proven genuine, would appear to be the first major publicized hack of a Russian political figure. And in that instance, perhaps this could be a response to the hacking of US political figures attributed to Russia.

Read 6 remaining paragraphs | Comments

How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos

The 2016 presidential election in the United States will be remembered for a great many things. Never before in US history has the disclosure or nondisclosure of personal information figured so prominently in public debate. Never before has the ability to compromise and disclose personal information been used as a political weapon to damage the public perception of the presidential candidates. Moreover, never before have the personal health histories of the candidates figured so prominently in efforts to qualify or disqualify them as fit or unfit to serve as president.

A report released this week by Intel Security reveals the ease by which nation-states, domestic political actors, corporations, or activist groups could steal and expose the medical records of political opponents in the same way that the disclosure of incriminating email messages, video recordings, private documents, and speech transcripts has already been used as a political weapon in 2016.

The market for your medical data

The report shows that huge caches of detailed medical records can be purchased for a mere $0.03 to $2.42 per record and browsed to identify the names of political candidates and their family members. Such records contain protected health information such as family names, mothers’ maiden names, social security numbers, payment card and insurance data, and patient addresses. But they also include more sensitive information such as medical histories, details of medical conditions, mental health issues, medications taken, and the state of treatment for a variety of perhaps embarrassing afflictions or addictions.

Intel Security suggest that cybercriminals already mine and analyze millions of such records, cross-reference them with data from other sources, and assemble profiles around individuals who appear to be the most viable targets for crimes such as fraud, data theft, extortion, identity theft, and blackmail. Such crimes have gone digital along with so many other things in our world, and it is not a stretch to foresee them going political in the near future (assuming they already have not).

The “weaponization” of medical records

Although this political season suggests nothing is truly disqualifying, just a couple of years ago former Florida Governor Jeb Bush was deemed disqualified as a presidential candidate on account of, among other things, his daughter’s very public drug addiction. The theft, identification, and public disclosure of data exposing such cases would constitute a political “weaponization” of personal medical records.

Such a disclosure or threat of disclosure targeting a close relative could certainly prove damaging or threatening enough to force a politician from an election contest, or even out of politics altogether.

In 2016, Republican candidate Donald Trump has been criticized for releasing an allegedly inadequate and unconvincing doctor’s letter attesting to his “tremendous” state of health. The health of Democratic candidate Hillary Clinton has been questioned following the release of a mere four seconds of video depicting her exhibiting dizziness. Though these two candidates are not known for quitting, consider that a disclosure of medical records challenging the “robust health” assertions of most campaign teams might prove pivotal in the final days of a contentious election.

Health care hackers-for-hire

 Nor is it a stretch to assert that cyber capabilities—hacking skills, tools, and infrastructure— are beyond the reach of political actors.

Recent press reports claim that around 500 million Yahoo email accounts appear to have been compromised by a mercenary cyber gang. Intel Security has identified cyber gang services available for hire specifically for the purpose of attacking health care organizations. Researchers found evidence of the purchase and rental of exploits and exploit kits to enable the system compromises behind health care data breaches.

In one case, a relatively non–technically proficient cyber thief purchased tools to exploit a vulnerable health care organization, and even leveraged free technical support to orchestrate his attack. The Intel research found that this actor extracted more than 1,000 medical records that the technical support provider said was worth as much as $15,564.

This data breach–enabling ecosystem is so developed that Intel Security was able to uncover the brazen efforts of cybercriminals to recruit as accomplices, through online ads and social media communications, health care industry insiders with workplace access to patients’ information.

Prognosis: unprecedented?

Intel Security’s report reveals how financial resources can command the technical means for launching cyber-attacks via a marketplace for health care hackers-for-hire and stolen medical data. All that remains is the motive, criminal or political, and the media opportunity to release damaging data through organizations such as WikiLeaks or press outlets.

To believe that such an event is unheard of, despite evident public disclosure of weaponized emails, video, and documents, would be to ignore that the 2016 US election season has entered the realm of the unprecedented..





The post How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos appeared first on McAfee Blogs.

Russia-linked phishing campaign behind the DNC breach also hit Podesta, Powell

The spear-phishing e-mail received by Clinton campaign staffer William Rinehart matches messages received by both former Secretary of State Colin Powell and Clinton campaign chairman John Podesta. (credit: The Smoking Gun)

The breach of personal e-mail accounts for Clinton presidential campaign chairman John Podesta and former Secretary of State Colin Powell have now been tied more closely to other breaches involving e-mail accounts for Democratic party political organizations. Podesta and Powell were both the victims of the same form of spear-phishing attack that affected individuals whose data was shared through the “hacktivist” sites of Guccifer 2.0 and DCLeaks.

As Ars reported in July, the spear-phishing attack used custom-coded shortened URLs containing the e-mail addresses of their victims. The URLs appeared in e-mails disguised to look like warnings from Google about the victims’ accounts. These spear-phishing attacks were tracked by the security firm SecureWorks as part of the firm’s tracking of the “Fancy Bear” threat group (also known as APT28), a hacking operation previously tied to a phishing campaign against military and diplomatic targets known as Operation Pawn Storm.

As The Smoking Gun reported in August, one of these e-mails was sent to William Rinehart, a staffer with the Clinton presidential campaign. Rinehart’s e-mails were leaked on the DCLeaks site. DCLeaks also carried the e-mails of Sarah Hamilton, an employee of a public relations firm that has done work for the Clinton campaign and for the DNC. Hamilton's e-mails were offered to The Smoking Gun by someone claiming to be Guccifer 2.0 via a password-protected link on the DC Leaks site.

Read 1 remaining paragraphs | Comments