Given that this looks to be just a particular build of Supermicro server, I wonder what mechanism the malware uses to achieve persistence such that a reformat or FS restore wouldn’t take care of it. Does anyone know if these devices have supermicro IPMIs on them? Those are notoriously insecure (like most lights out managers) and a great place to hide malware persistently.
This points out a major issue with IPMI and "management engine" components on motherboards. If a vulnerability is found at the lower levels, you may have to replace the hardware. Vendors may be more reluctant to put that stuff in if it leads to legal liability.
IPMI firmware can be patched, as can the BIOS which contains the microcode that is loaded. Once the OS boots, updating the running microcode included is trivial (in Linux and I believe also FreeBSD?) and can be done before the system's network interfaces come up.
If your IPMI is in any way exposed to anyone other than your administrators, then you have other problems. These interfaces should be segmented away from all other networks, irrespective of any vulnerabilities they could have.
That's great and all, but if there was a known Barracuda OS vuln that allowed attackers to gain root access, then they could gather information about the hardware, which includes the ability to interact with the IPMI (which runs its own separate OS) to update the firmware, or whichever way they're able to gain persistent access to the IPMI device's OS.
If you are halfway competent, you do not use in-band IPMI at all. IPMI belongs on a separate Ethernet jack or at least a separate VLAN, connected only to a separate secured admin network, one which sysadmins can connect to but which doesn't have connectivity to other parts of your network or the internet.
But I agree that you should filter all the relevant ports in all networks, just in case somebody screws up.
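The segmentation rule in the comment above (BMC on its own VLAN, no route to production or the internet, IPMI ports filtered everywhere else) is easy to state and easy to drift from. The following is an added audit example, not code from the thread or from any vendor: it checks a constructed server inventory and a constructed set of firewall drop rules against those two requirements. The admin VLAN number, the inventory and the port list are assumptions for the example; the ports are the standard RMCP/RMCP+ port 623 plus the web and KVM consoles most BMCs expose.

```python
"""Audit an inventory for in-band or poorly segmented IPMI/BMC interfaces.

Added example (not from the thread). Inventory, VLAN numbers and rules are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Ports a BMC typically listens on: RMCP/RMCP+ (IPMI over LAN) on 623,
# plus the usual HTTPS web console and VNC-style KVM console.
IPMI_PORTS = {("udp", 623), ("tcp", 623), ("tcp", 443), ("tcp", 5900)}

ADMIN_VLAN = 900  # assumed dedicated, non-routed management VLAN


@dataclass(frozen=True)
class Iface:
    name: str
    vlan: int
    has_default_route: bool  # a BMC with a default route can reach the internet


@dataclass(frozen=True)
class Server:
    hostname: str
    prod: tuple            # production-facing interfaces
    bmc: Optional[Iface]   # None means the BMC port is disabled or unwired


def audit_bmc_placement(servers, admin_vlan=ADMIN_VLAN):
    """Return (hostname, finding) pairs for every BMC that breaks segmentation."""
    findings = []
    for s in servers:
        if s.bmc is None:
            continue  # nothing exposed; fine
        prod_vlans = {i.vlan for i in s.prod}
        if s.bmc.vlan in prod_vlans:
            # "in-band" IPMI: a compromised host can reach its own BMC
            findings.append((s.hostname, "bmc-shares-vlan-with-production"))
        if s.bmc.vlan != admin_vlan:
            findings.append((s.hostname, "bmc-not-on-admin-vlan"))
        if s.bmc.has_default_route:
            findings.append((s.hostname, "bmc-has-default-route"))
    return findings


def missing_ipmi_filters(drop_rules, vlans, admin_vlan=ADMIN_VLAN):
    """Return (vlan, proto, port) triples that no drop rule covers.

    drop_rules is a set of (source_vlan, proto, port) that the firewall drops.
    Every VLAN other than the admin VLAN should drop all IPMI ports, as the
    comment suggests, "just in case somebody screws up".
    """
    missing = set()
    for vlan in vlans:
        if vlan == admin_vlan:
            continue
        for proto, port in IPMI_PORTS:
            if (vlan, proto, port) not in drop_rules:
                missing.add((vlan, proto, port))
    return sorted(missing)


# Constructed inventory: one correctly segmented host and two bad ones.
SAMPLE_SERVERS = (
    Server("app01", (Iface("eth0", 10, True),), Iface("bmc0", 900, False)),
    Server("db01", (Iface("eth0", 10, True),), Iface("bmc0", 10, False)),
    Server("web02", (Iface("eth0", 10, True),), Iface("bmc0", 20, True)),
)

# Constructed drop rules: VLAN 10 is mostly covered, VLAN 20 only partly.
SAMPLE_DROPS = {
    (10, "udp", 623), (10, "tcp", 623), (10, "tcp", 443),
    (20, "udp", 623), (20, "tcp", 623),
}

if __name__ == "__main__":
    for host, finding in audit_bmc_placement(SAMPLE_SERVERS):
        print(f"{host}: {finding}")
    for vlan, proto, port in missing_ipmi_filters(SAMPLE_DROPS, [10, 20, 900]):
        print(f"VLAN {vlan} does not drop {proto}/{port}")
```

Running it against a real inventory means replacing the constructed tuples with whatever your CMDB or switch configs export; the two checks are independent so either can be wired into a compliance job on its own.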
The writeups I’m reading suggest that the malware was specifically designed to maintain persistence via firmware (i.e. rootkits), typically attributable to state actors.
That article captured the imagination of the public, but has been derided by any and every cyber security professional worth their salt almost from day dot.
Despite this, Bloomberg have refused to retract it or supply any credible sources, presumably because it continues to draw traffic.
And yet "do we have any backdoored Supermicro hardware?" is a common question from non-technical management, even today. It's infuriating that it hasn't been retracted, as I'm still talking about it. It's also at the forefront of insurance questions.
Easily solved by said security professionals auditing the security of the devices, refuting the claims in the Bloomberg article, and throwing it all up on a blog with a catchy "No, China didn't backdoor servers headed to US gov datacenter racks" title.
It would get awkward when they find the US backdoor built into every server headed everywhere ... I guess technically outside the scope of the headline, so you can just leave it out.
The point is, if the original article is bogus and full of lies, it should be trivial for the security community to debunk any backdoor claims and set the record straight, yet that isn't being done while still calling for the original article, which lacks any proof, to be taken down.
Someone on one of these sides needs to provide evidence to support their claims. Clearly the authors of the original article have no intention or it would have been done already.
Edit: Typo.