Hmatix Response to Supermicro Hack

UPDATE: We are giving free access to the Hmatix Edge solution to organizations that believe they may be affected by the allegations in the Bloomberg article. Info below.

Introduction

The allegations by Bloomberg journalists that Supermicro motherboards made in China were tampered with to install small chips with the aim to open backdoors in the servers of top US corporations are extremely serious, not only for our world economy but our general day to day emotional interactions with electronic devices.

Hmatix statement

Regardless of whether the claims in the Bloomberg article are true or not, this story brings to light the deep possibilities of vulnerability and its damaging consequences. As far as we know, this attack vector stayed dormant, but it could have affected huge swaths of our infrastructure. In many cases it could affect lives and livelihood. As an industry, we must be vigilant in protecting ourselves from compromise and attack.

Hmatix is committed to helping any company that is researching this story to evaluate their hardware for malicious activity.

Technical evaluation

We doubt that this sort of attack will be categorized as a CVE and put through the standard vulnerability process, since it’s not a vulnerability. As of 10/5/18 5:10pm PDT, we have not found any technical data beyond what was presented in the original article. Since we are by the nature of our industry a suspicious and technically curious group, we set out to create a plan for others to test their devices.

“Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code.”

“American investigators eventually figured out who else had been hit. Since the implanted chips were designed to ping anonymous computers on the internet for further instructions, operatives could hack those computers to identify others who’d been affected.”

This is the first clue that the process requires network connectivity and there should be some network activity we can trace. Whether the above is a fact or simply hypothesis is not so clear to us but we will take the reporting at face value.

“The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.”

The next clue is the use of a BMC (Baseboard Management Controller). Most modern servers come with a dedicated management port and module that can be reached remotely even when the OS is down, as long as the machine has electrical power. The BMC runs independently of whatever is running on the server. However, if the attacker is using the BMC, the BMC must have an IP address configured and be routable on the network. Additionally, the dedicated BMC ethernet port is not always required; on some motherboards the regular ethernet ports can be used by the BMC as well.

The last technical detail is as follows:

“This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser. To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet. Should some anomaly be noticed, it would likely be cast as an unexplained oddity. “The hardware opens whatever door it wants,” says Joe FitzPatrick, founder of Hardware Security Resources LLC, a company that trains cybersecurity professionals in hardware hacking techniques.”

We would not take this statement at face value. It is hypothetical, and we would need to verify whether the BMC can be taken over and then used to alter code in the OS. However, it could plausibly do what we call “eavesdropping”. We will wait for statements from the vendors on whether actual code injection is possible.


Case 1: Checking malicious traffic from regular ethernet port

  1. Download the HMX-OS Hybrid ISO image (created by Hmatix)

    1. Legacy (checksum)

    2. UEFI (checksum)

    3. Readme

    4. This image is based on Arch Linux with all network services disabled

    5. The ISO can be used with CD/DVD ROM or USB stick.

  2. Reboot the server with the bootable USB image

  3. This bootable image comes with DHCP enabled. However, if you don’t have DHCP, configure the IP manually. This can be as simple as:

    1. ip address add <ip address>/<prefix> dev <dev name>
    2. ip route add default via <gateway address>
    3. echo "nameserver <DNS IP>" > /etc/resolv.conf
       (The DNS step is also required in case the hacking tool looks up its C&C server by FQDN.)
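Once the live image has an address, the question is simply what the server itself reaches out to. This added example (not Hmatix code, and not part of HMX-OS or Hmatix Edge) triages a `tcpdump -nn` capture taken on the live image; it assumes tcpdump is present, and HOST_IP and EXPECTED_HOSTS are constructed placeholders to be replaced with the server’s address, its gateway and the resolver you configured.

```shell
#!/bin/sh
# Added example: triage a tcpdump capture from the HMX-OS live image.
# With every network service disabled, the only traffic the host should
# originate is DHCP (ports 67/68) and lookups to the resolver we configured;
# any other outbound flow, and every name it asks for, deserves a look.
# All addresses are constructed placeholders (RFC 5737 documentation ranges).
HOST_IP="192.0.2.10"                  # address given to the server under test
EXPECTED_HOSTS="192.0.2.1 192.0.2.53" # default gateway and configured DNS server

# Reads `tcpdump -nn` text on stdin, prints one line per finding, exits 1 if any.
flag_unexpected_flows() {
  awk -v host="$HOST_IP" -v allow="$EXPECTED_HOSTS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # tcpdump line shape: <time> IP <src>.<sport> > <dst>.<dport>: <summary>
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      split(src, s, "."); shost = s[1] "." s[2] "." s[3] "." s[4]
      nd = split(dst, d, "."); dhost = d[1] "." d[2] "." d[3] "." d[4]
      dport = (nd > 4) ? d[5] + 0 : 0          # ICMP lines carry no port
      if (shost != host) next                  # only flows the server originates
      if (dport == 67 || dport == 68) next     # DHCP lease traffic is expected
      if (!(dhost in ok)) { print "UNEXPECTED " src " -> " dst; bad++; next }
      if (dport == 53) {                       # lookups via our resolver: report the names
        for (i = 6; i <= NF; i++) if ($i ~ /\?$/) { print "DNS-QUERY " $(i + 1); bad++; break }
      }
    }
    END { exit (bad > 0) }'
}

# Constructed capture: DHCP exchange, one lookup, one connection to an
# unrelated host, and an unrelated inbound probe (ignored: not ours).
sample_capture() {
  cat <<'EOF'
12:00:01.000000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:00:5e:00:53:01, length 300
12:00:01.100000 IP 192.0.2.1.67 > 192.0.2.10.68: BOOTP/DHCP, Reply, length 300
12:00:05.000000 IP 192.0.2.10.40001 > 192.0.2.53.53: 4711+ A? c2.example.test. (33)
12:00:05.200000 IP 192.0.2.10.49152 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:00:06.000000 IP 203.0.113.9.55555 > 192.0.2.10.22: Flags [S], seq 2, win 1024, length 0
EOF
}

# On the live image: tcpdump -nn -l -i <dev name> | flag_unexpected_flows
# Offline, against the constructed capture: sample_capture | flag_unexpected_flows
```

The constructed capture yields two findings, the lookup of c2.example.test. and the connection to 198.51.100.7:443; the DHCP traffic and the inbound probe are not reported.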

Case 2: Checking malicious traffic from the BMC management port

This step is vendor specific. The essential part is to configure the BMC’s management IP address and DNS server, so that any traffic it generates can be observed.

Monitoring traffic

You could enable port mirroring on the access switch and capture the traffic for analysis, but that is cumbersome.

This is a perfect use case for the Hmatix Edge.


There is not much to learn from the device itself, since it is booting a custom OS from a USB drive, so we put it into “Restricted” mode almost immediately after boot-up.


On the Hmatix Console we can view and filter the network traffic and any anomalies detected.

We can keep the Hmatix service running indefinitely to continue to monitor network flows.


Free access to Hmatix Edge for researchers

If you or your organization believe you may have servers or devices that are affected by the allegations in the Bloomberg article, fill out the form below and we will send you Hmatix Edge free of charge to help identify malicious activity.


*Images used in this post are for illustrative purposes only and may not represent current or future products or offerings. All copyrights belong to their respective owners. Hmatix is not taking a stance on the veracity of the claims made in the Bloomberg article; we aim simply to aid further research. Bloomberg article: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies.