The backdoor to your firmware

Introduction

This short blog post series is dedicated to the less technical part of our readers. I want to share some thoughts on the exposure of the firmware vulnerabilities in the light of recent attacks, to highlight how important it is to prevent them. The second part of the series will cover reasons of the supply chain attacks and the list of necessary steps that may help us to protect our firmware against cybercrime.

Cyberattacks have become increasingly sophisticated and dangerous. Attackers are steadily looking for vulnerabilities, and in the last few years, the security of the supply chain in hardware has become of great importance. In Supply chain attacks, less-secure elements can become a backdoor to the sensitive data of targeted organizations. Cybercriminals typically tamper with the manufacturing process by installing a rootkit or hardware-based spying components, like the sonic screwdriver implant in Thunderbolt ports; tiny microchips connected to BMC (Baseboard Management Controller); UEFI implant - Mosaic Regressor.

The SolarWinds attack

One of the most significant Supply chain attacks reported in December 2020 was SolarWinds (SW) attack. To avoid detection, attackers used temporary file replacement techniques to execute their tools remotely. They modified a legitimate utility on the targeted system with the malicious one, executed it, and then replaced it with the original. The mean method was to seize a specific certificate used to forge other identities, access components, and allow the attackers to access some systems within SW’s infrastructure indirectly. The attackers performed the SW attack because they have used software security spots. Firmware is either not free from vulnerabilities. Malicious code can be ported in many ways:

  • tied directly to the hardware or hidden in a hard drive,
  • introduced into a product within the supply chain,
  • ported through a USB device.

As a consequence a firmware breach can easily allow an attacker to control how the system boots, patch the OS itself, read and collect privileged data from hardware or control resources. Besides, a firmware breach may also allow the attackers to compromise the hypervisor and the virtual machine layer in cloud resources when it comes to the network.

Orion platform

The Orion platform ingests and correlates massive amounts of data from various company technology sets, technology, and data. The attackers inserted the malicious code into the platform’s updates to stage and ship software updates to the customers. The trojanized component has been digitally signed and contained the backdoor communicating with third-party servers controlled by the attackers. The attack did compromise the automated software update system. However, it might be wrong to suppose that installing updates is risky. It’s a lot more dangerous to leave known vulnerabilities in your systems. According to the current knowledge, the SW attack was on software. Still, we can underline that the attackers could be using the low-level firmware vulnerabilities to either add persistence to their software attacks or to assist in triggering/conducting them. Another lesson that SW taught us is that organizations need to focus on enforcing multi-factor authentication. As mentioned above - seize a certificate was the first thoughtful step that attackers made. The SW scheme was based on certificates, so it’s worth mentioning the web of trust and usage of GPG signatures for source control and release process. The web of trust is a concept used to establish the binding between a public key and its owner. The GPG signatures - a suite of cryptographic software - can encrypt or sign data and communications to ensure its authenticity.

BIOS vulnerabilities

Another example of potential firmware vulnerability is BIOS, as in the case of Mebromi. The first real malware targeted at the BIOS system, containing a bit of a BIOS rootkit, an MBR rootkit, a kernel-mode rootkit, a PE file infector, and a Trojan downloader. In practice, an antivirus detects and cleanses the MBR infection, but still, it will be restored at the next system startup when the malicious BIOS payload overwrites the MBR code again. The solution must create and release BIOS updates and specific tools to update the BIOS code. The high-profile attack on SolarWinds and Mebromi rootkit make several things clear:

  • even the most secure government agencies can become victims of cyberattacks,
  • unsecured supply chains are be vulnerable to attacks,
  • the attackers avoid targeting governments or organizations directly. Their target is set on victims' platforms to gather information and data while staying unnoticed for a long period.
  • Access to some security systems in the organization’s infrastructure may be caused by the takeover of a particular identity certificate by attackers, allowing forging other identification and other data in the system.
  • On account of the extensible nature of the modern UEFI, malicious module can be added to the existing firmware and be delivered to the target PC via access into the company’s internal network (using vulnerabilities at other PC’s UEFI network-related components) or through access to a select PC.

In the next blog post I will cover reasons of the supply chain attacks and the list of necessary steps that may help us to protect our firmware against cybercrime.

Summary

If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features of used hardware platform, feel free to book a call with us or drop us email to contact<at>3mdeb<dot>com. If you are interested in similar content feel free to sign up for our newsletter


Anastazja Lapanova
Service and people oriented person. Second year student of criminology and a member of the Scientific Club of Forensics and Forensic Medicine - Dispecto. My goal is looking for solutions of security as much in cyberspace as in typical crime.