You’re not imagining things; new firmware threats are appearing more often. The most recent is CosmicStrand, which exploits the Unified Extensible Firmware Interface (UEFI) to avoid detection.
The new UEFI rootkit, detailed in a blog post by Kaspersky Lab’s global research and analysis team, apparently targets the Intel H81 chipset. The researchers were unable to identify how the rootkit initially infects the firmware, but they did discern that the goal of the rootkit’s execution chain is to “deploy a kernel-level implant into a Windows system every time it boots, starting from an infected UEFI component.”
CosmicStrand: Durable Persistence
As detailed in the researcher’s post, the UEFI rootkit remains persistent in the firmware and provides an ongoing way for attackers to contact their command-and-control and insert the malicious payload. “CosmicStrand is a sophisticated UEFI firmware rootkit that allows its owners to achieve very durable persistence: The whole lifetime of the computer, while at the same time being extremely stealthy,” the researchers concluded.
Unfortunately, there’s no straightforward way to detect such attacks, which is why this UEFI rootkit may have been active and undetected in the wild dating back to at least 2016.
The Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog contains nearly 200 actively exploited CVEs that contain firmware vulnerabilities.
What can enterprises do to protect themselves from attacks on firmware? It’s tough, at least for now. The UEFI Forum recommends organizations ensure that the minimum requirements outlined in the UEFI specification are implemented and that current UEFI implementations use security features such as UEFI Secure Boot, key signing and signature checking.
The UEFI Forum also advises organizations to incorporate industry-standard testing tools, such as CHIPSEC and automated code analysis, among other practices familiar to application security teams that include a secure review of the firmware.
Organizations would also ideally incorporate firmware security assessments into their product acquisition process and as part of their vulnerability assessment and management processes so that systems with out-of-date firmware, or firmware that have known vulnerabilities, are identified and remedied. Systems that are in use by executives or that manage highly valuable or regulated information should be prioritized.
Security teams should also monitor for known firmware vulnerabilities that would affect their endpoints and have processes to update such firmware when possible.
Security experts advise that good network access controls be in place to help mitigate the impact of successful firmware infection. Devices should also have services limited to only those needed and devices should be segmented onto virtual networks.
Finding Firmware Vulnerabilities
Unfortunately, firmware attacks are challenging to detect, as they are often imperceptible and deeply embedded. That doesn’t mean enterprises shouldn’t try.
Network and other endpoint monitoring tools are common ways to identify breaches that lead to the discovery of a firmware compromise. While these tools don’t detect the firmware compromise, they can often identify the next steps of the attack, such as attempts to move laterally within the enterprise’s IT environment.
Experts said organizations with strong configuration and update management capabilities can spot things like mismatched firmware signatures and will have much more success identifying issues than less mature organizations. Breach and pivot activity could also show up in the device logs themselves, just as with a traditional endpoint.
Despite the best efforts of enterprises, they will face successful firmware attacks. What’s the best way to clean breached systems?
The first thing to do is the most obvious and the most often overlooked: Back up the data on the device. From there, acquire a copy of the latest model-specific BIOS update, separate the hard drive(s) from the infected machine and boot directly from the BIOS update installation media. Then restore data and perform a complete and total reinstallation.
Unfortunately, a successful firmware compromise leaves devices irreparably damaged.
For now, until firmware detection capabilities improve, the best defense may be to identify these attacks as they’re initially underway with endpoint and network protection and anomaly detection. That’s certainly cold comfort for security teams.