System Firmware

Information

• Name: System Firmware

• ID: T1542.001

• Tactics: TA0003, TA0005

• Technique: T1542

Introduction

System Firmware (T1542.001) is a sub-technique of the MITRE ATT&CK framework under the "Pre-OS Boot" technique category. This sub-technique involves adversaries modifying or compromising the firmware of a system, such as BIOS or UEFI, to achieve persistence, evade detection, and maintain long-term access. Firmware-level persistence can survive operating system reinstalls, hard drive replacements, and conventional security measures, making it particularly challenging to detect and remediate.

Deep Dive Into Technique

System firmware, including BIOS (Basic Input/Output System) and UEFI (Unified Extensible Firmware Interface), provides essential low-level control and initialization of hardware components before the operating system loads. Adversaries targeting firmware typically leverage specialized tools, exploits, or physical access to modify firmware images or settings.

Key technical details include:

• Firmware Modification Methods:

  • Exploiting vulnerabilities in firmware interfaces or management software.

  • Using legitimate firmware update utilities maliciously.

  • Direct hardware manipulation through physical access or specialized hardware interfaces (e.g., SPI flash programming).

• Persistence Mechanisms:

  • Implanting malicious code within firmware images to execute before OS boot.

  • Altering boot sequences to load attacker-controlled code or payloads.

  • Modifying firmware configuration settings to disable security features, such as Secure Boot.

• Real-World Procedures:

  • Attackers may compromise firmware update processes by intercepting and altering legitimate updates.

  • Adversaries can use custom firmware implants, rootkits, or bootkits tailored to specific hardware.

  • Firmware malware can hide from traditional OS-level antivirus and endpoint detection tools, making detection and remediation extremely complex.

When this Technique is Usually Used

Attack scenarios and stages in which firmware compromise typically appears include:

• Persistence Stage:

  • Establishing long-term persistence resistant to OS-level security protections, reinstallation, and hardware replacements.

• Privilege Escalation and Evasion:

  • Gaining higher-level privileges and bypassing security measures such as Secure Boot or TPM (Trusted Platform Module) protections.

• Advanced Persistent Threat (APT) Operations:

  • Nation-state or sophisticated cybercriminal groups performing espionage, sabotage, or long-term surveillance.

• Supply Chain Attacks:

  • Compromising firmware at the manufacturer or vendor level to distribute malicious firmware to end-users.

• Physical Access Scenarios:

  • Situations where adversaries have temporary physical access to hardware, allowing direct manipulation of firmware.

How this Technique is Usually Detected

Detecting firmware-level compromise is challenging but achievable through specialized methods, tools, and indicators:

• Firmware Integrity Verification:

  • Comparing firmware images against known good hashes or digital signatures.

  • Using UEFI Secure Boot and TPM measurements to verify firmware integrity during boot.

• Behavioral Analysis and Anomalies:

  • Observing unexpected system behaviors, such as unusual boot sequences, unexplained system crashes, or instability.

  • Identifying unexpected firmware update events or changes logged by firmware management tools.

• Hardware-based Detection Tools:

  • Utilizing specialized firmware scanning and analysis tools, such as CHIPSEC, Eclypsium, or Binwalk, to detect unauthorized firmware modifications.

  • Performing periodic hardware-level scanning and analysis for indicators of compromise.

• Indicators of Compromise (IoCs):

  • Unexplained firmware version changes or mismatches in firmware version reporting.

  • Presence of unknown or unauthorized EFI modules.

  • Detection of unrecognized bootloaders or firmware drivers.

  • Logs indicating unusual firmware update events or unauthorized access attempts.

Why it is Important to Detect This Technique

Detecting firmware compromise is critical due to the severe and persistent nature of potential impacts, including:

• Long-term Persistence:

  • Firmware-level implants can persist indefinitely, surviving OS reinstallations, hard drive replacements, and typical remediation processes.

• Stealth and Evasion:

  • Malware embedded in firmware is inherently stealthy, bypassing traditional security solutions operating at the OS level.

• High Impact and Damage Potential:

  • Firmware compromise can enable attackers to fully control hardware, allowing data exfiltration, sabotage, and espionage.

  • Potential for irreversible hardware damage or permanent denial-of-service scenarios.

• Supply Chain Security:

  • Firmware-based attacks can undermine trust in hardware manufacturers and vendors, causing significant reputational and financial damage.

• Early Detection and Response:

  • Timely detection allows organizations to isolate compromised hardware, limit damage, and implement remediation strategies before adversaries achieve their objectives.

Examples

Real-world examples of firmware-level attacks and incidents include:

• LoJax UEFI Rootkit (APT28/Sednit):

  • Attack Scenario:

    • APT28 compromised UEFI firmware to implant LoJax, a persistent rootkit.

    • LoJax persisted even after OS reinstalls, allowing attackers sustained access.

  • Tools Used:

    • Custom UEFI firmware implants.

    • Modified legitimate firmware update tools.

  • Impact:

    • Persistent espionage capability.

    • Difficulty in detection and remediation due to deep firmware integration.

• MosaicRegressor Framework:

  • Attack Scenario:

    • A Chinese-speaking APT group leveraged malicious UEFI firmware implants to target diplomatic and NGO entities.

  • Tools Used:

    • Custom firmware implants deployed via compromised firmware update mechanisms.

  • Impact:

    • Persistent surveillance and espionage capabilities.

    • Highly stealthy persistence that evaded traditional security solutions.

• MoonBounce Firmware Implant (Attributed to APT41):

  • Attack Scenario:

    • Sophisticated firmware implant embedded in UEFI firmware, discovered on targeted high-value systems.

  • Tools Used:

    • Custom UEFI implants exploiting firmware vulnerabilities.

  • Impact:

    • Persistent and stealthy malware execution.

    • Difficulty in detection, remediation, and attribution.

• TrickBoot Module (TrickBot Malware):

  • Attack Scenario:

    • TrickBot malware operators developed TrickBoot module to inspect UEFI firmware vulnerabilities and potentially implant malicious firmware.

  • Tools Used:

    • TrickBoot module designed to analyze firmware for vulnerabilities.

  • Impact:

    • Potential for large-scale firmware compromise and persistence.

    • Increased threat level due to TrickBot’s widespread distribution and modular capabilities.