Component Firmware

Information

• Name: Component Firmware

• ID: T1542.002

• Tactics: TA0003, TA0005

• Technique: T1542

Introduction

Component Firmware (T1542.002) is a sub-technique of the MITRE ATT&CK framework under the technique "Pre-OS Boot," which involves adversaries modifying or replacing firmware components within a system to establish persistent access. Firmware, which is software embedded in hardware components such as BIOS, UEFI, network interface cards (NICs), and storage controllers, typically executes before the operating system loads. Attackers leveraging firmware modifications can achieve stealthy persistence, evade traditional security tools, and maintain control even after system reinstallation or disk wiping.

Deep Dive Into Technique

Attackers targeting component firmware exploit the inherent trust systems place in firmware code, which executes at a privileged level before the operating system boots. Such firmware includes:

• BIOS/UEFI firmware

• Network Interface Card (NIC) firmware

• Storage device firmware (e.g., SSD controllers, HDD controllers)

• Peripheral device firmware (e.g., video cards, keyboards, mice)

Attackers can modify firmware using several methods:

• Firmware flashing tools: Attackers employ legitimate firmware update utilities or custom firmware flashing tools to overwrite or modify existing firmware images.

• Supply chain compromise: Firmware tampering can occur during manufacturing or distribution phases, embedding malicious code into hardware components before reaching the end-user.

• Exploiting vulnerabilities: Attackers exploit known or zero-day vulnerabilities in firmware update mechanisms, bypassing integrity checks and security validations.

Technical mechanisms include:

• Persistence: Malicious firmware code runs before the OS boots, allowing attackers to maintain persistence even after OS reinstallation or complete disk formatting.

• Stealth: Firmware modifications remain hidden from typical OS-level security tools, as these tools rarely inspect firmware-level code.

• Privilege escalation: Firmware has direct hardware access and can execute code at the highest privilege levels, bypassing operating system protections and security controls.

Real-world procedures often involve:

• Extracting legitimate firmware, injecting malicious payloads, and re-flashing compromised firmware onto targeted devices.

• Leveraging firmware rootkits to intercept critical system functions, modify boot sequences, or disable security mechanisms.

• Conducting espionage or sabotage through persistent firmware implants that enable remote command-and-control (C2) communications or data exfiltration.

When this Technique is Usually Used

Attackers commonly use Component Firmware modification in various scenarios and stages, including:

• Initial Access and Persistence:

  • Establishing persistent footholds in high-value targets to maintain long-term access.

  • Ensuring persistence survives OS reinstallation, disk wiping, or hardware resets.

• Advanced Persistent Threat (APT) campaigns:

  • Nation-state actors targeting critical infrastructure, government agencies, or sensitive corporate environments.

  • Espionage operations requiring stealth and long-term undetected access.

• Supply Chain Attacks:

  • Compromising firmware during manufacturing or distribution phases, embedding malicious code into hardware components before deployment.

• Sabotage and Destructive Attacks:

  • Deploying firmware implants that can disable or destroy hardware components, rendering systems inoperable or causing physical damage.

How this Technique is Usually Detected

Detection of Component Firmware compromise is challenging due to limited visibility into firmware-level operations. However, several methods can be employed:

• Integrity Verification:

  • Periodically verifying firmware integrity through cryptographic hashes and digital signatures provided by hardware vendors.

  • Comparing firmware images against known-good baseline versions.

• Firmware Analysis Tools:

  • Specialized firmware analysis utilities (e.g., CHIPSEC, UEFITool, Binwalk) to inspect and analyze firmware images for anomalies, unauthorized modifications, or suspicious code segments.

• Behavioral Indicators:

  • Unexpected behavior during boot sequences, unusual hardware behavior, or unexplained system crashes.

  • Anomalous network activity originating from firmware-level code, indicating possible firmware implants communicating with external C2 servers.

• Hardware-Based Security Features:

  • Leveraging Trusted Platform Module (TPM) and secure boot mechanisms to detect unauthorized firmware modifications.

  • Utilizing hardware root-of-trust solutions to monitor firmware integrity continuously.

Indicators of Compromise (IoCs) include:

• Unexpected firmware versions or build numbers not matching vendor-provided versions.

• Firmware images containing suspicious code segments or embedded executables.

• Unusual network traffic patterns originating from firmware-controlled hardware components.

• Unauthorized firmware update attempts or log entries indicating firmware modification.

Why it is Important to Detect This Technique

Detecting Component Firmware modifications is critical due to the severe impacts of firmware-level attacks, including:

• Persistent Compromise:

  • Firmware implants provide attackers with long-lasting, stealthy persistence, surviving OS reinstalls, disk wipes, and hardware resets.

• High-Level Privileges:

  • Firmware code executes at the highest privilege levels, allowing attackers unrestricted access to hardware resources, data, and system operations.

• Stealth and Evasion:

  • Firmware-level attacks evade traditional OS-level security mechanisms, antivirus software, and endpoint detection and response (EDR) tools, making detection difficult without specialized tools.

• Supply Chain Risk:

  • Firmware compromises introduced via supply chain attacks can affect numerous organizations simultaneously, amplifying the potential damage and compromise scope.

• Potential for Sabotage:

  • Malicious firmware can disable critical hardware components, disrupt operations, or cause permanent hardware damage, leading to significant downtime and financial loss.

Early detection and response are essential to mitigate these risks, prevent widespread compromise, and maintain organizational security posture.

Examples

Real-world examples of Component Firmware attacks include:

• LoJax UEFI Rootkit (APT28/Sednit):

  • Attack Scenario: Russian-linked APT28 group deployed LoJax, a UEFI rootkit, targeting government and diplomatic entities. LoJax infected UEFI firmware, ensuring persistence even after OS reinstallation.

  • Tools Used: Modified versions of legitimate firmware tools (RWEverything, AMI firmware utilities), custom UEFI malware implants.

  • Impact: Persistent espionage capabilities, stealthy data exfiltration, and long-term compromise of targeted systems.

• Equation Group HDD Firmware Malware:

  • Attack Scenario: Discovered by Kaspersky Lab, Equation Group (linked to NSA) compromised hard disk drive firmware from multiple vendors, embedding malicious code that persisted through disk formatting and OS reinstallations.

  • Tools Used: Custom-developed firmware implants (e.g., "EquationDrug," "GrayFish") capable of infecting HDD firmware.

  • Impact: Persistent espionage, data theft, and long-term undetected access to targeted systems globally.

• Thunderstrike and Thunderstrike 2 (Mac Firmware Attacks):

  • Attack Scenario: Demonstrated firmware attacks targeting Apple Mac systems, infecting EFI firmware via malicious Thunderbolt devices or remote exploits.

  • Tools Used: Custom firmware implants delivered via physical Thunderbolt devices or remote exploits, compromising EFI firmware.

  • Impact: Persistent compromise, stealthy backdoor access, and difficulty removing the infection without specialized tools.

• TrickBoot Module (TrickBot Malware):

  • Attack Scenario: TrickBot malware operators developed TrickBoot, a module capable of inspecting and potentially modifying UEFI firmware, enabling persistent compromise.

  • Tools Used: TrickBot malware framework, custom firmware inspection and modification capabilities.

  • Impact: Potential for persistent compromise and stealthy operations, raising concerns about widespread firmware-level infections.

These examples highlight the severe implications and persistence capabilities of firmware-based attacks, emphasizing the importance of robust detection, prevention, and mitigation strategies.