Patch System Image
Patch System Image [T1601.001]
Information
Introduction
Patch System Image (T1601.001) is a sub-technique categorized under the MITRE ATT&CK framework's "Modify System Image" (T1601) technique. This sub-technique involves attackers modifying system images—such as firmware, bootloader, or operating system images—to embed malicious code. By patching these critical images, adversaries can achieve persistent access, evade detection, and maintain control over compromised systems even after reboots or reinstalls. This method is particularly effective as it targets system-level components, making detection and remediation challenging for defenders.
Deep Dive Into Technique
Attackers employing the Patch System Image technique typically perform the following steps:
Acquisition of System Images:
Attackers obtain legitimate firmware, bootloader, or operating system images from official vendor sources, update repositories, or directly from compromised devices.
These images can be extracted through network interception, vendor website compromise, or direct access to the target's internal infrastructure.
Modification and Embedding Malicious Code:
Using specialized tools and techniques, adversaries modify the acquired system images to embed malicious payloads.
Common modifications include:
Injecting backdoors or rootkits into kernel modules or system binaries.
Altering bootloaders to execute malicious code at system startup.
Embedding persistence mechanisms within firmware updates to ensure malicious code survives firmware upgrades or system resets.
Repackaging and Distribution:
Modified images are repackaged to appear legitimate, often maintaining original signatures or bypassing signature verification mechanisms through exploitation or signing key compromise.
Distribution can occur via compromised vendor update servers, supply chain attacks, direct device compromise, or insider threats.
Execution and Persistence:
Once installed, the patched system images execute malicious code automatically during system startup or firmware loading processes.
Persistence is achieved due to the low-level nature of firmware and bootloader modifications, effectively surviving reboots, operating system reinstalls, and standard remediation methods.
When this Technique is Usually Used
Attackers typically employ the Patch System Image sub-technique in the following scenarios and attack stages:
Supply Chain Attacks:
Embedding malicious code into firmware or OS images distributed by vendors or third-party suppliers, ensuring wide-scale compromise of downstream users.
Advanced Persistent Threat (APT) Campaigns:
Targeting high-value organizations and critical infrastructure where stealth and long-term persistence are paramount.
Often used by state-sponsored actors to maintain prolonged covert access to sensitive systems.
Post-Exploitation Persistence:
After initial compromise, attackers modify firmware or bootloaders to maintain access even if defenders detect and remediate higher-level intrusions.
Used when attackers anticipate discovery and remediation attempts by defenders.
Espionage and Sabotage Operations:
Leveraged by threat actors aiming to monitor critical systems, exfiltrate sensitive data, or disrupt operations by embedding malicious payloads deeply within system infrastructure.
How this Technique is Usually Detected
Detection of the Patch System Image sub-technique involves multiple layers and approaches, including:
Integrity Verification:
Employ cryptographic hashing and digital signature verification on firmware, bootloader, and OS images to detect unauthorized modifications.
Regularly compare system images against known-good baselines provided by vendors.
Firmware and Bootloader Monitoring:
Use specialized tools and firmware analysis frameworks (e.g., CHIPSEC, Binwalk, UEFI Scanner) to inspect and analyze firmware images for anomalies.
Monitor boot processes and firmware behaviors for unexpected activities or deviations from normal operation.
Behavioral Analysis and Anomaly Detection:
Utilize endpoint detection and response (EDR) solutions capable of detecting suspicious kernel-level activities or unauthorized changes to system binaries.
Deploy host-based intrusion detection systems (HIDS) configured to alert on unexpected firmware or bootloader modifications.
Network-Based Detection:
Monitor network traffic for unusual firmware update downloads or communication patterns indicative of compromised update channels.
Implement network intrusion detection systems (NIDS) with signatures tailored to detect known malicious firmware distribution channels.
Indicators of Compromise (IoCs):
Unexpected changes in firmware or bootloader hashes.
Presence of unknown or suspicious kernel modules or drivers.
Unusual boot-time behaviors, such as increased boot duration or unexpected system restarts.
Detection of unauthorized firmware update processes or unexpected firmware images on endpoints.
Why it is Important to Detect This Technique
Detecting and mitigating the Patch System Image sub-technique is critical due to its severe impacts and persistent nature:
Long-Term Persistence:
Malicious firmware or bootloader modifications provide attackers persistent access that survives system reboots, OS reinstalls, and standard remediation procedures.
High-Level Privilege and Control:
Compromised firmware and system images operate at privileged system levels, allowing attackers complete control over affected devices, including kernel-level access and control over hardware components.
Stealth and Detection Evasion:
Modifications at firmware or bootloader levels are challenging to detect using traditional antivirus or endpoint security tools, allowing attackers to remain undetected for extended periods.
Operational Disruption and Damage:
Attackers can leverage compromised system images to disrupt critical operations, cause system instability, or even permanently brick hardware, leading to significant operational and financial impacts.
Data Exfiltration and Espionage:
Persistent, low-level access enables attackers to exfiltrate sensitive information continuously without detection, posing significant risks to intellectual property, national security, or organizational confidentiality.
Examples
Several real-world examples illustrate the use of the Patch System Image sub-technique in notable attacks:
ShadowHammer Attack (ASUS Supply Chain Attack, 2019):
Attackers compromised ASUS Live Update servers, distributing maliciously modified firmware updates to millions of users.
Malicious firmware updates contained embedded backdoors, selectively targeting specific users based on MAC addresses.
Impact included persistent access for attackers, data exfiltration risks, and significant reputational damage to ASUS.
LoJax UEFI Rootkit (APT28, 2018):
Russian threat actor APT28 (Fancy Bear) deployed LoJax, a malicious UEFI rootkit, by modifying legitimate firmware images.
Persistence achieved via firmware-level modifications, allowing attackers to maintain access even after OS reinstallation.
Demonstrated capability to persistently infect systems at the firmware level, significantly complicating detection and remediation efforts.
MosaicRegressor UEFI Bootkit (Chinese APT41, 2020):
Chinese threat actors leveraged MosaicRegressor, a UEFI bootkit, to modify firmware images and achieve long-term persistence.
Attackers embedded malicious payloads within firmware images distributed via compromised supply chains and targeted attacks.
Enabled persistent espionage activities, including covert data exfiltration and monitoring of sensitive targets.
Equation Group Firmware Implants (NSA-Linked, Disclosed 2015):
Equation Group developed sophisticated firmware implants capable of modifying hard drive firmware and system images.
Persistent implants survived system wipes and reinstallation, providing long-term espionage capabilities against targeted entities.
Highlighted the advanced capabilities of state-sponsored actors in leveraging firmware-level modifications for persistent access and espionage operations.
Last updated
Was this helpful?