Recently, the U.S. departments of Commerce and Homeland Security issued a report detailing critical weaknesses in technology supply chains. The report details a number of issues requiring immediate remediation, but separately calls out two top risks: the increasing use of open-source code, and the “single point of failure” represented by device firmware.
Firmware is core — it’s instructional code that’s shipped with every device, and acts as the digital glue binding all parts of technology supply chains. Gartner Inc. has estimated that every endpoint contains 15 to 20 firmware components, and every server contains 30 or more. As these numbers increase, so too will the potential entry points for adversaries.
The One-to-Many Infection Vector
Once only associated with sophisticated attacks — such as the widely publicized SolarWinds and Colonial Pipeline cyber espionage campaigns — the supply chain has slowly grown to become one of the most overly exposed to malicious actors. A Crowdstrike study found that 45% of organizations experienced at least one supply chain attack in 2021.
The rise in supply chain attacks can be attributed to new agile environments and aggressive development cycles. With the current global shortages and supply chain disruptions, original equipment manufacturers are outsourcing to third parties without having a longstanding history or visibility into the sub-suppliers’ cybersecurity hygiene. Yet the most luring factor is the one-to-many attack multiplier the supply chain presents. A supply chain attack has potential to disrupt national economies and put lives at risk.
Supply chains come in many forms, but the most instrumental is the information and communication technology supply chain. Every piece of ICT equipment is a combination of chips and components bound together by specialized code within a chain of vendors and suppliers. Combine that with the magnitude of ICTs available today: Every organization, large or small, uses cloud computing, the internet, software and an array of hardware to operate. If compromised, firmware allows the attacker to infiltrate an individual system and access a vast number of access points, including data, applications and services, on the device. Touch points only accumulate as the number of contributing vendors increases and their own supply chains are added to the mix.
Firmware’s Crucial Connection
Firmware is the first and often most-privileged code to run on a device, and instructs subsequent operating system actions. As the DOC and DHS report notes, “Firmware’s privileged position in the computing stack gives stealthy attackers a major advantage.”
Adversaries abuse firmware to gain initial access into an organization, either directly breaching and infecting devices running vulnerable firmware, or through an implant or backdoor to infiltrate a product prior to its ever reaching the end customer. The attack method in this instance can be a malicious code that’s simply downloaded by the user.
That said, threat actors are constantly pivoting to find new weaknesses and becoming more creative in their attack methods, to be undetectable while causing the most damage. Over the past two years, ransomware gangs have focused on breaching embedded operating systems and firmware in enterprise network devices, including VPNs, switches, firewalls, routers and a wide range of traffic concentrators, gateways and delivery controllers. These infection vectors are both powerful and unprotected. Network devices like routers, VPNs, and file transfer appliances are some of the most strategically crucial devices within an organization, making them uniquely valuable in the context of a cyberattack.
Firmware attacks also allow adversaries to recover and continue accessing a device after the initial threat is detected, even if the device is completely wiped. In recent iLOBleed attacks, adversaries repeatedly reinfected HPE servers with ransomware after the threat was identified and the infected systems reimaged. This same level of evasion is seen when security tools fail to detect threats – a common downfall given most tools lack firmware intelligence.
Protecting Against Stealthy Infections
To mitigate these risks, organizations must secure firmware throughout all aspects of their business. Firmware security is an emerging discipline that combines new sub-OS technologies with best practices to identify, verify and fortify firmware throughout extended, remote enterprises. Essential steps include:
As supply chain breaches continue to reverberate through the industry, and ransomware’s vector-of-choice pivots to firmware, organizations will need to embrace firmware security to protect their supply chains. NIST, alongside Eclypsium, Dell, Intel and HP, hope to illuminate current blindspots and make defense easier through a recently released practice guide. It details ways that practitioners can validate not only the integrity of the devices in their complex supply chains, but the previously invisible firmware holding these chains together as well.
Yuriy Bulygin is co-founder and CEO of Eclypsium.
Timely, incisive articles delivered directly to your inbox.