Thursday, December 17, 2020

assume that the threat actor has deployed further persistence mechanisms.

So, anyway, today CERT released an excellent alert about the SolarWinds compromise. It's full of good advice, but my favorite sentence is the one I used as a title.

I will be shocked if, in the fullness of time, we don't discover that they modified firmware in order to achieve persistence.

In order to do that, all they need to do is this:

(1) Create a driver capable of reading and writing firmware. This is not easy, but there are examples, such as Chipsec, and don't bother arguing that these perps are not smart enough to do it.

(2) Such a driver would need to be signed, but they already proved they can sign stuff.

(3) Get the driver on the target system. That's what SunBurst (their downloader) can already do.

(4) Modify the right bit of code in the firmware. Remember, there are between 200 and 1,000 compiled C programs, in Windows format, and Bad Guys have been modifying compiled C programs for a long time now. They know how to do that. Oh, and remember that although they are cryptographically signed, the signature is only checked at flash time.

(5) Remember, it's in the UEFI spec that the firmware can download anything from anywhere using HTTP or FTP, and the firmware has its own network stack.

(6) Once the firmware is modified, SunBurst is perfectly capable of cleaning up such evidence.

My second favorite sentence in the alert is the one about forensically imaging the systems. This is good, but I don't think any forensics kits currently capture firmware.

Folks, everyone needs to start to watch their firmware. You may be confident that "they" are.
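Watching firmware, in the sense of the last two paragraphs, means carving the compiled PE modules out of a dump and comparing each one against a baseline hashed right after a trusted flash, since the signature check at flash time says nothing about what is in the chip now. The script below is an added example, not code from this post or from the CERT alert; it assumes a simplified PE layout (no optional header) and builds a constructed two-module dump inline, because a real SPI image cannot be embedded here, but the carving and comparison logic is what you would run over a real dump.

```python
import hashlib
import struct

def make_module(body: bytes) -> bytes:
    """Minimal PE-shaped blob standing in for one firmware module (constructed)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)   # 1 section, no optional header
    raw_off = 0x40 + 4 + 20 + 40                               # body follows the headers
    sect = b".text\0\0\0" + struct.pack("<IIII", len(body), 0, len(body), raw_off) + b"\0" * 16
    return dos + b"PE\0\0" + coff + sect + body

def carve_pe_modules(image: bytes) -> list:
    """Return (offset, bytes) for every PE image found in a raw firmware dump."""
    modules, pos = [], 0
    while (pos := image.find(b"MZ", pos)) != -1:
        if pos + 0x40 > len(image):
            break
        pe = pos + struct.unpack_from("<I", image, pos + 0x3C)[0]
        if image[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(image):
            pos += 2                      # stray "MZ" bytes, not a module header
            continue
        nsect = struct.unpack_from("<H", image, pe + 6)[0]
        table = pe + 24 + struct.unpack_from("<H", image, pe + 20)[0]
        end = table + 40 * nsect
        for i in range(nsect):            # module ends where its last raw section ends
            size, ptr = struct.unpack_from("<II", image, table + 40 * i + 16)
            end = max(end, pos + ptr + size)
        modules.append((pos, image[pos:end]))
        pos = end
    return modules

def module_hashes(image: bytes) -> dict:
    """Map module offset -> SHA-256; record this after a trusted flash as the baseline."""
    return {off: hashlib.sha256(blob).hexdigest() for off, blob in carve_pe_modules(image)}

def changed_modules(baseline: dict, current: dict) -> list:
    """Offsets whose module hash differs from, or is missing in, the baseline."""
    return sorted(off for off, h in current.items() if baseline.get(off) != h)

# Constructed sample dump: two modules separated by 0xFF padding, as in a flash image.
FIRMWARE = b"\xff" * 16 + make_module(b"dxe core code") + b"\xff" * 32 + make_module(b"network stack") + b"\xff" * 16
BASELINE = module_hashes(FIRMWARE)

def demo() -> list:
    """Patch one byte of the second module's code and report what the comparison flags."""
    tampered = bytearray(FIRMWARE)
    second = sorted(BASELINE)[1]
    tampered[second + 0x80] ^= 0x01       # first byte of module 2's section body
    return changed_modules(BASELINE, module_hashes(bytes(tampered)))
```

On a real dump the baseline has to come from a known-good image of the same firmware version, and any module that appears, disappears or changes hash between two dumps is what you investigate.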

2021 is saying "Hold my beer".
