In previous blogs we have taken a look at how attackers can target an organization’s most critical devices with firmware rootkits installed remotely or through “evil maid” attacks. However, devices can also be compromised in the supply chain before they are ever deployed in the enterprise. This type of attack can be incredibly difficult for most organizations to detect given that even the earliest baselines of a device are already compromised. Of course, a physical attack isn’t necessarily required for this. Vulnerabilities in firmware, such as failure to authenticate updates to UEFI or Baseboard Management Controller (BMC) firmware, can also enable attacks within the supply chain.
Recent reporting suggests that malicious actors were able to infiltrate over 30 companies using devices compromised in the supply chain. Even with the details of the recent news in dispute, we can see that supply chain risks are quickly becoming a top priority across the industry. NIST recently updated its Framework for Improving Critical Infrastructure Cybersecurity to include a Supply Chain Risk Management (SCRM) category, while greatly improving the guidance related to SCRM throughout the framework. Likewise, the UK’s NCSC Cyber Threat to UK Business report highlighted the recent increase in supply chain attacks as a major area of focus moving forward. Additionally, in Gartner’s recent Top 6 Security and Risk Management Trends for 2018, the firm highlighted the importance of “origin over pricing” when evaluating technology purchases and the need to carefully consider the upstream and downstream relationships of all technology suppliers.
These are clear signs that a shift is underway in the industry. For many years the notion of firmware and hardware-level attacks in the supply chain may have seemed far-fetched. But now, both research and real-world evidence show that these threats are here. For example, if attackers leveraged the BMC as described in the article, then an understanding of how BMC firmware can be subverted is the key to detection and an informed defense.
This knowledge is forcing organizations to evolve a more modern approach to how they handle the security of their devices, because those devices can be compromised remotely, via physical access, or, as we now see, in the supply chain. As a result, it is increasingly critical that security teams have the tools and visibility to understand this new attack surface, actively manage any vulnerabilities, and defend themselves from attacks. We at Eclypsium look forward to helping build this critical phase of enterprise security.