You’ve probably heard of rootkits, but have you ever heard of bootkits?
They’re basically all that is terrifying about rootkits – only taken a level deeper. Rather than inserting themselves into the root level of an operating system, they target the firmware that sits beneath the OS.
So at a time when most businesses are still trying to mature their software and hardware vulnerability discovery and remediation practices in isolation, bootkits target the intersection between the two.
Here are two more complicating factors:
- Most platform security solutions focus on ensuring an authenticated OS is booted but do not consider the underlying hardware and firmware in the system and its impact on security.
- Most types of secure boot processes may not help as they focus just on booting an authenticated OS.
What is MoonBounce?
MoonBounce is a sophisticated Unified Extensible Firmware Interface (UEFI) bootkit discovered by Kaspersky in late 2021 and disclosed publicly last week.
Here’s the issue in a nutshell:
- Problem #1: It embeds malicious code in UEFI firmware that most secure boot techniques are likely to miss since the insertion doesn’t modify the OS at all.
- Problem #2: Since it installs itself in serial peripheral interface (SPI) flash memory on the motherboard, reformatting (or even replacing!) the system hard disk won’t get rid of it.
What’s so unique about it?
Attacks targeting low-level firmware are not particularly new. In fact, in a 2021 survey conducted by Microsoft, over 83 percent of organizations reported having suffered at least one firmware attack in the preceding two years.
But MoonBounce and two other recent examples, LoJax and MosaicRegressor, raise the stakes substantially by targeting SPI flash instead of an EFI system partition on the device’s primary hard drive or SSD.
What actions should you take?
Verify your short-term detection and risk mitigation measures: In the short term, confirm that your host-based security tools of choice include UEFI scanning capabilities that will detect these types of attacks.
You also shouldn’t assume that just because a device is equipped with secure boot it is insulated against attacks like MoonBounce. Traditional UEFI secure boot mechanisms are unlikely to catch this latest crop of sophisticated firmware attacks since they don’t authenticate the platform firmware. It’s important to expand secure boot to the platform firmware as well using techniques such as Intel’s BootGuard.
Insist on a strategic approach to software and hardware vulnerability avoidance: Over the long run, the best way to mitigate risk is by building sound security features into the hardware and firmware itself to ensure the entire chain of trust is well managed.
Success with this requires a systematic process that:
- Specifies security requirements across hardware and firmware upfront
- VerifIes adherence to those requirements across both the hardware and firmware
- Provides a security sign-off confirming that products’ security requirements are effectively covered
As MoonBounce illustrates, remediating a firmware vulnerability after the fact can be extremely challenging, even if you’re fortunate enough to detect it. This becomes even worse if the firmware vulnerability is baked into an SoC chip as part immutable microcode.
If you’re shipping products with hardware and/or software, approach this challenge holistically within your company and with your partners since security is really about the entire system and not one specific link in the chain.
If you’re an enterprise or government agency, it’s important to challenge your suppliers on their hardware security programs to ensure you’re being provided with a platform with the highest levels of security assurance.