After examining the depths of device firmware and hardware security for many years, yesterday’s publication of FinSpy bootkit activity comes as no surprise. This development is simply one more reason why firmware is the new battleground for cybersecurity. The nature of firmware is to be invisible, which makes it a natural target for attacks.
The toolkit FinSpy (a.k.a. FinFisher and Wingbird) was revealed by Kaspersky to include bootkit capabilities for modern UEFI-based boot loaders as well as the older “legacy boot” mechanism using the Master Boot Record (MBR). The FinSpy bootkit uses this persistence mechanism to alter code as it is loaded and executed during the boot process. True to form, the FinSpy authors split the infection process into multiple payloads that enable specific targeting and avoid systems that are likely to be used for malware analysis.
WHY IS THIS HAPPENING?
Over recent decades, the world has steadily increased its attention on the security of operating systems, applications, and networks. However, the firmware that inherently makes all of this work as we expect has remained invisible. No one wants to think about each component on a motherboard when powering on a device, and since firmware usually works, we don’t have to. The consequence, however, is that firmware did not get the same level of attention as cybersecurity became an important aspect of everything we do. Now, the people who monitor and protect systems often lack basic visibility into firmware and hardware. As a result, attackers move their activities to these invisible places to make detection and response more difficult.
WHAT CAN I DO TO PROTECT MY SYSTEMS?
Eclypsium researchers (in partnership with a great community of others) have been working on these challenges for a long time. Since this technique is not even close to the first of its kind, there are some easy defense mechanisms that organizations can apply to their systems. Defenders simply need to know they exist and ensure that they are working correctly.
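One of the simplest of those mechanisms is knowing what the boot code on a system should look like and checking that it has not changed. The Python below is an added example, not code from Eclypsium or from the Kaspersky report: it baselines and re-verifies the legacy MBR boot code that an MBR-persisting bootkit must alter, while ignoring the partition table, which changes legitimately. It assumes the defender recorded a known-good hash at provisioning time and can read the first sector of the disk; the sample sectors are constructed.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: the boot code a bootkit must patch
PART_TABLE_LEN = 64          # bytes 446..509: four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511: boot signature

def is_valid_mbr(mbr: bytes) -> bool:
    """A sector is only worth hashing if it is 512 bytes and ends in 0x55AA."""
    return len(mbr) == MBR_SIZE and mbr[510:512] == MBR_SIGNATURE

def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code region only. The partition table is excluded
    on purpose: it changes during legitimate disk management, while the boot
    code should never change outside an OS or boot loader reinstall."""
    if not is_valid_mbr(mbr):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def verify_mbr(mbr: bytes, baseline: str) -> dict:
    """Compare the current boot code against a known-good baseline hash
    recorded when the system was provisioned. 'changed' is True when the
    boot code differs, which is the signal worth alerting on."""
    current = boot_code_hash(mbr)
    return {"changed": current != baseline, "current": current, "baseline": baseline}

# Constructed sample sectors (not from any real system or the FinSpy report).
def _sample_mbr(boot_code: bytes, partition_table: bytes = b"\x00" * PART_TABLE_LEN) -> bytes:
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + partition_table + MBR_SIGNATURE

CLEAN_MBR = _sample_mbr(b"\xeb\x63\x90 clean boot code stub")
BASELINE = boot_code_hash(CLEAN_MBR)           # recorded at provisioning time
PATCHED_MBR = _sample_mbr(b"\xeb\x63\x90 altered boot code stub")
# Same boot code, different partition table: must NOT raise an alert.
REPARTITIONED_MBR = _sample_mbr(b"\xeb\x63\x90 clean boot code stub",
                                b"\x80" + b"\x00" * (PART_TABLE_LEN - 1))

if __name__ == "__main__":
    # On a real host: mbr = open("/dev/sda", "rb").read(512)  (needs root)
    for name, sector in [("clean", CLEAN_MBR), ("patched", PATCHED_MBR),
                         ("repartitioned", REPARTITIONED_MBR)]:
        print(name, verify_mbr(sector, BASELINE)["changed"])
```

The same baseline-and-compare idea applies to the UEFI side by hashing the boot loader files on the EFI System Partition, with the baseline stored off the host so a compromised machine cannot rewrite it.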
Find the report here!