Ensign Threat Advisory: Dell Hardware / Firmware Vulnerabilities
Multiple firmware vulnerabilities had been discovered in the Dell BIOSConnect feature available on multiple models of consumer and business laptops, desktops, tablets, including devices protected by Secure Boot and Secured-core PCs. Normally, this feature is used to update the system firmware or perform OS recovery, however vulnerabilities that exist, would enable an attacker to remotely execute code in the pre-boot environment.
Dell recommends that users disable and avoid using BIOSConnect firmware update, OS recovery, and HTTPS boot features manually from the BIOS setup menu or the Dell Command Control remote system management tool. When available, customers should apply the BIOS updates for their system via an executable from the OS after manually checking the hashes against those published by Dell other than BIOSConnect.
Firmware attacks targeting enterprises are up over the past two years and they have become a hot target for cybercrime as operating systems become more secure, attackers are increasingly shifting their attention to firmware, which is less visible, more fundamental and rarely well protected
The TrickBot malware which has been around since 2016, and evolving over time had in 2020, added a module to inspect devices for firmware vulnerabilities that could enable attackers to read, write, or erase the UEFI/BIOS firmware. In 2019, Asus computers were also targeted by hackers (now known as ShadowHammer) in the form of a malicious firmware update. In October 2018, a rare firmware rootkit was detected targeting diplomats and nongovernmental organisations. Russian advanced persistent threat group Sednit deployed the first firmware-level rootkit seen in the wild.
What we are seeing are attacks based on exploiting hardware designs and what differentiates this type of attacks is that consumers don’t have any control over the hardware design and manufacturing. The shift in attackers focus are becoming more prevalent as OS becomes more secure and firmware remains less visible and rarely well protected.
Ensign Posture & Monitoring
Ensign InfoSecurity provides a complete inventory and health check for enterprise firmware and hardware components.
In addition, with regular vulnerability scanning of these components, we enable any organisation to extend its visibility and security beyond the traditional endpoints.
Ensign has in place a well-defined enterprise security vulnerability management framework where configuration and patches are dutifully tested and rolled out as they become available.
Ensign has also stepped up monitoring operations and will advise clients of any anomalies detected from the monitored event logs.
- For those using Dell hardware that are not enterprise-managed:
- Immediately disable Dell BIOSConnect, OS recovery, and HTTPS boot features feature from the BIOS setup page
- Do not run “BIOS Flash Update – Remote” until the system is updated with a remediated version of the BIOS
- Patch Dell’s firmware via an executable from the OS after manually checking the hashes against those published by Dell
(Refer to Dell’s webpage for detailed info at https://www.dell.com/support/kbdoc/en-au/000188682/dsa-2021-106-dell-client-platform-security-update-for-multiple-vulnerabilities-in-the-supportassist-biosconnect-feature-and-https-boot-feature)
- For those using Dell hardware that are enterprise-managed:
- Inform respective IT team to see if you are affected and await further instructions for the fix
- Know your assets to increase your visibility into your network
- Use device discovery and find affected devices on your network for remediation/mitigation
- Put in place a hardware and software inventory tracking system
- Implement a stringent vulnerability and patch process especially for Internet connected systems
- Keep systems fully patched at all levels, OS, application and firmware
- Enable platform security features such as Secure Boot and BIOS Admin Password
- Regularly conduct vulnerability scanning
- Scan your environment for indicators of compromise (IOC) where available
Ensign will continue to provide updates on the incident and inform you of additional recommendations. We can help you to secure your firmware/hardware security. If you suspect that you have been compromised, you can contact us for digital forensic and incident response services. You can also take preemptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme. Contact us at firstname.lastname@example.org for more information.