The Situation
Multiple firmware vulnerabilities have been discovered in the Dell BIOSConnect feature, which is available on multiple models of consumer and business laptops, desktops and tablets, including devices protected by Secure Boot and Secured-core PCs. Normally this feature is used to update the system firmware or perform OS recovery; however, the vulnerabilities would enable an attacker to remotely execute code in the pre-boot environment.
Dell recommends that users disable and avoid using the BIOSConnect firmware update, OS recovery and HTTPS boot features, either manually from the BIOS setup menu or through the Dell Command Control remote system management tool. When available, customers should apply the BIOS updates for their system via an executable run from the OS, after manually checking its hash against the one published by Dell, rather than via BIOSConnect.
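The manual check that Dell recommends (verify the downloaded BIOS update against the published hash before running it from the OS) can be scripted so that administrators do it the same way every time. The PowerShell below is an added example, not code from Dell or from Ensign: the file path and the expected SHA-256 value are placeholders that the administrator copies from Dell's download page for the specific update, and the Authenticode signer check assumes the update executable is signed by Dell, as Dell's update packages normally are.

```powershell
# Added example (not Dell's or Ensign's code): verify a Dell BIOS update
# executable against the SHA-256 hash published on Dell's download page and
# confirm its Authenticode signature before it is applied from the OS.
# $UpdatePath and $ExpectedSha256 are placeholders supplied by the operator.

param(
    [Parameter(Mandatory = $true)]
    [string]$UpdatePath,        # e.g. C:\Temp\BIOS_Update.exe (placeholder)

    [Parameter(Mandatory = $true)]
    [string]$ExpectedSha256     # hash copied from Dell's download page (placeholder)
)

function Test-BiosUpdateHash {
    param([string]$Path, [string]$Expected)

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        throw "Update file not found: $Path"
    }

    # Get-FileHash is built into PowerShell 4 and later; SHA-256 is the default.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Published hashes vary in letter case, so compare case-insensitively.
    return $actual.Equals($Expected.Trim(), [System.StringComparison]::OrdinalIgnoreCase)
}

function Test-BiosUpdateSignature {
    param([string]$Path)

    # A valid Authenticode chain plus a Dell signer is a second, independent
    # check; a hash match alone does not prove who produced the file.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    return ($sig.SignerCertificate.Subject -match 'Dell')
}

# Record the firmware version before the update so the change can be confirmed afterwards.
$bios = Get-CimInstance -ClassName Win32_BIOS
Write-Host ("Current BIOS: {0} {1} (released {2})" -f $bios.Manufacturer, $bios.SMBIOSBIOSVersion, $bios.ReleaseDate)

$hashOk = Test-BiosUpdateHash -Path $UpdatePath -Expected $ExpectedSha256
$sigOk  = Test-BiosUpdateSignature -Path $UpdatePath

if ($hashOk -and $sigOk) {
    Write-Host "SHA-256 matches the published hash and the Dell signature is valid; the update may be applied."
    # Run the verified executable according to Dell's instructions for the package;
    # no Dell command-line switches are assumed here.
    exit 0
}
else {
    if (-not $hashOk) { Write-Warning "SHA-256 MISMATCH: do not run this file; re-download it from Dell's support site." }
    if (-not $sigOk)  { Write-Warning "Authenticode signature missing, invalid or not from Dell." }
    exit 1
}
```

Run it as `.\Verify-BiosUpdate.ps1 -UpdatePath C:\Temp\BIOS_Update.exe -ExpectedSha256 <hash from Dell's page>`; a non-zero exit code lets a deployment job stop before the update is applied, and the printed pre-update BIOS version gives a baseline to compare against `Win32_BIOS` after the reboot.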
The History
Firmware attacks targeting enterprises are up over the past two years, and firmware has become a hot target for cybercrime. As operating systems become more secure, attackers are increasingly shifting their attention to firmware, which is less visible, more fundamental and rarely well protected.
The TrickBot malware, which has been around since 2016 and has evolved over time, added in 2020 a module that inspects devices for firmware vulnerabilities that could enable attackers to read, write or erase the UEFI/BIOS firmware. In 2019, Asus computers were also targeted by hackers in an attack (now known as ShadowHammer) delivered in the form of a malicious firmware update. In October 2018, a rare firmware rootkit was detected targeting diplomats and non-governmental organisations: the Russian advanced persistent threat group Sednit deployed the first firmware-level rootkit seen in the wild.
What we are seeing are attacks that exploit hardware designs, and what differentiates this type of attack is that consumers have no control over the hardware design and manufacturing. The shift in attackers' focus is becoming more prevalent as operating systems become more secure while firmware remains less visible and rarely well protected.
Ensign Posture & Monitoring
Ensign InfoSecurity provides a complete inventory and health check for enterprise firmware and hardware components.
In addition, with regular vulnerability scanning of these components, we enable any organisation to extend its visibility and security beyond the traditional endpoints.
Ensign has in place a well-defined enterprise security vulnerability management framework where configuration and patches are dutifully tested and rolled out as they become available.
Ensign has also stepped up monitoring operations and will advise clients of any anomalies detected from the monitored event logs.
Our Recommendations
(Refer to Dell's webpage for detailed information at https://www.dell.com/support/kbdoc/en-au/000188682/dsa-2021-106-dell-client-platform-security-update-for-multiple-vulnerabilities-in-the-supportassist-biosconnect-feature-and-https-boot-feature)
Ensign will continue to provide updates on the incident and inform you of additional recommendations. We can help you secure your firmware and hardware. If you suspect that you have been compromised, you can contact us for digital forensic and incident response services. You can also take pre-emptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme. Contact us at marketing@ensigninfosecurity.com for more information.
References:
https://eclypsium.com/2021/06/24/biosdisconnect/