CAPEC-638 Metadata
Likelihood of Attack
Low
Typical Severity
Very High
Overview
Summary
An adversary exploits system features and/or improperly protected firmware of hardware components, such as Hard Disk Drives (HDD), with the goal of executing malicious code from within the component's Master Boot Record (MBR). Conducting this type of attack entails infecting the target with firmware-altering malware, using known tools, and a payload. Once this malware executes, the MBR is modified to include instructions that run the payload at desired intervals and whenever the system boots. Because the implant resides in the component's firmware, which an operating-system reinstall or a format of the drive does not overwrite, the modified MBR can be re-applied from the firmware, and a successful attack obtains persistence within the victim system even if the operating system is reinstalled and/or the component is formatted or has its data erased.
Prerequisites
Advanced knowledge about the target component's firmware.
Advanced knowledge about Master Boot Records (MBR).
Advanced knowledge about tools used to insert firmware-altering malware.
Advanced knowledge about component shipments to the target organization.
Execution Flow
Step | Phase | Description | Techniques |
---|---|---|---|
1 | Explore | [Select Target] The adversary searches for a suitable target to attack, such as government and/or private industry organizations. | |
2 | Explore | [Identify Components] After selecting a target, the adversary determines whether a vulnerable component, such as a specific make and model of an HDD, is contained within the target system. | |
3 | Experiment | [Optional: Create Payload] If not using an already existing payload, the adversary creates their own to be executed at defined intervals and upon system boot. This payload may then be tested on the target system or a test system to confirm its functionality. | |
4 | Exploit | [Insert Firmware Altering Malware] Once a vulnerable component has been identified, the adversary leverages known malware tools to infect the component's firmware and drop the payload within the component's MBR. This allows the adversary to maintain persistence on the target and execute the payload without being detected. | |
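The detection counterpart to step 4 is to read the first sector of the drive and compare it against a record taken at provisioning time. The following is an added example for this page, not code from CAPEC or MITRE: it parses a 512-byte MBR (boot code, optional disk signature, four partition entries, 0x55AA signature), hashes the boot-code and partition-table regions separately, and reports deviations from a baseline. The MBR images are constructed in the block (the "boot code" is a handful of placeholder bytes, not a real boot loader), and the baseline is assumed to have been captured when the system was first provisioned.

```python
"""Check a Master Boot Record against a provisioning-time baseline.

Added example for this page; not code from CAPEC or MITRE. The MBR images
below are constructed for illustration, and BASELINE stands in for a record
assumed to have been taken at provisioning time.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440             # bytes 440..443: optional disk signature; 444..445 reserved
PART_TABLE_OFF = 446           # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY_FMT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into region hashes, disk signature and decoded partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "part_table_sha256": hashlib.sha256(mbr[PART_TABLE_OFF:510]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Return findings for an MBR image; an empty list means it matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if info["part_table_sha256"] != baseline["part_table_sha256"]:
        findings.append("partition table differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_mbr(boot_code: bytes, disk_sig: int, entries: list) -> bytes:
    """Assemble a 512-byte MBR from its parts (used here only to construct samples)."""
    buf = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_END]
    buf[:len(code)] = code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed clean sample: placeholder boot code, one bootable type-0x07 partition.
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007c8bf0").ljust(BOOT_CODE_END, b"\x00")
PARTITIONS = [(True, 0x07, 2048, 1_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1234ABCD, PARTITIONS)

# Baseline as it is assumed to have been recorded at provisioning time.
BASELINE = parse_mbr(CLEAN_MBR)

# Constructed tampered sample: entry point overwritten with a short jump,
# partition table left untouched so only the boot-code region changes.
_tampered = bytearray(CLEAN_BOOT_CODE)
_tampered[0:2] = b"\xeb\x3c"
TAMPERED_MBR = build_mbr(bytes(_tampered), 0x1234ABCD, PARTITIONS)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE) or ["ok"])
```

On a live system the 512 bytes would come from the raw block device (for example the first sector read with `dd`), and the baseline from a hash taken before the drive was ever exposed to the network. The check has a limit worth stating for this attack pattern: every read passes through the drive's own firmware, so an implant at that level can return a clean sector to the host while booting a different one. A matching hash therefore lowers suspicion; it is not proof of a clean drive, and firmware integrity itself must be verified by other means.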
Potential Solutions / Mitigations
Leverage hardware components known to not be susceptible to these types of attacks.
Implement hardware RAID infrastructure.
Related CAPECs
CAPEC ID | Description |
---|---|
CAPEC-452 | An adversary inserts malicious logic into hardware, typically in the form of a computer virus or rootkit. This logic is often hidden from the user of the hardware and works behind the scenes to achieve negative impacts. This pattern of attack focuses on hardware already fielded and used in operation as opposed to hardware that is still under development and part of the supply chain. |
Taxonomy Mappings
Taxonomy: ATTACK
Entry ID | Entry Name |
---|---|
1542.002 | Pre-OS Boot: Component Firmware |