Attackers with access to your server hold your company in their hands – and it's not hard for them to abuse that power and brick the server from anywhere, researchers report.
Most people view firmware attacks, and other attacks that cause permanent damage, as physical in nature. Analysts at Eclypsium sought to demonstrate how it's possible to remotely brick a server and disrupt infrastructure by exploiting vulnerabilities in the baseboard management controller (BMC) and system firmware. The result would spell enterprise disaster.
The idea of bricking systems is not new, says John Loucaides, vice president of engineering at Eclypsium. While the concept has been around for a while, and security experts have discovered the vulnerabilities that could lead to this level of compromise, few have shown it. Eclypsium's goal in documentation published today is to help improve understanding of the remote attack vector, which can be performed at scale with enormous potential damage.
"It's a fairly significant impact," Loucaides points out. Recovery for most malware involves wiping affected systems and restoring good data. Recovery for this type of attack would require opening each affected server and physically connecting to deliver new firmware. It's a slow, technical process that's beyond the abilities of most IT staff and current enterprise systems, Loucaides explains. "This is an area that normal security technologies are missing," he says.
It doesn't take a sophisticated actor to pull this off, he notes. Many people will think of this as a nation-state-level attack, he continues, but open source toolkits exist on the Internet that can give attackers the access they need to render a target system inoperable. Eclypsium's demonstration marks the first time this specific method and technique has been shown, and it emphasizes the low barrier to entry for launching a successful attack of this nature.
Similar threats have been seen in the wild, Loucaides explains. Attackers have replaced server components with corrupted firmware, for example, or firmware that doesn't work. Eclypsium's method, which leverages past BMC research, bricks a server by remotely exploiting a BMC. If you're not familiar, the BMC is an independent computer within the server. It's used to remotely configure the system without relying on the host operating system or applications.
How It Plays Out
Step one is getting a foot in the door. "The first thing we're doing is assuming you have some sort of compromise," Loucaides explains. Perhaps the system got infected with malware; perhaps credentials were lost and picked up by the wrong person.
In Eclypsium's demonstration, researchers then used normal update tools to pass a malicious firmware image to the BMC. No special authentication or credentials are required to do this, and the firmware update contains additional code which, once triggered, erases the UEFI system firmware and essential components of the BMC firmware itself, analysts say in a blog post.
Why target the BMC? You could target any part of the server and get a similar result, says Loucaides, but the BMC "is the most understandable and the most obvious." In a ransomware attack or other major-impact scenario, the BMC is used to recover the system.
Step three is when the BMC boots to the attacker-supplied image. Because the BMC handles system management and recovery, it can install components into any part of the system. Researchers could use the malicious capability they installed in the BMC to corrupt system firmware; by corrupting the BMC as well, they leave no path for a system operator to recover it.
There is an arbitrary amount of time between stages three and four, in which the code executes, Loucaides explains. Attackers could launch malicious code as soon as they gain access via credential compromise, or they could install a component in the BMC and leave it there for as long as they like. "It doesn't all have to happen at the same time," he adds. The final payload could be triggered by a timer or external command and control.
The window between stages three and four depends on the attacker's goals. If they're going for maximum damage and disruption, Loucaides says, he would likely want to take his time and infect as many components as possible before bringing it all down at once. In step five, the BMC reboots the server, which is now unusable.
What You Can Do
Existing security defenses don't focus on firmware or hardware, says Loucaides, but there are ways to stop this type of attack. It starts with preventing initial compromise, which goes back to basic cyber hygiene: protecting credentials, for example, and using multifactor authentication.
"You can't do everything perfectly," he admits. "Something is going to go wrong. The trick is to be assessing the integrity of different components in your system."
Updates get plenty of attention at the application and operating system level, he continues, but not many people pay attention to firmware updates. Security teams should be running scans and monitoring infrastructure for anomalies, and interrupting the process before it's complete.
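As an added illustration (not Eclypsium's tooling and not code from the article), the detection logic below follows the "monitoring infrastructure for anomalies" advice: it runs over a constructed timeline of management events and flags the chain described under "How It Plays Out", a BMC update with an image that is not on a vendor allowlist, followed by writes to the UEFI and BMC firmware regions. Event names, fields, the window length and the sample hashes are assumptions.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed allowlist of known-good BMC image hashes (assumed; a real one
# would come from the vendor's signed release manifest).
KNOWN_GOOD_BMC_IMAGES = {hashlib.sha256(b"vendor-bmc-2.14-signed").hexdigest()}

def event(ts, host, kind, **detail):
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **detail}

# Constructed sample timeline: srv-01 receives an unlisted image and is later
# overwritten; srv-02 receives a vendor image and is benign.
SAMPLE_EVENTS = [
    event("2019-01-10T02:00:00", "srv-01", "bmc_fw_update_requested",
          image_sha256=hashlib.sha256(b"attacker-image").hexdigest(), actor="svc_deploy"),
    event("2019-01-10T02:03:00", "srv-01", "bmc_reboot"),
    event("2019-01-12T09:30:00", "srv-01", "uefi_region_write", region="full"),
    event("2019-01-12T09:31:00", "srv-01", "bmc_fw_region_write", region="boot"),
    event("2019-01-12T09:32:00", "srv-01", "host_power_cycle"),
    event("2019-01-10T03:00:00", "srv-02", "bmc_fw_update_requested",
          image_sha256=hashlib.sha256(b"vendor-bmc-2.14-signed").hexdigest(), actor="admin"),
]

DESTRUCTIVE = {"uefi_region_write", "bmc_fw_region_write"}

def analyze(events, allowlist=KNOWN_GOOD_BMC_IMAGES, window=timedelta(days=30)):
    """Return (host, severity, reason) findings.

    Rule 1: a BMC update whose image hash is not on the allowlist is suspicious
    on its own (stage two: an unexpected image pushed through normal tools).
    Rule 2: such an update followed within `window` by writes to the UEFI or
    BMC firmware regions matches stages three and four and is critical.
    """
    findings, by_host = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["kind"] != "bmc_fw_update_requested" or e["image_sha256"] in allowlist:
                continue
            findings.append((host, "high", "BMC update with image not on allowlist"))
            later = [x for x in evs[i + 1:]
                     if x["ts"] - e["ts"] <= window and x["kind"] in DESTRUCTIVE]
            if later:
                regions = ",".join(sorted(x["kind"] for x in later))
                findings.append((host, "critical",
                                 f"firmware region writes after unlisted BMC image: {regions}"))
    return findings
```

Rule 1 is the point at which the update can still be interrupted; rule 2 fires after the overwrite and is a signal to isolate the host and check its neighbours for the same staged image.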