TID-201: Inadequate Bootloader Protection and Verification
Threat Description
Some devices utilize bootloaders that are either stored in writable memory or memory that can be made writable. It may then be possible for a threat actor to alter the contents of the device’s designated boot code storage locations to inject malicious code or modify the bootloader’s operation. This could allow the installation of a “bootkit”, which is loaded before the operating system and can undermine any security protections within the bootloader or operating system. Typically this is done through a vulnerability or lack of write protections in the bootloader loader/runtime environment.
Threat Maturity and Evidence
Observed Adversarial Behavior
ATT&CK Technique: Pre-OS Boot: Bootkit (T1542.003)
“Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.”
Detecting UEFI Bootkits in the Wild (Part 1)
“As UEFI boot systems are going mainstream, the bootkits are also shifting to an implementation of infecting firmware in a flash chip on the motherboard instead of the MBR/VBR on the hard drive. The first PoC of UEFI bootkits was presented in 2013 and the threats have been observed in the wild since 2018.”
LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group
“Sednit also known as APT28, Sofacy, Strontium and Fancy Bear – has been operating since at least 2004, and has made headlines frequently in the past years: it is believed to be behind major, high profile attacks. … this white paper details the first time this group is known to have used a UEFI rootkit.”
MosaicRegressor: Lurking in the Shadows of UEFI
“During an investigation, we came across several suspicious UEFI firmware images. A deeper inspection revealed that they contained four components that had an unusual proximity in their assigned GUID values, those were two DXE drivers and two UEFI applications. After further analysis we were able to determine that they were based on the leaked source code of HackingTeam’s VectorEDK bootkit, with minor customizations.”
TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT
“This new functionality, which we have dubbed “TrickBoot,” makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/ BIOS firmware of a device. “
CWE
CWE-693: Protection Mechanisms Failure (Pillar)
“The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.”
CWE-284: Improper Access Control
“The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.”