Microsoft warns of inadequate preparation for increasing firmware attacks

According to the March 2021 Security Signals report that Microsoft commissioned from the Hypothesis Group, 80% of companies have experienced a firmware attack in the last two years, yet less than one-third of security budgets is devoted to firmware protection.

Firmware attacks are a troublesome threat. In 2018, the state-sponsored hacking group APT28 (aka Fancy Bear) used a Unified Extensible Firmware Interface (UEFI) rootkit to attack Windows PCs. There have also been attacks that abused hardware drivers, such as “RobbinHood,” “Uroburos,” “Derusbi,” “Sauron,” and “GrayFish,” and “Thunderspy,” which targeted devices with Thunderbolt ports. In 2019, Microsoft announced the “Secured-core PC,” designed to prevent system tampering and attacks by advanced malware at the firmware level. In addition, “Microsoft Defender ATP” was given a UEFI scanner so that malware can be found by scanning the firmware file system.

However, according to Microsoft's research report, companies are not taking firmware attacks seriously. “Surveys show that current investments are directed at security updates, vulnerability scanning, and advanced threat protection (ATP) solutions,” the company points out. “Nevertheless, many organizations are concerned about malware accessing the system and about the difficulty of detecting threats, suggesting that firmware is more difficult to monitor and control. Lack of awareness and lack of automation exacerbate firmware vulnerabilities.”

Firmware sits below the OS, where it is invisible to antivirus software, and it is the layer in which credentials and encryption keys are held in memory. “Many devices on the market today do not provide visibility into that layer, so there is no way to ensure that an attacker has not compromised the device during boot or kernel execution; attackers, however, seem to have noticed.” The company's Security Signals report found that 36% of companies are investing in hardware-based memory encryption and 46% are buying hardware-based kernel protection.
Security teams also remain focused on a “protect and detect” model, and the report reveals that they spend only 39% of their time on prevention. According to Microsoft, this is an outdated model that underinvests in preventive defense against kernel-level attacks. Many (82%) of the 1,000 security decision makers surveyed said they lacked the resources for high-impact security work because they were kept busy with patching, hardware upgrades, and mitigating internal and external vulnerabilities.