Survey finds firmware a common attack vector against banks

Firmware is the platform that allows software to run on hardware, making it one of the most fundamental elements of the technology stack. A recent survey found banks are seeing a high rate of cyberattacks exploiting firmware.

Software vulnerabilities can occur at any level of the tech stack, from the operating system to programming languages to applications, but companies securing their systems against cyberattacks — particularly financial institutions — often overlook firmware, the most fundamental level of software.

An assessment from the Department of Commerce and the Department of Homeland Security that circulated earlier this year highlighted various vulnerabilities in the nation's supply chain, including firmware, which it called "a single point of failure" in devices and "one of the stealthiest methods" attackers can exploit. The departments also said firmware is "often overlooked" as an attack vector companies need to defend.

Separately, survey results released this week by the firmware and hardware security company Eclypsium reveal that firmware is a particular problem for the financial sector. The survey found that 88% of respondents had experienced a "firmware-related" cyberattack in the last two years, and 92% said cybercriminals are better equipped to attack firmware than their organization is to protect it.

Eclypsium worked with Vanson Bourne, a tech market research firm, to interview 350 IT security professionals at organizations in the financial sector. Countries represented in the survey included the U.S. (150 respondents), Canada (50) and other countries.

"There is a clear discrepancy between the state of awareness around firmware security and the perception of knowledge that IT departments have," the report says. 

Firmware is often defined as the permanent programs stored in a computer's read-only memory. However, contrary to what that definition might suggest, much firmware that has an impact on a company's cybersecurity can be upgraded or updated, presenting both an attack vector and a security measure.

In their overview of the security risks presented by firmware, Homeland Security and the Commerce Department pointed to the basic input/output system (BIOS) and its successor technology, unified extensible firmware interface (UEFI), as two notable examples of firmware. The two systems enable the computer to run an operating system, such as Linux distributions or Windows.

A successful attack against firmware grants threat actors access to one of the most privileged positions within a computer. Attacks conducted using firmware can subvert operating system and hypervisor visibility, bypassing important security systems that firms use to monitor for malicious behavior on their servers and other devices.

Some devices support regular firmware updates, allowing companies to patch known vulnerabilities as they come to light. Other devices can receive only one update in their lifetime, or no updates at all. Often, the process to update firmware is complex, presenting another barrier to patching security holes.

Homeland Security and the Commerce Department are also increasingly concerned about ransomware operated at the level of firmware. In their assessment, the departments identified three examples of ransomware that exploited vulnerabilities in firmware.

One was a 2015 attack dubbed MosaicRegressor that entailed data gathering and espionage, another was a 2016 attack known as Petya that often propagated via infected email attachments, and the third was a 2020 attack called Thanos ransomware, whose alleged creator was recently charged by the Department of Justice with computer intrusion and conspiracy to commit computer intrusion.
