CAPEC-638: Altered Component Firmware
An adversary exploits systems features and/or improperly protected firmware of hardware components, such as Hard Disk Drives (HDD), with the goal of executing malicious code from within the component's Master Boot Record (MBR). Conducting this type of attack entails the adversary infecting the target with firmware altering malware, using known tools, and a payload. Once this malware is executed, the MBR is modified to include instructions to execute the payload at desired intervals and when the system is booted up. A successful attack will obtain persistence within the victim system even if the operating system is reinstalled and/or if the component is formatted or has its data erased.
Last updated
Overview
CAPEC-638 (Altered Component Firmware) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Select Target] The adversary searches for a suitable target to attack, such as government and/or private industry organizations.
- Conduct reconnaissance to determine potential targets to exploit.
- Step 2Explore
[Identify Components] After selecting a target, the adversary determines whether a vulnerable component, such as a specific make and model of a HDD, is contained within the target system.
- [Remote Access Vector] The adversary gains remote access to the target, typically via additional malware, and explores the system to determine hardware components that are being leveraged.
- [Physical Access Vector] The adversary intercepts components in transit and determines if the component is vulnerable to attack.
- Step 3Experiment
[Optional: Create Payload] If not using an already existing payload, the adversary creates their own to be executed at defined intervals and upon system boot processes. This payload may then be tested on the target system or a test system to confirm its functionality.
- Step 4Exploit
[Insert Firmware Altering Malware] Once a vulnerable component has been identified, the adversary leverages known malware tools to infect the component's firmware and drop the payload within the component's MBR. This allows the adversary to maintain persistence on the target and execute the payload without being detected.
- The adversary inserts the firmware altering malware on the target component, via the use of known malware tools.
- [Physical Access Vector] The adversary then sends the component to its original intended destination, where it will be installed onto a victim system.
What the attacker needs
Prerequisites
- Advanced knowledge about the target component's firmware
- Advanced knowledge about Master Boot Records (MBR)
- Advanced knowledge about tools used to insert firmware altering malware.
- Advanced knowledge about component shipments to the target organization.
Skills required
- High skill: Ability to access and reverse engineer hardware component firmware.
- High skill: Ability to intercept components in transit.
- Medium skill: Ability to create malicious payload to be executed from MBR.
- Low skill: Ability to leverage known malware tools to infect target system and insert firmware altering malware/payload
Resources required
- Manufacturer source code for hardware components.
- Malware tools used to insert malware and payload onto target component.
- Either remote or physical access to the target component.
Consequences
What a successful CAPEC-638 attack can achieve.
Gain Privileges, Execute Unauthorized Commands, Bypass Protection Mechanism, Hide Activities
Affects: Authentication, Authorization
Read Data, Modify Data
Affects: Confidentiality, Access Control
How to mitigate it
Defenses that reduce the risk of CAPEC-638.
- Leverage hardware components known to not be susceptible to these types of attacks.
- Implement hardware RAID infrastructure.
How to detect it
Indicators that this attack may be underway.
- Output observed from processes, API calls, or Self-Monitoring, Analysis and Reporting Technology (SMART) may provide insight into malicious modifications of MBRs.
- Digital forensics tools may produce output that indicates an attack of this nature has occurred. Examples include unexpected disk partitions and/or unusual strings.
Examples
In 2014, the Equation group was observed levering known malware tools to conduct component firmware alteration attacks against hard drives. In total, 12 HDD categories were shown to be vulnerable from manufacturers such as Western Digital, HGST, Samsung, and Seagate. Because of their complexity, only a few victims were targeted by these attacks. [REF-664]
Terminology & mappings
Mapped taxonomies
- ATTACK: Pre-OS Boot:Component Firmware (1542.002)
Frequently asked questions
Common questions about CAPEC-638.
- What is CAPEC-638?
- An adversary exploits systems features and/or improperly protected firmware of hardware components, such as Hard Disk Drives (HDD), with the goal of executing malicious code from within the component's Master Boot Record (MBR). Conducting this type of attack entails the adversary infecting the target with firmware altering malware, using known tools, and a payload. Once this malware is executed, the MBR is modified to include instructions to execute the payload at desired intervals and when the system is booted up. A successful attack will obtain persistence within the victim system even if the operating system is reinstalled and/or if the component is formatted or has its data erased.
- How does a Altered Component Firmware attack work?
- It typically unfolds over 4 phases. It begins with: [Select Target] The adversary searches for a suitable target to attack, such as government and/or private industry organizations.
- How do you prevent CAPEC-638?
- Leverage hardware components known to not be susceptible to these types of attacks.
- How severe is CAPEC-638?
- MITRE rates CAPEC-638 as Very High severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-638
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.