The invisible threat: ‘below the OS’ cyber attacks revealed

During Easter 2015, a team of six broke into the vault of the Hatton Garden safe deposit, making off with an estimated £14 million in gold, cash and jewels.¹ Photographs released in the days after the raid showed that the huge vault door had been left untouched by the crew, who instead drilled through the concrete walls.

Those images provided a reminder that security systems are not defined by their strongest components – which can create a misleading sense of safety – but by the weakest link of the chain.

In the cyber world, rather than steel doors and time locks, we have threat intelligence, cloud, data and malware protection. But just like the criminals behind the Hatton Garden raid, hackers are constantly looking for ways to bypass these barriers.

The foundation of security

When you think of the programs run on your computer, you probably think of those you access once the operating system (OS) is running.

But before you reach that environment, software called the basic input/output system (BIOS), or its modern version, the unified extensible firmware interface (UEFI), initialises memory, configures the chipset on the motherboard and enforces customer-specific configuration settings.

The BIOS/UEFI boot process is the foundation on which all subsequent applications are built.

Going deeper underground

Attacks targeting firmware are called ‘below the OS’ attacks.² For an attacker, firmware is a high-value target, since short of taking the computer chip apart it’s the lowest level of the computer that can be manipulated. From the user’s side, two characteristics make these attacks particularly concerning.

First, antivirus and anti-malware has virtually no ability to scan the pre-boot environment, potentially allowing BIOS/UEFI malware to go undetected.³ Second, even if a firmware attack is suspected, the conventional fix of reformatting the hard drive or reinstalling the OS wouldn’t prevent the malware from reinstalling itself, since the firmware would remain unchanged.

Historically, below-the-OS attacks were thought to be rare, since attacks must be tailored for specific models of PCs.

However, Kapersky* research from 2022⁴ revealed that this assumption may be wishful thinking, with one malicious UEFI-based rootkit called CosmicStrand having existed since 2016, long before UEFI attacks were being publicly described. Microsoft* research from 2021⁵ found more than 80% of enterprises experienced at least one firmware attack in the past two years.

Cryptographic firmware verification

The possibility of compromised firmware creates a conundrum for computer security: how can integrity be verified if unauthorised changes are made before software protection is initiated?

The answer lies in a tightly controlled chain of events that begin as soon as a PC comes out of reset and continues until handover to the OS – each verified by a dedicated piece of hardware known as a trusted platform module (TPM). A TPM, which is one example of hardware-assisted security (HAS), comprises several capabilities, each defined by an international standard.⁶

While TPMs play several roles including digital rights management and enforcement of software licences, their primary function is to ensure the integrity of the pre-OS environment.

This is done by cryptographically verifying each step of the pre-OS process via either hashes (a one-way mathematical function creating an encrypted version of the input) or digital signatures (a code authenticated by public key encryption), restricting firmware changes to those digitally signed by a key recognised by the TPM.

End-to-end security

TPMs don’t by themselves ensure the security of a computer, but they can help maintain the foundation on which the wider security platform is built. Windows 11 requires a TPM 2.0 chip, which should help accelerate firmware protection.

In the battle against increasingly sophisticated cyber attackers – with 76% of organisations responding to one survey⁷ stating they were hacked at least once in 2021 – it’s clear firmware is an active target. And organisations are responding by investing in HAS: a 2022 Intel* study⁸ found 36% are making use of HAS, but 47% planned to adopt it in 2023.

As the operators of the Hatton Garden safe deposit discovered, it’s all too easy to have faith in an impenetrable door until an attacker finds another way in.

*For illustrative purposes only. Reference to a particular security is on a historic basis and does not mean that the security is currently held or will be held within an LGIM portfolio. The above information does not constitute a recommendation

1. Source: https://www.independent.co.uk/news/uk/crime/hatton-garden-heist-latest-brian-reader-terry-perkins-john-kenny-collins-daniel-jones-14-million-goods-safe-deposit-boxes-woolwich-crown-court-london-a8163101.html

2. Source: https://www.delltechnologies.com/asset/en-us/products/security/industry-market/dell-trusted-device-below-the-os-whitepaper.pdf

3. Source: Source: https://blog.designdata.com/unified-extensible-firmware-interface

4. Source: https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/

5. Source: https://www.microsoft.com/en-us/security/blog/2021/03/30/new-security-signals-study-shows-firmware-attacks-on-the-rise-heres-how-microsoft-is-working-to-help-eliminate-this-entire-class-of-threats/

6. Source: https://www.iso.org/standard/66512.html

7. Source: https://go.veeam.com/ransomware-trends-executive-brief-2022-emea

8. Source: https://www.intc.com/news-events/press-releases/detail/1538/intel-study-secure-systems-start-with-hardware