Saturday, October 23, 2021

3 Ways In Which An IC Board Can Be Hijacked & Used In A Cyberattack

The recent Solar Winds attack highlighted one very important trend in the Cyber Threat Landscape: supply chain attacks.  When one first hears this term, images of Cyberattacks on logistics companies such as FedEx or UPS often come to mind.

But what I really mean is that in these instances, all the Cyberattacker needs to do is find one weak spot, exploit it, and from there deliver the malicious payload to thousands of victims.

In the case of Solar Winds, the Cyberattacker group was able to infiltrate through weaknesses in one of the company's remote management tools, and as its customers downloaded the latest version, they were infected by the malware.

In fact, there were many victims in this scenario, ranging from some of the major agencies in the Federal Government to some of the largest of the Fortune 500 companies.

This trend has been further substantiated by a recent study conducted by the Identity Theft Resource Center, also known as the “ITRC”.  Their research project is entitled “ITRC 2020 Data Breach Report”, and it found that there was at least a 42% increase in the total number of supply chain attacks in the first quarter of this year compared with any period before.

But now that breaking into digital assets has become the norm, and knowing that those assets are being more closely watched, the Cyberattacker of today is going after something that is not so well protected.

According to this report, they are trying to infiltrate the actual hardware itself, focusing upon the legacy systems of Critical Infrastructure, on a scale of devastation that could far surpass that of the Colonial Gas Pipeline attack.

How is this being done?  It is being done in the firmware itself, and these have become technically known as “Extensible Firmware Interface”, or “EFI”, Cyberattacks.  Here are three plausible scenarios that are quite likely to happen:

*IC Cloning:

This refers to the integrated circuit boards that reside in your workstation, wireless device, or even your smartphone.  The good news here is that this technology is advancing on a daily basis and has become quite complex in nature.  Thus, it makes little sense for the Cyberattacker to target these items, because by the time they figure one out, the technology has progressed to the next level of sophistication.  But this does not mean that the integrated circuit boards of legacy-based systems cannot be a target.  For instance, when the Critical Infrastructure was being built out in the 60s, 70s and even the 80s, the thought of a Cyberattack never crossed anybody’s mind.  Rather, the main security concern back then was physical access, such as an impostor gaining access to the controls.  Thus, there is really no security per se on these systems, which makes them such an easy target.  Even if a company were to attempt to secure them from Cyberattacks, it is no easy proposition to undertake.  The integrated circuit boards are deeply embedded in the other hardware of the Critical Infrastructure, and because of that, you simply cannot rip them out and put new ones in.  Trying to implement newer layers of security tools on top of them is also a dicey issue, as there will have to be a very strong level of interaction between those tools and the integrated circuit board that is being used.

*The degradation of the signing key:

This is actually part of the encryption process, and it is widely used to confirm that a message sent from the point of origination to the point of destination has indeed remained intact and has not been altered or changed in any way, shape, or form.  While this process is deemed to be secure enough, the keys that are used are still at grave risk of being stolen by a Cyberattacker and compromised in such a way that a piece of malicious software can still look legitimate and safe to the end user.  In fact, this is in part how the Solar Winds attack actually took place.  This sort of integrity checking mechanism has traditionally been used for the protection of digital assets, but it can also be used for hardware components in the Critical Infrastructure.  As a result, one of the fail-safes that has been implemented is that if one of the keys has been compromised in any way, then the other key that was used must be revoked, or in simpler terms, should “self-destruct”.  However, this is rarely tested on a real-time basis, and because of that, if it were ever to be relied upon in an integrated circuit board setting, it could take a very long time (we are talking weeks here) before such a breach would ever be noticed.
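The two points in that paragraph, that an integrity check only protects the end user if the verifier also refuses keys that have been revoked, and that the revocation fail-safe is worthless unless it is actually exercised, can be shown in a few lines.  The following is an added example written for this post, not code from the original article or from any vendor: it checks a firmware image against a manifest, consults a revocation list before trusting the tag, and includes a drill routine that proves the revocation path works.  An HMAC-SHA256 tag stands in for the asymmetric signature a real signing process would use, and the key registry, key ids (`fw-key-2019`, `fw-key-2021`) and firmware bytes are all constructed placeholders.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed demo key registry.  In a real deployment the signing keys would live
# in an HSM or secure element; these byte strings are placeholders for illustration.
SIGNING_KEYS = {
    "fw-key-2019": b"constructed-demo-key-2019-do-not-use",
    "fw-key-2021": b"constructed-demo-key-2021-do-not-use",
}

# The "self-destruct" list: key ids that no verifier may trust any longer.
REVOKED_KEYS = {"fw-key-2019"}


def sign_image(image: bytes, key_id: str) -> dict:
    """Produce a manifest binding the firmware image to a keyed integrity tag.

    HMAC-SHA256 stands in for an asymmetric signature.  The key id is recorded
    so the verifier can consult the revocation list at install time.
    """
    key = SIGNING_KEYS[key_id]
    return {
        "key_id": key_id,
        "sha256": hashlib.sha256(image).hexdigest(),
        "tag": hmac.new(key, image, hashlib.sha256).hexdigest(),
    }


def verify_image(image: bytes, manifest: dict, revoked=None) -> Tuple[bool, str]:
    """Check an image against its manifest and return (accepted, reason).

    Order matters: the revocation check runs before the integrity check, so a
    perfectly valid tag made with a stolen, since-revoked key is still rejected.
    """
    revoked = REVOKED_KEYS if revoked is None else revoked
    key_id = manifest.get("key_id")
    if key_id not in SIGNING_KEYS:
        return False, "unknown key id"
    if key_id in revoked:
        return False, "signing key revoked"
    expected = hmac.new(SIGNING_KEYS[key_id], image, hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check itself leaks nothing by timing.
    if not hmac.compare_digest(expected, manifest.get("tag", "")):
        return False, "integrity check failed"
    return True, "ok"


def revocation_drill() -> bool:
    """Exercise the fail-safe on a schedule instead of trusting it on the day.

    Signs a throwaway image with every revoked key and confirms the verifier
    refuses each one.  Returns True only if every revoked key is actually rejected.
    """
    probe = b"revocation-drill-probe"
    for key_id in REVOKED_KEYS:
        accepted, reason = verify_image(probe, sign_image(probe, key_id))
        if accepted or reason != "signing key revoked":
            return False
    return True


if __name__ == "__main__":
    firmware = b"CONSTRUCTED FIRMWARE IMAGE v2.1"  # stand-in for a real image
    manifest = sign_image(firmware, "fw-key-2021")
    print("genuine image:", verify_image(firmware, manifest))
    print("tampered image:", verify_image(firmware + b"\x90", manifest))
    old = sign_image(firmware, "fw-key-2019")  # produced before that key was revoked
    print("image from revoked key:", verify_image(firmware, old))
    print("revocation drill passed:", revocation_drill())
```

The drill is the part that addresses the author's complaint that the fail-safe is "rarely tested": run it from a scheduled job on every verifier in the fleet, and a verifier whose revocation list never arrived, or whose check order is wrong, shows up as a failed drill rather than weeks later as an accepted malicious image.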

*The threat of an insider attack:

I have written about this topic many times before in previous blogs.  The bottom line is that this kind of Cyberattack is extremely hard to detect until it is too late.  You can screen and vet all of your employees as much as you think is necessary, but there is no guarantee that a disgruntled employee won’t cause serious damage to your legacy-based systems, especially your integrated circuit boards.  Of course, this also hinges on the fact that they have to really know what they are doing, and are launching their attack in phases, in a covert manner.  Also, there is a fine line that has to be walked here, as you do not want to spread paranoia in your company that “Big Brother” is watching.  Because of this, many firms are now opting to implement the Zero Trust Framework, in which absolutely nobody is trusted until they are completely verified and authenticated.  In this regard, probably one of the best lines of defense that you can implement is to deploy a 24 X 7 X 365 hotline, through which suspicious or abnormal behavior can be reported anonymously.

My Thoughts On This:

IMHO, attacks on Critical Infrastructure are only going to get much worse than what we have already seen.  We really need to take the time to deploy some sort of protective layers on these systems.  But this does not mean that we do things in a haphazard fashion.  Every layer of security must first be tested in a sandboxed environment before it is released into the production environment.

If this is not followed, more mayhem and fallout could happen because the interoperability simply did not exist, thus making a grave situation even worse by giving the Cyberattacker newer avenues through which to infiltrate the legacy-based integrated circuit board.
