Conference:  Black Hat Asia 2023

Authors: Vlad Babkin, Nate Warfield

2023-05-11

The global IT supply chain is under a heavy spotlight, amidst covid-impacted production shortages, work-from-home policies, geopolitical tensions, and an overall re-balkanization of technology design and production. The 2020 SolarWinds attacks brought the real-world risk of a supply chain attack to the forefront. More commonly overlooked, however, is the risk posed by enterprise devices and the firmware which controls them. These systems exist in highly privileged areas of the computing industry, and due to both their mission criticality and difficulty in patching are mostly forgotten - but not to attackers. We'll reveal new research which began with a ransomware group and ended with a significant coordinated disclosure effort to remediate vulnerabilities discovered at the top of the firmware supply chain. The vulnerabilities we found are in an industry-standard management API, easily exploitable but well-hidden, and it took a data exposure before they were discovered. The access afforded by the exploitation of these flaws can provide an attacker with permanent administrative access to millions of servers worldwide. We will discuss how low-level attacks, once relegated only to nation-states, are being added to the arsenal of cybercriminals and ransomware groups. The talk will also highlight the challenges posed to organizations in assessing their firmware risk and the importance of accountability for the modern technology supply chain.Please note that this will be a remote (virtual) presentation.