Firmware corruption is an attack technique in which the adversary modifies device firmware to disrupt system functions or prevent the device from booting, often leaving the hardware permanently damaged. Conventional defences focus on firmware integrity verification (such as UEFI Secure Boot), signature verification of update packages, and BIOS write-protection mechanisms, and detect attacks by monitoring for unexpected write activity against firmware storage regions.
| Effect type | Present |
|---|---|
| Signature mimicry | ✅ |
| Behavioural transparency | ✅ |
| Data obscuration | ✅ |
| Spatiotemporal trace dilution | ✅ |
Attackers imitate legitimate firmware formats and digital signatures so that malicious code carries the hallmarks of official certification. For example, in a legitimate-update hijack the attacker builds a firmware package that follows the version-numbering scheme and carries a valid signature, so that at the level of formal verification the tampering is indistinguishable from a normal update and the attack vehicle is effectively "allowlisted" by disguise.
The attack is carried out during trusted system phases such as hardware sleep states or the firmware update flow, so that the malicious activity blends into the device's normal state transitions. For example, sleep-state persistence embeds the firmware write into the power-management sequence, evading the monitoring performed by runtime security components.
Techniques such as dynamic decryption of firmware code and encrypted communication over hardware protocols conceal the true intent of the malicious code. For instance, a firmware-level covert-channel implant uses physical-layer signal encryption and dynamic modulation so that the transmitted content cannot be parsed by conventional protocol-analysis tools.
Attack signatures are diluted through low-frequency triggering and persistence mechanisms. For example, a timed logic bomb planted in the firmware fires the destructive action at a random point months after the device enters service, or the tampering is split into many micro-operations spread across several firmware updates.
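The verification step that the signature-mimicry paragraph above describes being subverted is worth seeing concretely from the defender's side. The Go program below is an added example, not code from the original page or from any vendor: it checks a constructed firmware manifest against a pinned publisher key, binds the image bytes to the signed digest, and refuses versions no newer than the one installed. The manifest layout, field names, `bytesToSign` serialisation and the "ExampleVendor" data are assumptions made for illustration. The point it demonstrates is that a package which is well formed and carries a cryptographically valid signature is still rejected unless the signing key is one the device pins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareManifest is a constructed, hypothetical update-package header:
// the fields a verifier must bind to the signature before trusting an image.
type FirmwareManifest struct {
	Vendor    string
	Product   string
	Version   uint32   // monotonic version counter
	ImageHash [32]byte // SHA-256 of the image the manifest describes
}

// bytesToSign serialises the manifest deterministically so that one signature
// covers vendor, product, version and image hash together (assumed layout).
func (m FirmwareManifest) bytesToSign() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%x", m.Vendor, m.Product, m.Version, m.ImageHash))
}

// Verifier holds the only material the device trusts: pinned publisher keys
// and the highest version already installed.
type Verifier struct {
	TrustedKeys      []ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrUntrustedSigner = errors.New("signature does not verify under any pinned publisher key")
	ErrImageMismatch   = errors.New("image hash does not match the signed manifest")
	ErrRollback        = errors.New("manifest version is not newer than the installed version")
)

// Verify accepts an update only if the manifest signature verifies under a
// pinned key, the image hashes to the signed digest, and the version is
// strictly newer than what is installed. Format compliance alone never
// grants trust: a signature from a key the device does not pin is rejected.
func (v Verifier) Verify(m FirmwareManifest, sig, image []byte) error {
	trusted := false
	for _, pk := range v.TrustedKeys {
		if ed25519.Verify(pk, m.bytesToSign(), sig) {
			trusted = true
			break
		}
	}
	if !trusted {
		return ErrUntrustedSigner
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch
	}
	if m.Version <= v.InstalledVersion {
		return ErrRollback
	}
	return nil
}

// RunScenario exercises the verifier with constructed keys and data: a vendor
// key the device pins, a second key it does not, and an image altered after
// signing. It returns the verdict for each case.
func RunScenario() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image, version 7")
	m := FirmwareManifest{Vendor: "ExampleVendor", Product: "ExampleBoard",
		Version: 7, ImageHash: sha256.Sum256(image)}
	v := Verifier{TrustedKeys: []ed25519.PublicKey{vendorPub}, InstalledVersion: 6}

	results := map[string]error{}
	results["genuine"] = v.Verify(m, ed25519.Sign(vendorPriv, m.bytesToSign()), image)
	// Well-formed manifest with a compliant version, signed by an unpinned key.
	results["unpinned_signer"] = v.Verify(m, ed25519.Sign(otherPriv, m.bytesToSign()), image)
	// Genuine signature, but the image shipped with it no longer matches.
	results["altered_image"] = v.Verify(m, ed25519.Sign(vendorPriv, m.bytesToSign()), append(image, 0x00))
	// Genuine signature on a version no newer than the installed one.
	old := m
	old.Version = 6
	results["rollback"] = v.Verify(old, ed25519.Sign(vendorPriv, old.bytesToSign()), image)
	return results
}

func main() {
	for name, err := range RunScenario() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```

Only the `genuine` case returns `nil`; the other three are rejected for distinct reasons, which is the property a firmware update path needs to preserve regardless of how legitimate a package looks on the surface.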
| ID | Name | Description |
|---|---|---|
| S0606 | Bad Rabbit | Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.[1] |
| S0266 | TrickBot | TrickBot module "Trickboot" can write or erase the UEFI/BIOS firmware of a compromised device.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1046 | Boot Integrity | Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. |
| M1026 | Privileged Account Management | Prevent adversary access to privileged accounts or access necessary to replace system firmware. |
| M1051 | Update Software | Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0001 | Firmware | Firmware Modification | Monitor for changes made to the firmware for unexpected modifications to settings and/or data.[3] Log attempts to read/write to BIOS and compare against known patching behavior. |
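The detection row above asks for two things: monitoring firmware for unexpected modification, and logging BIOS read/write attempts so they can be compared against known patching behaviour. The Go program below is an added example, not the page's own or any product's code, showing both as concrete checks: `DiffRegions` hashes dumped firmware regions against a baseline recorded at the last authorised update and reports the regions that changed, and `Triage` runs a firmware write-event log through a policy describing expected patching (an approved updater process and a maintenance window). The log format, region names, process names, hosts, timestamps and the policy values are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"strings"
	"time"
)

// Baseline maps a firmware region name to the hex SHA-256 recorded at the last authorised update.
type Baseline map[string]string

// DiffRegions hashes a fresh dump and returns the regions whose digest no longer matches the baseline.
func DiffRegions(base Baseline, dump map[string][]byte) []string {
	var changed []string
	for name, want := range base {
		sum := sha256.Sum256(dump[name])
		if hex.EncodeToString(sum[:]) != want {
			changed = append(changed, name)
		}
	}
	return changed
}

// WriteEvent is one parsed firmware write attempt from the event log.
type WriteEvent struct {
	Time    time.Time
	Host    string
	Process string
}

// ParseEvent parses one constructed "<RFC3339 time> key=value ..." line; the bool is true only for writes.
func ParseEvent(line string) (WriteEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return WriteEvent{}, false
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return WriteEvent{}, false
	}
	ev, isWrite := WriteEvent{Time: ts}, false
	for _, f := range fields[1:] {
		switch k, v, _ := strings.Cut(f, "="); k {
		case "host":
			ev.Host = v
		case "event":
			isWrite = v == "bios_write" // reads are logged but not triaged here
		case "process":
			ev.Process = v
		}
	}
	return ev, isWrite
}

// Policy encodes "known patching behaviour": approved updaters and a UTC maintenance window [Start, End).
type Policy struct {
	AllowedProcesses map[string]bool
	WindowStartHour  int
	WindowEndHour    int
}

// Unexpected returns why a write deviates from policy, or "" if it looks like expected patching.
func (p Policy) Unexpected(ev WriteEvent) string {
	if !p.AllowedProcesses[ev.Process] {
		return "writer is not an approved updater"
	}
	if h := ev.Time.UTC().Hour(); h < p.WindowStartHour || h >= p.WindowEndHour {
		return "write outside the maintenance window"
	}
	return ""
}

// Triage runs a log through the policy and returns host -> reason for every write to escalate.
func Triage(p Policy, log string) map[string]string {
	alerts := map[string]string{}
	for _, line := range strings.Split(log, "\n") {
		if ev, ok := ParseEvent(line); ok {
			if why := p.Unexpected(ev); why != "" {
				alerts[ev.Host] = why
			}
		}
	}
	return alerts
}

// SampleLog is constructed for this example; hosts, processes and times are not real.
const SampleLog = `
2024-05-02T03:14:07Z host=ws-17 event=bios_write region=BIOS_MAIN process=vendor_fwupd
2024-05-02T03:15:22Z host=ws-17 event=bios_read region=BIOS_MAIN process=inventory_agent
2024-05-02T13:40:51Z host=ws-23 event=bios_write region=BIOS_MAIN process=vendor_fwupd
2024-05-02T02:03:09Z host=ws-41 event=bios_write region=BOOT_BLOCK process=unknown_tool
`

// DefaultPolicy is an assumed policy: only the vendor updater may write, and only 02:00-04:00 UTC.
var DefaultPolicy = Policy{AllowedProcesses: map[string]bool{"vendor_fwupd": true}, WindowStartHour: 2, WindowEndHour: 4}
```

Running `Triage(DefaultPolicy, SampleLog)` flags `ws-23` (the approved updater writing outside the window) and `ws-41` (an unapproved process writing during the window) while leaving `ws-17` alone, since its write came from the approved updater inside the window and its second event is a read. Pair the log triage with a periodic `DiffRegions` pass over fresh dumps so that a write the logging missed, for instance one embedded in a power-state transition, still surfaces as a region whose digest has drifted from the baseline.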