Cyberwar and the Weaponisation of Firmware
CISA's recent list of KEVs (Known Exploited Vulnerabilities) reveals an alarming trend: vulnerabilities in the supply chain of critical network and end-user devices are exploited in both state-sponsored and cybercriminal operations. While thousands of vulnerabilities are reported yearly, only 4% of them become actively exploited, and device firmware has become one of the fastest-growing vectors. Due to mission-criticality, patching complexity and complex supply chains, the exposure of vulnerable devices is measured in years, rather than the months seen for traditional application and OS vulnerabilities. This talk will highlight Eclypsium's research into the shift to this critical yet under-defended attack surface. It will cover firmware attack campaigns targeting supply chain vulnerabilities, why attacking supply chain firmware vulnerabilities provides a high ROI and tactical advantage to adversaries, and the common attack paths leveraged during exploitation.