T1495 Firmware Corruption

Adversaries may overwrite or corrupt the flash memory contents of the system BIOS or of other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability of the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.

In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in Data Destruction.
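The integrity-checking controls mapped to this technique (for example DE.CM-09.01 and DE.CM-09.02 below) come down to one operational question: before a firmware image is trusted or re-flashed, does it still match a known-good baseline? The following Python check is an added illustration and is not part of the ATT&CK, CRI, or NIST material on this page. The image layout (magic, version, payload length, CRC32), the manifest format, the HMAC key, and all sample bytes are constructed for this example; real vendors use their own formats and signature schemes. It separates the two failure modes a defender cares about: accidental corruption (caught by the CRC) and deliberate tampering, including a downgrade or a doctored manifest (caught by the baseline hash and the authenticated manifest).

```python
"""Firmware baseline integrity check (added example, constructed formats)."""
import hashlib
import hmac
import struct
import zlib

# Constructed image layout for this example: magic, version, payload length, CRC32 of payload.
MAGIC = b"FWIM"
HEADER = struct.Struct("<4sHII")

# Constructed key for authenticating the baseline manifest. In practice this would be
# sealed in a TPM/HSM or replaced by a vendor signature, never kept in source.
MANIFEST_KEY = b"example-manifest-key-not-for-real-use"


def build_image(version: int, payload: bytes) -> bytes:
    """Assemble a sample image in the constructed format (test fixture only)."""
    return HEADER.pack(MAGIC, version, len(payload), zlib.crc32(payload)) + payload


def _manifest_mac(sha256_hex: str, min_version: int, key: bytes) -> str:
    """HMAC over the manifest fields so a tampered manifest cannot vouch for a tampered image."""
    msg = f"{sha256_hex}:{min_version}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_baseline(image: bytes, min_version: int, key: bytes) -> dict:
    """Record a known-good image as an authenticated baseline manifest."""
    sha = hashlib.sha256(image).hexdigest()
    return {"sha256": sha, "min_version": min_version, "mac": _manifest_mac(sha, min_version, key)}


def verify_image(image: bytes, baseline: dict, key: bytes) -> list[str]:
    """Check an image against the baseline; an empty list means it is acceptable."""
    # Authenticate the manifest first: an unauthenticated baseline proves nothing.
    expected = _manifest_mac(baseline["sha256"], baseline["min_version"], key)
    if not hmac.compare_digest(expected, baseline["mac"]):
        return ["baseline manifest failed authentication"]
    if len(image) < HEADER.size:
        return ["image shorter than header"]

    findings = []
    magic, version, length, crc = HEADER.unpack_from(image)
    payload = image[HEADER.size:]
    if magic != MAGIC:
        findings.append("bad magic")
    # Structural checks catch truncation and accidental corruption ...
    if len(payload) != length:
        findings.append(f"payload length {len(payload)} != header {length}")
    elif zlib.crc32(payload) != crc:
        findings.append("payload CRC mismatch")
    # ... while the version floor and baseline hash catch deliberate downgrade or replacement.
    if version < baseline["min_version"]:
        findings.append(f"version {version} below baseline minimum {baseline['min_version']}")
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), baseline["sha256"]):
        findings.append("SHA-256 differs from baseline")
    return findings


# Constructed known-good image and its baseline.
SAMPLE_PAYLOAD = b"bootloader-stage1" * 8
GOOD_IMAGE = build_image(3, SAMPLE_PAYLOAD)
BASELINE = make_baseline(GOOD_IMAGE, min_version=3, key=MANIFEST_KEY)


def corrupted_image() -> bytes:
    """Constructed case: one payload byte flipped, as a failed or malicious flash might leave it."""
    img = bytearray(GOOD_IMAGE)
    img[HEADER.size + 3] ^= 0xFF
    return bytes(img)


if __name__ == "__main__":
    cases = {
        "known-good": GOOD_IMAGE,
        "corrupted": corrupted_image(),
        "truncated": GOOD_IMAGE[:-5],
        "downgraded": build_image(2, SAMPLE_PAYLOAD),
    }
    for name, img in cases.items():
        print(f"{name}: {verify_image(img, BASELINE, MANIFEST_KEY) or 'OK'}")
    forged = dict(BASELINE, sha256="00" * 32)
    print("forged manifest:", verify_image(GOOD_IMAGE, forged, MANIFEST_KEY))
```

A CRC alone is not an integrity control against an adversary, because the adversary who rewrites the payload can rewrite the CRC; the baseline hash must therefore come from a manifest the attacker cannot alter, which is why the manifest is authenticated before any image field is believed.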


CRI Profile Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-06.06 | Vulnerability remediation | Mitigates | T1495 | Firmware Corruption | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Checking the integrity of the existing BIOS or EFI to determine whether it is vulnerable to modification, and updating the firmware, can mitigate the risk of exploitation and/or abuse. |
| PR.AA-05.02 | Privileged system access | Mitigates | T1495 | Firmware Corruption | This diagnostic statement protects against Firmware Corruption through privileged account management and the use of multi-factor authentication. |
| DE.CM-09.01 | Software and data integrity checking | Mitigates | T1495 | Firmware Corruption | This diagnostic statement protects against Firmware Corruption by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures. |
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1495 | Firmware Corruption | This diagnostic statement provides protection from Firmware Corruption through the implementation of integrity checking mechanisms. For example, verifying the integrity of the operating system, software, firmware, and information before loading it prevents abuse by a threat actor. |
| ID.RA-01.03 | Vulnerability management | Mitigates | T1495 | Firmware Corruption | This diagnostic statement provides protection from vulnerabilities in exposed applications across the organization through tools that scan for and review vulnerabilities, along with patch management and remediation of those vulnerabilities. |
| DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1495 | Firmware Corruption | This diagnostic statement addresses measures for managing configuration integrity and unauthorized changes, which can mitigate the risk of adversary techniques that attempt to change how hardware, software, and firmware operate. |
| PR.PS-02.01 | Patch identification and application | Mitigates | T1495 | Firmware Corruption | This diagnostic statement relates to the implementation of a patch management program. Applying vendor-provided patches and upgrades for products and systems mitigates the risk of adversaries exploiting known vulnerabilities. For example, patching the BIOS and other firmware can help prevent adversaries from overwriting or corrupting firmware. |
| PR.PS-01.03 | Configuration deviation | Mitigates | T1495 | Firmware Corruption | This diagnostic statement provides protection from Firmware Corruption through the implementation of security configuration baselines for the OS and software, file integrity monitoring, and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify firmware and its configuration. |
| PR.IR-01.06 | Production environment segregation | Mitigates | T1495 | Firmware Corruption | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict adversary movement, and protect critical assets and data from compromise. |

NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1495 | Firmware Corruption | |
| CM-05 | Access Restrictions for Change | mitigates | T1495 | Firmware Corruption | |
| SA-10 | Developer Configuration Management | mitigates | T1495 | Firmware Corruption | |
| IA-07 | Cryptographic Module Authentication | mitigates | T1495 | Firmware Corruption | |
| RA-09 | Criticality Analysis | mitigates | T1495 | Firmware Corruption | |
| SI-02 | Flaw Remediation | mitigates | T1495 | Firmware Corruption | |
| CM-08 | System Component Inventory | mitigates | T1495 | Firmware Corruption | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1495 | Firmware Corruption | |
| CM-02 | Baseline Configuration | mitigates | T1495 | Firmware Corruption | |
| SA-11 | Developer Testing and Evaluation | mitigates | T1495 | Firmware Corruption | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1495 | Firmware Corruption | |
| AC-02 | Account Management | mitigates | T1495 | Firmware Corruption | |
| AC-03 | Access Enforcement | mitigates | T1495 | Firmware Corruption | |
| AC-05 | Separation of Duties | mitigates | T1495 | Firmware Corruption | |
| AC-06 | Least Privilege | mitigates | T1495 | Firmware Corruption | |
| CM-03 | Configuration Change Control | mitigates | T1495 | Firmware Corruption | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1495 | Firmware Corruption | |
| attribute.availability.variety.Destruction | Destruction | related-to | T1495 | Firmware Corruption | |
| attribute.availability.variety.Interruption | Interruption | related-to | T1495 | Firmware Corruption | |
| attribute.availability.variety.Loss | Loss | related-to | T1495 | Firmware Corruption | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1495 | Firmware Corruption | Google Security Ops is able to trigger an alert based on suspicious logs that could indicate tampering with a component's firmware (e.g., it detects a driver load from a temporary directory). This technique was scored as minimal based on a low or uncertain detection coverage factor. Reference rule: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_driver_load_from_temp.yaral |