Microsoft in a new report is sounding the alarm about the increasing rate of firmware attacks, saying business aren’t paying enough attention to the evolving attack method that targets where sensitive information like credentials and encryption keys are stored.
According to Security Signals Report, 83% of all businesses have experienced a firmware attack in the past two years, but only 29% of security budgets are allocated to protect firmware.
The report was assembled from interviews with ore than 1,000 enterprise security decision makers from industries across the U.S., UK, Germany, China and Japan.
Those surveys found that current investment is going to security updates, vulnerability scanning and advanced threat protection solutions, but organizations are concerned about malware accessing their system and detecting threats, which indicates that firmware is more difficult to monitor and control, Microsoft said in a blog.
Firmware, which lives below the operating system, is emerging as a primary target because it is where sensitive information like credentials and encryption keys are stored in memory. Many devices in the market today don’t offer visibility into that layer to ensure that attackers haven’t compromised a device prior to the boot process or at runtime bellow the kernel. And attackers have noticed.
If that’s not enough, the National Institute of Science and Technology (NIST) has shown more than a five-fold increase in attacks against firmware in the last four years, and attackers have used this time to further refine their techniques and get ahead of software-only protections.
Yet the Security Signals study shows that awareness of this threat is lagging across industries. Even with this onslaught of firmware attacks, the study shows that SDMs believe software is three times as likely to pose a security threat versus firmware.
According to Microsoft, the study found that security teams aren’t investing in hardware-based security features, as just 36% of business invest in hardware-based memory encryption and 46% invest in hardware-based kernel protections.
The report also found that teams aren’t spending enough time on strategic work, as just 39% of security teams’ time is spent on prevention.
“The lack of proactive defense investment in kernel attack vectors is an example of this outdated model,” the Microsoft Security Team said in a blog.
The report also identified concerns with attack vectors exposed by hardware, and the company cited several recent examples.
The recent ThunderSpy attack targeted Thunderbolt ports, leveraging direct memory access (DMA) functionality to compromise devices via hardware access to the Thunderbolt controller. Another flaw, this one unpatchable, was found in the T2 security chip used in many common consumer devices. Other major firmware attacks in the last year included the RobbinHood, Uburos, Derusbi, Sauron and GrayFish attacks that exploited driver vulnerabilities.
Microsoft says it is responding to these issues with a new class of devices designed to eliminate firmware attacks called Secure-core PCs that can provide more than twice the protection rom infection that non-secured-core PCs. The company also recently announced the extension of secured-core to servers and edge devices.