In the Shadow of Sunburst: Hunting for Firmware Persistence in the Context of Supply Chain Attack IR
Security Boulevard – Eclypsium
In the wake of the Sunburst attack, IR and threat hunting are more important than ever, and firmware should be a key part of these efforts. As organizations continue to uncover the magnitude of these events, it is time to consider persistence and stealth techniques that reach below the OS. The adversary in question has already demonstrated a focus on stealth, evasiveness, and persistence, and security teams must anticipate that the threat actor may turn to alternative tactics in order to survive IR efforts. In this context, firmware persistence is a highly coveted way of achieving both that persistence and that evasion.

Recommendations for Network Devices
- Verify firmware integrity of suspect devices
- Verify vendor-provided security features are enabled
- Change credentials for access and remote management
- Verify device configuration
- Establish independent baselines for devices

Recommendations for Windows or PC Devices
- Verify firmware of suspect devices
- Monitor for anomalous firmware behavior
- Assess devices for firmware vulnerabilities and device misconfigurations
- Establish baselines for replacement devices
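Both recommendation lists come down to the same defensive loop: record a trusted baseline (firmware hash plus which vendor protections were enabled) for each device, then compare later scans against it and flag drift. The script below is an added example written for this summary, not code from Eclypsium or the original article; the device names, firmware bytes and feature names are constructed stand-ins, and in practice the image bytes would come from a firmware dump or the vendor's signed image.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed sample firmware images standing in for dumped BIOS / SPI-flash or
# network-device firmware regions. A real baseline hashes the vendor image or a
# dump taken from a known-good device.
KNOWN_GOOD_IMAGE = b"VENDOR-FW 1.2.3 " + bytes(range(256))
# The same image with its final bytes altered, simulating a modified region.
TAMPERED_IMAGE = KNOWN_GOOD_IMAGE[:-8] + b"\xde\xad\xbe\xef" * 2

# Inventory entry: device id -> (firmware bytes, set of enabled protections).
Inventory = Dict[str, Tuple[bytes, Set[str]]]

# Constructed "golden" scan taken before the devices were exposed to the incident.
GOLDEN_INVENTORY: Inventory = {
    "router-01": (KNOWN_GOOD_IMAGE, {"signed_image_check", "secure_boot"}),
    "laptop-07": (KNOWN_GOOD_IMAGE, {"secure_boot", "bios_write_protect"}),
}


def sha256_hex(data: bytes) -> str:
    """Hash a firmware image so the baseline never needs to store the image itself."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(inventory: Inventory) -> Dict[str, dict]:
    """Record firmware hash and enabled protections per device from a trusted scan."""
    return {
        dev_id: {"sha256": sha256_hex(fw), "features": sorted(features)}
        for dev_id, (fw, features) in inventory.items()
    }


def verify_against_baseline(baseline: Dict[str, dict], observed: Inventory) -> List[Tuple[str, str]]:
    """Compare a fresh scan with the baseline and return (device, finding) pairs.

    Findings cover the three things the checklists ask for: firmware that no
    longer matches its baseline hash, a vendor protection that was enabled at
    baseline time but is now off, and devices that appear or disappear
    (e.g. a replacement device that has not been baselined yet).
    """
    findings: List[Tuple[str, str]] = []
    for dev_id, (fw, features) in observed.items():
        if dev_id not in baseline:
            findings.append((dev_id, "device_not_in_baseline"))
            continue
        if sha256_hex(fw) != baseline[dev_id]["sha256"]:
            findings.append((dev_id, "firmware_hash_mismatch"))
        for feat in baseline[dev_id]["features"]:
            if feat not in features:
                findings.append((dev_id, f"feature_disabled:{feat}"))
    for dev_id in baseline:
        if dev_id not in observed:
            findings.append((dev_id, "missing_from_scan"))
    return findings


def run_demo() -> List[Tuple[str, str]]:
    """Constructed follow-up scan: one tampered image, one protection turned off,
    one unbaselined replacement device."""
    baseline = build_baseline(GOLDEN_INVENTORY)
    observed: Inventory = {
        "router-01": (TAMPERED_IMAGE, {"signed_image_check", "secure_boot"}),
        "laptop-07": (KNOWN_GOOD_IMAGE, {"bios_write_protect"}),
        "laptop-09": (KNOWN_GOOD_IMAGE, {"secure_boot"}),
    }
    return verify_against_baseline(baseline, observed)


if __name__ == "__main__":
    for device, finding in run_demo():
        print(f"{device}: {finding}")
```

The baseline stores only hashes and feature lists, so it can be kept off the devices themselves (the "independent baseline" the network-device list asks for); a hash mismatch says the image differs from what was trusted, not why, so it is a trigger for deeper firmware analysis rather than a verdict on its own.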
Link: https://securityboulevard.com/2021/02/in-the-shadow-of-sunburst-hunting-for-firmware-persistence-in-the-context-of-supply-chain-attack-ir/