Researcher warns of ransomware running directly on your CPU


The microcode layer that chip manufacturers use to ship fixes to their processors can also be abused to plant ransomware in one of the deepest layers of a system, below the operating system.

Christiaan Beek, a researcher at security company Rapid7, has demonstrated a way to load ransomware directly into a CPU through custom microcode updates. He warns of an underestimated risk that operates far below the operating system and out of reach of the tools that run on top of it.

Critical vulnerability

Microcode is a layer of firmware that sits between the machine instructions a program issues and the processor hardware that executes them. Chip manufacturers use it to fix bugs after a CPU has left the factory, but the same layer can be abused. The flaw that prompted the research lets an attacker load custom microcode that the processor should have rejected; the researchers who found it demonstrated it by patching the RDRAND (Read Random) instruction so that it no longer returned random values. Anything that can rewrite an instruction's behaviour at that level can also hide code from every layer above it.
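A tampered microcode patch can change what an instruction such as RDRAND actually returns without the operating system noticing. The program below is an added example, not code from the article, from Rapid7 or from Beek: it draws a batch of RDRAND outputs and flags the two degenerate behaviours a hostile patch could introduce, the instruction reporting failure (carry flag clear) or returning repeated values. The sample size and the "any duplicate is suspicious" rule are assumptions chosen here; for 256 draws of 64 bits, a genuine hardware RNG essentially never produces a collision, so a single duplicate is a strong signal.

```c
// Added example (not from the article or Rapid7): a sanity check for the
// x86 RDRAND instruction, whose behaviour a malicious microcode patch
// could alter. Collects a batch of outputs and flags degenerate results.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAMPLES 256  /* assumed batch size; any duplicate in 256 draws is suspect */

/* Returns 1 and writes a value on success, 0 if RDRAND reported no data
   (carry flag clear) or the instruction is unavailable on this build. */
static int rdrand64(uint64_t *out) {
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    unsigned char ok;
    __asm__ volatile("rdrand %0; setc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok;
#else
    (void)out;
    return 0;
#endif
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Counts distinct values among n 64-bit samples (sort, then scan). */
size_t distinct_count(const uint64_t *samples, size_t n) {
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    size_t distinct = 1;
    for (size_t i = 1; i < n; i++)
        if (copy[i] != copy[i - 1]) distinct++;
    free(copy);
    return distinct;
}

/* Verdict on a batch: 1 if degenerate (tampered or broken RNG), 0 if
   plausible. A batch too small to judge is treated as degenerate. */
int rdrand_looks_degenerate(const uint64_t *samples, size_t n) {
    if (n < 2) return 1;
    return distinct_count(samples, n) != n;
}

/* Draws up to n values from the live instruction. Returns the number
   collected; fewer than n means RDRAND signalled failure. */
size_t collect_rdrand(uint64_t *buf, size_t n) {
    size_t got = 0;
    for (size_t i = 0; i < n; i++) {
        if (!rdrand64(&buf[got])) break;
        got++;
    }
    return got;
}

int main(void) {
    uint64_t buf[SAMPLES];
    size_t got = collect_rdrand(buf, SAMPLES);
    if (got < SAMPLES) {
        printf("RDRAND unavailable or reported failure after %zu draws\n", got);
        return 2;
    }
    if (rdrand_looks_degenerate(buf, got)) {
        printf("RDRAND degenerate: %zu distinct of %zu values; suspect microcode\n",
               distinct_count(buf, got), got);
        return 1;
    }
    printf("RDRAND output looks healthy (%zu distinct values)\n", got);
    return 0;
}
```

Build on an x86-64 Linux host with `cc -O2 rdrand_check.c -o rdrand_check` and run it as an ordinary user; on other architectures the collection step reports the instruction as unavailable rather than pretending to test it. A check like this only catches a patch that degrades RDRAND; it says nothing about a patch that leaves RDRAND alone and alters something else, which is why the article's point about defending the layers above still stands.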

Beek tells The Register that he has written proof-of-concept code that mimics the process. “Of course, we’re not going to release that, but it’s fascinating. With this, you can bypass any traditional security technology we have,” he emphasizes. The chance of this being exploited in the wild is small but not zero: Beek was, after all, able to build it himself.

Better security

How attackers break in “isn’t rocket science,” he added. “What I see in many ransomware breaches: it’s a high-risk vulnerability, or companies use weak passwords without multi-factor authentication. That’s frustrating.”

What should organizations do? Beek urges everyone to focus on the basics of cybersecurity. “As an industry, we spend a lot of time and money on innovation,” he said. “But at the same time, our cyber resilience isn’t improving sufficiently.”
