Description
Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.
In general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in Data Destruction.
Platforms
Mitigations (3)
Update SoftwareM1051
Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.
Privileged Account ManagementM1026
Prevent adversary access to privileged accounts or access necessary to replace system firmware.
Boot IntegrityM1046
Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification.
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0606 | Bad Rabbit | Malware | [Bad Rabbit](https://attack.mitre.org/software/S0606) has used an executable that installs a modified bootloader to prevent normal boot-up.(Citation: ... |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) module "Trickboot" can write or erase the UEFI/BIOS firmware of a compromised device.(Citation: Ec... |
References
- CISA. (2022, April 28). Alert (AA22-057A) Update: Destructive Malware Targeting Organizations in Ukraine. Retrieved July 29, 2022.
- U.S. Department of Homeland Security. (2016, August 30). The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. Retrieved July 29, 2022.
- Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016.
- Yamamura, M. (2002, April 25). W95.CIH. Retrieved April 12, 2019.
Frequently Asked Questions
What is T1495 (Firmware Corruption)?
T1495 is a MITRE ATT&CK technique named 'Firmware Corruption'. It belongs to the Impact tactic(s). Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the a...
How can T1495 be detected?
Detection of T1495 (Firmware Corruption) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1495?
There are 3 documented mitigations for T1495. Key mitigations include: Update Software, Privileged Account Management, Boot Integrity.
Which threat groups use T1495?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.