
‘Fileless’ Malware Hides in Server Hardware Components, Stealing Silently


A routine update for the popular clean-up utility CCleaner erupted into a supply-chain scandal in September 2017. Millions of users downloaded the latest version of the disk clean-up program as prescribed, and with it, malware: the signed installer for version 5.33 had been built with a backdoor injected into it. Avast, which owns the CCleaner brand, confirmed the breach after outside researchers reported the tainted build, and found that the attackers had been inside the vendor's build servers for months without detection.

The servers belonged to Piriform, the software company Avast acquired along with CCleaner in July 2017. Avast's investigation showed the intruders had compromised Piriform's build infrastructure before the deal closed, so the malware came bundled with the acquisition. Not the value add Avast wanted.

Either way, the CCleaner debacle has two teachable lessons.

  • Anyone can get hacked, even companies that wrote the book on cybersecurity.
  • Fileless malware is a problem that affects a lot of business infrastructure.

What makes hardware malware different?

Fileless malware is more patient, and the term is loose here: what makes this class of malware dangerous is that it leaves no executable on disk for a scanner to find. It gains access by mimicking an update to Flash or to device firmware and tricking users into a download. Once inside, the payload deploys in stages. The final stage bypasses the OS and application layers of the computer and writes itself into the nonvolatile firmware of a motherboard component: the system's UEFI/BIOS flash, the baseboard management controller, or a network or storage controller. From that position an attacker can disable security software, read the hard drives, survive an operating system reinstall, and steal in silence.

That is the opposite of most of the hacks we have seen in the past three decades. Conventional malware hijacks applications and operating systems, arriving over the internet through a network port. An antivirus scan looks for known file signatures and suspicious process behaviour; it pays little attention to component firmware.

Elegant throwback to classic cyberattacks

Programs designed to attack PC hardware components resemble old-school viruses. Elk Cloner, written for the Apple II in 1982, loaded itself into memory from the boot sector of an infected floppy disc and copied itself onto any other disc inserted afterward. It spread from disc to disc, hiding behind a simple game. On every 50th boot of an infected disc, you received a poem instead.

This poetry-ware is generally regarded as the first boot sector virus found in the wild.

Fake firmware targets business systems

Earlier in the year Apple removed Super Micro servers from its Siri development infrastructure after a server firmware update was found to be laced with malware. Technology news site The Information broke the story:

A previously undisclosed investigation by Apple into a problem found in a data center server highlights the potential vulnerability of key hardware in IT infrastructure. The investigation focused on Apple’s relationship with San Jose-based Super Micro Computer, causing Apple to return computers it bought from Super Micro.

The past year's headline breaches, at the Democratic National Committee, the SEC, and Dyn to name a few, show how much infrastructure is under attack, but none of them has been publicly attributed to a firmware implant: the DNC intrusion started with phishing, the SEC breach exploited a flaw in its EDGAR filing system, and Dyn was knocked offline by the Mirai IoT botnet. Component-level attacks are the quieter threat behind those headlines.

This is why Google designs its own server components

No brand of x86 server is immune. HPE, Dell, Super Micro, Lenovo, and every other OEM server share common components inside the chassis. Furthermore, components from different brands may be built around the same hardware controller silicon and firmware, so a flaw in one controller can surface across many product lines.

HPE estimates one in five OEM platforms are currently vulnerable to known threats.

Hardware security concerns led Google to design its own server parts, including a custom security chip. In addition to bringing chip design in-house, Google devised a way of authenticating each server and everything networked to it on every boot.

Root of trust authentication coming to server hardware

Security experts call Google's method a hardware root of trust. A small, immutable component, the first thing to run when power is applied, checks the cryptographic signature of the next stage, the firmware, before letting it execute; the firmware checks the bootloader, and the bootloader checks the operating system. Each link in the chain is verified by the one before it, so a modified firmware image never runs. Because the root lives in silicon rather than rewritable flash, an attacker who gets into the firmware cannot alter the check that would catch them. The same chain can record a measurement of every stage that ran, and a remote verifier compares that record against known-good values before admitting the machine to the network. That is how Google authenticates computers on every boot.

What if you can’t build your own chips?

HPE is building its own hardware security authentication into Gen10 ProLiant servers. A feature set HPE calls Security Assurance builds the root of trust into the HPE iLO 5 management controller on the system board: a fingerprint burned into the iLO silicon verifies the iLO firmware, which in turn verifies the system's UEFI/BIOS before the host processors are allowed to boot. If either image has been altered, the server refuses to run it, and iLO can restore a known-good copy.
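To make the chain-of-trust idea concrete for both Google's root of trust and HPE's iLO-anchored check above, here is a toy verified-boot chain with a measured-boot register. It is an added example, not Google's or HPE's code, and it simplifies in one way that is labelled in the code: each stage pins the SHA-256 of the stage it hands off to, where real firmware verifies a signature against a pinned public key. The stage names, images and the implant function are constructed samples.

```python
# Added example (not Google's or HPE's code): a toy verified-boot chain with a
# measured-boot register. Hash pins stand in for the signature checks real
# firmware performs; the stage names and images below are constructed samples.
import hashlib
from typing import List, Optional, Tuple

PIN_TAG = b"\nNEXT="      # separates a stage's code from the hash it pins for the next stage
PCR_INIT = "00" * 32      # the measurement register starts at zero, as a TPM PCR does


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_stage(code: bytes, next_image: Optional[bytes]) -> bytes:
    """Build a stage image: its code followed by the hash of the stage it hands off to.
    Because the pin is part of the image, changing the pin changes this stage's own hash."""
    pin = sha256(next_image) if next_image is not None else "none"
    return code + PIN_TAG + pin.encode()


def stage_name(image: bytes) -> str:
    return image.split(b"\n", 1)[0].decode()


def pinned_next(image: bytes) -> Optional[str]:
    """Read the hash this stage expects the next stage to have (None for the last stage)."""
    idx = image.rfind(PIN_TAG)
    if idx < 0:
        raise ValueError("stage image carries no pin")
    pin = image[idx + len(PIN_TAG):].decode()
    return None if pin == "none" else pin


def extend(pcr: str, measurement: str) -> str:
    """TPM-style extend: pcr <- H(pcr || measurement). Order-dependent and append-only."""
    return sha256(bytes.fromhex(pcr) + bytes.fromhex(measurement))


def boot(rom_pin: str, images: List[bytes]) -> Tuple[bool, List[str], str]:
    """Walk the chain starting from the pin held in immutable silicon.
    Every stage is measured into the register before it is checked, so an
    attestation of the final value reveals exactly what was presented to the chain.
    Returns (booted_ok, names of stages that were allowed to run, final register)."""
    pcr, expected, ran = PCR_INIT, rom_pin, []
    for image in images:
        measured = sha256(image)
        pcr = extend(pcr, measured)
        if measured != expected:
            return False, ran, pcr        # halt: this link does not match its pin
        ran.append(stage_name(image))
        expected = pinned_next(image)
        if expected is None:
            return True, ran, pcr         # last stage verified; hand off to the OS
    return False, ran, pcr                # chain ran out before a stage marked last


# Constructed sample chain: OS <- bootloader <- firmware <- pin burned into the chip.
OS_IMAGE = make_stage(b"OS kernel 4.9 (constructed sample)", None)
BOOTLOADER = make_stage(b"bootloader 2.0 (constructed sample)", OS_IMAGE)
FIRMWARE = make_stage(b"UEFI firmware 1.3 (constructed sample)", BOOTLOADER)
ROM_PIN = sha256(FIRMWARE)                # the value that must live in immutable silicon
GOOD_CHAIN = [FIRMWARE, BOOTLOADER, OS_IMAGE]


def implant(image: bytes) -> bytes:
    """Simulate a firmware implant: patch one byte but keep the pin, so the chain looks intact."""
    return image.replace(b"(constructed", b"(cXnstructed", 1)


if __name__ == "__main__":
    print("clean boot:", boot(ROM_PIN, GOOD_CHAIN)[:2])
    print("implanted firmware:", boot(ROM_PIN, [implant(FIRMWARE), BOOTLOADER, OS_IMAGE])[:2])
    print("implanted bootloader:", boot(ROM_PIN, [FIRMWARE, implant(BOOTLOADER), OS_IMAGE])[:2])
```

Two things worth noticing when you run it. A patched firmware image fails at the very first link and nothing runs, while a patched bootloader lets the firmware run and then halts, so the list of stages that ran tells you where the chain broke. And if the attacker can rewrite the pin as well as the firmware (that is, the pin lives in the same writable flash), the tampered chain passes, which is exactly why Google and HPE put the root in silicon.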

HPE ProLiant Gen10 server family


Microserver, Rackmount, and Tower form factors for the latest generation of HPE servers.

Compare the HPE ProLiant product line on NeweggBusiness + deep reading on hardware security: Gen10 ProLiant technical sheet (24 pages)


Adam Lovinus

A tech writer and Raspberry Pi enthusiast from Orange County, California.
