Skip to main content

Bloomberg Businessweek broke a troubling story about fileless malware found on server motherboards deployed by Amazon Web Services. The servers initially belonged to Elemental, makers of boutique servers used for video compression, which Amazon purchased for its Amazon Prime Video product. AWS shipped Elemental servers to a third party cyber security company, and found a tiny rogue chip the size of a grain of sand embedded in motherboard circuitry.

The rogue chip was not part of the original motherboard design. It allowed a “stealth doorway into any network that included the altered machines,” according to the report. US intelligence sources speaking on background told Bloomberg that the servers, assembled by US-based Supermicro, were sabotaged by People’s Liberation Army operatives in China. “In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.”

Supermicro and Apple, whose servers were also affected according to the report, disputed the findings.

The largest hardware malware attack, but not the first

Last year around this time, a software update for the popular security application CCleaner erupted into a cyber scandal. Millions of users downloaded the latest version of the disk clean-up program as prescribed, and with it, a computer virus. Owner of the CCleaner brand, Avast, found the breach, discovering that it entered and lingered in host servers without detection for months.

The servers belonged to Piriform, a software development company that sold CCleaner rights and hardware to Avast. The company suspects malware came bundled with Piriform server infrastructure. Not the value add Avast wanted.

Either way, the CCleaner debacle has two teachable lessons.

  • Anyone can get hacked, even companies that wrote the book on cybersecurity.
  • Fileless malware is an alarming supply chain problem that affects business infrastructure.

What makes hardware malware different?

Fileless malware is more patient. It gains access by mimicking a update to Flash or firmware and tricks users into a download, Once inside, the payload deploys in stages. The payload bypasses the OS and application level of a computer, and nests on board a motherboard socket, or memory controller. When malware embeds in a nonvolatile memory nook, a hacker can disable security software, access hard drives, and steal in silence. Software-borne malware hijacks applications and operating systems, arriving over the internet and passing through a network port. Running an antivirus scan detects anomalous software triggers, without paying much attention to component firmware.

Elegant throwback to vintage cyberattacks

Programs designed to attack PC hardware components resemble old-school viruses. The malware Elk Cloner lodged itself inside RAM controllers in Apple II computers. It spread via floppy disc hiding behind a simple game. After 50 runs of the game, you received a poem.

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!

It will stick to you like glue
It will modify RAM too

Send in the Cloner!

Malware like Elk Cloner came to be known as a boot sector virus.


Fake firmware targets business systems

Earlier in the year Apple removed Super Micro servers from its SIRI development stack after a hardware firmware update came laced with malware. Cybercrime publication The Information broke the story:

A previously undisclosed investigation by Apple into a problem found in a data center server highlights the potential vulnerability of key hardware in IT infrastructure. The investigation focused on Apple’s relationship with San Jose-based Super Micro Computer, causing Apple to return computers it bought from Super Micro.

For the past year, almost all the big name breaches are tied to similar hardware exploits. It hit the Democratic National Committee, the SEC, and Dyn to name a few. HPE estimates one in five servers are affected by known threats.

This is why Google fabricates its own server components

All brands of x86 servers are vulnerable. HPE, Dell, Super Micro, Lenovo—any OEM server—have common components inside the chassis. Furthermore, components by different brands might use the same hardware controller in the finished product.

HPE estimates one in five OEM platforms are currently vulnerable to known threats.

Hardware security concerns led Google to develop and manufacture its own server parts. In addition to bringing semiconductors in-house, Google devised a way of authenticating computers and everything networked to them with every server boot.

Taking action: Root of trust authentication coming to server hardware

Security experts Google’s method the hardware root of trust. It passes code through a network like a game of telephone, with new encryption added with every touch. chain-linked cryptographic verification passed through computers on a network. It works similar to how bitcoin transactions are verified by a chain of remote servers.


What if you can’t build your own chips?

HPE is building its own hardware security authentication in Gen10 ProLiant servers. A feature set called Security Assurance builds root of trust verification by modifying motherboards with the HPE iLO proprietary controller near the BIOS.

HPE ProLiant Gen10 server family

HPE proliant gen 10 servers image

Microserver, Rackmount, and Tower form factors for the latest generation of HPE servers.

Compare the HPE ProLiant product line on NeweggBusiness + deep reading on hardware security: Gen10 ProLiant technical sheet (24 pages). This article was originally published October 20, 2017. Updated October 4, 2018

'Fileless' Malware Hides in Server Hardware Components
Article Name
'Fileless' Malware Hides in Server Hardware Components
All brands of x86 servers are vulnerable to component attacks. HPE, Dell, Super Micro, Lenovo—any OEM server—have common components inside the chassis. Furthermore, components by different brands might use the same hardware controller in the finished product. HPE estimates one in five OEM platforms are currently vulnerable to known threats.
Adam Lovinus

Author Adam Lovinus

A tech writer and Raspberry Pi enthusiast from Orange County, California.

More posts by Adam Lovinus

What's your take?