I see this same concept at work in cybersecurity. A major event happens, and everyone moves to spend money on that new and shiny thing. Entire business verticals will pop up around something if the event is significant enough at the time of discovery. Just look at how long it took to have dedicated security services for UEFI firmware and OT vulnerabilities. This in turn causes a shift to that new thing which, in some cases, means ignoring older attack vectors. When the industry and thinking has shifted enough, the attackers are back at that old, now ignored, vector. A perfect example of this is Macro Pivots. The first macro viruses were back in the mid-90s. traditional anti-malware moved to block them, and attackers easily moved to another pivot, years later they were back at them in a more sophisticated way. Microsoft and everyone else knew Macros and VB Script in Office was dangerous, yet it was left open to attack because we had moved on from that war to fight and train for a newer one. This allowed people to forget about the past.
Here is another example, BMCs (Baseboard Management Controllers); call them iDRACs, ILO, what have you. These are the components that allow for the remote management and control of the motherboard in a server or workstation. These have been a known weak point in network security for a long time, but we still hear about critical vulnerabilities in them that allow an attacker to take complete control of the system. Recently Eclypsium identified several high and critical flaws in AMI’s implementation of their BMC. According to Scott Scheferman and Vlad Babkin, “These new vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions,”
Leaving these critical components on a motherboard is incredibly shortsighted. Much like the Intel Management Interface issues in the past these interfaces, if accessed with the right permissions level, can allow an attacker to insert UEFI malware which will bypass all of the safeguards in the OS. This is a whole new ownage level and if you consider the recent leak of BlackLotus source code, the threat level is even higher.
What makes incidents like this even more concerning is that edge, network, and other infrastructure systems have always been targets, we just seem to have forgotten as the industry moved to fight the work from home war during the pandemic. As we still are fighting the war of the endpoint, attackers are pivoting to firmware code, edge device attacks and other “low level” code vulnerabilities to maintain the pressure. Attack groups can do this because they are much more agile than most organizations and, sadly, they understand how the market and industry works better than most, even those deeply embedded in the market.
So, this means that organizations need to be prepared to not only fight the last war, but also all remember the lessons of the wars before those and prepare for attacks on new fronts. I know, this sounds like an impossible task, but it is not. I have talked about how to build realistic and achievable strategic goals and back them up with tactical and logistical reality. You can follow the same example to extend your security program so that you are not playing a game of whack-a-mole with attack vectors. It is not easy and, it is not something that gets done overnight, but in the end as you take away attack vectors and keep them closed you will remove a statistically significant number of commodity threats. Remember that your data (client and internal) as well as systems operation (ransomware) has value to attackers, investing in the right team and building the right strategies which cover all of the layers of your business will yield real world financial returns. For now, I advise any organization to start assessing their vulnerability to attack in terms of networking vectors (firewalls, switches, BMCs, Wireless Access Points etc.) these are areas that attackers are pivoting to. However, don’t forget to keep an eye on your endpoints as attackers can pivot back to them much faster than most would like to admit.
Stay safe out there