How to protect yourself from PC hardware and hardware driver vulnerabilities

Attackers have hijacked PC motherboard update software and hardware drivers to install malware. Here's how to identify vulnerable systems and prevent driver-delivered malware.


PC manufacturer Asus recently announced that from June to November 2018, attackers used its Asus Live Update app, which comes preinstalled on ASUS notebook computers, to install backdoors on targeted computers. Kaspersky indicated that about 57,000 systems installed the backdoored live update software. Asus has acknowledged the introduction of malware into its update process and provided a tool to test your system to see if it has the malicious software installed.

The backdoored updaters appear to target specific computers. As was stated in the investigation, the backdoor software contained hardcoded MD5 hashes representing MAC addresses. The theory is that attackers identified specific hardware systems, groups or computers sold to specific companies to gain more access to those systems.

If you have ASUS Live Update installed on your system, ensure that you have the latest version 3.6.9 installed as it includes a fix and additional mechanisms that can prevent manipulation of updates.

[Screenshot, Susan Bradley: Asus tool indicates targeted machines]

Steps to ID your PC motherboard

The Asus attack made me question how to determine what motherboard a system used should another vulnerability arise. You have several ways to check the manufacturer and model of the motherboard installed on your system.

In PowerShell you can use the command:

Get-WmiObject win32_baseboard | select Manufacturer

It will respond with the name of the motherboard manufacturer.

[Screenshot, Susan Bradley: PowerShell query report identifying the motherboard manufacturer]

The same command on my laptop clearly shows that a different manufacturer prepared this machine:

[Screenshot, Susan Bradley: this PowerShell report shows a different motherboard manufacturer]

Some motherboard identifiers are obvious. Lenovo is clearly the manufacturer of the laptop I’m typing this on. Others may take a bit of detective work. For example, Intel has a series of motherboards based on the Apollo Lake chip, and those boards answer the command with a manufacturer value of APL.

A wider-ranging version of the same query provides a great deal of information about the systems on your network. Windows Management Instrumentation (WMI) is a Windows-specific implementation of predefined classes that describe system objects. By using the -ComputerName parameter, you can query a single computer or a whole list of computers.

For example, you can use the following PowerShell loop to collect key information about the BIOS, processor and motherboard manufacturer from the computers in your Active Directory domain, which helps you identify the manufacturers and devices present on your network.

# $computers holds the names of the domain computers to query. Populating it with
# Get-ADComputer is an addition here; it requires the ActiveDirectory (RSAT) module.
$computers = (Get-ADComputer -Filter *).Name

foreach ($computer in $computers)
{
    # Run the three WMI queries on each remote computer over PowerShell remoting.
    Invoke-Command -ComputerName $computer -ScriptBlock {
        Get-WmiObject Win32_bios
        Get-WmiObject Win32_processor
        Get-WmiObject Win32_Baseboard
    }
}
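The following script is an added example, not code from the article: it builds on the loop above to produce a per-computer inventory and, tying back to the 3.6.9 advice earlier, flags any ASUS board whose ASUS Live Update install is older than the fixed release. It assumes the ActiveDirectory module, WinRM access to each host, and that the program registers itself under an uninstall display name beginning with "ASUS Live Update" (an assumption).

```powershell
# Added example (not from the article): inventory motherboard/BIOS data across
# domain computers and flag ASUS boards running ASUS Live Update below 3.6.9.
# Assumes the ActiveDirectory module (RSAT) and WinRM access to each host.
Import-Module ActiveDirectory

$computers = (Get-ADComputer -Filter 'Enabled -eq $true').Name

$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $board = Get-CimInstance Win32_BaseBoard
    $bios  = Get-CimInstance Win32_BIOS

    # Look up ASUS Live Update in the uninstall registry keys (64- and 32-bit views).
    # Matching the display name 'ASUS Live Update*' is an assumption, not from the article.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $liveUpdate = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
                  Where-Object { $_.DisplayName -like 'ASUS Live Update*' } |
                  Select-Object -First 1

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        BoardManufacturer = $board.Manufacturer
        BoardProduct      = $board.Product
        BiosVersion       = $bios.SMBIOSBIOSVersion
        LiveUpdateVersion = $liveUpdate.DisplayVersion
    }
}

# Flag systems where ASUS Live Update is present but older than the fixed 3.6.9 release.
$fixed = [version]'3.6.9'
foreach ($r in $report) {
    $r | Add-Member -NotePropertyName NeedsLiveUpdateFix -NotePropertyValue $false
    if ($r.LiveUpdateVersion) {
        $v = $null
        if ([version]::TryParse($r.LiveUpdateVersion, [ref]$v) -and $v -lt $fixed) {
            $r.NeedsLiveUpdateFix = $true
        }
    }
}

# Keep the full inventory, then show only ASUS boards and outdated Live Update installs.
$report | Sort-Object BoardManufacturer |
    Select-Object Computer, BoardManufacturer, BoardProduct, BiosVersion, LiveUpdateVersion, NeedsLiveUpdateFix |
    Export-Csv -Path .\hardware-inventory.csv -NoTypeInformation

$report | Where-Object { $_.BoardManufacturer -match 'ASUS' -or $_.NeedsLiveUpdateFix } |
    Format-Table Computer, BoardManufacturer, BoardProduct, LiveUpdateVersion, NeedsLiveUpdateFix -AutoSize
```

Hosts that are offline or lack WinRM are silently skipped, so compare the row count against the computer list before treating the CSV as complete.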

Hardware drivers are vulnerable, too

Similar to motherboard and BIOS updating, hardware drivers are often a target of malicious activity because admins typically install a driver when deploying computer systems and never update it again. An attacker can target a driver, or even write malicious software that pretends to be a driver, and you would probably not realize that you had a persistent backdoor in your system.

To detect these silent attackers, monitor outbound traffic for unusual behavior. In particular, look for unusual outbound remote procedure calls (RPCs) and Server Message Block (SMB) communication. It’s wise to place blocking rules at your firewall. Block the ports at the workstation level or at the exterior firewall level.

You might need to determine if your current network will be negatively impacted by the blocking action. Review how dependent you are on SMB v1 and other older and more vulnerable protocols.

The U.S. Department of Homeland Security has long recommended blocking all versions of SMB at the network boundary: block TCP port 445 along with the related NetBIOS protocols on UDP ports 137-138 and TCP port 139 on all boundary devices, especially in response to ransomware attacks.
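The following is an added example, not from the article: it first reports whether the host still has SMBv1 enabled (the dependency review the text calls for), then creates host-level Windows Firewall rules blocking outbound traffic on the ports listed above. It is a dry run unless -Apply is passed, must be run as administrator, and the rule names and the Public/Private profile scope are choices made here, not from the article.

```powershell
# Added example (not from the article): review SMBv1 and add host firewall rules that
# block outbound SMB/NetBIOS on TCP 445, TCP 139 and UDP 137-138.
# Run as administrator. Dry run by default; pass -Apply to create the rules.
param([switch]$Apply)

# Step 1: check whether this host still serves SMBv1 before blocking anything.
$smb = Get-SmbServerConfiguration
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
"SMB1 server protocol enabled : $($smb.EnableSMB1Protocol)"
"SMB1 Windows feature state    : $($smb1Feature.State)"

# Step 2: the rule set. Scoped to Public and Private profiles so domain-profile
# file/print traffic keeps working; add Domain if your environment allows it.
$rules = @(
    @{ DisplayName = 'Block outbound SMB (TCP 445)';                   Protocol = 'TCP'; RemotePort = '445' },
    @{ DisplayName = 'Block outbound NetBIOS session (TCP 139)';       Protocol = 'TCP'; RemotePort = '139' },
    @{ DisplayName = 'Block outbound NetBIOS name/datagram (UDP 137-138)'; Protocol = 'UDP'; RemotePort = '137-138' }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script is safe to re-run.
    if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
        "Already present: $($r.DisplayName)"
        continue
    }
    if ($Apply) {
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction Outbound -Action Block `
            -Protocol $r.Protocol -RemotePort $r.RemotePort -Profile Public,Private | Out-Null
        "Created: $($r.DisplayName)"
    } else {
        "Would create: $($r.DisplayName) ($($r.Protocol) $($r.RemotePort))"
    }
}

# Step 3: confirm what is now in place.
Get-NetFirewallRule -DisplayName 'Block outbound *' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

Blocked outbound attempts can be logged (enable logging of dropped packets in the firewall profile) and reviewed, which gives you a starting point for the unusual-outbound-connection hunting described above.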

It’s also recommended to secure internet-facing Remote Desktop Protocol (RDP) servers (terminal servers) with a multifactor gateway in front of them, to ensure that attackers can’t use brute force to determine the RDP password or use password reuse attacks to gain access. If you cannot use multifactor authentication, ensure that Network Level Authentication is enabled and use the Local Administrator Password Solution (LAPS) toolkit to randomize local admin passwords on computers and servers.

Take action now to review your systems, take inventory of your motherboards, and in particular investigate any unusual outbound connections coming from your network.
