How to Remotely Brick a Server

Published: 23/11/2024 | Category: security




Researchers demonstrate the process of remotely bricking a server, which carries serious and irreversible consequences for businesses.



Attackers with access to your server hold your company in their hands, and it's not hard for them to abuse that power and brick the server from anywhere, researchers report.
Most people view firmware attacks, and other attacks that cause permanent damage, as physical in nature. Analysts at Eclypsium sought to demonstrate how it's possible to remotely brick a server and disrupt infrastructure by exploiting vulnerabilities in the baseboard management controller (BMC) and system firmware. The result would spell enterprise disaster.
The idea of bricking systems is not new, says John Loucaides, vice president of engineering at Eclypsium. While the concept has been around for a while, and security experts have discovered the vulnerabilities that could lead to this level of compromise, few have shown it. Eclypsium's goal in documentation published today is to help improve understanding of the remote attack vector, which can be performed at scale with enormous potential damage.
"It's a fairly significant impact," Loucaides points out. Recovery for most malware involves wiping affected systems and restoring good data. Recovery for this type of attack would require opening each affected server and physically connecting to deliver new firmware. "It's a slow, technical process that's beyond the abilities of most IT staff and current enterprise systems," Loucaides explains. "This is an area that normal security technologies are missing," he says.
"It doesn't take a sophisticated actor to pull this off," he notes. Many people will think of this as a nation state-level attack, he continues, but open source toolkits exist on the Internet that can give attackers the access they need to render a target system inoperable. Eclypsium's demonstration marks the first time it's using this specific method and technique, and it emphasizes the low barrier to entry for launching a successful attack of this nature.
Similar threats have been seen in the wild, Loucaides explains. Attackers have replaced server components with corrupted firmware, for example, or firmware that doesn't work. Eclypsium's method, which leverages past BMC research, bricks a server by remotely exploiting a BMC. If you're not familiar, the BMC is an independent computer within the server. It's used to remotely configure the system without relying on the host operating system or applications.
How It Plays Out
Step one is getting a foot in the door. "The first thing we're doing is assuming you have some sort of compromise," Loucaides explains. Perhaps the system got infected with malware; perhaps credentials were lost and picked up by the wrong person.
In Eclypsium's demonstration, researchers then used normal update tools to pass a malicious firmware image to the BMC. No special authentication or credentials are required to do this, and the firmware update contains additional code which, once triggered, erases the UEFI system firmware and essential components of the BMC firmware itself, analysts say in a blog.
Why target the BMC? "You could target any part of the server and get a similar result," says Loucaides, "but the BMC is the most understandable and the most obvious." In a ransomware attack or other major-impact scenario, the BMC is used to recover the system.
Step three is when the BMC boots to the attacker-supplied image. Because the BMC handles system management and recovery, it can install components into any part of the system. Researchers could use the malicious capability they installed in the BMC to corrupt system firmware; by corrupting the BMC, they leave no path for a system operator to recover it.
"There is an arbitrary amount of time between stages three and four, in which the code executes," Loucaides explains. Attackers could launch malicious code as soon as they gain access via credential compromise, or they could install a component in the BMC and leave it there for as long as they like. "It doesn't all have to happen at the same time," he adds. The final payload could be triggered by a timer or external command and control.
The window between stages three and four depends on the attacker's goals. If they're going for maximum damage and disruption, Loucaides says, he would likely want to take his time and infect as many components as possible before bringing it all down at once. In step five, the BMC reboots the server, which is now unusable.
What You Can Do
Existing security defenses don't focus on firmware or hardware, says Loucaides, but there are ways to stop this type of attack. It starts with preventing initial compromise, which goes back to basic cyber hygiene: protecting credentials, for example, and using multifactor authentication.
"You can't do everything perfectly," he admits. "Something is going to go wrong. The trick is to be assessing the integrity of different components in your system."
Updates get plenty of attention at the application and operating system level, he continues, but not many people pay attention to firmware updates. Security teams should be running scans and monitoring infrastructure for anomalies, and interrupting the process before it's complete.
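The two defensive habits Loucaides describes, assessing the integrity of firmware components and watching for anomalous firmware updates so the process can be interrupted before it completes, can be made concrete. The Python script below is an added example written for this page; it is not Eclypsium's tooling and not code from the original article. It assumes a known-good SHA-256 inventory for each firmware component and a line-oriented BMC event log in a constructed format (real BMC logs differ by vendor and are usually pulled through the vendor's management interface); both the images and the log lines are constructed sample data embedded so the script runs offline.

```python
"""Firmware integrity check and BMC event-log review (added example, not from
the article). Inventory format, image bytes and log format are all constructed."""
import hashlib
import re
from datetime import datetime, timezone

# --- Part 1: firmware image integrity --------------------------------------
# Compare the hash of each firmware image read back from a host against a
# known-good inventory. The byte strings stand in for real BMC/UEFI images.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

GOOD_BMC = b"BMC-FW v3.0 (constructed stand-in for a vendor-signed image)"
GOOD_UEFI = b"UEFI v1.8 (constructed stand-in for a vendor-signed image)"

# Known-good inventory: component -> sha256 of the approved image.
KNOWN_GOOD = {"BMC": sha256_hex(GOOD_BMC), "UEFI": sha256_hex(GOOD_UEFI)}

def verify_firmware(observed: dict) -> list:
    """Return (component, reason) for every image that is missing, unknown,
    or whose hash differs from the inventory. An empty list means clean."""
    findings = []
    for component, expected in KNOWN_GOOD.items():
        if component not in observed:
            findings.append((component, "image could not be read"))
        elif sha256_hex(observed[component]) != expected:
            findings.append((component, "hash mismatch with known-good inventory"))
    for component in observed:
        if component not in KNOWN_GOOD:
            findings.append((component, "component not in inventory"))
    return findings

# --- Part 2: BMC event-log review ------------------------------------------
# Constructed (hypothetical) log format, one event per line:
#   <ISO8601 UTC> host=<name> event=<type> [component=<c>] [image=<f>]
#   [signature=<valid|missing|invalid>] [src=<ip>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)"
    r"(?: component=(?P<component>\S+))?(?: image=(?P<image>\S+))?"
    r"(?: signature=(?P<signature>\S+))?(?: src=(?P<src>\S+))?$"
)

# Constructed sample log: a routine update during the day, then an unsigned
# BMC image and a bogus UEFI image pushed at night, followed by a power cycle.
SAMPLE_LOG = """\
2024-11-20T10:05:12Z host=srv-07 event=login src=10.0.0.21
2024-11-20T10:07:40Z host=srv-07 event=firmware_update component=BMC image=bmc_v3.0.bin signature=valid src=10.0.0.21
2024-11-21T02:13:45Z host=srv-07 event=firmware_update component=BMC image=bmc_custom.bin signature=missing src=10.0.0.55
2024-11-21T02:15:02Z host=srv-07 event=firmware_update component=UEFI image=uefi_blank.bin signature=invalid src=10.0.0.55
2024-11-21T02:16:30Z host=srv-07 event=power_cycle src=10.0.0.55
"""

APPROVED_IMAGES = {"bmc_v3.0.bin", "uefi_v1.8.bin"}   # constructed allow-list
MAINTENANCE_HOURS = (9, 18)   # UTC hours [start, end) in which updates are expected

def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events

def flag_updates(events: list) -> list:
    """Flag firmware updates that are not validly signed, use an unapproved
    image, fall outside the maintenance window, or are followed within ten
    minutes by a power cycle from the same source (the reboot that would
    finish the job). Returns (timestamp, host, component, reasons) tuples."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "firmware_update":
            continue
        reasons = []
        if ev["signature"] != "valid":
            reasons.append(f"signature {ev['signature'] or 'absent'}")
        if ev["image"] not in APPROVED_IMAGES:
            reasons.append("image not on approved list")
        if not (MAINTENANCE_HOURS[0] <= ev["ts"].hour < MAINTENANCE_HOURS[1]):
            reasons.append("outside maintenance window")
        for later in events[i + 1:]:
            if (later["event"] == "power_cycle" and later["src"] == ev["src"]
                    and (later["ts"] - ev["ts"]).total_seconds() <= 600):
                reasons.append("power cycle from same source within 10 min")
                break
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["host"], ev["component"], reasons))
    return alerts

if __name__ == "__main__":
    print(verify_firmware({"BMC": GOOD_BMC, "UEFI": b"blank or tampered image"}))
    for alert in flag_updates(parse_log(SAMPLE_LOG)):
        print(alert)
```

The value of the second check is the correlation: a single unsigned update may be an operator mistake, but an unsigned, unapproved image written off-hours and followed by a reboot from the same source is the exact sequence the article describes, and the window before that reboot is where a response team still has something to act on.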