I’ve posted a question (link) related to a potential compromised computer via SSH access with root user. Although no evidence of a break-in, I’m considering extended measures to ensure (as much as possible) that my hardware has not been compromised. The software rootkit/malware would be easier to deal with apart of technical details as I expressed in another question (link). I’m particularly concerned because a SSH root access seems much more serious than a rootkit/malware infection from a compromised application downloaded from the internet.
OTOH, hardware rootkit/malware is a different level of a threat and I was trying to get more information about it. As I could see in other questions (link,link, plus some internet articles), the debate regarding hardware threats was much related to state-actors aiming high-level targets a few years back (prior 2017). However LoJax surfaced in 2018 and possibly others until today.
So, what is the current status (mid-2020) of these infections? Are they popular or still related to particular high-level targets?
My research showed that the only ways to get rid of such threats at hardware level would be either (i) flash the hardware with default firmware (not simple) or (ii) replace the piece of hardware. Besides, I’m not sure this hardware-level intervention would be detected in any manner, even using specialized application like rkhunter or TDSSKiller, since it could be hidden at kernel Ring 0 area outside the userspace. In the end, the user would have an evidence only if the rootkit drops a malware in the userspace, which could be caught by an AV or other scan app.
I see that OSSEC would be a handy tool to monitor the system, but possible setup before an infection. In case one has a potential compromised system, what would be the way to detect and/or to monitor the activity of a potential compromised hardware rootkit/malware (if any)?
In summary, such threats could be hidden in any writable firmware in the hardware (BIOS, SSD, HDD, GPU, etc.), however detailed knowledge of these firmwares are needed in order to deploy such malicious software, making it not so popular (this answer from 2015 states it in a more clear way, although somehow old). If this level of threat is still not popular in the wild, I would consider a very small possibility that such threat would be deployed in my computer, but I don’t have the clear picture yet.