Newsletter 02/06/2022

You know what I hate...
Useful Idiots and Communist Sympathizers

This post was originally intended to be one of my meager attempts at humor, using a bit of this article as a jumping-off point.  But the notion that tens of millions of PCs and other devices could already be carrying stealth malware that no amount of wiping and reinstalling the operating system will remove just ain't all that funny given the state of the world in the macro; and, in the micro, that the IT industry itself is a big part of the bigger problem.  Another major global IT services company has itself been hacked.  So if the big IT guys are constantly getting hit, there are no good defenses against a coordinated, focused cyber attack for us mere mortals.  It is naive to think otherwise.

First, the newly discovered facts discussed in the above-referenced article.

Researchers have discovered 23 "high-impact vulnerabilities" affecting any vendor that built its Unified Extensible Firmware Interface (UEFI) firmware on code licensed from an Independent BIOS Vendor (IBV), in this case Insyde.

Binarly explained the vulnerabilities in a blog post this week, confirming that "all these vulnerabilities are found in several of the major enterprise vendor ecosystems" including Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos. CERT/CC confirmed that Fujitsu, Insyde and Intel were affected but left the others tagged as "unknown," urging anyone affected to update to the latest stable version of firmware.

That's right. Like Log4j, a third-party component that has been integrated into the products of hundreds of different manufacturers has a vulnerability that, in the real world of digital commerce, is not going to be fixed everywhere it ships, and probably cannot be.  The one difference is worse, not better: Log4j is an open source library that an administrator can swap out by hand, while IBV code is proprietary and only reaches you buried inside whatever BIOS update your PC's maker chooses to publish.

Let me explain, as best I can, how you experience firmware on your computer motherboard.  When you first turn your computer on, if the PC is a name brand, you will see the company logo flash and then a couple of seconds or more of blank screen.  During that blank screen, the firmware stored in a chip on the motherboard is waking up the hardware and deciding what to boot, before anything at all loads from the hard drive.  So if that firmware is corrupted, the computer is reinfected every time it starts, no matter how many times you wipe the disk or reinstall Windows.  Despite the utter bullshit antivirus vendors spew; despite whether the PC operating system and applications are up to date; despite any other mitigation, every one of those runs inside the operating system and cannot see, let alone repair, code that ran before the operating system did.  It's like stage 4 pancreatic cancer.  There ain't a cure, short of new firmware from the vendor; just the delay of the inevitable. 

A good firewall might be a partial mitigation.  The hackers do have to get into the computer first.  But such devices have become rather expensive for the same reason 20 year old scotch is relatively expensive.  It's better.  The vendor knows it.  And if you want it, you are going to pay.  But even then, the people who write the antimalware packages for the firewall have to know what signatures to scan for.  One reason antimalware software cannot detect an attacker is that the signs of that specific attacker are not yet known to anyone but the attacker.  That situation is what the digerati call a zero day.  The "zero" is the number of days the vendor has had to fix the flaw: the attackers are using it before a patch exists, so there is no signature to match and nothing to update to.  Some zero days have been exploited, and continue to be exploited, for years before anyone notices.

As always, the mitigation for the situation is to update the system BIOS.  But that, also, just ain't gonna happen on the scale on which it would have to happen to truly be an effective mitigation.  If your PC is within a couple of years old, most likely the PC manufacturer will eventually release a BIOS update.  On an older, out-of-warranty machine there is no profit, and thus no motivation, for any vendor to try.  And, quite frankly, I wouldn't try on an old machine.  I wouldn't want to be held responsible for the inevitable system failure. 
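Here is a small check you can run yourself.  It is added to this post as an example and is not something from the Binarly or CERT/CC write-ups.  On a Linux box the firmware publishes its vendor, version and build date through sysfs; the script below reads those three strings, flags a vendor string that names Insyde (the IBV named in the CERT/CC note), and flags any firmware image built before the advisory came out, since a build that old cannot possibly carry the fix.  The February 2022 cutoff and the Insyde string match are my assumptions for illustration.  Two caveats: many PC makers put their own name in that field rather than the IBV's, so a clean vendor string proves nothing; and a recent build date only means you should go read your vendor's advisory, not that you are patched.

```shell
#!/bin/sh
# Added example, not from the article: triage the platform firmware on a Linux host.
# It reads the DMI strings the firmware publishes under /sys/class/dmi/id and flags
#   CHECK-IBV  the vendor string names Insyde (the IBV named in the CERT/CC note)
#   OLD        the firmware build date is older than the cutoff below
# It cannot prove a machine is vulnerable or patched; it tells you when to go read
# the vendor's advisory and look for a BIOS update.

# Assumption for illustration: firmware built before the February 2022 advisory
# cannot contain a fix for it.  Adjust to the date of your vendor's fixed release.
CUTOFF_YYYYMM="202202"

# dmi_date_to_yyyymm DATE: DMI bios_date is usually MM/DD/YYYY, occasionally
# YYYY-MM-DD.  Returns YYYYMM so two dates can be compared as integers.
dmi_date_to_yyyymm() {
    d="$1"
    case "$d" in
        */*/*) mm=${d%%/*}; yyyy=${d##*/} ;;
        *-*-*) yyyy=${d%%-*}; rest=${d#*-}; mm=${rest%%-*} ;;
        *)     printf '0'; return 0 ;;   # unparseable or empty: treat as ancient
    esac
    printf '%s%s' "$yyyy" "$mm"
}

# triage_firmware VENDOR VERSION DATE: prints its findings and returns 1 if
# anything was flagged, 0 if nothing obvious turned up.
triage_firmware() {
    vendor="$1"; version="$2"; bdate="$3"
    flagged=0
    case "$vendor" in
        *[Ii]nsyde*) echo "CHECK-IBV: $vendor $version"; flagged=1 ;;
    esac
    if [ "$(dmi_date_to_yyyymm "$bdate")" -lt "$CUTOFF_YYYYMM" ]; then
        echo "OLD: firmware dated $bdate predates the advisory"
        flagged=1
    fi
    [ "$flagged" -eq 0 ] && echo "OK: $vendor $version ($bdate); now check the vendor advisory"
    return "$flagged"
}

# read_dmi NAME: one DMI attribute from sysfs, empty if the file is missing.
read_dmi() {
    f="/sys/class/dmi/id/$1"
    [ -r "$f" ] && tr -d '\n' < "$f"
}

# Run against the live host when it exposes DMI data.  Virtual machines usually
# report the hypervisor's firmware (SeaBIOS, OVMF), which this will flag as OLD.
if [ -r /sys/class/dmi/id/bios_vendor ]; then
    triage_firmware "$(read_dmi bios_vendor)" "$(read_dmi bios_version)" "$(read_dmi bios_date)"
fi
```

Save it as `fwcheck.sh` and run `sh fwcheck.sh`; an exit status of 1 means it printed something you need to follow up on.  On Windows the same three strings come from `Get-CimInstance Win32_BIOS`, and whichever way you get them, the version and date are what you compare against the fixed-version table in your vendor's advisory.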

So this is a computing environment in which an Advanced Persistent Threat can live, breathe, and grow. And who might these Advanced Persistent Threat actors be who will inevitably exploit these unmitigated vulnerabilities?  Although Iran, Syria, and Israel are all fairly active, there are three countries most associated with APTs.

1.  North Korea.  If you want to understand the motivations for the chaos instigated by North Korea, find a copy of the book or movie, The Mouse That Roared.
2.  China.  China is mostly engaged in very sophisticated campaigns of industrial espionage.  Not to disregard the practice at all, but industrial espionage is a time-honored profession. If you have valuable assets and you do not move heaven and earth to protect those assets, then you deserve to lose those assets.  And industrial espionage is not intended to destroy Western Civilization as we know it.  But it might well be the result, nonetheless.
3.  Russia.  I know the study of history is today considered a subversive act that indicates that one who might engage in such an activity is probably a communist sympathizer, if not a full-blown, card-carrying commie.

Of course, there are no real communists left, as defined by adherence to the principles of Marxism-Leninism. Since Joseph Stalin, today's dictators have completely abandoned the Marxist part, which was deeply rooted in democracy, [ed. and as James Harrington might have said: democratic to a fault] and simply kept the Vladimir Lenin part. Lenin believed the democratic West would eventually collapse under its own dead weight of decadence and corruption, and all the communists had to do was wait for the coming collapse.  Good communists should, however, develop deep relationships with "useful idiots" who can unknowingly accelerate the West's decline.

For modern-day Russia, cyber attacks have become not only a means of warfare, but also acts of coercion and retaliation.  Irish fishermen stood up to the Russian navy, which, under the guise of war games, may have been intending to cut the cables that connect Europe to the Internet and other means of global communication.  Brave Irish fishermen forced the Russian navy to turn around.  Russian hackers, for their part, have brought the Irish healthcare system almost to a halt.  Meanwhile, here in the US, the Biden Administration announced a new plan to secure U.S. water systems from cyberattacks, part of a broader effort to defend elements of domestic critical infrastructure from digital threats.

In October 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released a detailed analysis of the threat to American water systems. The report was:

The result of analytic efforts between the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) to highlight ongoing malicious cyber activity—by both known and unknown actors—targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities.

In the report, CISA detailed recent attacks on municipal water systems here in the US.

WWS Sector cyber intrusions from 2019 to early 2021 include:

  • In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.

  • In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.

  • In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).

  • In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.

  • In March 2019, a former employee at Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.

On January 24, 2022, DHS released a bulletin discussing the imminent threat to US water systems in the event of a Russian invasion of Ukraine.  “Russia maintains a range of offensive cyber tools that it could employ against U.S. networks that make everything from planes to hospitals to dams and bridges operate” is how USA Today reported it.  Paul Rosenzweig, a former senior Homeland Security official, told USA Today that:

“In a globally connected world, conflicts are no longer geographically isolated. As DHS is warning, Russia may respond to U.S. actions in support of Ukraine by using offensive cyber tools against U.S. networks.”  “We have seen how vulnerable American systems are – think of the criminals who disrupted gas pipelines and meat packing last year. Now imagine that an angry Russia decides to take it to the next level – wastewater treatment; agriculture; transportation are all potential targets.”

If that isn't indicative of a slow burning global war, then I don't know what would be.

The Russian cyberwar is a global effort.  It conscripts millions of infected devices into its botnets.  Cities all over the West are being brought to their knees by cyberattacks that for the most part originate in Russia.  Into all this chaos comes the pandemic, and its tentacles are also being yanked on by Russian misinformation specialists.  The stresses and strains on the social orders of the Western democracies are becoming apparent.  Twenty years ago a fist fight among the passengers on an airplane was both unthinkable and unheard of.  Now it's an everyday occurrence.  Useful idiots abound.

Governments all over the Western world are trying to sound the alarm about the real threat these attacks from Russia represent, but the people of those democracies are not listening and really do not seem to care.  Thus, for example, the US Senate continues to press its absolutely awful and asinine sideloading bill. 

I am of two minds about all this. One is ironically optimistic, and based on limited facts and even less real experience.  It's based on the notion that certain Leviathans of the global network, like Microsoft and Google (Oops! Pardon me. I mean Alphabet), along with the NSA, the FBI, and their counterparts in law enforcement in Europe, are all making an effort to expose and fix all these critical vulnerabilities.  It does seem like there is a daily announcement of some widely deployed piece of open source software being exploited globally.  And by exposing these vulnerabilities, and using the clout of global law enforcement, our Leviathans will somehow get them fixed, and clean up and calm down the murky and roiling waters of cyberspace, or at least those systems most critical to one's own national survival.

My other more pessimistic view is best illustrated by the cartoon below.

There are about a dozen variations of this comic circulating around the Internet that I have seen.  This is my favorite.  No, I do not envision myself as that one guy.  This is comedy and parody.  There isn't just one guy holding it all together. But there are far fewer guys and gals trying to hold it all together than there are miscreants trying to bring the entire structure down.  The point of the comic is that our modern digital infrastructure is not built upon any plan, blueprint, or schematic.  Much like the hoarder's kitchen table, our digital infrastructure is just one individual mess piled upon another.  And when that one peg holding the whole mess together finally breaks, the entire edifice comes tumbling down. And maybe a vast chunk of American society along with it.

None of this is theoretical now.  Log4j is still very much a global problem.  As Microsoft reported on January 10, 2022: “In January, we started seeing attackers taking advantage of the vulnerabilities in internet-facing systems, eventually deploying ransomware.”  And the fallout from Log4j is still impacting the real lives of real people. If you doubt this, ask anyone who works for the very, very posh Ritz-Carlton Hotel at Lake Tahoe, who haven't been paid since December.  And December through March would be the height of the ski season, now wouldn't it?  And that is just one example.

What I am about to say and close with is not because I want to sell you a PC.  If every person reading this were all of a sudden to contact me and say, "Gerry, get me a new PC, please!" I would not be able to procure enough of the type of product I want to sell. I got my own ongoing supply chain issues.

And, if you have purchased new computer gear in the last 18 months or so, or you intend to make a purchase soon, I salute your patriotism and love of country.  But, on the other hand, for Christ's sake, it's not like you are being asked to storm a beach while running headlong into machine gun fire.
If you will not replace that old PC, and you have the means to do so;
If you will not replace that old router, and you have the means to do so;
If you will not at least get off your ass and talk to your ISP about replacing that 10 year old DOCSIS 2.0 modem with a shiny new, faster and more secure DOCSIS 3.x modem;
Then I will call you what you are. 
At best, you are a useful idiot.  At worst, you are a communist sympathizer.


Well, I quit my job so I could work all alone
Then I changed my name to Sherlock Holmes
Followed some clues from my detective bag
And discovered they wus red stripes on the American flag!
That old Betsy Ross

Bob Dylan, Talkin’ John Birch Paranoid Blues

Gerald Reiff
