CPU-Level Ransomware: Rapid7’s Christiaan Beek Proves Microcode Can Be Weaponised
14 May 2025 — At RSA Conference 2025, Rapid7 senior director of threat analytics Christiaan Beek stunned attendees by unveiling a proof-of-concept (PoC) ransomware that hides inside a processor’s microcode, well below the reach of operating-system or firmware defences.
The exploit chain
Beek’s PoC abuses “EntrySign,” a recently disclosed flaw in AMD Zen-family CPUs that lets attackers load unsigned microcode once they hold kernel-level privileges. AMD confirmed the vulnerability in an advisory after Google researchers showed how falsified signatures bypass the chip’s ROM checks.
- Bypass microcode signing. EntrySign removes the need for AMD’s private key.
- Encrypt boot-time memory. Malicious micro-ops scramble critical page tables before the OS starts.
- Persist in silicon. Even replacing the motherboard or reinstalling the OS will not dislodge the rogue code.
Why this matters
Because endpoint protection works above the CPU layer, microcode malware is invisible to antivirus and EDR tools. TechSpot calls the technique “the ghost in the machine.”
While writing custom microcode still demands elite skills and privileged access, Rapid7 notes that ransomware gangs have discussed firmware implants for years, and Beek’s demo shows the concept is now practical.
Industry reaction
- Patching underway. AMD is rolling out enhanced signature checks via AGESA 1.2.0.3C BIOS updates.
- Detection gaps. Vendors are exploring secure-boot extensions that hash microcode during power-on.
- Policy push. Regulators may soon require microcode attestation in critical infrastructure.
Mitigation tips
Apply firmware updates promptly, restrict admin access that could flash microcode, and monitor for unexplained boot failures that could hint at a silicon-level lockout.
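A defender-side inventory check that follows from the mitigation tips above, added here as an example and not part of the original post: it parses Linux /proc/cpuinfo and flags cores whose reported microcode revision is below a baseline, has no baseline entry, or differs across cores of one host. The sample text and the BASELINE values are constructed placeholders, not revisions from any advisory.

```python
# Constructed sample of Linux /proc/cpuinfo (two logical CPUs of one AMD part); all values are made-up placeholders.
SAMPLE_CPUINFO = """\
processor\t: 0
cpu family\t: 25
model\t\t: 33
stepping\t: 0
microcode\t: 0xa201016

processor\t: 1
cpu family\t: 25
model\t\t: 33
stepping\t: 0
microcode\t: 0xa201009
"""

# Minimum acceptable microcode revision per (family, model, stepping).
# PLACEHOLDER: take the real values from the vendor advisory or your golden image.
BASELINE = {(25, 33, 0): 0xA201016}


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict of fields per logical processor."""
    cpus, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates processors
            if cur:
                cpus.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        cpus.append(cur)
    return cpus


def check_microcode(text, baseline=BASELINE):
    """Return findings: cores below baseline, parts with no baseline, mixed revisions."""
    findings, revs = [], set()
    for cpu in parse_cpuinfo(text):
        part = (int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
        rev = int(cpu["microcode"], 16)
        revs.add(rev)
        expected = baseline.get(part)
        if expected is None:
            findings.append(f"cpu{cpu['processor']}: no baseline for family/model/stepping {part}")
        elif rev < expected:
            findings.append(f"cpu{cpu['processor']}: microcode {rev:#x} is below baseline {expected:#x}")
    if len(revs) > 1:                 # a host should run one revision on all cores
        findings.append("mixed microcode revisions on one host: " + ", ".join(f"{r:#x}" for r in sorted(revs)))
    return findings
```

The revision is reported by the CPU itself, so this is a patch-hygiene and fleet-consistency check, not proof that the loaded microcode is genuine; pair it with the firmware attestation the article says vendors are working on.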