Track Common Adversary Tasks Performed Using Allwinner

Presented by: Ashwin (Microsoft Azure MVP)

Allwinner is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by Allwinner for use on these devices reportedly contained a backdoor.

Source:

MITRE ATT&CK® Matrix for Enterprise


Now, let's walk through the ATT&CK technique associated with this software and the mitigations that can detect or prevent it.

Supply Chain Compromise

Initial Access

Compromise Software Supply Chain

A Linux kernel distributed by Allwinner reportedly contained a simple backdoor that could be used to obtain root access. It is believed to have been left in the kernel by its authors by mistake.

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Security Updates

Security updates may contain patches that inhibit system software compromises.

System Partition Integrity

Ensure Verified Boot is enabled on devices with that capability.

Application vetting services can detect malicious code in applications. System partition integrity checking mechanisms (on Android, dm-verity under Verified Boot) can detect unauthorized or malicious code in the system partition. One caveat applies to this case: such checks catch modifications made after the image was signed, so a backdoor that the vendor compiled into the kernel and shipped inside the signed image is not flagged by them; only a vendor-supplied update removes it.
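To make concrete how integrity checking of the system partition catches the "replacing compiled releases with a modified version" case described under Compromise Software Supply Chain, here is an added example (not code from the original page, from Allwinner, or from Android) of a simplified dm-verity-style hash tree. The block size, hash function, and sample image are assumptions chosen for illustration; real dm-verity works on 4 KiB blocks and pads its hash blocks differently, but the property shown is the same: the tree is stored on untrusted storage and only the root is trusted, so a tampered block fails no matter how much of the tree the attacker rewrites.

```python
"""Simplified dm-verity-style hash tree for system partition integrity.

Added example, not Android's or Allwinner's code. Block size, hash function
and the sample image are assumptions made to keep the example readable.
"""
import hashlib

BLOCK_SIZE = 64  # assumption: dm-verity uses 4 KiB; tiny blocks keep output short

# Constructed sample "system partition": 5 full blocks plus a partial sixth (330 bytes).
SAMPLE_IMAGE = b"".join(
    f"block{i}:".encode().ljust(BLOCK_SIZE, b".") for i in range(5)
) + b"tail-block"


def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(image: bytes) -> list[bytes]:
    """Cut the image into fixed-size blocks, zero-padding the last one."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    if blocks and len(blocks[-1]) < BLOCK_SIZE:
        blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks


def build_tree(image: bytes) -> list[list[bytes]]:
    """Build the hash tree at image-signing time.

    Returns levels[0] (one hash per block) up to levels[-1] (the root).
    An odd node at any level is paired with itself (a simplification).
    """
    level = [sha256_digest(block) for block in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        padded = level + ([level[-1]] if len(level) % 2 else [])
        level = [sha256_digest(padded[i] + padded[i + 1]) for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def verify_block(block: bytes, index: int, tree: list[list[bytes]],
                 trusted_root: bytes) -> bool:
    """Verify one block the way the read path does: from leaf up to the trusted root.

    Every stored level is recomputed on the way up. An attacker who rewrites a
    block and patches the stored leaf hash fails one level higher; rewriting
    the whole tree changes its root, which no longer matches the trusted value.
    """
    if tree[-1][0] != trusted_root:
        return False
    node = sha256_digest(block)
    for level in tree[:-1]:
        if index >= len(level) or level[index] != node:
            return False
        sibling_index = index ^ 1
        sibling = level[sibling_index] if sibling_index < len(level) else node
        node = sha256_digest(node + sibling if index % 2 == 0 else sibling + node)
        index //= 2
    return node == trusted_root


def verify_image(image: bytes, tree: list[list[bytes]],
                 trusted_root: bytes) -> list[int]:
    """Return the indices of every block that fails verification.

    dm-verity checks blocks lazily as they are read and fails the I/O;
    here the whole image is scanned so the result can be inspected.
    """
    return [i for i, b in enumerate(split_blocks(image))
            if not verify_block(b, i, tree, trusted_root)]


def tamper(image: bytes, offset: int, payload: bytes) -> bytes:
    """Overwrite bytes at offset, modelling a modified file in the system partition."""
    return image[:offset] + payload + image[offset + len(payload):]


if __name__ == "__main__":
    tree = build_tree(SAMPLE_IMAGE)
    root = tree[-1][0]  # in Verified Boot this value is covered by the signed boot chain
    print("clean image, failing blocks:", verify_image(SAMPLE_IMAGE, tree, root))
    modified = tamper(SAMPLE_IMAGE, 3 * BLOCK_SIZE + 8, b"modified")
    print("block 3 modified, failing blocks:", verify_image(modified, tree, root))
    forged_tree = build_tree(modified)  # attacker also rewrites the on-disk tree
    print("forged tree, failing blocks:", verify_image(modified, forged_tree, root))
```

Note that when only the stored leaf hash is patched to match a modified block, the sibling block in the same pair fails as well, since its path to the root passes through the patched node; this is the same behaviour a real dm-verity device shows when a hash block, rather than a data block, is corrupted.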