I’ve been learning a bit about ‘the Cloud’. In addition to the normal virtualized solutions, there is also ‘bare-metal cloud’, where the customer gets full access to the hardware. The ‘on-premises cloud’ is similar, except the vendor puts the hardware on your site. If you are the first client to use that hardware, you’re probably in good shape. However, the 2nd and subsequent customers need to trust that the cloud vendor is verifying that previous customers didn’t infect the firmware with bootkits.
If I were an attacker, I would have sold grey-market (used) hardware with infected firmware on eBay/Craigslist to future targets. Now, I’d change tactics and rent as much bare-metal/on-premises cloud hardware as I could, infect it with rootkits, return it to the cloud vendor, and wait for future users of this hardware to phone home. That seems like a better investment for an attacker: multiple targets per infected device.
Before your company relies on a bare-metal/on-prem solution, ask the cloud vendor to clarify the steps they perform between customers to ensure the firmware is not infected with bootkits.