microsoft[.]com/security/blog/2021/03/30/new-security-signals-study-shows-firmware-attacks-on-the-rise-heres-how-microsoft-is-working-to-help-eliminate-this-entire-class-of-threats/
The March 2021 Security Signals report showed that more than 80% of enterprises have experienced at least one firmware attack in the past two years...
While basically a sales pitch to corp IT, the stats I think are eye-opening. The UEFI BIOS most current & new devices use runs what's basically a version of Linux, which means like any OS, it can be hacked. When you turn on the device, the BIOS is what's responsible for tying all the components together and then starting the OS. Since it's 1st in line, any malware code runs 1st, before an OS like Windows, so it remains pretty much invisible to Windows and any security software. And because it's in the BIOS, you can replace hard disks, replace Windows, replace anything but the motherboard with the BIOS, and it's still there. Kind of a bad thought when it comes to ransomware.
And besides being careful, there's not a whole lot anyone can do to prevent it. Firmware on network & graphics cards and things like thunderbolt docks can also be infected, and since the BIOS talks to them right at the beginning, you get the same effect.
Watch out for bogus infected drivers &/or firmware/BIOS updates, along with everything else you do to avoid malware. AFAIK Kaspersky's the only company making consumer level software that can scan the BIOS -- Microsoft's tools for corp. IT and some other corp security software can also [hopefully] detect it. That said, malware no matter where it resides has to do something, and that usually includes phoning home for directions and to send your stolen data. And those sorts of things are what most security apps look for, so you're not totally unprotected.