This thing is a nightmare that escaped into daylight. The Russian GRU—aka Fancy Bear—probably was riveted reading the Wikileaks CIA Vault 7 UEFI Rootkit docs and built one of these motherboard-killers of their own, apparently weaponizing the existing LoJack commercial code to speed up the job.
This rootkit survives a reformat and OS reinstall—and even a hard-disk swap—because it lives in the system’s flash memory on the motherboard, not on the disk. The only way to get rid of this infection is to go in and overwrite the machine’s flash storage with a clean firmware image, not something for the faint of heart, provided you can even get hold of the right image. Imagine this monster being propagated with a 0-day worm like WannaCry. It gives you the shivers, right on time for Halloween.
What the Heck Is UEFI?
Remember BIOS? It got replaced with UEFI, which stands for Unified Extensible Firmware Interface. UEFI is a specification for the interface between a computer’s firmware and its operating system. The interface controls booting the operating system and runs pre-boot apps.
This rootkit attack compromises the machine’s UEFI firmware. By rewriting the firmware, the malware persists inside the computer’s flash memory, and that is why it survives “Nuke From Orbit” (that clip never gets old) and even hard disk swaps.
Over the last few years, the hardware community has introduced measures that make it very hard for someone to make unauthorized changes at the firmware level. One example is Secure Boot, a mechanism that ensures only properly signed firmware and software can be loaded and run on a system.
Controls like Secure Boot are why InfoSec pros have, up to now, generally considered UEFI rootkits to be largely hypothetical, something only state-sponsored actors are able to develop and use.
However, now that this spectre is out of the bottle, you can expect more UEFI rootkits rearing their ugly heads, possibly with advanced features such as bypassing Secure Boot’s signature verification.
Who Discovered This?
Security firm ESET blogged about it a few days ago. They said: “UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyber attacks. No UEFI rootkit has ever been detected in the wild – until we discovered a campaign by that successfully deployed a malicious UEFI module on a victim’s system.”
ESET’s analysis shows that Fancy Bear used a kernel driver bundled with a legitimate and freely available utility called RWEverything to install the UEFI rootkit. The driver can be used to access a computer’s UEFI/BIOS settings and gather information on almost all low-level settings on it.
Here Are Two Things to Do About It
- Alexis Dorais-Joncas, security intelligence team lead at ESET said: “Organizations should review the Secure Boot configuration on [all] their hardware and make sure they are configured properly to prevent unauthorized access to the firmware memory. They also need to think about controls for detecting malware at the UEFI/BIOS level.” You can say that again. They have a PDF that explains the problem in detail, and note that only modern chipsets support Secure Boot. The infection was running on an older chipset.
- The black hats behind this are known for their recent headlines about major, high-profile attacks. For instance, the US Department of Justice named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. So, these guys are not leaving Russia anytime soon; they probably have the indictment framed on their wall as a reminder.
That leaves spear phishing as their go-to strategy to penetrate targets. So, this is another excellent reason to step your users through new-school security awareness training, because social engineering is how these bad guys get into your network. Here is the updated KnowBe4 Blog post with all the links. Oh, and tell your friends.
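ESET’s two recommendations above (review the Secure Boot configuration on every machine, and put controls in place to detect malware at the UEFI/BIOS level) can both be turned into a routine check. The script below is an added example written for this post; it is not code from KnowBe4, ESET, or the LoJax analysis. It assumes a Linux host booted under UEFI, where the kernel exposes firmware variables through efivarfs as files named `<Name>-<GUID>` whose contents are a 4-byte attribute word followed by the variable data, and it assumes you have already obtained a dump of the SPI flash with a tool such as flashrom or chipsec and a list of vendor-known-good SHA-256 hashes for that board’s firmware image (the hash list and the sample dump here are constructed placeholders).

```python
"""Secure Boot state and firmware-image baseline check (added example).

Reads the SecureBoot/SetupMode UEFI variables as exposed by Linux efivarfs
and compares a SPI flash dump against known-good hashes. Sample data at the
bottom is constructed for demonstration, not captured from a real system.
"""
from __future__ import annotations

import hashlib
from pathlib import Path

# GUID of the EFI global variable namespace (EFI_GLOBAL_VARIABLE in the UEFI spec).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")  # efivarfs mount point on Linux


def parse_efivar_bool(raw: bytes) -> bool:
    """Parse a one-byte boolean UEFI variable as exposed by efivarfs.

    efivarfs prefixes the variable data with a 4-byte little-endian attribute
    word (e.g. 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS), so a boolean
    variable such as SecureBoot or SetupMode is 5 bytes: attributes + value.
    """
    if len(raw) < 5:
        raise ValueError(f"efivar too short: {len(raw)} bytes, expected >= 5")
    return raw[4] == 1


def assess_secure_boot(secure_boot_raw: bytes, setup_mode_raw: bytes) -> dict:
    """Return a verdict built from the SecureBoot and SetupMode variables.

    SecureBoot=1 alone is not enough: if SetupMode=1 the platform keys are not
    enrolled and the firmware will accept unsigned boot components.
    """
    secure_boot = parse_efivar_bool(secure_boot_raw)
    setup_mode = parse_efivar_bool(setup_mode_raw)
    if secure_boot and not setup_mode:
        verdict = "enforcing"
    elif setup_mode:
        verdict = "setup-mode"
    else:
        verdict = "disabled"
    return {"secure_boot": secure_boot, "setup_mode": setup_mode, "verdict": verdict}


def read_live_secure_boot_state() -> dict:
    """Read the live variables on a UEFI-booted Linux host (needs efivarfs)."""
    sb = (EFIVARS_DIR / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}").read_bytes()
    setup = (EFIVARS_DIR / f"SetupMode-{EFI_GLOBAL_VARIABLE_GUID}").read_bytes()
    return assess_secure_boot(sb, setup)


def firmware_dump_matches_baseline(dump: bytes, known_good_sha256: set[str]) -> tuple[bool, str]:
    """Hash a SPI flash dump and check it against vendor-known-good hashes.

    A mismatch does not prove infection (vendor updates and NVRAM regions
    change the image too) but it is the trigger to pull the board for a
    closer look, which is the "detect at the UEFI/BIOS level" control.
    """
    digest = hashlib.sha256(dump).hexdigest()
    return digest in known_good_sha256, digest


# --- Constructed sample data (hypothetical, not from a real machine) ---------
SAMPLE_SECUREBOOT_ON = bytes.fromhex("06000000" "01")   # attrs=0x06, value=1
SAMPLE_SECUREBOOT_OFF = bytes.fromhex("06000000" "00")  # attrs=0x06, value=0
SAMPLE_SETUPMODE_ON = bytes.fromhex("06000000" "01")
SAMPLE_SETUPMODE_OFF = bytes.fromhex("06000000" "00")

SAMPLE_DUMP = b"\xff" * 32 + b"HYPOTHETICAL-VENDOR-FIRMWARE-IMAGE-v1"
# In practice this set comes from the board vendor / your golden-image process.
KNOWN_GOOD = {hashlib.sha256(SAMPLE_DUMP).hexdigest()}


if __name__ == "__main__":
    print("sample verdict:", assess_secure_boot(SAMPLE_SECUREBOOT_ON, SAMPLE_SETUPMODE_OFF))
    ok, digest = firmware_dump_matches_baseline(SAMPLE_DUMP, KNOWN_GOOD)
    print("sample dump matches baseline:", ok, digest[:16])
    try:
        print("live verdict:", read_live_secure_boot_state())
    except OSError as exc:
        print("live check skipped (not a UEFI Linux host or no efivarfs):", exc)
```

On a Windows fleet the equivalent Secure Boot check is the built-in `Confirm-SecureBootUEFI` PowerShell cmdlet; the firmware-hash comparison is the same idea regardless of OS, and is only as good as the known-good list you maintain per board model and firmware version.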
Information provided by our partners at KnowBe4.
KnowBe4 provides security awareness training and information on how to best avoid ransomware attacks.
Email us at email@example.com for, you know, information on how this can help protect your business.