This thing is a nightmare that escaped into daylight. The Russian GRU—aka Fancy Bear—probably was riveted reading the Wikileaks CIA Vault 7 UEFI Rootkit docs (PDF) and built one of these motherboard-killers of their own, apparently weaponizing the existing Lojack commercial code to speed up the job.
This rootkit survives a reformat and OS reinstall—and even a hard-disk swap—because it lives in the system’s flash RAM. The only way to get rid of this infection means going in and over-writing the machine’s flash storage, not something for the faint of heart, provided you can even get hold of the right code. Imagine this monster being propagated with a 0-day worm like Wannacry. It gives you the shivers.
What The Heck Is UEFI?
Remember BIOS? It got replaced with UEFI, which stands for Unified Extensible Firmware Interface. UEFI is a specification for the interface between a computer’s firmware and its operating system. The interface controls booting the operating system and runs pre-boot apps.
This rootkit attack compromises the machine’s UEFI. By re-writing it, the malware can persist inside the computer’s flash memory, and that is why it survives “Nuke From Orbit” (this clip never gets old) and even hard disk swaps.
The last few years, the hardware community has introduced measures that do make it very hard for someone to make unauthorized changes at the firmware level. One example is Secure Boot, a mechanism that ensures only securely signed firmware and software can be booted up and run on a system.
Controls like Secure Boot are why InfoSec pros up to now generally considered UEFI rootkits as something more hypothetical, and that only government sponsored actors are able to develop and use.
However, now that this spectre is out of the bottle, you can expect more UEFI rootkits rearing their ugly heads, possibly having advanced features like signature verification bypass. If you want to take a very deep dive into this, here is a fascinating 1-hour video that explains more.
Who Discovered This?
Security Firm ESET blogged about it a few days ago. They said: “UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyber attacks. No UEFI rootkit has ever been detected in the wild – until we discovered a campaign by that successfully deployed a malicious UEFI module on a victim’s system.”
ESET’s analysis shows that Fancy Bear used a kernel driver bundled with a legitimate and freely available utility called RWEverything to install the UEFI rootkit. The driver can be used to access a computer’s UEFI/BIOS settings and gather information on almost all low-level settings on it.
Here Are Two Things To Do About It
1) Alexis Dorais-Joncas, security intelligence team lead at ESET said: “Organizations should review the Secure Boot configuration on [all] their hardware and make sure they are configured properly to prevent unauthorized access to the firmware memory. They also need to think about controls for detecting malware at the UEFI/BIOS level.” You can say that again. Here is their PDF that explains the problem in detail, and note that only modern chipsets support Secure Boot. The infection was running on an older chipset.
2) The black hats behind this are known for their recent headlines about major, high profile attacks. For instance, the US Department of Justice named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. So, these guys are not leaving Russia anytime soon, they probably have the indictment framed on their wall as a reminder.
That leaves spear phishing as their go-to strategy to penetrate targets. So, this is another excellent reason to step your users through new-school security awareness training, because social engineering is how these bad guys get into your network.
if you are not a KnowBe4 customer yet, at times like this, it is very good to know what percentage of your users are vulnerable to social engineering attacks. We recommend you do your free Phishing Security Test, find out what the Phish-prone percentage of your users is, and how you are doing compared to your peers.
PS, if you do not like to click on buttons with redirects, here is a URL you can cut/paste:
Let’s stay safe out there.
Founder and CEO, KnowBe4, Inc.
Based Blockchain Network