Slashdot Mirror

← Back to Stories (view on slashdot.org)

First-Ever UEFI Rootkit Tied To Sednit APT (threatpost.com)

Posted by msmash on from the security-woes dept.

Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks. From a report: The discussion of Sednit was part of the 35C3 conference, and a session given by Frederic Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall [PDF]. During his session, Vachon said that finding a rootkit targeting a system's UEFI is significant, given that rootkit malware programs can survive on the motherboard's flash memory, giving it both persistence and stealth.

"UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level," he said. The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software's LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system's UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

5 of 168 comments (clear)

  1. Whatever happened to... by Anonymous Coward · · Score: 2, Insightful

    Whatever happened to requiring the insertion of a jumper on the motherboard to update the BIOS? That would stop this thing in its tracks.

    1. Re:Whatever happened to... by sjames · · Score: 5, Insightful

      This. Unlike old BIOS that only needed a few bytes to maintain configuration (commonly battery backed CMOS, but eeprom could be used) the latest abomination from Intel needs a full fledged read/write flash file system. To make it worse, unlike old BIOS where clearing the CMOS would recover from any mis-configuration, some implementations of EFI can be bricked.

      Now, from TFA, it turns out UEFI makes a dandy platform for persistent malware.

      So, NOW can we go back to BIOS and just make it unstand GPTs?

  2. The state of IT is a tragedy by Anonymous Coward · · Score: 5, Insightful

    Anyone with a working brain can see that non-removable persistent storage on the mainboard, that can be written from inside a running OS and only be inspected under the control of the software in that storage, is an extraordinarily stupid mistake. Then there are a variety of "management" systems (SMM, IME, ...) which also evade inspection and have full access to everything. The most trustworthy computers these days are small embedded processors (but not phones!). Desktop systems and laptops can practically not be secured. If there is a possibility of a hack, there is no reliable way to restore the system to a safe state.

  3. Re:APT? by Anonymous Coward · · Score: 0, Insightful

    Not knowing what an APT is in context of infosec is like not knowing what a CPU is while reading programming news.

    It's expected the audience will know the basics.

  4. UEFI and persistent code by Anonymous Coward · · Score: 3, Insightful

    So UEFI allows persistent code to exist in it from a 3rd party for example these laptop security/tracking apps? Who didn't think this would eventually be abused by malware or some 3 letter agency?

    What's even better than the malware back in the day that would attempt to modify known BIOS code, or maybe brick a BIOS it didn't know? A known documented API into UEFI that allows for "sanctioned" persistent code! yay!

    UEFI and IME sounds like a 3 letter agencies wet dream.