First In-The-Wild UEFI Rootkit Discovered


Researchers have discovered the activities of a new dangerous UEFI rootkit reportedly used by the Sednit (aka Fancy Bear) hacking group.

Organized hacking groups never cease to shock and surprise computer users at large, and even cybersecurity experts.

These groups can come up with new forms of malware, often going undetected, and find stealthy ways of embedding them onto the systems and networks of their targeted victims.

Sednit is one such organized hacking group and is known in the trade by many aliases. In the latest news, researchers have found that this group managed to plant a UEFI rootkit; it is the first such rootkit to be reported “in the wild”.

The Criticality of the Finding Explained

The research team that found this malware is from ESET, and they have published a detailed report on their work.

At the outset, they highlight how and why their finding of this UEFI rootkit is important and cannot be brushed away as just a topic for discussion at technology conferences.

The most important aspect of their finding is the location of this UEFI rootkit: it was discovered in the system firmware, the code that runs before any operating system is installed or loaded.

ESET gave this malware the name LoJax, primarily because they believe it is a new version of the older LoJack trojan reported back in May.

This malware is written into the flash memory and cannot be easily detected. Worse, it may never be detected: once the system is installed and commissioned, the malware can begin the mischief it was designed for.

Notorious Group Behind Lojax


As mentioned, the hackers involved in this incident of planting an in-the-wild UEFI rootkit are reported to be the Sednit hacking group.

At various times, this group has been identified by different names, with Fancy Bear the most commonly recognized alias. Cybersecurity experts and analysts have reported that the group is likely connected to the Russian government.

Sednit is notorious for its role in hacking the Democratic National Committee’s systems before the U.S. presidential election of 2016.

Some of their other supposed attacks targeted French television channel TV5 Monde in 2015 and the United Kingdom Anti-Doping Agency earlier this year.

There are many more such orchestrated cyberattacks attributed to Sednit, and ESET’s research team is of the firm opinion that this group is behind the LoJax malware, the UEFI rootkit that has now been discovered.

ESET’s Efforts at Exposing the Malware

Some of the findings of the ESET research team are worth going through to fully understand how the hackers inserted this malware.

They describe how they found that the hackers had managed to write the offending malware, in this case a UEFI module with malicious content, into the system’s SPI flash memory.

The experts refer to previous work on the LoJack malware, since some similarities exist. The LoJax toolset includes a tool that saves the firmware image to a file by reading the contents of the SPI flash memory, which is where the system’s UEFI/BIOS is housed.

A second tool then adds the malicious UEFI module to that firmware image and writes the modified image back to the SPI flash memory. This leaves the UEFI rootkit solidly installed within the system.

ESET goes on to point out that this is why the in-the-wild UEFI rootkit is so dangerous: because it lives in the firmware, it survives a reinstallation of the operating system and even the replacement of the system’s hard disk.

The researchers also note that the LoJax malware has so far been traced to a limited geography, in Central and Eastern Europe.

Other regions need to address the risk posed by this malware so they can avoid falling victim to this first “in-the-wild” UEFI rootkit.

How to Protect Yourself from This Malware?

The researchers said that older firmware systems have been found to be vulnerable to this attack, but newer versions have not.

Modern firmware includes the Secure Boot mechanism, which can act as a protective tool. With Secure Boot activated, only firmware components that are properly signed are allowed to load; anything else is rejected.

A malicious UEFI rootkit that an attacker attempts to embed during a software or hardware installation would thus be blocked, and the system stays protected from its attack.

The researchers strongly advise that users enable the Secure Boot option in their UEFI settings.

Another solution is to use the latest hardware, where the UEFI/BIOS has built-in mechanisms to thwart any attempt to insert malware into it.

By and large, the latest chipsets boast much better architecture and configuration, with security given due consideration.

One routine you could therefore adopt is to audit the systems on your network, replace older chipsets or other key components, and update the firmware.

Most of these solutions have figured into the report filed by ESET.
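A Linux-side audit helper for the two recommendations above (confirm Secure Boot is enforcing, and inventory firmware versions across the fleet), written here as an added example; it is not code from the ESET report or from this article. It assumes a Linux host with efivarfs mounted; the SecureBoot variable path and the sysfs DMI fields are the standard kernel locations, and the byte strings in the test are constructed sample values.

```python
import os
import struct
from typing import Dict, List, Optional, Tuple

# efivarfs path of the SecureBoot variable (EFI global variable GUID).
SECUREBOOT_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
DMI_DIR = "/sys/class/dmi/id"  # sysfs exposes the SMBIOS firmware fields here

def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    # efivarfs files: 4-byte little-endian attribute word, then the variable data.
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]

def secure_boot_enabled(raw: bytes) -> bool:
    # The SecureBoot variable holds one byte: 1 = enforcing, 0 = disabled.
    _, data = parse_efivar(raw)
    return len(data) >= 1 and data[0] == 1

def read_secure_boot_state(path: str = SECUREBOOT_VAR) -> Optional[bool]:
    # None when efivars are absent (legacy BIOS boot): Secure Boot cannot apply.
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return secure_boot_enabled(f.read())

def firmware_inventory(dmi_dir: str = DMI_DIR) -> Dict[str, str]:
    # Vendor, version and release date of the firmware, for fleet comparison.
    info = {}
    for field in ("bios_vendor", "bios_version", "bios_date"):
        try:
            with open(os.path.join(dmi_dir, field)) as f:
                info[field] = f.read().strip()
        except OSError:
            info[field] = "unknown"
    return info

def audit_findings(sb_state: Optional[bool], inventory: Dict[str, str]) -> List[str]:
    # Turn raw state into the findings an administrator acts on.
    findings = []
    if sb_state is None:
        findings.append("no efivars: legacy boot, Secure Boot unavailable")
    elif not sb_state:
        findings.append("Secure Boot disabled: enable it in the UEFI setup")
    if inventory.get("bios_version", "unknown") == "unknown":
        findings.append("firmware version unreadable: check update status manually")
    return findings

if __name__ == "__main__":
    print(audit_findings(read_secure_boot_state(), firmware_inventory()) or ["no findings"])
```

Run it as root on each host and collect the output centrally; hosts reporting a disabled or unavailable Secure Boot, or a firmware version older than the vendor's current release, are the ones to prioritise.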
