UEFI rootkits are widely regarded as extremely dangerous tools for cyberattacks: they survive security measures as drastic as a hard disk replacement. Until now, no UEFI rootkit had ever been detected in the wild. ESET discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system. The rootkit can drop and execute malware on disk during the boot process. This persistence method is particularly aggressive because it survives not only an OS reinstall but also a hard disk replacement.
Why is this discovery notable?
In a nutshell: the Sednit group, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, is suspected of being behind several high-profile, headline-making attacks, such as the hack of the Democratic National Committee during the 2016 US elections and intrusions into major global TV networks and agencies. If you encounter this APT group, you will want to run. Run fast and run far. These rootkits are the real deal. They are real threats, dangerous threats.
ESET’s research shows that Sednit operators used various components of the LoJax malware to target government organizations around the world. It also found that the Sednit group may have mimicked Computrace’s persistence method.
Three tools were used along with the LoJax userland agents:
1. An information-gathering tool that dumped low-level system settings to a text file. Because the protective measures some platforms apply against illegitimate firmware updates are highly platform-dependent, the attackers first needed detailed information about the target’s platform before attempting to sidestep those measures.
2. A tool that read the contents of the SPI flash memory where the UEFI/BIOS firmware is stored, giving the attackers an image of the system’s firmware.
3. A patch tool that, working from this image, added the malicious UEFI module to it and wrote the modified image back to the SPI flash memory, thereby installing the UEFI rootkit on the system. Several techniques were used to bypass the write protections on the SPI flash memory, and the tool took advantage of platforms where those protections were left unconfigured and write operations were allowed.
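The third tool only succeeds where the SPI flash write protections are misconfigured, so the practical defensive check is to audit those settings. The following is an added example, not code from the original page or from ESET: it evaluates the write-protection bits of an Intel PCH-style BIOS_CNTL register (BIOSWE, BLE, SMM_BWP) and the SPI Protected Range (PR) registers, and reports whether the BIOS region is actually write-protected. The register layout follows the Intel PCH documentation as I understand it and is stated here as an assumption; all register values below are constructed sample values, not readings from real hardware. On a real system these values are read with a firmware audit tool such as chipsec, which performs the same kind of assessment.

```python
"""Assess SPI flash write-protection settings from constructed register values.

Assumed Intel PCH-style register layout (an assumption, verify against your
chipset datasheet):
  BIOS_CNTL  bit 0 BIOSWE  - BIOS Write Enable (1 = host may write BIOS region)
             bit 1 BLE     - BIOS Lock Enable (1 = setting BIOSWE raises an SMI)
             bit 5 SMM_BWP - SMM BIOS Write Protect (1 = writes only from SMM)
  PRx        bits 12:0  base  (4 KiB units), bits 28:16 limit (4 KiB units),
             bit 31 WPE write-protection enable
"""
from dataclasses import dataclass

BIOSWE = 1 << 0
BLE = 1 << 1
SMM_BWP = 1 << 5

PR_WPE = 1 << 31
PR_BASE_MASK = 0x1FFF
PR_LIMIT_SHIFT = 16
PR_LIMIT_MASK = 0x1FFF


@dataclass
class ProtectedRange:
    base: int            # first protected byte address in flash
    limit: int           # last protected byte address in flash
    write_protected: bool


def decode_pr(value: int) -> ProtectedRange:
    """Decode one PRx register value into a byte-address range."""
    base = (value & PR_BASE_MASK) << 12
    limit = (((value >> PR_LIMIT_SHIFT) & PR_LIMIT_MASK) << 12) | 0xFFF
    return ProtectedRange(base, limit, bool(value & PR_WPE))


def assess_write_protection(bios_cntl: int, pr_values, bios_region):
    """Return (protected, findings) for the BIOS region given register values.

    The region is considered protected when BIOS_CNTL forbids host writes
    (BIOSWE clear, BLE and SMM_BWP set) or when some write-protected PR range
    covers the whole BIOS region. Findings list every weak setting seen.
    """
    findings = []
    bios_start, bios_end = bios_region

    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    if bioswe:
        findings.append("BIOSWE is set: BIOS region is writable from the OS")
    if not ble:
        findings.append("BLE is clear: BIOSWE can be set without triggering an SMI")
    if not smm_bwp:
        findings.append("SMM_BWP is clear: writes are not restricted to SMM")
    cntl_ok = (not bioswe) and ble and smm_bwp

    covered = any(
        pr.write_protected and pr.base <= bios_start and pr.limit >= bios_end
        for pr in map(decode_pr, pr_values)
    )
    if not covered:
        findings.append("no Protected Range register write-protects the whole BIOS region")

    return cntl_ok or covered, findings


if __name__ == "__main__":
    # Constructed sample: BIOS region 0x500000-0x7FFFFF of an 8 MiB flash.
    region = (0x500000, 0x7FFFFF)
    samples = {
        "hardened (BLE|SMM_BWP, no PR)": (0x22, [0, 0, 0, 0, 0]),
        "misconfigured (BIOSWE only)": (0x01, [0, 0, 0, 0, 0]),
        "PR0 covers BIOS region": (0x00, [0x87FF0500, 0, 0, 0, 0]),
    }
    for name, (cntl, prs) in samples.items():
        ok, notes = assess_write_protection(cntl, prs, region)
        print(f"{name}: {'PROTECTED' if ok else 'WRITABLE'}")
        for n in notes:
            print("  -", n)
```

A result of WRITABLE means the platform is in exactly the state the rootkit installer relies on; the findings list tells you which bit the firmware vendor left clear, which is the evidence to bring to a BIOS update or to the vendor.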
How to protect yourself?
Enable Secure Boot.
Secure Boot requires every piece of firmware loaded onto the platform to be properly signed, which vouches for the firmware’s integrity. Because this UEFI rootkit is not properly signed, it can be blocked by Secure Boot. Enabling Secure Boot alone is your first defence against UEFI firmware rootkits such as this one. It is the first step.
Even for an advanced attacker, updating a system’s firmware should not be an easy task, as many platforms bar unauthorized writes to their SPI flash memory. Only when the SPI flash memory protections are misconfigured or vulnerable does the attacker’s job become easier. Ensure you are running the most recent UEFI/BIOS available for your motherboard. Aged chipsets are another target: their older technology does not incorporate the Platform Controller Hub, leaving them vulnerable to unauthorized control.
Firmware needs to be built with security in mind from the ground up. Security researchers are continually contributing to its improvement, raising awareness of the need for security among UEFI/BIOS vendors.
Fixing a UEFI-infected platform is not easy. The SPI flash memory needs to be reflashed with a clean image specific to the motherboard, a very manual process that takes a lot of time. The other fix is costly: replace the motherboard, which also removes the infected UEFI platform.
The UEFI rootkit uncovered is one of a kind. A full list of Indicators of Compromise (IoCs) and samples can be found on GitHub.
ESET is the only major provider of endpoint security solutions to offer a dedicated layer of protection, “ESET UEFI Scanner,” designed to detect malicious components in a PC’s firmware. The UEFI Scanner is included in all of ESET’s latest consumer and business Windows products.
“Thanks to the ESET UEFI Scanner, both our consumer and business customers are in a good position to spot such attacks and defend themselves against them,” noted Juraj Malcho, chief technology officer at ESET.
ESET’s analysis of the UEFI rootkit used by Sednit is detailed in its white paper, “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group”.
- Security Week, “Russian Cyberspies Use UEFI Rootkit in Attacks”: https://www.securityweek.com/russian-cyberspies-use-uefi-rootkit-attacks
- ESET, “ESET researchers discover LoJax, the first-ever UEFI rootkit detected in a cyberattack”: https://www.eset.com/int/about/newsroom/press-releases/announcements/eset-researchers-discover-lojax-the-first-ever-uefi-rootkit-detected-in-a-cyberattack/