Security News > 2022 > January > Chinese Hackers Spotted Using New UEFI Firmware Implant in Targeted Attacks
A previously undocumented firmware implant deployed to maintain stealthy persistence as part of a targeted espionage campaign has been linked to the Chinese-speaking Winnti advanced persistent threat group.
Kaspersky, which codenamed the rootkit MoonBounce, characterized the malware as the "Most advanced UEFI firmware implant discovered in the wild to date," adding "The purpose of the implant is to facilitate the deployment of user-mode malware that stages execution of further payloads downloaded from the internet."
Three different instances of UEFI malware have been unearthed so far, including MosaicRegressor, FinFisher, and ESPecter.
The Russian cybersecurity company said it identified the presence of the firmware rootkit in a single incident last year, indicative of the highly targeted nature of the attack.
That said, the exact mechanism by which the UEFI firmware was infected remains unclear.
To counter such firmware-level modifications, it's recommended to regularly update the UEFI firmware as well as enable protections such as Boot Guard, Secure boot, and Trust Platform Modules.
News URL
https://thehackernews.com/2022/01/chinese-hackers-spotted-using-new-uefi.html
Related news
- Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks (source)
- Chinese FamousSparrow hackers deploy upgraded malware in attacks (source)
- Hacker pleads guilty to SIM swap attack on US SEC X account (source)
- RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset (source)
- Chinese espionage tools deployed in RA World ransomware attack (source)
- whoAMI attacks give hackers code execution on Amazon EC2 instances (source)
- Chinese hackers breach more US telecoms via unpatched Cisco routers (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Chinese hackers abuse Microsoft APP-v tool to evade antivirus (source)
- Chinese hackers use custom malware to spy on US telecom networks (source)