Security News > 2022 > January > Chinese Hackers Spotted Using New UEFI Firmware Implant in Targeted Attacks
A previously undocumented firmware implant deployed to maintain stealthy persistence as part of a targeted espionage campaign has been linked to the Chinese-speaking Winnti advanced persistent threat group.
Kaspersky, which codenamed the rootkit MoonBounce, characterized the malware as the "Most advanced UEFI firmware implant discovered in the wild to date," adding "The purpose of the implant is to facilitate the deployment of user-mode malware that stages execution of further payloads downloaded from the internet."
Three different instances of UEFI malware have been unearthed so far, including MosaicRegressor, FinFisher, and ESPecter.
The Russian cybersecurity company said it identified the presence of the firmware rootkit in a single incident last year, indicative of the highly targeted nature of the attack.
That said, the exact mechanism by which the UEFI firmware was infected remains unclear.
To counter such firmware-level modifications, it's recommended to regularly update the UEFI firmware as well as enable protections such as Boot Guard, Secure boot, and Trust Platform Modules.
News URL
https://thehackernews.com/2022/01/chinese-hackers-spotted-using-new-uefi.html
Related news
- Chinese hackers targeted sanctions office in Treasury attack (source)
- Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks (source)
- US sanctions Chinese company linked to Flax Typhoon hackers (source)
- Chinese hackers also breached Charter and Windstream networks (source)
- US Treasury hack linked to Silk Typhoon Chinese state hackers (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Hackers use FastHTTP in new high-speed Microsoft 365 password attacks (source)
- US sanctions Chinese firm, hacker behind telecom and Treasury hacks (source)
- Trump 'waved a white flag to Chinese hackers' as Homeland Security axed cyber advisory boards (source)
- Google says hackers abuse Gemini AI to empower their attacks (source)