Security News > 2022 > January > Chinese Hackers Spotted Using New UEFI Firmware Implant in Targeted Attacks
A previously undocumented firmware implant deployed to maintain stealthy persistence as part of a targeted espionage campaign has been linked to the Chinese-speaking Winnti advanced persistent threat group.
Kaspersky, which codenamed the rootkit MoonBounce, characterized the malware as the "Most advanced UEFI firmware implant discovered in the wild to date," adding "The purpose of the implant is to facilitate the deployment of user-mode malware that stages execution of further payloads downloaded from the internet."
Three different instances of UEFI malware have been unearthed so far, including MosaicRegressor, FinFisher, and ESPecter.
The Russian cybersecurity company said it identified the presence of the firmware rootkit in a single incident last year, indicative of the highly targeted nature of the attack.
That said, the exact mechanism by which the UEFI firmware was infected remains unclear.
To counter such firmware-level modifications, it's recommended to regularly update the UEFI firmware as well as enable protections such as Boot Guard, Secure boot, and Trust Platform Modules.
News URL
https://thehackernews.com/2022/01/chinese-hackers-spotted-using-new-uefi.html
Related news
- Chinese hackers targeted sanctions office in Treasury attack (source)
- Chinese hackers breached T-Mobile's routers to scope out network (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Researchers Uncover 4-Month Cyberattack on U.S. Firm Linked to Chinese Hackers (source)
- U.S. org suffered four month intrusion by Chinese hackers (source)
- OpenWrt orders router firmware updates after supply chain attack scare (source)
- OpenWrt Sysupgrade flaw let hackers push malicious firmware images (source)
- Chinese hackers use Visual Studio Code tunnels for remote access (source)