Experts Uncover New 'CosmicStrand' UEFI Firmware Rootkit Used by Chinese Hackers
An unknown Chinese-speaking threat actor has been attributed to a new kind of sophisticated UEFI firmware rootkit called CosmicStrand.
"The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset," Kaspersky researchers said in a new report published today.
CosmicStrand, a mere 96.84KB file, is also the second strain of UEFI rootkit to be discovered this year after MoonBounce in January 2022, which was deployed as part of a targeted espionage campaign by the China-linked advanced persistent threat group known as Winnti.
"The shellcodes received from the server might be stagers for attacker-supplied PE executables, and it is very likely that many more exist," Kaspersky noted, adding that it found a total of two versions of the rootkit: one used between the end of 2016 and mid-2017, and a later variant that was active in 2020.
Interestingly, Chinese cybersecurity vendor Qihoo360, which shed light on the early version of the rootkit in 2017, raised the possibility that the code modifications may have been the result of a backdoored motherboard obtained from a second-hand reseller.
"The most striking aspect is that this UEFI implant seems to have been used in the wild since the end of 2016 - long before UEFI attacks started being publicly described," the researchers said.
News URL: https://thehackernews.com/2022/07/experts-uncover-new-cosmicstrand-uefi.html