Security News

A newly discovered and previously undocumented UEFI bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since 2012. Bootkits are malicious code planted in the firmware invisible to security software that runs within the operating system since the malware is designed to load before everything else, in the initial stage of the booting sequence.

Commercially developed FinFisher surveillanceware has been upgraded to infect Windows devices using a UEFI bootkit using a trojanized Windows Boot Manager, marking a shift in infection vectors that allow it to elude discovery and analysis. While the tool was previously deployed through tampered installers of legitimate applications such as TeamViewer, VLC, and WinRAR that were backdoored with an obfuscated downloader, subsequent updates in 2014 enabled infections via Master Boot Record bootkits with the goal of injecting a malicious loader in a manner that's engineered to slip past security tools.

Commercially developed FinFisher malware now can infect Windows devices using a UEFI bootkit that it injects in the Windows Boot Manager. "During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager replaced with a malicious one," Kasperksy researchers revealed today.

An estimated 30 million Dell computers are affected by several vulnerabilities that may enable an attacker to remotely execute code in the pre-boot environment, Eclypsium researchers have found. The vulnerabilities affect 128 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs. The problem resides in the BIOSConnect feature of Dell SupportAssist, a solution that comes preinstalled on most Windows-based Dell machines and helps users troubleshoot and resolve hardware and software problems.

TrickBot malware developers have created a new module that probes for UEFI vulnerabilities, demonstrating the actor's effort to take attacks at a level that would give them ultimate control over infected machines. TrickBoot acts as a reconnaissance tool at this stage, checking for vulnerabilities in the UEFI firmware of the infected machine.

TrickBot, one of the most notorious and adaptable malware botnets in the world, is expanding its toolset to set its sights on firmware vulnerabilities to potentially deploy bootkits and take complete control of an infected system. The new functionality, dubbed "TrickBoot" by Advanced Intelligence and Eclypsium, makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to inject malicious code in the UEFI/BIOS firmware of a device, granting the attackers an effective mechanism of persistent malware storage.

Cybersecurity researchers have spotted a rare kind of potentially dangerous malware that targets a machine's booting process to drop persistent malware. The campaign involved the use of a compromised UEFI containing a malicious implant, making it the second known public case where a UEFI rootkit has been used in the wild.

Russian antivirus maker Kaspersky has said it uncovered "Rogue UEFI firmware images" seemingly developed by black hats with links to China. The firm explained that UEFI firmware is "Typically shipped within SPI flash storage that is soldered to the computer's motherboard", and thus any malware injected into it is "Resistant to OS reinstallation or replacement of the hard drive." The technique shot to public prominence in 2015 when malware-for-governments purveyor Hacking Team was itself hacked, with details of its firmware-level spyware becoming public knowledge.

A threat actor linked to China has used UEFI malware based on code from Hacking Team in attacks aimed at organizations with an interest in North Korea, Kaspersky reported on Monday. Kaspersky researchers analyzed the malware and the malicious activity after stumbling upon several suspicious UEFI firmware images.

According to the NSA incompatibility issues often result in Secure Boot being disabled, which the agency advises against. "Customization enables administrators to realize the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections. Administrators should opt to customize Secure Boot rather than disable it for compatibility reasons. Customization may - depending on implementation - require infrastructures to sign their own boot binaries and drivers," the NSA says.