ESET discovers first LoJax UEFI rootkit malware by Sednit group

    Posted: 27 Sep 2018

    UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyberattacks, as they are hard to detect and able to survive security measures such as operating system reinstallation and even a hard disk replacement. Some UEFI rootkits have been presented as proofs of concept; some are known to be at the disposal of (at least some) governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system.

    The discovery of the first in-the-wild UEFI rootkit is notable for two reasons.

    First, it shows that UEFI rootkits are a real threat, and not merely an attractive conference topic.

    And second, it serves as a heads-up, especially to all those who might be in the crosshairs of Sednit. This APT group, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, may be even more dangerous than previously thought.

    Our analysis of the Sednit campaign that uses the UEFI rootkit was presented September 27 at the 2018 Microsoft BlueHat conference and is described in detail in our “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper. In this blog post, we summarize our main findings.

    The Sednit group has been operating since at least 2004, and has made headlines frequently in past years: it is believed to be behind major, high-profile attacks. For instance, the US Department of Justice named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many others. This group has a diversified set of malware tools in its arsenal, several examples of which we have documented previously in our Sednit white paper from 2016.

    Our investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory. This module is able to drop and execute malware on disk during the boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.

    Our research has shown that the Sednit operators used different components of the LoJax malware to target a few government organizations in the Balkans as well as in Central and Eastern Europe...


    Read more: LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

    Download research paper (PDF): https://www.welivesecurity.com/wp-co...ESET-LoJax.pdf


    Posted By: Brink
    27 Sep 2018


  1. Posts : 12,801
    Windows 11 Pro
       #1

    That sounds like some serious stuff. Make me glad I use ESET.


  2. Posts : 10,311
    Windows 10 Pro x64 release preview channel
       #2

    essenbe said:
    That sounds like some serious stuff. Make me glad I use ESET.
    Same here Steve


  3. Posts : 69
    W10 1809
       #3

    Hardware-based droppers have been around for some time now; they started in 2016.
    It doesn't 'drop' or 'execute'; it calls out and downloads the malware, turns your PC into a VM .... Welcome to the botnet.
    Extensively, in the 'Device Manager' you have an option to update your BIOS:
    [Attached screenshot: 2018-09-27_151346.jpg]
    It doesn't take much to hijack this process and flash a malicious script.
    MSU for W10 will eventually be an automatic install for this procedure.

    LINUX ......


  4. Posts : 848
    Windows 10 LTSC
       #4

    Not all systems have the option to update the BIOS from inside the OS.


  5. Posts : 7,904
    Windows 11 Pro 64 bit
       #5

    RoasterMen said:
    Not all systems have the option to update the BIOS from inside the OS.
    Does this mean PCs not having the Device Manager option above are safe from this attack method?


  6. Posts : 317
    Microsoft Windows 10 x64
       #6

    hello,

    If I flash the BIOS with the original manufacturer's BIOS firmware, and it is not modified,
    does this mean I am safe?


  7. Posts : 2,935
    Windows 10 Home x64
       #7

    This sounds very serious (as Essenbe said above). Viruses are becoming more and more sophisticated. As I haven't noticed any sign of benefits from using GPT/UEFI partition schemes, I think I may be returning to good old MBR when the new Windows (v1809) arrives. I don't know. What do you think?
    In all seriousness, GPT/UEFI doesn't provide anything fancy, despite Intel's claims. I do a lot of backups with Macrium Reflect, so I am not worried about partition corruption and such.


  8. Posts : 7,904
    Windows 11 Pro 64 bit
       #8

    eLPuSHeR said:
    This sounds very serious (as Essenbe said above). Viruses are becoming more and more sophisticated. As I haven't noticed any sign of benefits from using GPT/UEFI partition schemes, I think I may be returning to good old MBR when the new Windows (v1809) arrives. I don't know. What do you think?
    In all seriousness, GPT/UEFI doesn't provide anything fancy, despite Intel's claims. I do a lot of backups with Macrium Reflect, so I am not worried about partition corruption and such.
    I thought it was easier to infect the MBR?


  9. Posts : 69
    W10 1809
       #9

    This hardware-based malware payload is not introduced via social engineering; in its current state, it is introduced to the targeted PC by a person.
    This will have to be in the factory, at a service center, repair depot, large academic or learning center, any large global company that has an IT department..... Even a municipal, State/Provincial or Federal employee has an IT department..... You get the idea.

    It's not inconceivable that a service/repair/production line employee at any major PC company could be bribed to have a hand in this. The lure of money is too great; you don't need to be under financial distress to fold under the pressure of CA$H in hand.

    In 2012, the MBR ZeroAccess Rootkit BotNet was worth 2.7 Million per year, and an estimated $100,000 USD per day for clickjacking and up to $900,000.00 in fraudulent clicks....... That's 2012! The botnet has quadrupled in size.

    It's about money, lots of it, and someone out there is worth more than Trump/Putin and Mao combined; they just can't advertise it or be on the cover of Forbes.

    Dump a payload into a production line system for half million, sure, why not.

    Also, did you notice that MS Firmware update driver is dated 2006 .... That doesn't inspire confidence in me....

    Linux, my next machine is going to be Linux.....

    And then there's RAM-based malware, another hardware-based payload.
    Undetectable by ALL current AV/AM programs.
    Writes itself to RAM, does its thing, disappears when the PC is shut down.
    Not there when it starts up; MBR/boot-time scans will not detect it.
    Last edited by Penny K; 28 Sep 2018 at 03:49.


Windows 10 Forums, © Designer Media Ltd