
Threat Intelligence


Rare Firmware Rootkit Discovered Targeting Diplomats, NGOs

Second-ever sighting of a firmware exploit in the wild is a grim reminder of the dangers of these mostly invisible attacks.

It's a silent and deadly threat long dreaded by security experts: malware entrenched in the firmware of modern computer chips that can't be expelled by reinstalling the operating system or even wiping or replacing the hard drive.

These mostly invisible firmware rootkit (aka bootkit) attacks have been very rare thus far, but researchers at Kaspersky have discovered one in the wild. The custom rootkit compromised the Unified Extensible Firmware Interface (UEFI) firmware in computer chips that handles system booting and loading the operating system. The malware implant, which was just one module found in a larger attack framework Kaspersky named MosaicRegressor, appears to have been written by a Chinese-speaking actor, based on several artifacts and language clues in it, the researchers say.


The attackers pointed MosaicRegressor at African, Asian, and European diplomatic and nongovernmental organizations between 2017 and 2019. Two victims were found with the UEFI bootkit infection. All of the targets had some link to North Korean interests, either as nonprofits focused on the country or as organizations with locations there.

This is only the second known case of a bootkit attack: The first, revealed two years ago by ESET, was used by the Russian nation-state hacking group Fancy Bear, aka Sednit/Sofacy/APT28, best known for its 2016 attack on the Democratic National Committee. The so-called LoJax malware basically mimicked Absolute Software's LoJack computer anti-theft software embedded in many machines, exploiting the flaws in the BIOS of victim machines and then dropping the bootkit on them.

"That was truly a significant finding," said Mark Lechtik, senior security researcher at Kaspersky, who along with colleague Igor Kuznetsov detailed their research at Kaspersky's [email protected] virtual event this week. What sets this second UEFI rootkit apart from the previous one, Lechtik said, is that it's a customized version of one developed by HackingTeam, the controversial zero-day exploit development firm out of Italy known for selling advanced attack modules to governments.

HackingTeam itself got hacked and doxed five years ago, and much of its code, including that of a UEFI rootkit, is now living on GitHub for researchers and attackers alike to experiment with.

"There was actually no evidence of [the HackingTeam rootkit's] usage in the wild" until now, Lechtik said.

It was only a matter of time before an advanced threat group would employ the UEFI bootkit tool from HackingTeam. Jesse Michael, principal security researcher with Eclypsium, says he has built proof-of-concept versions of the code in his own research to prove and study how it could be weaponized.

Bootkits are all about dwell time for an attacker, he says, even though they have not been widely used to date. The malware found by Kaspersky is based on "pretty simple code," he says, and has plenty of room for enhancement. "There's a lot you can do to take advantage of" the UEFI bootkit, he says. "This just scratches the surface."

The Kaspersky researchers say they weren't able to pinpoint how the attackers planted the bootkit on the victim machines and rewrote the legitimate UEFI firmware. They point to two possible scenarios. The first is physical access to the victim machine, akin to HackingTeam's USB key tool. "Such a USB would contain a special update utility that can be generated with a designated builder provided by the company. We found a Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well," they wrote in a blog post.

The second is a remotely installed "patch" of the firmware containing the malicious code. Pulling that off would entail attacking the BIOS update authentication process.

The bootkit's main job is to deploy malware in a targeted file directory, Lechtik said. "So when the operating system starts, this malware file will be executed."

The attackers also appeared to have used the Winnti backdoor, a popular tool among Chinese nation-state groups. Kuznetsov said he and the team were able to get one of the DLL files, which turned out to be an information-stealing tool that had archived the contents of the recently accessed documents folder. "It suggested the whole campaign was related to espionage activities. But we don't have evidence to have any clues about what is actually the target" information, he said. MosaicRegressor has no known ties to any other threat groups that Kaspersky tracks.

Fighting the Invisible Enemy
It's not easy to even track these types of attacks because there's little visibility into them, researchers say. So, how do you protect against a bootkit attack?

Kaspersky says one way to defend against such an attack is to encrypt the hard drive itself, using Microsoft's BitLocker, for example. There's also Secure Boot, a feature supported on most modern computers that allows only securely signed firmware and software to boot up and run on a machine. Intel's microprocessors offer the Secure Boot-based Intel Boot Guard, which protects UEFI firmware from tampering and malware.

"But if the motherboard is misconfigured and protections are not in place — if Boot Guard is not turned on — there are huge problems for any platform" that gets targeted, Kuznetsov said.
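The protections named above are only useful when they are actually switched on, which is the misconfiguration Kuznetsov warns about. The following PowerShell script is an added defender-side example, not code from the article or from Kaspersky, that reports the Secure Boot, TPM and BitLocker posture of a Windows machine using the standard SecureBoot, TrustedPlatformModule and BitLocker modules; it assumes an elevated session, and since Boot Guard state is not exposed by a built-in cmdlet it only flags that as something to verify with vendor tooling.

```powershell
# Added example (not from the article): summarize boot-integrity settings on Windows.
# Assumes an elevated PowerShell on Windows 8 / Server 2012 or later.

function Get-BootIntegrityPosture {
    $report = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS systems or when not elevated.
    try {
        $report['SecureBoot'] = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        $report['SecureBoot'] = 'Unavailable (legacy BIOS or not elevated)'
    }

    # TPM: BitLocker key protection and measured boot depend on a present, ready TPM.
    try {
        $tpm = Get-Tpm
        $report['TPM'] = if ($tpm.TpmPresent -and $tpm.TpmReady) { 'Present and ready' } else { 'Absent or not ready' }
    } catch {
        $report['TPM'] = 'Unavailable (TrustedPlatformModule module missing)'
    }

    # BitLocker on the OS volume: ProtectionStatus must be On, not merely encrypted but suspended.
    try {
        $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $report['BitLockerOSVolume'] = "$($osVol.VolumeStatus) / Protection $($osVol.ProtectionStatus)"
    } catch {
        $report['BitLockerOSVolume'] = 'Unavailable (BitLocker module missing)'
    }

    # Boot Guard is fused into the platform and has no built-in cmdlet; flag it for manual review.
    $report['BootGuard'] = 'Not exposed to PowerShell; verify with vendor or Intel tooling'

    return [pscustomobject]$report
}

Get-BootIntegrityPosture | Format-List
```

Any line that reads Disabled, Absent or Unavailable is a machine where the UEFI-level protections the article describes are not doing their job.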

Michael says he worries that the bootkit capability will ultimately be deployed in even more sophisticated attacks. For example, an attacker could watch and wait for a system protected by BitLocker to unlock, and then "patch" the system with bootkit malware.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
