Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:45 PM
Connect Directly

Rare Firmware Rootkit Discovered Targeting Diplomats, NGOs

Second-ever sighting of a firmware exploit in the wild is a grim reminder of the dangers of these mostly invisible attacks.

It's a silent and deadly threat long dreaded by security experts: malware entrenched in the firmware of modern computer chips that can't be expelled by reinstalling the operating system or even wiping or replacing the hard drive.

These mostly invisible firmware rootkit — aka bootkit — attacks thus far have been very rare, but researchers at Kaspersky have discovered one in the wild. The custom rootkit compromised the Unified Extensible Firmware Interface (UEFI) in computer chips that handles system booting and loading the operating system. The malware implant, which was just one module found in a larger attack framework Kaspersky named MosaicRegressor, appears to be written by a Chinese-speaking actor, based on several artifacts and language clues in it, the researchers say.

Related Content:

'Boothole' Vulnerability Exposes Secure Boot Devices to Attack

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Rethinking Email Security in the Face of Fearware

The attackers pointed MosaicRegressor at African, Asian, and European diplomatic and nongovernmental organizations between 2017 and 2019. Two victims of were found with the UEFI bootkit infection. All of the targets had some link to North Korea interests, either as nonprofits focused on the country or with locations there.

This is only the second known case of a bootkit attack: The first, revealed two years ago by ESET, was used by the Russian nation-state hacking group Fancy Bear, aka Sednit/Sofacy/APT28, best known for its 2016 attack on the Democratic National Committee. The so-called LoJax malware basically mimicked Absolute Software's LoJack computer anti-theft software embedded in many machines, exploiting the flaws in the BIOS of victim machines and then dropping the bootkit on them.

"That was truly a significant finding," said Mark Lechtik, senior security researcher at Kaspersky, who along with colleague Igor Kuznetsov detailed their research at Kaspersky's [email protected] virtual event this week. What sets this second UEFI rootkit apart from the previous one, Lechtik said, is that's a customized version of one developed by HackingTeam, the controversial zero-day exploit development firm out of Italy known for selling advanced attack modules to governments.

HackingTeam itself got hacked and doxed five years ago, and much of its code, including that of a UEFI rootkit, is now living on GitHub for researchers and attackers alike to experiment with.

"There was actually no evidence of [the HackingTeam rootkit's] usage in the wild" until now, Lechtik said.

It was only a matter of time that an advanced threat group would employ the UEFI bootkit tool from HackingTeam. Jesse Michael, principal security researcher with Eclypsium, says he's built proof-of-concept versions of the code in his own research to prove and study how it could be weaponized.

Bootkits are all about dwell time for an attacker, he says, even though they have not yet been widely used to date. This malware found by Kaspersky is based on "pretty simple code," he says, and has plenty of room for enhancement. "There's a lot you can do to take advantage of " the UEFI bootkit, he says. "This just scratches the surface."

The Kaspersky researchers say they weren't able to pinpoint how the attackers were able to plant the bootkit on the victim machines and rewrite the legitimate UEFI firmware. They point to two possible scenarios: physical access to the victim machine akin to Hacking Team's USB key tool. "Such a USB would contain a special update utility that can be generated with a designated builder provided by the company. We found a Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well," they wrote in a blog post.

Another option is via a remotely installed "patch" of the firmware with the malicious code. That would entail attacking the BIOS update authentication process to pull off.

The bootkit's main job is to deploy malware in a targeted file directory, Lechtik said. "So when the operating system starts, this malware file will be executed."

The attackers also appeared to have used the Winnti backdoor, a popular tool among Chinese nation-state groups. Kuznetsov said he and the team were able to get one of the DLL files, which turned out to be an information-stealing tool that had archived the contents of the recently accessed documents folder. "It suggested the whole campaign was related to espionage activities. But we don't have evidence to have any clues about what is actually the target" information, he said. MosaicRegressor has no known ties to any other threat groups that Kaspersky tracks.

Fighting the Invisible Enemy
It's not easy to even track these types of attacks because there's little visibility into them, researchers say. So, how do you protect against a bootkit attack?

Encrypting the hard drive itself is one way to defend against such an attack, using Microsoft's BitLocker, for example, Kaspersky says. There's also Secure Boot, a feature supported on most modern computers that allows only securely signed firmware and software to boot up and run on a machine. Intel offers in its microprocessors the Secure Boot-based Intel Boot Guard, which protects UEFI firmware from tampering and malware.

"But if the motherboard is misconfigured and protections are not in place — if Boot Guard is not turned on — there are huge problems for any platform" that gets targeted, Kuznetsov said.

Michael says he worries that the bootkit capability ultimately be deployed in even more sophisticated attacks. For example, an attacker could watch and wait for a system protected by BitLocker to unlock, and then "patch" the system with bootkit malware.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00.
PUBLISHED: 2021-04-13
A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. This resulted in Cross-site scripting on the cheetah browser in any website.
PUBLISHED: 2021-04-13
The Motorola MH702x devices, prior to version, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.
PUBLISHED: 2021-04-13
A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could allow unauthorized access to the driver's device object.
PUBLISHED: 2021-04-13
A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could cause systems to experience a blue screen error.