Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10/7/2020
04:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Rare Firmware Rootkit Discovered Targeting Diplomats, NGOs

Second-ever sighting of a firmware exploit in the wild is a grim reminder of the dangers of these mostly invisible attacks.

It's a silent and deadly threat long dreaded by security experts: malware entrenched in the firmware of modern computer chips that can't be expelled by reinstalling the operating system or even wiping or replacing the hard drive.

These mostly invisible firmware rootkit — aka bootkit — attacks thus far have been very rare, but researchers at Kaspersky have discovered one in the wild. The custom rootkit compromised the Unified Extensible Firmware Interface (UEFI) in computer chips that handles system booting and loading the operating system. The malware implant, which was just one module found in a larger attack framework Kaspersky named MosaicRegressor, appears to be written by a Chinese-speaking actor, based on several artifacts and language clues in it, the researchers say.

Related Content:

'Boothole' Vulnerability Exposes Secure Boot Devices to Attack

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Rethinking Email Security in the Face of Fearware

The attackers pointed MosaicRegressor at African, Asian, and European diplomatic and nongovernmental organizations between 2017 and 2019. Two victims of were found with the UEFI bootkit infection. All of the targets had some link to North Korea interests, either as nonprofits focused on the country or with locations there.

This is only the second known case of a bootkit attack: The first, revealed two years ago by ESET, was used by the Russian nation-state hacking group Fancy Bear, aka Sednit/Sofacy/APT28, best known for its 2016 attack on the Democratic National Committee. The so-called LoJax malware basically mimicked Absolute Software's LoJack computer anti-theft software embedded in many machines, exploiting the flaws in the BIOS of victim machines and then dropping the bootkit on them.

"That was truly a significant finding," said Mark Lechtik, senior security researcher at Kaspersky, who along with colleague Igor Kuznetsov detailed their research at Kaspersky's [email protected] virtual event this week. What sets this second UEFI rootkit apart from the previous one, Lechtik said, is that's a customized version of one developed by HackingTeam, the controversial zero-day exploit development firm out of Italy known for selling advanced attack modules to governments.

HackingTeam itself got hacked and doxed five years ago, and much of its code, including that of a UEFI rootkit, is now living on GitHub for researchers and attackers alike to experiment with.

"There was actually no evidence of [the HackingTeam rootkit's] usage in the wild" until now, Lechtik said.

It was only a matter of time that an advanced threat group would employ the UEFI bootkit tool from HackingTeam. Jesse Michael, principal security researcher with Eclypsium, says he's built proof-of-concept versions of the code in his own research to prove and study how it could be weaponized.

Bootkits are all about dwell time for an attacker, he says, even though they have not yet been widely used to date. This malware found by Kaspersky is based on "pretty simple code," he says, and has plenty of room for enhancement. "There's a lot you can do to take advantage of " the UEFI bootkit, he says. "This just scratches the surface."

The Kaspersky researchers say they weren't able to pinpoint how the attackers were able to plant the bootkit on the victim machines and rewrite the legitimate UEFI firmware. They point to two possible scenarios: physical access to the victim machine akin to Hacking Team's USB key tool. "Such a USB would contain a special update utility that can be generated with a designated builder provided by the company. We found a Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well," they wrote in a blog post.

Another option is via a remotely installed "patch" of the firmware with the malicious code. That would entail attacking the BIOS update authentication process to pull off.

The bootkit's main job is to deploy malware in a targeted file directory, Lechtik said. "So when the operating system starts, this malware file will be executed."

The attackers also appeared to have used the Winnti backdoor, a popular tool among Chinese nation-state groups. Kuznetsov said he and the team were able to get one of the DLL files, which turned out to be an information-stealing tool that had archived the contents of the recently accessed documents folder. "It suggested the whole campaign was related to espionage activities. But we don't have evidence to have any clues about what is actually the target" information, he said. MosaicRegressor has no known ties to any other threat groups that Kaspersky tracks.

Fighting the Invisible Enemy
It's not easy to even track these types of attacks because there's little visibility into them, researchers say. So, how do you protect against a bootkit attack?

Encrypting the hard drive itself is one way to defend against such an attack, using Microsoft's BitLocker, for example, Kaspersky says. There's also Secure Boot, a feature supported on most modern computers that allows only securely signed firmware and software to boot up and run on a machine. Intel offers in its microprocessors the Secure Boot-based Intel Boot Guard, which protects UEFI firmware from tampering and malware.

"But if the motherboard is misconfigured and protections are not in place — if Boot Guard is not turned on — there are huge problems for any platform" that gets targeted, Kuznetsov said.

Michael says he worries that the bootkit capability ultimately be deployed in even more sophisticated attacks. For example, an attacker could watch and wait for a system protected by BitLocker to unlock, and then "patch" the system with bootkit malware.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27974
PUBLISHED: 2020-10-28
NeoPost Mail Accounting Software Pro 5.0.6 allows php/Commun/FUS_SCM_BlockStart.php?code= XSS.
CVE-2020-27975
PUBLISHED: 2020-10-28
osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF.
CVE-2020-27976
PUBLISHED: 2020-10-28
osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option.
CVE-2020-27978
PUBLISHED: 2020-10-28
Shibboleth Identify Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.
CVE-2020-22552
PUBLISHED: 2020-10-28
The Snap7 server component in version 1.4.1, when an attacker sends a crafted packet with COTP protocol the last-data-unit flag set to No and S7 writes a var function, the Snap7 server will be crashed.