Dangerous UEFI Firmware Bootkit Puts PC Users Under Threat Of Persistent Attacks
UEFI attacks are not new, but they are rarely seen in the wild. As the SecureList team puts it, you do not see these attacks “due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target’s SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so.” When such an attack does succeed, however, the attacker gains persistence that is very hard to dislodge. The implant lives in the SPI flash chip on the motherboard, so it runs during boot, before the operating system (OS) loads, and can plant malware on the disk that then runs while the OS is up. Reinstalling the OS or even replacing the drive does not touch the firmware. A user who notices something odd on their machine will typically wipe the OS and call it a day, leaving the implant in place. In the past, UEFI attacks have been seen in the wild with the LoJax implant, while others were known only from research tooling such as the VectorEDK bootkit, whose source code became public in the 2015 Hacking Team breach. VectorEDK is particularly interesting because, as the team said, they “hadn’t witnessed actual evidence of it in the wild” until now.
Upon investigating some suspicious UEFI firmware images, the team found components based on the VectorEDK bootkit with some customization. A set of four modules work together during boot to drop an executable into the Startup folder of the Windows installation, so the malicious software is launched automatically at logon. Deleting that executable does not help for long: it is recreated on the next boot, because the code that writes it is baked into the firmware, and the firmware cannot be cleaned without reflashing the SPI chip.
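Hunting for this kind of implant starts where the SecureList team started: with the firmware image itself. The usual check is to dump the SPI flash (for example with CHIPSEC) and compare it against a clean vendor image, looking for DXE drivers that should not be there or that have been altered. The following Python script is an added example, not code from the article or from Kaspersky; it walks the firmware-volume and FFS file headers defined in the UEFI Platform Initialization spec (the `_FVH` signature, the 24-byte file header with GUID, type and 3-byte size) and reports files that are only present in the dump or whose body hash changed. The two images, the module GUIDs and the PE stubs are constructed inline for the demonstration and are not real implant identifiers; the walker also assumes a flat image and does not descend into nested volumes or compressed sections.

```python
import hashlib
import struct
import uuid

# Layout constants from the UEFI PI spec (EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER).
FV_SIGNATURE = b"_FVH"          # Signature field lives at offset 40 of the volume header
FV_FIXED_HEADER_LEN = 56        # header bytes before the block map
FFS_HEADER_LEN = 24             # GUID(16) + IntegrityCheck(2) + Type(1) + Attributes(1) + Size(3) + State(1)
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
EFI_FV_FILETYPE_DRIVER = 0x07   # DXE driver, the module type a bootkit like this ships as


def build_ffs_file(name, file_type, body):
    """Build one FFS file (header + body). IntegrityCheck is left zero; this example does not verify it."""
    size = FFS_HEADER_LEN + len(body)
    header = (name.bytes_le + struct.pack("<HBB", 0, file_type, 0)
              + size.to_bytes(3, "little") + b"\xF8")  # State byte, erase-polarity-1 encoding
    return header + body


def build_volume(files):
    """Build a minimal volume: fixed header, one block-map entry plus terminator, 8-byte-aligned files, 0xFF fill."""
    body = b""
    for f in files:
        if len(body) % 8:
            body += b"\xFF" * (8 - len(body) % 8)  # FFS files are 8-byte aligned inside the volume
        body += f
    header_len = FV_FIXED_HEADER_LEN + 8 + 8
    block_size = 0x1000
    num_blocks = -(-(header_len + len(body)) // block_size)
    fv_len = num_blocks * block_size
    header = (b"\x00" * 16                       # ZeroVector
              + FFS2_GUID.bytes_le                # FileSystemGuid
              + struct.pack("<Q", fv_len)         # FvLength
              + FV_SIGNATURE
              # Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision
              + struct.pack("<IHHHBB", 0, header_len, 0, 0, 0, 2)
              + struct.pack("<II", num_blocks, block_size)  # EFI_FV_BLOCK_MAP_ENTRY
              + struct.pack("<II", 0, 0))                   # block-map terminator
    return header + body + b"\xFF" * (fv_len - header_len - len(body))


def iter_volumes(image):
    """Yield (start, fv_length, header_length) for each top-level volume found via its _FVH signature."""
    pos = 0
    while (sig := image.find(FV_SIGNATURE, pos)) >= 0:
        start = sig - 40
        if start >= 0:
            fv_len, = struct.unpack_from("<Q", image, start + 32)
            hdr_len, = struct.unpack_from("<H", image, start + 48)
            if 0 < fv_len <= len(image) - start and hdr_len >= FV_FIXED_HEADER_LEN:
                yield start, fv_len, hdr_len
                pos = start + fv_len  # nested volumes / compressed sections are not descended into
                continue
        pos = sig + len(FV_SIGNATURE)


def list_files(image):
    """Map each FFS file GUID to (file type, SHA-256 of its body) across every volume in the image."""
    found = {}
    for start, fv_len, hdr_len in iter_volumes(image):
        off, end = start + hdr_len, start + fv_len
        while off + FFS_HEADER_LEN <= end:
            if off % 8:
                off += 8 - off % 8
                continue
            header = image[off:off + FFS_HEADER_LEN]
            size = int.from_bytes(header[20:23], "little")
            if header == b"\xFF" * FFS_HEADER_LEN or size < FFS_HEADER_LEN:
                break  # erased free space: no more files in this volume
            name = uuid.UUID(bytes_le=header[:16])
            body = image[off + FFS_HEADER_LEN:off + size]
            found[name] = (header[18], hashlib.sha256(body).hexdigest())
            off += size
    return found


def diff_firmware(vendor_image, dumped_image):
    """Return (added, modified): GUIDs only in the dump, and GUIDs whose type or body differs from the vendor image."""
    base, dump = list_files(vendor_image), list_files(dumped_image)
    added = sorted(str(g) for g in dump.keys() - base.keys())
    modified = sorted(str(g) for g in dump.keys() & base.keys() if dump[g] != base[g])
    return added, modified


# Constructed sample data: these GUIDs and PE stubs are invented for the example, not real module identifiers.
DRIVER_A = uuid.UUID("0a0a0a0a-1111-4222-8333-444444444444")
DRIVER_B = uuid.UUID("0b0b0b0b-1111-4222-8333-444444444444")
IMPLANT = uuid.UUID("bad00000-1111-4222-8333-444444444444")


def _pe_stub(tag):
    return b"MZ" + tag + b"\x00" * 30


VENDOR_IMAGE = build_volume([
    build_ffs_file(DRIVER_A, EFI_FV_FILETYPE_DRIVER, _pe_stub(b"A")),
    build_ffs_file(DRIVER_B, EFI_FV_FILETYPE_DRIVER, _pe_stub(b"B")),
])
DUMPED_IMAGE = build_volume([             # same two drivers plus one extra DXE driver
    build_ffs_file(DRIVER_A, EFI_FV_FILETYPE_DRIVER, _pe_stub(b"A")),
    build_ffs_file(DRIVER_B, EFI_FV_FILETYPE_DRIVER, _pe_stub(b"B")),
    build_ffs_file(IMPLANT, EFI_FV_FILETYPE_DRIVER, _pe_stub(b"X")),
])
TAMPERED_IMAGE = build_volume([           # same GUIDs, but DRIVER_A's body was changed in place
    build_ffs_file(DRIVER_A, EFI_FV_FILETYPE_DRIVER, _pe_stub(b"A2")),
    build_ffs_file(DRIVER_B, EFI_FV_FILETYPE_DRIVER, _pe_stub(b"B")),
])

if __name__ == "__main__":
    print("dump vs vendor:    ", diff_firmware(VENDOR_IMAGE, DUMPED_IMAGE))
    print("tampered vs vendor:", diff_firmware(VENDOR_IMAGE, TAMPERED_IMAGE))
```

On a real dump, replace the constructed images with the bytes read from the vendor's update file and from the SPI dump. Comparing GUID sets alone would miss a module that was patched in place, which is why the body hash is carried alongside the type; a full-featured tool (UEFITool, for instance) will additionally unpack nested volumes and compressed sections, which this walker deliberately skips.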
As the SecureList team explains, the “attacks described in this blog post demonstrate the length an actor can go in order to gain the highest level of persistence on a victim machine.” This sort of attack, while rare, is certainly possible, so security vendors and individuals alike need to be aware of it. If you are concerned about compromised UEFI firmware, you can read the full SecureList post here.