UEFI and Rootkits join nomenclature of publicly recognized APTs


With the passage of time, IT literacy has grown amongst the general public and businesses. This has also led to a growing awareness of malicious technological forces. Malware, ransomware, cryptomining and advanced persistent threats have all entered our collective consciousness, if not our colloquial IT vocabulary. However, there are deeply buried threats which have remained the realm of “IT myth”, outside the knowledge base of all but the most well-informed.

Enter rootkits and UEFI
In 2007, following agreement among industry leaders Intel, AMD and Microsoft, as well as PC manufacturers, on the need to address the shortcomings of the Basic Input/Output System (BIOS), and ahead of the rollout of 64-bit operating systems, the requirements for the Unified Extensible Firmware Interface (UEFI) were born. In large part, this was done to improve the performance and security of the PC boot-up process.

In tracking the transition from BIOS to UEFI throughout 2007, ESET also publicly joined the security discussion, and by 2012 saw the makings of a concrete threat vector. Specifically, concerns focused on the potential deployment of tools that could (as with BIOS) alter or manipulate a PC during its boot-up sequence. In the following years, many in the industry, and likely many cybercriminals, pondered who, what, when and how the development of rootkits would join the fray of malicious code. There they stayed, a myth, unicorn-like.

However, “With all the potential enabled by targeting a PC during its boot-up sequence, we wanted to zero in on practical ways of identifying this threat type,” said Roman Kovac, Chief Research Officer, ESET. While many cybersecurity minds across the industry were tracking rootkits, including UEFI rootkits, ESET decided to build the capability to detect firmware modifications into its core technology.

One complication with scanning UEFI is that there are many legitimate reasons for its modification. As such, many of the same vectors that enable legitimate modifications, like remote diagnostics or servicing, can also be misused to introduce vulnerabilities. For example, this could occur in the course of shipping or while a machine is at a repair shop. Within an organization, this could be carried out by a malicious insider or by an intruder who breaks into the premises.

Another option, which is the latest and most concerning, is a remote attack using malware and various other tools to modify firmware.

As the only vendor among the Top 20 to provide this layer of protection against such an attack, ESET chose to step away from cybersecurity orthodoxy. This decision yielded the R&D necessary to deploy the ESET UEFI Scanner in 2017, and with it, the ability to scan a computer's firmware was added to the multilayered technology found in our business and consumer solutions.

Myth becomes reality - Sednit transforms anti-theft software into an APT
Amongst the malicious actors, cybergangs and malware threats that ESET and the wider industry have tracked, the Sednit group, AKA Fancy Bear, stands out as the “one to watch”.

Thought to be behind many high-profile attacks in politics, journalism and even sports, Sednit possesses a diversified set of powerful malware tools in its arsenal. In our Sednit white paper from 2016, ESET discussed the group’s prolific capabilities. Since then we’ve built up an extensive set of clues by tracking the tools the group uses and its M.O.

In May 2018, members of the wider cybersecurity community described how code in the small agent executable found in Absolute Software’s LoJack product, a legitimate laptop recovery solution, had been trojanized. Now, ESET researchers have demonstrated that it was the Sednit group, AKA Fancy Bear, that managed this feat.

The malicious samples communicate with a malicious command and control (C&C) server instead of Absolute Software’s legitimate server, and show alterations to the original product’s hardcoded configuration settings. Among other clues was the use of C&C domains previously associated with the notorious first-stage backdoor SedUploader, first recorded in 2017. With those connections made, ESET researchers began referring to the campaign’s malicious usage of the legitimate software as LoJax.

What does this assault on UEFI mean for users?
Without making sweeping assumptions, the fact that malware targeting and successfully infiltrating UEFI has been found in the wild is of serious concern. Since compromising UEFI improves the persistence of malware and is nearly undetectable with the traditional scanning methods of average cybersecurity solutions, attackers have been looking for ways to gain access, escalate privileges, and write directly to the SPI (Serial Peripheral Interface) flash memory that holds the UEFI firmware, the code trusted to make your computer boot. Said simply, if you control the boot sequence, then you control whatever the machine is likely to do once it’s operating.

So, to IT decision makers, their staff and the wider public tracking threats to their use of IT: there is now a new way that your computer can be turned against you. We’ve been collectively put on notice by Sednit that the capacity to attack and manipulate PCs at the boot level has arrived and has been tested. Fortunately, ESET researchers’ detection means that security technologists have a chance to align and fight in the name of Safer Technology.
