UEFI rootkits – from theory to a real threat
UEFI rootkits, the hackers’ Holy Grail, were long feared but none was ever seen in the wild – until ESET discovered a campaign by the infamous Sednit APT group. Some UEFI rootkits have been presented at security conferences as proofs of concept; some are known to be at the disposal of governmental agencies. However, until August 2018, no UEFI rootkit was ever detected in a real cyber attack.
The above-mentioned Sednit campaign used a UEFI rootkit that ESET researchers named LoJax. ESET’s analysis of the campaign is described in detail in the “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper. More information about UEFI-related security can be found at ESET’s security blog, WeLiveSecurity.
Security risks of firmware, UEFI, rootkits
The computer code that starts right after the computer is turned on and has the ultimate power over the computer’s operating system (and thus the whole machine) is called firmware. The standard – think of it as a set of rules – for how the firmware behaves is called UEFI (its predecessor was called BIOS). Firmware and UEFI are often linked together and called UEFI firmware.
A rootkit is a dangerous malware designed to gain “illegal” and persistent access to what is otherwise not allowed. Typically, a rootkit also masks its existence or the existence of other malware.
Learn more
A UEFI rootkit is a rootkit that hides in firmware, and there are two reasons for this type of rootkit being extremely dangerous. First, UEFI rootkits are very persistent, able to survive a computer’s reboot, re-installation of the operating system and even hard disk replacement. Second, they are hard to detect because the firmware is not usually inspected for code integrity. ESET security solutions containing a dedicated layer of protection, ESET UEFI Scanner, are an exception.
Malicious UEFI firmware is a nightmare for anyone concerned with IT security, very damaging and difficult to detect
Jean-Ian Boutin, Senior Malware Researcher at ESET
How ESET protects from malicious UEFI firmware
ESET is the only major internet security provider to add a dedicated layer, ESET UEFI Scanner, that is designed to detect malicious components in the firmware.
ESET UEFI Scanner is a tool which makes firmware available for scanning. Subsequently, the firmware’s code gets scanned by malware detection technologies. ESET customers can scan their computer’s firmware regularly or on-demand. Most of the detections are labeled as Potentially Unsafe Applications – a code that has broad power over the system and therefore can be misused. The very same code may be completely legitimate if the user or an administrator know about its presence, or it may be malicious if it was installed without their knowledge and consent.
Learn more
Naturally, since the discovery of the first cyber attack using a UEFI rootkit, ESET customers equipped with the ESET UEFI Scanner can also detect these malicious modifications and are thus in an excellent position to protect themselves.
As for remediation, it is out of the reach of a typical user. In principle, re-flashing the chip with a clean firmware always helps. If this is not possible, then the only remaining option is replacing the computer’s motherboard.
Frequently asked questions
ESET is the only endpoint security vendor which protects from UEFI rootkit cyber attacks - true?
Is it true that ESET is the only endpoint security solutions vendor whose customers can have their UEFI firmware scanned for malicious components? If so, what is the reason for ESET's competitors not having such technology in place?
ESET is the only vendor among Top 20 endpoint security solutions vendors by revenue providing its users with a UEFI scanning technology implemented in its endpoint protection solutions. While some other vendors may have some technologies with “UEFI” in their title, their purpose is different from the function an authentic firmware scanner should perform.
As for the reason ESET is the only vendor in its field securing its customers' UEFI firmware, this illustrates ESET's responsible approach to protection. Yes, UEFI firmware-facilitated attacks are sporadic, and up to now, were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to total control of the machine, with nearly complete persistence. So ESET made the decision to invest its resources into the capability to protect its customers from UEFI firmware-facilitated attacks.
The recent discovery of LoJax, the first-ever UEFI rootkit detected in a real computer attack shows that, unfortunately, UEFI rootkits may become a regular part of advanced computer attacks.
Fortunately, thanks to the ESET UEFI Scanner, our customers are in an excellent position to spot such attacks and defend themselves against them.
Why is it important to scan the computer’s firmware?
In short, scanning the firmware is the only way to spot modifications in it. From the security point of view, the corrupted firmware is extremely dangerous as it is hard to detect and able to survive security measures such as operating system reinstallation, and even a hard disk replacement.
Firmware might get compromised at the stage of manufacturing of the computer, or during its shipping, or via reflashing the firmware if the attacker gains physical access to the device, but also, as the recent ESET research shows, via a sophisticated malware attack.
How does the ESET UEFI Scanner work?
Usually, the firmware is not accessible to security solutions for scanning and as a result, security solutions are designed only to scan disk drives and memory. To access the firmware, a specialized tool - a scanner - is needed.
The “UEFI scanner” is a module in ESET security solutions whose sole function is to read the content of the UEFI firmware and make it accessible for inspection. Thus, ESET UEFI Scanner makes it possible for ESET’s regular scanning engine to check and enforce the security of the pre-boot environment.
In sum, ESET security solutions, with capabilities boosted by the UEFI scanning technology, are designed to detect suspicious or malicious components in the firmware and report them to the user.
How to fix your UEFI firmware?
Once a suspicious or malicious component is detected in the firmware, the user is notified so that they can take the right steps.
Under one scenario, there is nothing wrong with the detections – the suspicious component may belong, for example, to an anti-theft solution designed for maximum possible persistency in the system.
Under another scenario however, there is no legitimate reason for the discovered non-standard component’s presence in the firmware. In such a case, remediation actions must be taken.
Unfortunately, there are no easy ways of cleaning the system from such a threat. Typically, the firmware needs to be reflashed to remove the malicious component. If reflashing the UEFI is not an option, the only alternative is to change the motherboard of the infected system.
How did the ESET researchers discover the campaign using the UEFI rootkit?
ESET’s discovery is comprehensively described in full in a blog post and a white paper published at ESET’s security blog, WeLiveSecurity.
In short, the ESET researchers, led by Jean-Ian Boutin, ESET Senior Researcher, did a great research job, combining their in-depth knowledge of the Sednit APT group, telemetry data from ESET detection systems and a previous discovery by their peers at Arbor Network. As a result, they discovered a whole new set of tools for cyber attacks, including the first in-the-wild UEFI rootkit.
The Sednit APT group – what is it?
Sednit, operating since at least 2004 and also known as APT28, STRONTIUM, Sofacy and Fancy Bear, is one of the most active APT (Advanced Persistent Threat) groups. Such groups are known to conduct cyber espionage and other cyber attacks on high profile targets.
The Democratic National Committee hack that affected the US 2016 elections, the hacking of global television network TV5Monde, the World Anti-Doping Agency email leak, and many others are believed to be the work of Sednit.
This group has a diversified set of malware tools in its arsenal, several examples of which ESET researchers have documented in their previous white paper as well as in numerous blog posts on WeLiveSecurity. The discovery of the LoJax UEFI rootkit shows that the Sednit APT group is even more advanced, and dangerous than was previously thought, according to Jean-Ian Boutin, ESET Senior Malware Researcher who led the research into the recent Sednit’s campaign.
As for attribution, ESET does not perform any geopolitical attribution. Performing attribution in a serious, scientific manner is a delicate task that is beyond the remit of ESET security researchers. What ESET researchers call “the Sednit group” is merely a set of software and the related network infrastructure, without any correlation with any specific organization.
Stay one step ahead with ESET
WeLiveSecurity blog
ESET's award-winning security blog has the latest on this and other discoveries
ESET Technology
Multilayered protection combining machine learning, human expertise, global threat intelligence