What you need to know about UEFI malware

ESET is the only vendor among the Top 20 endpoint security solutions vendors (by revenue) that provides users with UEFI scanning technology implemented in its endpoint protection solutions. While some other vendors may have technologies with “UEFI” in their names, their purpose is different than what a true firmware scanner should do.

Being the only vendor offering UEFI scanning illustrates ESET’s approach to protection. UEFI firmware-facilitated attacks are sporadic, and up to now, they were mostly limited to physical tampering with the target computer.

However, such attacks have the potential to take over complete control of computers and networks. Any data (files, videos, microphones, etc.) on the computer or network it's connected to can be stolen or hijacked for the attacker's own use. So ESET decided to invest in the ability to protect its customers from UEFI firmware-facilitated attacks.

The recent discovery of LoJax, the first-ever UEFI rootkit detected in a real computer attack, shows that UEFI rootkits may become a regular part of advanced computer attacks.

Fortunately, thanks to the ESET UEFI Scanner, our customers are in an excellent position to spot such attacks.

In short, scanning the firmware is the only way to spot modifications in it. From the security point of view, the corrupted firmware is extremely dangerous as it is hard to detect and able to survive security measures such as operating system reinstallation, and even a hard disk replacement.

It is possible that firmware might get compromised at the stage of manufacturing of the computer or during its shipping, or via reflashing the firmware if the attacker gains physical access to the device. But as the recent ESET research shows, it could also be compromised via a sophisticated malware attack.

Usually, the firmware is not accessible to security solutions for scanning and as a result, security solutions are designed only to scan disk drives and memory. To access the firmware, a specialized tool (a scanner) is needed.

The UEFI scanner is a module in ESET security solutions whose sole function is to read the content of the UEFI firmware and make it accessible for inspection. The ESET UEFI Scanner makes it possible for ESET’s regular scanning engine to check and enforce the security of the pre-boot environment.

 ESET security solutions with capabilities boosted by the UEFI scanning technology are designed to detect suspicious or malicious components in the firmware and report them to the user.

Once a suspicious or malicious component is detected in the firmware, the user is notified so that they can take the right steps.

Under one scenario, there is nothing wrong with the detections – the suspicious component may belong, for example, to an anti-theft solution designed for maximum possible persistency in the system.

Under another scenario, however, there is no legitimate reason for the discovered non-standard component’s presence in the firmware. In such a case, remediation actions must be taken.

Unfortunately, there are no easy ways of cleaning the system to remove such a threat. Typically, the firmware needs to be reflashed to remove the malicious component. If reflashing the UEFI is not an option, the only alternative is to change the motherboard of the infected system.

ESET’s discovery is described in full in a blog post and a white paper published at ESET’s security blog, WeLiveSecurity.

In short, the ESET researchers, led by Jean-Ian Boutin, ESET Senior Researcher, combined their in-depth knowledge of the Sednit APT group, telemetry data from ESET detection systems, and a previous discovery by their peers at Arbor Network. As a result, they discovered a whole new set of tools for cyberattacks, including the first in-the-wild UEFI rootkit.

Sednit, operating since at least 2004 and also known as APT28, STRONTIUM, Sofacy and Fancy Bear, is one of the most active APT (Advanced Persistent Threat) groups. Such groups are known to conduct cyber espionage and other cyberattacks on high profile targets.

The Democratic National Committee hack that affected the US 2016 elections, the hacking of global television network TV5Monde, the World Anti-Doping Agency email leak, and many others are believed to be the work of Sednit.

This group has a diversified set of malware tools in its arsenal, several examples of which ESET researchers have documented in their previous white paper as well as in numerous blog posts on WeLiveSecurity. The discovery of the LoJax UEFI rootkit shows that the Sednit APT group is even more advanced and dangerous than was previously thought, according to Jean-Ian Boutin, the ESET senior malware researcher who led the research into the recent Sednit campaign.

As for attribution, ESET does not perform any geopolitical attribution. Performing attribution in a serious, scientific manner is a delicate task that is beyond the scope of our security researchers. What ESET researchers call “the Sednit group” is merely a set of software and the related network infrastructure, without any correlation with any specific organization.