ESET discovers first-ever in-the-wild UEFI rootkit

In Uncategorized

ESET announced that its researchers has discovered a cyberattack that used a UEFI rootkit to establish a presence on the victims’ computers. Dubbed LoJax by ESET, this rootkit was part of a campaign run by the infamous Sednit group against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind.

“Although, in theory we were aware that UEFI rootkits existed, our discovery confirms they are used by an active APT group. So they are no longer just an attractive topic at conferences, but a real threat,” comments Jean-Ian Boutin, ESET senior security researcher who led the research into LoJax and Sednit’s campaign.

UEFI rootkits are extremely dangerous formidable tools for the launch of cyberattacks. They serve as a key to the whole computer, are hard to detect and able to survive cybersecurity measures such as reinstallation of the operating system or even a hard disk replacement. Moreover, even cleaning a system that was infected with a UEFI rootkit requires knowledge well beyond the reach of a typical user, such as flashing the firmware.

Sednit, also known as APT28, STRONTIUM, Sofacy or Fancy Bear, is one of the most active APT groups and has been operating since at least 2004. Allegedly, the Democratic National Committee hack that affected the 2016 US elections, the hacking of global television network TV5Monde, the World Anti-Doping Agency email leak, and many others are believed to be the work of Sednit.

This group has in its arsenal a diversified set of malware tools, several examples of which ESET researchers have documented in their white paper as well as in numerous blogposts on WeLiveSecurity.

In a statement, the company said “the discovery of the first-ever in-the-wild UEFI rootkit serves as a wake-up call for users and their organizations who often ignore the risks connected with firmware modifications.”

“Now there is no excuse for excluding firmware from regular scanning. Yes, UEFI-facilitated attacks are extremely rare, and up to now, they were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to the full control of a computer, with nearly total persistence,” comments Jean-Ian Boutin.

ESET claims it is the only major provider of endpoint security solutions to add a dedicated layer of protection, ESET UEFI Scanner, designed to detect malicious components in a PC’s firmware.

“Thanks to the ESET UEFI Scanner, both our consumer and business customers are in a good position to spot such attacks and defend themselves against them,” concludes Juraj Malcho, Chief Technology Officer at ESET.

ESET’s analysis of the Sednit campaign that uses the first-ever in-the-wild UEFI rootkit is described in the detail in the “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper.

Comments

You may also read!

Cloud adoption is the biggest security risk

Kaspersky Lab after conducting an survey with over 250 IT security leaders discovered that uncontrolled cloud expansion is the

Read More...

7 Cyber Intelligence Insights

Ashraf Sheet, regional director, Middle East and Africa at Infoblox shares his insights to have a more secure business

Read More...

Fortinet secures DTDC Express worldwide

Fortinet, today announced that India’s leading express distribution and logistics company, DTDC Express has bolstered its existing Fortinet Security

Read More...

Join Our Newsletter!

Love SecurityMEA? We love to tell you about our new stuff. Subscribe to newsletter!

Mobile Sliding Menu