SedNit, CCC, Kaspersky and ESET

Re: and

Sednit UEFI malware is back in the news, because of the recent CCC video, some are hearing about it for the first time, and because Kaspersky Lab is tweeting about it, confusing people that the news came from Kaspersky instead of ESET. Instead, I wish Kaspersky’s GReAT team would be giving some new news about their UEFI research, as hinted from an upcoming BlueHat Israel talk:

[..]For the past year, Kaspersky’s Global Research and Analysis Team (GReAT) extracted and processed thousands of UEFI dumps, applying anomaly analysis and code similarity techniques in order to find the “things that lurk in the shadows”[…]


Nick FitzGerald of ESET on scanning UEFI

ESET recently released a scanner for UEFI. Nick FitzGerald, ESET, Senior Research Fellow, has an article on why you should scan your UEFI firmware.

UEFI 101, and why you need it scanned
By Nick FitzGerald
Monday, November 20, 2017 – 15:16

In the rapidly evolving world of security software development, recent research has shown that UEFI scanning has transformed from a “nice to have” into a “must have” feature. Initially deemed a theoretical threat, there was little information about real-world UEFI attacks in the wild. However over time, enough data was collected and analyzed by cybersecurity vendors to conclude that UEFI protection is now required.[…]


ESET adds UEFI Scanner

ESET’s internet security just keeps getting better thanks to new IoT protection and UEFI Scanner
October 24, 2017

ESET, a global leader in cybersecurity celebrating 30 years of continuous IT innovation, today launched its latest consumer security product portfolio for Windows. The enhanced solutions are designed to protect people from an expanding array of cyberthreats, data theft, malware and viruses. The features released today enhance the security capabilities of ESET NOD32 Antivirus, ESET Internet Security and ESET Smart Security Premium. The Unified Extensible Firmware Interface (UEFI) Scanner, included in all three products, adds elevated levels of malware protection by detecting and removing threats that potentially launch before the operating system boots up. Threats, including rootkits and ransomware, target vulnerabilities in the UEFI and are highly persistent, even surviving after an operating system is reinstalled. ESET’s UEFI Scanner prevents these types of attacks.[…]


Black Hat Asia: The UEFI Firmware Rootkits: Myths and Reality

The UEFI Firmware Rootkits: Myths and Reality
Alex Matrosov  |  Principal Research Scientist, Cylance
Eugene Rodionov  |  Senior Specialized Software Engineer, ESET

In recent days, the topic of UEFI firmware security is very hot. There is a long list of publications that have appeared over the last few years discussing disclosed vulnerabilities in UEFI firmware. These vulnerabilities allows an attacker to compromise the system at one of the most privileged levels and gain complete control over the victim’s system. In this presentation, authors will take a look at the state of the art attacks against UEFI firmware from practical point of view and analyze applicability of disclosed attacks in real life scenarios: whether these vulnerabilities can be easily used in real-world rootkits (OS->SMM->SPI Flash).

In the first part of the presentation, the authors will dive into different types of vulnerabilities and attacks against UEFI firmware to summarize and systematize known attacks: whether the vulnerability targets one specific firmware vendor, whether an attacker needs physical access to the victims platform and so on. Such a classification is useful to understand possibilities of an attacker. The authors will also look at the attacks and determine whether it can be converted into a real-world rootkit or the possibilities of the attacker are very limited and the attack vector cannot make it beyond the PoC.

In the second part of the presentation, the authors will look at defensive technologies and how can one reduce severity of some attacks. In modern Intel-based platforms implemented different methods and mitigation technologies against firmware and boot process attacks. The Boot Guard – hardware-based integrity protection technology that provided new levels of configurable boot: Measured Boot and Verified Boot (supported from MS Windows 8). The technologies responsible for platform flash memory protection from malicious modifications not a new trend. As example BIOS Write Enable bit (BIOSWE) has been introduced long time ago for made read-only access of flash memory. Another protection technology is BIOS Lock Enable bit (BLE) which is control every privileged code execution from System Management Mode (SMM) on each attempt to change BIOSWE bit. Also SMM based write protection (SMM_BWP) protects an entire BIOS region from unprivileged code (non-SMM) modifications attempts. One of the latest security technologies is SPI Protected Ranges (PRx) which can be configured to protect memory ranges of flash memory on the BIOS/platform developers side. The BIOS Guard (delivered since Skylake CPU) – is the most recent technology for platform armoring protection from firmware flash storage malicious modifications. Even if an attacker has access for modifying flash memory BIOS Guard can prevent execution of malicious code and protect flash memory from malicious modifications. Authors will analyse how these technologies can counteract existing firmware vulnerabilities and attacks.