Re: https://firmwaresecurity.com/2018/09/27/apt28-malware-lojax-uses-uefi-rootkit/ and https://firmwaresecurity.com/2018/08/05/bluehat-v18-first-strontium-uefi-rootkit-unveiled/
Sednit UEFI malware is back in the news: because of the recent CCC video, some are hearing about it for the first time, and because Kaspersky Lab is tweeting about it, some are confused into thinking the news came from Kaspersky rather than ESET. Instead, I wish Kaspersky’s GReAT team would share some new news about their own UEFI research, as hinted at in an upcoming BlueHat Israel talk:
[…]For the past year, Kaspersky’s Global Research and Analysis Team (GReAT) extracted and processed thousands of UEFI dumps, applying anomaly analysis and code similarity techniques in order to find the “things that lurk in the shadows”[…]
BlueHat Israel has multiple interesting presentations, including this one, one on AMDFlaws, bunnie on supply chain security, and more:
The Things That Lurk in the Shadows
Costin Raiu, Kaspersky Lab / Wednesday, Feb 6, 12:30-1:00 PM
Looking at the discussions and development of sophisticated attack techniques, it is immediately obvious there is a significant gap between the theory and in-the-wild observations. One can easily come up with a list of techniques which have been demonstrated in the past; however, they are not very popular findings across APT researchers. It is especially hard to believe that sophisticated adversaries with huge budgets haven’t been able to implement techniques presented at major conferences 4-5 years ago, right? So, what is missing nowadays from all big APT research announcements?
Here are a few likely culprits:
Virtualization / hypervisor malware – although the infamous Blue Pill was discussed as far back as 2006, we haven’t seen any ItW attacks leveraging this
SMM malware – although Dmytro Oleksiuk aka Cr4sh developed an SMM backdoor as far back as 2015, this is something yet to be seen in real world attacks
UEFI malware – the hacking of HackingTeam revealed that a UEFI persistence module has been available since at least 2014, but we have still to observe real world UEFI malware (with the exception of weaponized Absolute Computrace implants)
Malware for the Intel ME
In this talk we will look at the places which have been neglected in terms of APT research with a focus on UEFI. For the past year, Kaspersky’s Global Research and Analysis Team (GReAT) extracted and processed thousands of UEFI dumps, applying anomaly analysis and code similarity techniques in order to find the “things that lurk in the shadows”.
The above tweet hints at UEFI support in Kaspersky TDSS Killer 126.96.36.199, but I’ve not found any more specific information.
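To make the “anomaly analysis over thousands of UEFI dumps” idea from the GReAT abstract concrete, here is an added example of the simplest form of that analysis (my own illustration, not Kaspersky’s or ESET’s tooling): walk a firmware volume’s FFS file headers, hash every module, and diff the result against a known-good baseline so that an unlisted module or a modified one stands out. The firmware volume, driver GUIDs and module bodies are constructed fixtures; a real SPI dump would additionally need nested/compressed sections and multiple volumes handled.

```python
import hashlib, struct, uuid
FV_SIGNATURE = b"_FVH"   # at offset 40 of EFI_FIRMWARE_VOLUME_HEADER
FFS_HEADER_LEN = 24      # sizeof(EFI_FFS_FILE_HEADER)

def parse_fv(image):
    """Yield (file GUID, sha256 of the whole FFS file) for the first firmware volume found."""
    start = image.find(FV_SIGNATURE) - 40
    if start < 0:
        raise ValueError("no firmware volume header found")
    fv_len, = struct.unpack_from("<Q", image, start + 32)       # FvLength
    hdr_len, = struct.unpack_from("<H", image, start + 48)      # HeaderLength
    off, end = start + hdr_len, start + fv_len
    while off + FFS_HEADER_LEN <= end:
        raw_guid = image[off:off + 16]
        if raw_guid == b"\xff" * 16:                            # erased flash: no more files
            break
        size = int.from_bytes(image[off + 20:off + 23], "little")   # 24-bit Size field
        yield str(uuid.UUID(bytes_le=raw_guid)), hashlib.sha256(image[off:off + size]).hexdigest()
        off += (size + 7) & ~7                                  # FFS files are 8-byte aligned

def find_anomalies(image, baseline):
    """Flag modules missing from a known-good baseline or whose contents changed."""
    findings = []
    for guid, digest in parse_fv(image):
        if guid not in baseline:
            findings.append((guid, "unknown module"))
        elif baseline[guid] != digest:
            findings.append((guid, "hash mismatch"))
    return findings

# Constructed fixtures: a minimal FV holding synthetic driver files, not real firmware.
def ffs_file(guid, body, ftype=7):                              # 7 = EFI_FV_FILETYPE_DRIVER
    size = FFS_HEADER_LEN + len(body)
    hdr = (uuid.UUID(guid).bytes_le + b"\x00\x00" + bytes([ftype, 0])   # Name, IntegrityCheck, Type, Attributes
           + size.to_bytes(3, "little") + b"\xf8")              # Size (24-bit), State
    return (hdr + body).ljust((size + 7) & ~7, b"\xff")

def build_fv(files):
    body, hdr_len = b"".join(files), 56 + 16                    # fixed header + block map (entry + terminator)
    return (b"\x00" * 16 + uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3").bytes_le  # FFS2 GUID
            + struct.pack("<Q4sIHHHBB", hdr_len + len(body), FV_SIGNATURE, 0, hdr_len, 0, 0, 0, 2)
            + struct.pack("<IIII", 1, hdr_len + len(body), 0, 0) + body)

DRIVER_A, DRIVER_B = "11111111-2222-4333-8444-555555555555", "66666666-7777-4888-8999-aaaaaaaaaaaa"
ROGUE = "deadbeef-dead-4eef-8ead-beefdeadbeef"
CLEAN_IMAGE = build_fv([ffs_file(DRIVER_A, b"MZ driver A"), ffs_file(DRIVER_B, b"MZ driver B")])
BASELINE = dict(parse_fv(CLEAN_IMAGE))                          # GUID -> sha256 from a trusted dump
SUSPECT_IMAGE = build_fv([ffs_file(DRIVER_A, b"MZ driver A"), ffs_file(DRIVER_B, b"MZ driver B, patched"),
                          ffs_file(ROGUE, b"MZ unlisted driver")])
```

Against the suspect image, find_anomalies reports the patched driver as a hash mismatch and the unlisted GUID as an unknown module; in practice the baseline would come from the OEM’s own capsule for the same board revision, and a hash mismatch on a vendor update is expected noise that code-similarity clustering, as the abstract describes, is meant to separate from a genuine implant.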
PS: Kaspersky has a UEFI AntiVirus product, for OEMs:
Kaspersky Anti-Virus for UEFI (KUEFI) is the EFI BIOS level endpoint security solution providing effective protection from rootkits and bootkits and ensuring safe OS loading. The product’s key feature is that it starts running in the EFI environment even before the OS bootup process begins, thus preventing any resident malware from loading. By working on EFI level, KUEFI ensures reliable protection from rootkits, bootkits and other malware specifically designed to circumvent desktop anti-malware technologies. KUEFI is provided as a small EFI module which nevertheless contains the award-winning Kaspersky Anti-Virus engine. The KUEFI architecture enables its integration into any motherboard firmware supporting the EFI standard, regardless of the vendor.
[…]The negative rings:
The year of Meltdown/Spectre/AMDFlaws and all the associated vulnerabilities (and those to come) made us rethink where the most dangerous malware actually lives. And even though we have seen almost nothing in the wild abusing vulnerabilities below Ring 0, the mere possibility is truly scary as it would be invisible to almost all the security mechanisms we have. For instance, in the case of SMM there has at least been a publicly available PoC since 2015. SMM is a CPU feature that would effectively provide remote full access to a computer without even allowing Ring 0 processes to have access to its memory space. That makes us wonder whether the fact that we haven’t found any malware abusing this so far is simply because it is so difficult to detect. Abusing this feature seems to be too good an opportunity to ignore, so we are sure that several groups have been trying to exploit such mechanisms for years, maybe successfully. We see a similar situation with virtualization/hypervisor malware, or with UEFI malware. We have seen PoCs for both, and HackingTeam even revealed a UEFI persistence module that’s been available since at least 2014, but again no real ITW examples as yet. Will we ever find these kinds of unicorns? Or haven’t they been exploited yet? The latter possibility seems unlikely.[…]
Kaspersky Security Bulletin: Threat Predictions for 2018
Juan Andrés Guerrero-Saade, Costin Raiu, Kurt Baumgartner
Sophisticated UEFI and BIOS attacks.
The Unified Extensible Firmware Interface (UEFI) is a software interface which serves as the intermediary between the firmware and the operating system on modern PCs. Established in 2005 by an alliance of leading software and hardware developers, Intel most notable amongst them, it’s now quickly superseding the legacy BIOS standard. This was achieved thanks to a number of advanced features that BIOS lacks: for example, the ability to install and run executables, networking and Internet capabilities, cryptography, CPU-independent architecture and drivers, etc. The very advanced capabilities that make UEFI such an attractive platform also open the way to new vulnerabilities that didn’t exist in the age of the more rigid BIOS. For example, the ability to run custom executable modules makes it possible to create malware that would be launched by UEFI directly before any anti-malware solution – or, indeed, the OS itself – had a chance to start. The fact that commercial-grade UEFI malware exists has been known since 2015, when the Hacking Team UEFI modules were discovered. With that in mind, it is perhaps surprising that no significant UEFI malware has been found, a fact that we attribute to the difficulty in detecting these in a reliable way. We estimate that in 2018 we will see the discovery of more UEFI-based malware.[…]
[…]Kaspersky Antivirus for UEFI is integrated into Kraftway’s proprietary chip-based Kraftway Security Shell to ensure timely detection and blocking of malware attacks against key points (Master Boot Record, Global Partition Table, OS loader and kernel, key OS files, registry, critical files and directories, etc.) before the OS itself even starts to load.[…]