Slovakia-based IT security company ESET has recently confirmed the existence of a dangerous malware, dubbed LoJax, that infects a targeted computer by rewriting the Unified Extensible Firmware Interface (UEFI) firmware stored in the motherboard’s flash memory, allowing it to survive even when you wipe or replace your hard disk and reinstall your operating system.
UEFI rootkits are extremely dangerous as they are hard to detect and able to survive cybersecurity measures such as reinstallation of the operating system or even a hard disk replacement. Moreover, even cleaning a system that was infected with a UEFI rootkit requires knowledge well beyond the reach of a typical user, such as flashing the firmware.
Many experts had talked about UEFI rootkits as a theoretical attack, but ESET was able to detect the first-ever publicly known attacks of this kind, which affected several high-profile targets in Central and Eastern Europe and were confirmed to be part of a campaign run by the infamous Sednit group.
Sednit, also known as APT28, STRONTIUM, Sofacy or Fancy Bear, is one of the most active Advanced Persistent Threat (APT) groups and has been operating since at least 2004. The Democratic National Committee hack that affected the 2016 US elections, the hacking of global television network TV5Monde, the World Anti-Doping Agency email leak, and many others are believed to be the work of Sednit.
“Although, in theory, we were aware that UEFI rootkits existed, our discovery confirms they are used by an active APT group,” said Jean-Ian Boutin, ESET senior security researcher who led the research into LoJax and Sednit’s campaign. “So they are no longer just an attractive topic at conferences, but a real threat.”
The discovery of the first-ever in-the-wild UEFI rootkit serves as a wake-up call for users and their organizations, who often ignore the risks connected with firmware modifications. Even if UEFI-based attacks are extremely rare, this will push IT security providers to include the firmware in regular scanning, because if such an attack succeeds in taking over the computer’s firmware, it gives the attackers full control of the compromised computer with near-total persistence.