Sednit – the infamous hacking group reportedly behind hacks on the Democratic National Committee in 2016, the French elections and the German Parliament – may now be more dangerous than we previously thought.
ESET researchers recently found that the Russian hacking group, sometimes known as Fancy Bear, has been using a technique so advanced that, until now, it had never been seen in the wild.
The ESET research team, headed by senior malware researcher Jean-Ian Boutin, found that the notorious group was using a UEFI-based rootkit – known as LoJax – to target government organisations in the Balkans as well as in Central and Eastern Europe. UEFI rootkits are widely viewed in the industry as extremely dangerous tools for implementing cyber-attacks – they are hard to detect and able to survive security measures such as operating system reinstallation and even hard disk replacement.
Of course, this technique isn’t unheard of. Some UEFI rootkits have been presented as proofs of concept and some are known to be at the disposal of some governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until now.
ESET's investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory. This module is able to drop and execute malware on disk during the boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical computer owner.
Why should businesses be worried?
While we found that Sednit used the LoJax malware to target a few government organisations in the Balkans, as well as in Central and Eastern Europe, this does not mean the threat to UK organisations is any less real.
Sednit has historically targeted Western Europe, including France and Germany, as well as organisations such as the International Association of Athletics Federations (IAAF) and the World Anti-Doping Agency (WADA). When you think of it like that, suddenly, it looks a lot closer to home.
Frankly, any new form of malware moving from a proof of concept at trade shows to a dangerous in-the-wild threat should be cause for concern on a global scale. This is particularly true when it uses a method which is difficult to detect and even more difficult to remove.
Malicious hackers will use any tool at their disposal when targeting a specific organisation, and this UEFI rootkit is another, particularly nasty, weapon to be wielded against organisations worldwide. In this case, whenever a computer infected with UEFI malware boots, it places the LoJax agent on the Windows file system, so that by the time Windows boots it is already infected with the LoJax agent. Even if you clean LoJax from Windows, as soon as you reboot, the UEFI implant will re-infect Windows.
So, what now?
Sednit’s UEFI rootkit is not properly signed, so the first security mechanism that could have blocked such an attack is Boot Guard. When Boot Guard is enabled, each and every firmware component that is loaded by the firmware needs to be properly signed, thus ensuring the integrity of the firmware.
But this type of protection only works when it is enabled, and in light of this news I strongly suggest that firms make enabling it their number one priority. It is the base defence against attacks targeting UEFI firmware and can be enabled at boot time through your system’s UEFI settings.
You should make sure that you are using the latest available UEFI/BIOS for your motherboard.
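One thing a practitioner will want is a way to confirm, from a running system, that the firmware is actually enforcing signatures on what it loads, rather than trusting that someone ticked the box. The Boot Guard setting the article names is a hardware-rooted check of the earliest firmware stage and is not exposed to the operating system as a readable variable; the UEFI setting that governs signature enforcement of loaded images and that an OS can read is Secure Boot, published as the EFI global variables `SecureBoot` and `SetupMode`. The following is an added example, not code from the article or from ESET: it parses those variables in the record layout Linux exposes under `/sys/firmware/efi/efivars` (a 4-byte attribute word followed by the data). The byte strings `SAMPLE_ENABLED` and `SAMPLE_DISABLED` are constructed for offline testing, not captured from a real host, and the `assess` verdict logic is my own.

```python
"""Check whether the platform firmware is enforcing UEFI image signatures.

Added example: reads the EFI global variables SecureBoot and SetupMode in the
efivarfs record format (4-byte attribute word, then the variable data).
Constructed sample records are included so the parsing logic runs offline.
"""
import struct
from pathlib import Path
from typing import Dict, Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID, under which SecureBoot and SetupMode are published.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs record into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar record shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boolean_var(raw: bytes) -> bool:
    """SecureBoot and SetupMode carry exactly one data byte: 1 = set, 0 = clear."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    return data[0] == 1


def assess(secure_boot: Optional[bytes], setup_mode: Optional[bytes]) -> Dict[str, object]:
    """Return the verdict a defender wants: is image-signature enforcement active?"""
    if secure_boot is None:
        return {"enforced": False,
                "reason": "no SecureBoot variable: legacy BIOS boot or no UEFI runtime services"}
    sb = boolean_var(secure_boot)
    # Missing SetupMode is treated as 'not in setup mode' (assumption for this example).
    sm = boolean_var(setup_mode) if setup_mode is not None else False
    if sb and not sm:
        return {"enforced": True, "reason": "SecureBoot=1, SetupMode=0"}
    if sb and sm:
        return {"enforced": False,
                "reason": "SetupMode=1: no Platform Key enrolled, so signatures are not enforced"}
    return {"enforced": False, "reason": "SecureBoot=0: disabled in firmware setup"}


def read_var(name: str) -> Optional[bytes]:
    """Read a global EFI variable from efivarfs; None when it is not present."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"
    return path.read_bytes() if path.exists() else None


# Constructed records (not captured from a real host): attributes 0x06
# (BOOTSERVICE_ACCESS | RUNTIME_ACCESS) followed by one data byte.
SAMPLE_ENABLED = b"\x06\x00\x00\x00\x01"
SAMPLE_DISABLED = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print("constructed sample:", assess(SAMPLE_ENABLED, SAMPLE_DISABLED))
    print("this host:", assess(read_var("SecureBoot"), read_var("SetupMode")))
```

Run it as root on a UEFI-booted Linux host to see the live verdict; on any other machine only the constructed sample is evaluated. The point of checking `SetupMode` alongside `SecureBoot` is that a platform with no Platform Key enrolled reports Secure Boot as configured but enforces nothing, which is exactly the state an audit would otherwise miss.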
What happens if you do become infected? In order to remove the rootkit, the SPI flash memory needs to be re-flashed with a clean firmware image specific to the motherboard. This is a delicate operation that must be performed manually. It is definitely not a procedure that most computer owners are familiar with, and it is a time-consuming process, meaning prevention is always the best approach with this type of malware.
The only alternative to re-flashing the UEFI/BIOS is to replace the motherboard of the compromised system outright – a costly and lengthy process, especially if you have multiple devices infected in your organisation.
The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique, threats. Consequently, UK businesses should always be on the lookout for signs of compromise. If anything, this research has taught us that it is always important to dig as deep as you can go! As notorious hacking groups continue to up their game, it has never been more important to remain on high alert.
Jake Moore, Cybersecurity expert, ESET UK