Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Sunday January 23, @12:06AM   Printer-friendly [Skip to comment(s)]

Chinese APT deploys MoonBounce implant in UEFI firmware:

Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks.

The implant is believed to be the work of APT41, a Chinese-speaking sophisticated hacking group also known as Winnti or Double Dragon.

On January 20, Kaspersky researchers said that at the end of last year, the team uncovered a case of Unified Extensible Firmware Interface (UEFI) compromise caused by the modification of one component in the firmware – a core element called SPI flash, located on the motherboard.

"Due to its emplacement on SPI flash which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement," the team noted.

Not only did the tweak to the firmware result in persistence at a level that is extremely difficult to remove, the team says that the firmware image was "modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain."

The developer of the MoonBounce UEFI rootkit is said to have a deep and thorough understanding of how UEFI systems work.

"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices," the researchers explained. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader."


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 0, Redundant) by Mockingbird on Sunday January 23, @12:14AM (6 children)

    by Mockingbird (15239) Subscriber Badge on Sunday January 23, @12:14AM (#1214886) Journal

    sets up additional hooks in subsequent components of the boot chain, namely the Windows loader."

    As usual, there is a simple solution: do not load Windows. Install Linux, or BSD, instead.

    --
    "It is a sin to kill a mockingbird" Atticus Finch
    • (Score: 0) by Anonymous Coward on Sunday January 23, @01:27AM (4 children)

      by Anonymous Coward on Sunday January 23, @01:27AM (#1214901)

      Linux or BSD...
      Too late if the motherboard already has been compromised. Landfill and replace. And hopefully the new one, made in China, doesn't arrive with the malware preloaded...

      • (Score: 2) by RamiK on Sunday January 23, @01:49AM

        by RamiK (1813) on Sunday January 23, @01:49AM (#1214905)

        Too late if the motherboard already has been compromised. Landfill and replace.

        You can get a usb eeprom / spi / bios programmer under $10 over at amazon... $15 for one with a soic8 adapter... $25 for low-voltage chips support...

        Comes in handy if you're using UBU [win-raid.com] to update microcode and such on out-of-service boards and something didn't go right.

        --
        compiling...
      • (Score: 1, Insightful) by Anonymous Coward on Sunday January 23, @07:03AM (2 children)

        by Anonymous Coward on Sunday January 23, @07:03AM (#1214932)

        Do you seriously think that there are "hooks" into Unix bootloaders? I guess we do not understand computers, do we? Of course, Windows motherboards arrive with malware preloaded, to give access to american intel agencies. it is called "Windows loader".

        • (Score: 0) by Anonymous Coward on Sunday January 23, @07:56AM

          by Anonymous Coward on Sunday January 23, @07:56AM (#1214943)

          Yes. No, you don't.

        • (Score: 3, Touché) by maxwell demon on Sunday January 23, @08:26AM

          by maxwell demon (1608) on Sunday January 23, @08:26AM (#1214954) Journal

          Just start the Linux kernel with the kernel command line parameter init=/my/malware. Should be easy to do if you control the boot process before Linux even loads.

          --
          The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 5, Insightful) by Anonymous Coward on Sunday January 23, @02:26AM

      by Anonymous Coward on Sunday January 23, @02:26AM (#1214909)

      It can be just as easily accomplished with any host OS like Linux. This results from a fundamental security problem with UEFI in it can be manipulated by bad code at the Host OS level, and also it has control over the Host OS, so basically once its corrupted it is hard to get rid of from the level of Host OSs. UEFI should not be there or at least it should be loaded from from a SD card which can be replaced.

  • (Score: 0) by Anonymous Coward on Sunday January 23, @12:17AM (10 children)

    by Anonymous Coward on Sunday January 23, @12:17AM (#1214888)

    If they kept better control of their UEFI code when they forced manufacturers to replace BIOS, we wouldn't have all these problems.

    • (Score: 4, Insightful) by Gaaark on Sunday January 23, @12:23AM (9 children)

      by Gaaark (41) on Sunday January 23, @12:23AM (#1214891) Journal

      If Microsoft would just be taken for the joke they are and be forced to close their doors, we wouldn't have all these problems.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 1, Funny) by Anonymous Coward on Sunday January 23, @12:40AM

        by Anonymous Coward on Sunday January 23, @12:40AM (#1214898)

        It's Microsoft WINDOWS. They don't have doors.

        Perhaps if they had window guards ...

      • (Score: 2, Insightful) by Anonymous Coward on Sunday January 23, @01:25AM (7 children)

        by Anonymous Coward on Sunday January 23, @01:25AM (#1214900)

        UEFI was supposed to be THE #1 for all time secure gateway.
        Now we are hearing the same BS about their new TPM chip.
        People just don't learn, do they?

        • (Score: 0) by Anonymous Coward on Sunday January 23, @01:42AM (4 children)

          by Anonymous Coward on Sunday January 23, @01:42AM (#1214904)

          I hope I don't wake up tomorrow and read that Blockchain's decentralized security only takes 15 minutes to crack.

          No, actually I do, as I've never been someone with Superfaith in supposedly mathematically-safe authentication, a result of having "Computer and Network Security Engineer" on my business card for 30 years ...and I'm old and bitter about what happened to my wonderful Internet.

          • (Score: 4, Insightful) by maxwell demon on Sunday January 23, @08:36AM (3 children)

            by maxwell demon (1608) on Sunday January 23, @08:36AM (#1214957) Journal

            No, actually I do

            No, you actually don't. Because the technology that secures the blockchain (cryptographic hashes and digital signatures) also secures much of the critical infrastructure of the internet. And your password, too.

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 0) by Anonymous Coward on Sunday January 23, @09:05AM (2 children)

              by Anonymous Coward on Sunday January 23, @09:05AM (#1214966)

              > No, you actually don't.

              I have my Amateur Licence, and participate directly with more people over the unencrypted-unhypermonetized radio than I do on the net. I can cope.

              • (Score: 2) by maxwell demon on Sunday January 23, @05:08PM (1 child)

                by maxwell demon (1608) on Sunday January 23, @05:08PM (#1215029) Journal

                Can you also cope with the attackers emptying your bank account? I guess you don't store your money in cash and/or gold at home, do you?

                And in case you think you're secure because you don't use online banking: What do you think how the communication between the ATM and the bank, or the credit card company and the bank, is secured?

                --
                The Tao of math: The numbers you can count are not the real numbers.
                • (Score: 1) by shrewdsheep on Sunday January 23, @06:06PM

                  by shrewdsheep (5215) on Sunday January 23, @06:06PM (#1215051)

                  In principle, banks and other official institutions do not have to establish trust without shared keys. They can use one-time passwords instead for communication among each other. As such money flow keeps traceable and reversible even if online banking is compromised.

        • (Score: 2) by driverless on Monday January 24, @02:13AM (1 child)

          by driverless (4770) on Monday January 24, @02:13AM (#1215168)

          That was my reaction too, EFI was the super-secure prevents-even-Linux-from-booting DRM mechanism for PCs.

          And now it's being used by the attackers.

          • (Score: 4, Insightful) by Spamalope on Monday January 24, @05:47AM

            by Spamalope (5233) on Monday January 24, @05:47AM (#1215203) Homepage

            It's to secure the system from competition, not Haxxors. Haxxors are a you problem.

  • (Score: -1, Troll) by Anonymous Coward on Sunday January 23, @02:49AM (3 children)

    by Anonymous Coward on Sunday January 23, @02:49AM (#1214912)
    >> a Chinese-speaking sophisticated hacking group

    Seriously, they don't speak chinese in China - try mandarin, which Pooh-Bear is trying to make the only official language.

    • (Score: 0) by Anonymous Coward on Sunday January 23, @04:40AM (2 children)

      by Anonymous Coward on Sunday January 23, @04:40AM (#1214921)

      You're that guy who always ends up sitting next to me on the airplane who gives me a strong desire to jam pencils in my ears before we hit cruising altitude.

      • (Score: 1, Informative) by Anonymous Coward on Sunday January 23, @08:26AM (1 child)

        by Anonymous Coward on Sunday January 23, @08:26AM (#1214955)

        Would you dare complain if an article was posted about a European-speaking hacking group based out of London? Or is your respect for people with different languages only reserved for Europeans?

        • (Score: 0) by Anonymous Coward on Sunday January 23, @01:15PM

          by Anonymous Coward on Sunday January 23, @01:15PM (#1214983)

          European is the language Brussels bureaucrats speak to each other when debating the appropriate legal colour for aubergines (eggplants).

  • (Score: 5, Insightful) by Mojibake Tengu on Sunday January 23, @03:30AM

    by Mojibake Tengu (8598) Subscriber Badge on Sunday January 23, @03:30AM (#1214917) Journal

    The whole concept of existing DXE is exemplary bad engineering, a preference of "modular functionality we want because of our laziness" versus "tight security stands in our way of doing things".
    In simple words: https://www.ami.com/acronym-soup-what-is-dxe/ [ami.com]

    Though one does not need to become a Haxxor Bunny[1] to understand DXE and quarry its internals.
    I think anyone can achieve such ability as APT41 and others did, to add features[2] to their UEFI BIOS, no matter what operating system follows them next in the boot process.

    [1] https://www.livewallpaperpc.com/haxxor-bunny-live-wallpaper/ [livewallpaperpc.com]
    [2] https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c [github.com]

    --
    The edge of 太玄 cannot be defined, for it is beyond every aspect of design
  • (Score: 4, Insightful) by deimios on Sunday January 23, @08:58AM (5 children)

    by deimios (201) Subscriber Badge on Sunday January 23, @08:58AM (#1214962) Journal

    Just set the jumper to disallow BIOS flashing. Oh UEFI has nothing like that? Progress!

    • (Score: 4, Insightful) by Common Joe on Sunday January 23, @10:44AM (3 children)

      by Common Joe (33) Subscriber Badge <common.joe.0101NO@SPAMgmail.com> on Sunday January 23, @10:44AM (#1214976) Journal

      This is how I knew UEFI wasn't serious about security. That and a way to restore the original version. And if you really want to get fancy, you could even implement a switch outside of the computer which would allow flashing or not (instead of needing to grab a screw driver).

      • (Score: 1, Interesting) by Anonymous Coward on Sunday January 23, @05:39PM

        by Anonymous Coward on Sunday January 23, @05:39PM (#1215037)

        That's how you do it in some industrial computers. More - there is a peculiar control system in which you have to be there and keep this button pressed during upload (12-15 seconds) or it will interrupt and not switch to the second bank (it keeps the previous version of software in the other memory bank).
        But when UEFI came, everyone warned about this. Now the solution proposed by corporations will be to chain-certify everything and offer the possibility to boot up the system only for blessed OS developers. Read: MS, Google, and maybe Apple. And it will cost much more than a jumper.

      • (Score: 0) by Anonymous Coward on Monday January 24, @05:49AM

        by Anonymous Coward on Monday January 24, @05:49AM (#1215204)

        Microsoft can now flash any bios with whatever they want.

        How is this progress?

        If in newer systems it can be done without the main OS, how is this "secure"?

      • (Score: 0) by Anonymous Coward on Monday January 24, @05:39PM

        by Anonymous Coward on Monday January 24, @05:39PM (#1215300)

        The original SPI flash chips up to around 512K *HAD* a write-lock pin on them. Either due to a defective stepping of intel southbridge (strapping the pin on.) or a defective SPI (Winbond or Macrontix I believe) they starting using the pin as a softstrap instead requiring a command to be sent to the chip in order to write-lock it. As you can imagine there were ways to trip a power cycle at which point the write lock was disabled until the read-lock command was sent again...

        Sounded pretty janky at the time and it has only gotten worse as the years have passed. It is really time for 'the rest of us' to desolder those shitty spi chips and put a daughtercard there, with a microcontroller that can spoof read/writes to the system and thus be able to be set read only while also checking if a malware image upload attempted to take place. Cheap ones can be done for 10 dollars or less in quantity with all kinds of cool options like supporting segmented bios memory with compatible (say, coreboot) images and some command stream magic to switch banks for larger memory payloads. Hell if you wanted to be ambitious you could put a microsd card on the spi daughterboard and have arbitrary 'bios' images up to whatever size you wanted. Slow but secured by your own microcontroller and capable of bootstrapping any data you want into ram. I'm sure someone has already done similar inside of an SPI chip for clandestine purposes.

    • (Score: 0) by Anonymous Coward on Sunday January 23, @10:55PM

      by Anonymous Coward on Sunday January 23, @10:55PM (#1215130)

      All three of the major vendors support disabling BIOS flashing. It is usually under the "security" menu.

  • (Score: 1, Interesting) by Anonymous Coward on Sunday January 23, @07:08PM (1 child)

    by Anonymous Coward on Sunday January 23, @07:08PM (#1215063)

    Where are all the principled engineers that work in the computer hardware industry? In software we have tons of people writing FOSS, but hardware only has a handful of "screwballs" trying to fight the whole war. Why are hardware people such dirty-legged gutter skanks?

    • (Score: 0) by Anonymous Coward on Monday January 24, @01:37PM

      by Anonymous Coward on Monday January 24, @01:37PM (#1215248)

      It requires money to build hardware.

(1)