SoylentNews is people
SoylentNews
Chinese APT deploys MoonBounce implant in UEFI firmware:
Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks.
The implant is believed to be the work of APT41, a Chinese-speaking sophisticated hacking group also known as Winnti or Double Dragon.
On January 20, Kaspersky researchers said that at the end of last year, the team uncovered a case of Unified Extensible Firmware Interface (UEFI) compromise caused by the modification of one component in the firmware – a core element called SPI flash, located on the motherboard.
"Due to its emplacement on SPI flash which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement," the team noted.
Not only did the tweak to the firmware result in persistence at a level that is extremely difficult to remove, the team says that the firmware image was "modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain."
The developer of the MoonBounce UEFI rootkit is said to have a deep and thorough understanding of how UEFI systems work.
"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices," the researchers explained. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader."
(Score: 0, Redundant) by Mockingbird on Sunday January 23 2022, @12:14AM (6 children)
As usual, there is a simple solution: do not load Windows. Install Linux, or BSD, instead.
(Score: 0) by Anonymous Coward on Sunday January 23 2022, @01:27AM (4 children)
Linux or BSD...
Too late if the motherboard already has been compromised. Landfill and replace. And hopefully the new one, made in China, doesn't arrive with the malware preloaded...
(Score: 2) by RamiK on Sunday January 23 2022, @01:49AM
You can get a usb eeprom / spi / bios programmer under $10 over at amazon... $15 for one with a soic8 adapter... $25 for low-voltage chips support...
Comes in handy if you're using UBU [win-raid.com] to update microcode and such on out-of-service boards and something didn't go right.
compiling...
(Score: 1, Insightful) by Anonymous Coward on Sunday January 23 2022, @07:03AM (2 children)
Do you seriously think that there are "hooks" into Unix bootloaders? I guess we do not understand computers, do we? Of course, Windows motherboards arrive with malware preloaded, to give access to american intel agencies. it is called "Windows loader".
(Score: 0) by Anonymous Coward on Sunday January 23 2022, @07:56AM
Yes. No, you don't.
(Score: 3, Touché) by maxwell demon on Sunday January 23 2022, @08:26AM
Just start the Linux kernel with the kernel command line parameter init=/my/malware. Should be easy to do if you control the boot process before Linux even loads.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 5, Insightful) by Anonymous Coward on Sunday January 23 2022, @02:26AM
It can be just as easily accomplished with any host OS like Linux. This results from a fundamental security problem with UEFI in it can be manipulated by bad code at the Host OS level, and also it has control over the Host OS, so basically once its corrupted it is hard to get rid of from the level of Host OSs. UEFI should not be there or at least it should be loaded from from a SD card which can be replaced.
(Score: 0) by Anonymous Coward on Sunday January 23 2022, @12:17AM (10 children)
If they kept better control of their UEFI code when they forced manufacturers to replace BIOS, we wouldn't have all these problems.
(Score: 4, Insightful) by Gaaark on Sunday January 23 2022, @12:23AM (9 children)
If Microsoft would just be taken for the joke they are and be forced to close their doors, we wouldn't have all these problems.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 1, Funny) by Anonymous Coward on Sunday January 23 2022, @12:40AM
It's Microsoft WINDOWS. They don't have doors.
Perhaps if they had window guards ...
(Score: 2, Insightful) by Anonymous Coward on Sunday January 23 2022, @01:25AM (7 children)
UEFI was supposed to be THE #1 for all time secure gateway.
Now we are hearing the same BS about their new TPM chip.
People just don't learn, do they?
(Score: 0) by Anonymous Coward on Sunday January 23 2022, @01:42AM (4 children)
I hope I don't wake up tomorrow and read that Blockchain's decentralized security only takes 15 minutes to crack.
No, actually I do, as I've never been someone with Superfaith in supposedly mathematically-safe authentication, a result of having "Computer and Network Security Engineer" on my business card for 30 years ...and I'm old and bitter about what happened to my wonderful Internet.
(Score: 4, Insightful) by maxwell demon on Sunday January 23 2022, @08:36AM (3 children)
No, you actually don't. Because the technology that secures the blockchain (cryptographic hashes and digital signatures) also secures much of the critical infrastructure of the internet. And your password, too.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Sunday January 23 2022, @09:05AM (2 children)
> No, you actually don't.
I have my Amateur Licence, and participate directly with more people over the unencrypted-unhypermonetized radio than I do on the net. I can cope.
(Score: 2) by maxwell demon on Sunday January 23 2022, @05:08PM (1 child)
Can you also cope with the attackers emptying your bank account? I guess you don't store your money in cash and/or gold at home, do you?
And in case you think you're secure because you don't use online banking: What do you think how the communication between the ATM and the bank, or the credit card company and the bank, is secured?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1) by shrewdsheep on Sunday January 23 2022, @06:06PM
In principle, banks and other official institutions do not have to establish trust without shared keys. They can use one-time passwords instead for communication among each other. As such money flow keeps traceable and reversible even if online banking is compromised.
(Score: 2) by driverless on Monday January 24 2022, @02:13AM (1 child)
That was my reaction too, EFI was the super-secure prevents-even-Linux-from-booting DRM mechanism for PCs.
And now it's being used by the attackers.
(Score: 4, Insightful) by Spamalope on Monday January 24 2022, @05:47AM
It's to secure the system from competition, not Haxxors. Haxxors are a you problem.
(Score: -1, Troll) by Anonymous Coward on Sunday January 23 2022, @02:49AM (3 children)
Seriously, they don't speak chinese in China - try mandarin, which Pooh-Bear is trying to make the only official language.
(Score: 0) by Anonymous Coward on Sunday January 23 2022, @04:40AM (2 children)
You're that guy who always ends up sitting next to me on the airplane who gives me a strong desire to jam pencils in my ears before we hit cruising altitude.
(Score: 1, Informative) by Anonymous Coward on Sunday January 23 2022, @08:26AM (1 child)
Would you dare complain if an article was posted about a European-speaking hacking group based out of London? Or is your respect for people with different languages only reserved for Europeans?
(Score: 0) by Anonymous Coward on Sunday January 23 2022, @01:15PM
European is the language Brussels bureaucrats speak to each other when debating the appropriate legal colour for aubergines (eggplants).
(Score: 5, Insightful) by Mojibake Tengu on Sunday January 23 2022, @03:30AM
The whole concept of existing DXE is exemplary bad engineering, a preference of "modular functionality we want because of our laziness" versus "tight security stands in our way of doing things".
In simple words: https://www.ami.com/acronym-soup-what-is-dxe/ [ami.com]
Though one does not need to become a Haxxor Bunny[1] to understand DXE and quarry its internals.
I think anyone can achieve such ability as APT41 and others did, to add features[2] to their UEFI BIOS, no matter what operating system follows them next in the boot process.
[1] https://www.livewallpaperpc.com/haxxor-bunny-live-wallpaper/ [livewallpaperpc.com]
[2] https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Core/Dxe/DxeMain/DxeMain.c [github.com]
Respect Authorities. Know your social status. Woke responsibly.
(Score: 4, Insightful) by deimios on Sunday January 23 2022, @08:58AM (5 children)
Just set the jumper to disallow BIOS flashing. Oh UEFI has nothing like that? Progress!
(Score: 4, Insightful) by Common Joe on Sunday January 23 2022, @10:44AM (3 children)
This is how I knew UEFI wasn't serious about security. That and a way to restore the original version. And if you really want to get fancy, you could even implement a switch outside of the computer which would allow flashing or not (instead of needing to grab a screw driver).
(Score: 1, Interesting) by Anonymous Coward on Sunday January 23 2022, @05:39PM
That's how you do it in some industrial computers. More - there is a peculiar control system in which you have to be there and keep this button pressed during upload (12-15 seconds) or it will interrupt and not switch to the second bank (it keeps the previous version of software in the other memory bank).
But when UEFI came, everyone warned about this. Now the solution proposed by corporations will be to chain-certify everything and offer the possibility to boot up the system only for blessed OS developers. Read: MS, Google, and maybe Apple. And it will cost much more than a jumper.
(Score: 0) by Anonymous Coward on Monday January 24 2022, @05:49AM
Microsoft can now flash any bios with whatever they want.
How is this progress?
If in newer systems it can be done without the main OS, how is this "secure"?
(Score: 0) by Anonymous Coward on Monday January 24 2022, @05:39PM
The original SPI flash chips up to around 512K *HAD* a write-lock pin on them. Either due to a defective stepping of intel southbridge (strapping the pin on.) or a defective SPI (Winbond or Macrontix I believe) they starting using the pin as a softstrap instead requiring a command to be sent to the chip in order to write-lock it. As you can imagine there were ways to trip a power cycle at which point the write lock was disabled until the read-lock command was sent again...
Sounded pretty janky at the time and it has only gotten worse as the years have passed. It is really time for 'the rest of us' to desolder those shitty spi chips and put a daughtercard there, with a microcontroller that can spoof read/writes to the system and thus be able to be set read only while also checking if a malware image upload attempted to take place. Cheap ones can be done for 10 dollars or less in quantity with all kinds of cool options like supporting segmented bios memory with compatible (say, coreboot) images and some command stream magic to switch banks for larger memory payloads. Hell if you wanted to be ambitious you could put a microsd card on the spi daughterboard and have arbitrary 'bios' images up to whatever size you wanted. Slow but secured by your own microcontroller and capable of bootstrapping any data you want into ram. I'm sure someone has already done similar inside of an SPI chip for clandestine purposes.
(Score: 0) by Anonymous Coward on Sunday January 23 2022, @10:55PM
All three of the major vendors support disabling BIOS flashing. It is usually under the "security" menu.
(Score: 1, Interesting) by Anonymous Coward on Sunday January 23 2022, @07:08PM (1 child)
Where are all the principled engineers that work in the computer hardware industry? In software we have tons of people writing FOSS, but hardware only has a handful of "screwballs" trying to fight the whole war. Why are hardware people such dirty-legged gutter skanks?
(Score: 0) by Anonymous Coward on Monday January 24 2022, @01:37PM
It requires money to build hardware.