
SoylentNews is people

posted by janrinok on Sunday January 23 2022, @12:06AM

Chinese APT deploys MoonBounce implant in UEFI firmware:

Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks.

The implant is believed to be the work of APT41, a Chinese-speaking sophisticated hacking group also known as Winnti or Double Dragon.

On January 20, Kaspersky researchers said that at the end of last year, the team uncovered a case of Unified Extensible Firmware Interface (UEFI) compromise caused by the modification of one component in the firmware – a core element called SPI flash, located on the motherboard.

"Due to its emplacement on SPI flash which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement," the team noted.

Not only did the firmware modification give the implant persistence at a level that is extremely difficult to remove; the team also says that the firmware image was "modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain."

The developer of the MoonBounce UEFI rootkit is said to have a deep and thorough understanding of how UEFI systems work.

"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices," the researchers explained. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader."
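One defender-side check that follows from the summary, as an added example that is not part of the article or of Kaspersky's own tooling: dump the SPI flash and compare it module by module against the vendor's known-good image, so that a module whose payload was changed or extended (the pattern described for CORE_DXE) is localised rather than just flagged as "image differs". The record format below is a constructed stand-in for a UEFI firmware volume, not real FFS parsing, and the module names and payloads are constructed sample data.

```python
import hashlib
import struct

# Toy container standing in for a UEFI firmware volume (constructed format, not real
# FFS): records of [u32 LE payload length][16-byte NUL-padded module name][payload].
HDR = struct.Struct("<I16s")

def build_image(modules):
    """Serialise {name: payload} into the toy container (used for constructed samples)."""
    out = bytearray()
    for name, payload in modules.items():
        out += HDR.pack(len(payload), name.encode().ljust(16, b"\0")) + payload
    return bytes(out)

def parse_image(blob):
    """Return {name: payload}; raise ValueError on a truncated or malformed record."""
    modules, off = {}, 0
    while off < len(blob):
        if off + HDR.size > len(blob):
            raise ValueError(f"truncated header at offset {off}")
        length, raw_name = HDR.unpack_from(blob, off)
        off += HDR.size
        if off + length > len(blob):
            raise ValueError(f"record {raw_name!r} runs past end of image")
        modules[raw_name.rstrip(b"\0").decode()] = blob[off:off + length]
        off += length
    return modules

def compare_images(golden, suspect):
    """Per-module SHA-256 comparison; returns [(module, finding), ...], empty if identical."""
    g, s = parse_image(golden), parse_image(suspect)
    findings = []
    for name in sorted(set(g) | set(s)):
        if name not in s:
            findings.append((name, "missing in dump"))
        elif name not in g:
            findings.append((name, "not present in vendor image"))
        elif hashlib.sha256(g[name]).digest() != hashlib.sha256(s[name]).digest():
            extra = len(s[name]) - len(g[name])
            if extra > 0 and s[name].startswith(g[name]):
                findings.append((name, f"{extra} bytes appended to original payload"))
            else:
                findings.append((name, "contents modified"))
    return findings

# Constructed samples: vendor image vs. a dump where CORE_DXE has gained a 16-byte tail
GOLDEN = build_image({"CORE_DXE": b"A" * 64, "PcdDxe": b"B" * 32})
SUSPECT = build_image({"CORE_DXE": b"A" * 64 + b"X" * 16, "PcdDxe": b"B" * 32})
```

Calling compare_images(GOLDEN, SUSPECT) reports only CORE_DXE, with the appended length; a real workflow would feed a flashrom or chipsec dump and the vendor capsule through a proper FFS parser in place of the toy container.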


  • (Score: 4, Insightful) by Gaaark on Sunday January 23 2022, @12:23AM (9 children)

    by Gaaark (41) on Sunday January 23 2022, @12:23AM (#1214891) Journal

    If Microsoft would just be taken for the joke they are and be forced to close their doors, we wouldn't have all these problems.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 1, Funny) by Anonymous Coward on Sunday January 23 2022, @12:40AM

    by Anonymous Coward on Sunday January 23 2022, @12:40AM (#1214898)

    It's Microsoft WINDOWS. They don't have doors.

    Perhaps if they had window guards ...

  • (Score: 2, Insightful) by Anonymous Coward on Sunday January 23 2022, @01:25AM (7 children)

    by Anonymous Coward on Sunday January 23 2022, @01:25AM (#1214900)

    UEFI was supposed to be THE #1 for all time secure gateway.
    Now we are hearing the same BS about their new TPM chip.
    People just don't learn, do they?

    • (Score: 0) by Anonymous Coward on Sunday January 23 2022, @01:42AM (4 children)

      by Anonymous Coward on Sunday January 23 2022, @01:42AM (#1214904)

      I hope I don't wake up tomorrow and read that Blockchain's decentralized security only takes 15 minutes to crack.

      No, actually I do, as I've never been someone with Superfaith in supposedly mathematically-safe authentication, a result of having "Computer and Network Security Engineer" on my business card for 30 years ...and I'm old and bitter about what happened to my wonderful Internet.

      • (Score: 4, Insightful) by maxwell demon on Sunday January 23 2022, @08:36AM (3 children)

        by maxwell demon (1608) on Sunday January 23 2022, @08:36AM (#1214957) Journal

        > No, actually I do

        No, you actually don't. Because the technology that secures the blockchain (cryptographic hashes and digital signatures) also secures much of the critical infrastructure of the internet. And your password, too.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 0) by Anonymous Coward on Sunday January 23 2022, @09:05AM (2 children)

          by Anonymous Coward on Sunday January 23 2022, @09:05AM (#1214966)

          > No, you actually don't.

          I have my Amateur Licence, and participate directly with more people over the unencrypted-unhypermonetized radio than I do on the net. I can cope.

          • (Score: 2) by maxwell demon on Sunday January 23 2022, @05:08PM (1 child)

            by maxwell demon (1608) on Sunday January 23 2022, @05:08PM (#1215029) Journal

            Can you also cope with the attackers emptying your bank account? I guess you don't store your money in cash and/or gold at home, do you?

            And in case you think you're secure because you don't use online banking: how do you think the communication between the ATM and the bank, or between the credit card company and the bank, is secured?

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 1) by shrewdsheep on Sunday January 23 2022, @06:06PM

              by shrewdsheep (5215) on Sunday January 23 2022, @06:06PM (#1215051)

              In principle, banks and other official institutions do not have to establish trust without shared keys. They can use one-time passwords instead for communication among each other. As such, money flows remain traceable and reversible even if online banking is compromised.

    • (Score: 2) by driverless on Monday January 24 2022, @02:13AM (1 child)

      by driverless (4770) on Monday January 24 2022, @02:13AM (#1215168)

      That was my reaction too, EFI was the super-secure prevents-even-Linux-from-booting DRM mechanism for PCs.

      And now it's being used by the attackers.

      • (Score: 4, Insightful) by Spamalope on Monday January 24 2022, @05:47AM

        by Spamalope (5233) on Monday January 24 2022, @05:47AM (#1215203) Homepage

        It's to secure the system from competition, not Haxxors. Haxxors are a you problem.