SoylentNews is people
SoylentNews
Chinese APT deploys MoonBounce implant in UEFI firmware:
Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks.
The implant is believed to be the work of APT41, a Chinese-speaking sophisticated hacking group also known as Winnti or Double Dragon.
On January 20, Kaspersky researchers said that at the end of last year, the team uncovered a case of Unified Extensible Firmware Interface (UEFI) compromise caused by the modification of one component in the firmware – a core element called SPI flash, located on the motherboard.
"Due to its emplacement on SPI flash which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement," the team noted.
Not only did the tweak to the firmware result in persistence at a level that is extremely difficult to remove, the team says that the firmware image was "modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain."
The developer of the MoonBounce UEFI rootkit is said to have a deep and thorough understanding of how UEFI systems work.
"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices," the researchers explained. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader."
(Score: 4, Insightful) by deimios on Sunday January 23 2022, @08:58AM (5 children)
Just set the jumper to disallow BIOS flashing. Oh UEFI has nothing like that? Progress!
(Score: 4, Insightful) by Common Joe on Sunday January 23 2022, @10:44AM (3 children)
This is how I knew UEFI wasn't serious about security. That and a way to restore the original version. And if you really want to get fancy, you could even implement a switch outside of the computer which would allow flashing or not (instead of needing to grab a screw driver).
(Score: 1, Interesting) by Anonymous Coward on Sunday January 23 2022, @05:39PM
That's how you do it in some industrial computers. More - there is a peculiar control system in which you have to be there and keep this button pressed during upload (12-15 seconds) or it will interrupt and not switch to the second bank (it keeps the previous version of software in the other memory bank).
But when UEFI came, everyone warned about this. Now the solution proposed by corporations will be to chain-certify everything and offer the possibility to boot up the system only for blessed OS developers. Read: MS, Google, and maybe Apple. And it will cost much more than a jumper.
(Score: 0) by Anonymous Coward on Monday January 24 2022, @05:49AM
Microsoft can now flash any bios with whatever they want.
How is this progress?
If in newer systems it can be done without the main OS, how is this "secure"?
(Score: 0) by Anonymous Coward on Monday January 24 2022, @05:39PM
The original SPI flash chips up to around 512K *HAD* a write-lock pin on them. Either due to a defective stepping of intel southbridge (strapping the pin on.) or a defective SPI (Winbond or Macrontix I believe) they starting using the pin as a softstrap instead requiring a command to be sent to the chip in order to write-lock it. As you can imagine there were ways to trip a power cycle at which point the write lock was disabled until the read-lock command was sent again...
Sounded pretty janky at the time and it has only gotten worse as the years have passed. It is really time for 'the rest of us' to desolder those shitty spi chips and put a daughtercard there, with a microcontroller that can spoof read/writes to the system and thus be able to be set read only while also checking if a malware image upload attempted to take place. Cheap ones can be done for 10 dollars or less in quantity with all kinds of cool options like supporting segmented bios memory with compatible (say, coreboot) images and some command stream magic to switch banks for larger memory payloads. Hell if you wanted to be ambitious you could put a microsd card on the spi daughterboard and have arbitrary 'bios' images up to whatever size you wanted. Slow but secured by your own microcontroller and capable of bootstrapping any data you want into ram. I'm sure someone has already done similar inside of an SPI chip for clandestine purposes.
(Score: 0) by Anonymous Coward on Sunday January 23 2022, @10:55PM
All three of the major vendors support disabling BIOS flashing. It is usually under the "security" menu.