Tag Archives: UEFI

APT28 Group Distributes First in the Wild UEFI Rootkit

=======================
Update: 6th February 2019
=======================
In mid-January, the IT news website; The Register provided details of an analysis of this threat from the security firm Netscout. They concluded that they believe the malware utilising the UEFI rootkit began as long as 2 years ago:

In addition; the command and control (C2) (defined) infrastructure originating from this threat remains operational but has reduced from 7 servers to 2. The attackers also have further servers and reserved IP addresses ready to use should they need to.

Thank you.

=======================
Original Post:
=======================
In late September; researchers from the security/anti-malware firm Eset discovered the first UEFI (defined) rootkit (defined) being used in the wild (namely being present on computing devices used by the general public in their professional and personal lives).

The APT group known as APT28 (who we discussed before on this blog) has been named as being responsible for this advanced threat being distributed to victim systems located in the Central Europe, Eastern Europe and the Balkans.

Why should this threat be considered important?
While this threat is so far limited to targeting systems in Central Europe, Eastern Europe and the Balkans; it has the potential to set a precedent to dramatically increase the persistence of malware on selected systems. This is due to the fact that to save time malware removal usually involves re-installing the operating system. More advanced users may choose to re-create the MBR/GPT, replace the boot sector and rebuild the BCD. Even more informed users may replace the hard disk to remove the malware. This new threat is significant since all of these steps would not remove it.

Eset researchers discovered that the LoJack anti-theft software which was installed compromised systems was being leveraged to start the attacker’s malware instead by using the Windows registry (defined) to load files with very similar names to that of the legitimate LoJack software. They also located a kernel (defined) driver (defined) being used to write the systems firmware when required. Since this tool was a legitimate tool; it has a valid digital signature. This is significant; otherwise the attacker’s tool would not have worked on a 64 bit Windows system. Should attempts to write to the firmware fail, the malware uses a 4 year old vulnerability CVE-2014-8273 (a race condition (defined)) to bypass the write lock.

Once the firmware has been updated it replaces the original LoJack software files with hijacked versions designed to enable further persistence on the compromised systems, namely a backdoor (defined).

How can I protect myself against this threat?
While it is less likely a threat of this sophistication will become widespread; the steps below will help to defend you against this and similar threats in the future. How this threat establishes an initial foothold on a system was inconclusive by Eset. However exercising caution on the links you click in emails, IMs and social networking should provide some form of prevention. Keeping your system up to date should also prevent a drive by download (defined). However I will detail more specific defensive steps below:

Eset determined that this threat can be prevented from affecting a system by enabling the Secure Boot hardware security feature (if your system has this feature available; most systems manufactured from 2012 onwards do). Any system with a certified Windows 8 or Windows 10 badge on the outside will have Secure Boot enabled with no action required from you. Secure Boot works even better when paired with Intel BootGuard (corporate users are more likely to use/enable this feature).

If the rootkit had affected the system described above it would have then refused to boot due to Secure Boot being enabled. It’s important to clarify that Secure Boot won’t prevent the infection/tampering but it will prevent that tampering from starting the system for use as normal.

Secure Boot was added to Windows 8.0 in 2012 to prevent unsigned components (e.g. rootkits) from affecting a system so early in the boot process that anti-malware software would be unable to detect or prevent that component from obtaining a privileged level of access over the system.

=====

Keeping the UEFI firmware of your system up to date will assist with resolving known vulnerabilities within the firmware. Patching known firmware vulnerabilities makes your system less vulnerable to low level attacks such as this. Please only install UEFI firmware updates from your system vendor. Check the vendor’s website or contact them to determine if you need a UEFI firmware update and how to install it. If possible/available verify the checksum (defined) of the file you download matches the vendors provided checksum. I use the word available above since not all vendors provide checksums of the firmware updates they distribute which would allow you to verify them.

More recent Intel motherboards (defined) are not vulnerable to the race condition by Eset in their paper (more details available here). These modern chipsets feature a Platform Controller Hub (present in Intel’s Series 5 chipsets and later (available circa 2010 onwards).

If you know of a system affected with such a low level threat you may be able to update the UEFI firmware with a known safe version from the vendor but this is not guaranteed to work. Replacing the hardware will be a more reliable alternative.

Thank you.

Lenovo Releases Security Update For Laptop and Desktop Systems

Earlier this month computer manufacturer Lenovo released a security update for a wide range of its laptop and desktop systems.

The security update affects the Lenovo Service Engine (LSE). This is a utility created by Lenovo that becomes part of the computers BIOS (see Aside below for a definition) that downloads an application known as OneKey Optimizer. This application downloads updates for the computer’s BIOS, drivers updates for hardware and installs applications that are usually pre-installed when the computer leaves the Lenovo factory. Finally the application also sends non-personally identifiable system data to Lenovo servers.

As explained by Lenovo in their security advisory (see links provided below) in collaboration with an independent security researcher and Microsoft security vulnerabilities were found in the LSE (which included a buffer overflow attack (see Aside 2 below for a definition) and an attempted connection to a Lenovo test server). The LSE used the Microsoft Windows Platform Binary Table (WPBT). Microsoft has since provided updated security guidelines for using this capability of Windows. Since the LSE no longer meets those guidelines, Lenovo has chosen to remove all components of the LSE from the affected Lenovo systems.

Why Should These Issues Be Considered Important?
According to the US-CERT, the flaws within the LSE could allow a remote attacker to take control of the Lenovo system.

How Can I Protect Myself From These Issues?
As recommended by Lenovo in their advisories for laptops and desktop systems (both advisories are different), please update the BIOS of the affected systems using the steps provided in those advisories. Once updated the LSE disabler tool can be used to remove the vulnerable LSE components.

Thank you.

=======================
Aside:
What is a BIOS?

A Basic Input/Output System (BIOS) is the first piece of code that tells your computer what to do when it is first turned on. This involves 2 stages, the first stage involves a quick diagnostic of the computers components known as a power on self-test (POST).

The second stage involves brining your computer into a usable state by starting your operating system e.g. Linux, Mac OS X or Windows from the first bootable hard drive (or other drive) it locates.

The BIOS will also check for other bootable devices such as CDs/DVDs or USB jump drives. The goal being to find the next stage of the start-up process whether that be the much more common task of starting your operating system so that you can get to work or allowing you to repair the computer or recover your data using emergency bootable discs/USB jump drives. Further information on computer BIOSes and how they are migrating to the newer Unified Extensible Firmware Interface (UEFI) architecture is available here.

=======================
=======================
Aside 2:
What is a Buffer Overflow attack?

A buffer is an area of computer memory set aside for a specific task. If data larger than that area is (attempted) to be stored in that area, that buffer will overflow. When an overflow happens the data that can fit in the buffer is stored in that buffer while the data that doesn’t fit spills over into memory adjacent to that buffer. Whatever data is stored in those locations is overwritten.

Within the overfilled memory areas (which now contain unintended data (from the point of view of another programs assuming they still contain valid data)) may have previously been another buffer, a programs data output or a pointer (defined below) to another area of memory.

At best this will result in the program using that value (that was overwritten) crashing or getting caught in an infinite loop (performing the same action again and again without ending). At worst, an attack could use a buffer overflow to their advantage.

This can result in an attacker being able to run/execute code of their choice by overwriting the return pointer of the program (due to the overflow that has happened) with a value of the attackers choosing. That value is placed there by the overspill into adjacent memory segments. When an operation is completed, instead of the program returning (using the location the return pointer is referencing) to the place where it was originally asked (called from) the program will instead go to the place in memory where the attacker has stored malicious code (since the attacker supplied this location by inserting a value of their choice (which is too large to fit in the buffer) as mentioned above).

=======================
A pointer is a variable (a segment of memory that stores a single value) that contains the address (in computer memory) of another variable.
=======================

The attacker’s code can then run with same privileges of the program which suffered the overflow. C and C++ functions (a set of instructions that carries out a specific action within a program) such as strcpy (string copy) and strcat(string concatenation/appending function) are just some examples of functions that are vulnerable to buffer overflows.

Such unsafe functions were replaced with functions that carried out the same task but checked the size of the input against the size of the buffer it was to be stored in and don’t allow an overflow to occur. These safe functions are now recommended by Microsoft. To enforce the use of safe functions the Banned Function Calls header file was created (also documented here). Other mitigations such as /GS cookies (discussed in a previous blog post) were also implemented to protect against buffer overflows.

Please note that it is only Microsoft that uses the newer safer functions mentioned above. Linux takes a different approach as does Apple but each results in safer code.

Update: 7th September 2015:
While the use of “safe” versions of common functions that operate on buffers are the preferred method of working with buffers, they are not perfect since they can suffer from incorrect calculations of the width of the buffer to allocate. If a mistake is made here by the programmer, a buffer overflow can still result. An example of a protected version of such a function (of the strcpy() function mentioned above) can be seen in the function declaration shown below that takes the width of the desired buffer as parameter would be:

strncpy(destination, source, width);

The above function declaration shows the name of the “safe” function, namely strncpy (notice the difference to the standard function with the name of strcpy, the “safe” function includes an extra “n”). The 3 parameters to this function are shown within the parentheses () otherwise known as brackets.

=======================
Update: 17th September 2015:
A detailed definition of a stack overflow is provided in a more recent blog post. This similar type of overflow can be a useful addition to the above explanation. Thank you.
=======================

A further reference for buffer overflow attacks is the following:

Smashing The Stack For Fun And Profit by Aleph One
http://phrack.org/issues/49/14.html#article
=======================