

#ABSOLUTE LOJACK DELL UEFI SOFTWARE#
UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyberattacks, as they are hard to detect and able to survive security measures such as operating system reinstallation and even a hard disk replacement. Some UEFI rootkits have been presented as proofs of concept; some are known to be at the disposal of (at least some) governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system.

The discovery of the first in-the-wild UEFI rootkit is notable for two reasons. First, it shows that UEFI rootkits are a real threat, and not merely an attractive conference topic. And second, it serves as a heads-up, especially to all those who might be in the crosshairs of Sednit. This APT group, also known as APT28, STRONTIUM, Sofacy and Fancy Bear, may be even more dangerous than previously thought.

Our analysis of the Sednit campaign that uses the UEFI rootkit was presented September 27th at the 2018 Microsoft BlueHat conference and is described in detail in our “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper. In this blog post, we summarize our main findings.

The Sednit group has been operating since at least 2004, and has made headlines frequently in past years: it is believed to be behind major, high profile attacks. For instance, the US Department of Justice named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many others. This group has a diversified set of malware tools in its arsenal, several examples of which we have documented previously in our Sednit white paper from 2016.

Our investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory. This module is able to drop and execute malware on disk during the boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.

Our research has shown that the Sednit operators used different components of the LoJax malware to target a few government organizations in the Balkans as well as in Central and Eastern Europe.

In May 2018, an Arbor Networks blog post described several trojanized samples of Absolute Software’s LoJack small agent, rpcnetp.exe. These malicious samples communicated with a malicious C&C server instead of the legitimate Absolute Software server, because their hardcoded configuration settings had been altered.
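Whether a malicious UEFI module can be written into SPI flash from a running OS at all depends on the platform's BIOS write-protection bits. The following is an added example, not ESET's code and not from the white paper: it decodes an Intel PCH BIOS_CNTL register value (bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP, the layout chipsec's bios_wp check uses) and classifies the protection state. The register values below are constructed for illustration; on a real machine the value would be read with a tool such as chipsec, which this snippet does not do.

```python
"""Classify SPI flash BIOS-region write protection from a BIOS_CNTL value.

Added example for defenders; it is not ESET's or Absolute Software's code.
Bit positions follow the Intel PCH LPC BIOS_CNTL register layout.
"""

BIOSWE = 1 << 0    # BIOS Write Enable: set means the BIOS region accepts writes
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only succeed while in SMM


def decode_bios_cntl(value: int) -> dict:
    """Return the three protection-relevant bits of BIOS_CNTL as booleans."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def assess_bios_write_protection(value: int) -> tuple:
    """Return (protected, reason) for a BIOS_CNTL value.

    Ordering matters: SMM_BWP overrides BIOSWE because with SMM_BWP set the
    BIOS region rejects writes from outside SMM even if BIOSWE is 1. BLE
    without SMM_BWP is reported as weak: it relies on the SMI handler
    re-clearing BIOSWE in time, which is a known gap in older platforms.
    """
    bits = decode_bios_cntl(value)
    if bits["SMM_BWP"]:
        return True, "protected: SMM_BWP set, BIOS region writable only from SMM"
    if bits["BIOSWE"]:
        return False, "unprotected: BIOSWE set, OS-level writes to BIOS region allowed"
    if bits["BLE"]:
        return False, "weak: BLE set without SMM_BWP, lock depends on SMI handler"
    return False, "unprotected: no write-protection bits set"


def audit(readings: dict) -> dict:
    """Map hostname -> (protected, reason) for a dict of hostname -> BIOS_CNTL value."""
    return {host: assess_bios_write_protection(v) for host, v in readings.items()}


# Constructed sample readings (hypothetical hosts and register values).
SAMPLE_READINGS = {
    "host-a": 0x22,  # SMM_BWP | BLE
    "host-b": 0x02,  # BLE only
    "host-c": 0x01,  # BIOSWE only
    "host-d": 0x00,  # nothing set
}

if __name__ == "__main__":
    for host, (ok, why) in audit(SAMPLE_READINGS).items():
        print(f"{host}: {'OK ' if ok else 'FAIL'} {why}")
```

This covers only BIOS_CNTL; a full assessment also needs the SPI Protected Range (PRx) registers and the flash descriptor lock, which chipsec checks separately. A host reported as weak or unprotected here is one where a firmware re-flash, the cleanup the post describes, could be undone again from the OS.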
