Researchers from Kaspersky have discovered a unified extensible firmware interface (UEFI) rootkit that stays on the victim’s machine even after the operating system has been rebooted or reinstalled.
Dubbed ‘CosmicStrand’, it was developed by an advanced persistent threat (APT) actor and its persistence makes it very dangerous in the long run, says Kaspersky.
UEFI firmware is a critical component in the vast majority of hardware, because its code is responsible for booting up a device and launching the software component that loads the operating system. If UEFI firmware is modified to contain malware, the malicious code will be launched before the operating system, making its activity potentially invisible to security solutions and to the operating system’s defences. This, and the fact that the firmware resides on a chip separate from the hard drive, makes attacks against UEFI firmware exceptionally evasive and persistent. Irrespective of how many times the operating system is reinstalled, the malware will stay on the device.
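Because a UEFI implant lives in the firmware image on the SPI flash chip rather than on the disk, the practical way to detect a modified firmware is to compare a dump of that image against a known-good copy of the vendor's release. The following is an added example, not code from the article or from Kaspersky: it assumes the defender already holds a firmware dump (obtained with the vendor's or a hardware flash reader's own tooling) and the matching vendor image, and it reports which flash regions differ. The 4 KiB block size and the sample images are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# Compare in 4 KiB blocks; a common flash page granularity, chosen for this example.
BLOCK_SIZE = 4096


@dataclass
class ModifiedRegion:
    """A contiguous run of blocks where the captured dump differs from the reference."""
    offset: int
    length: int
    reference_sha256: str
    captured_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_published_hash(image: bytes, published_sha256: str) -> bool:
    """Check a firmware image against the SHA-256 a vendor publishes for that release.
    Constant-time comparison avoids leaking how much of the digest matched."""
    return hmac.compare_digest(sha256_hex(image), published_sha256.lower())


def _region(reference: bytes, captured: bytes, start: int, end: int) -> ModifiedRegion:
    return ModifiedRegion(
        offset=start,
        length=end - start,
        reference_sha256=sha256_hex(reference[start:end]),
        captured_sha256=sha256_hex(captured[start:end]),
    )


def compare_firmware_images(reference: bytes, captured: bytes,
                            block_size: int = BLOCK_SIZE) -> List[ModifiedRegion]:
    """Walk both images block by block and merge adjacent differing blocks into regions.
    A size mismatch is reported as a modified region covering the extra bytes, since
    a dump that is longer or shorter than the vendor image is itself suspicious."""
    regions: List[ModifiedRegion] = []
    longest = max(len(reference), len(captured))
    run_start = None
    for offset in range(0, longest, block_size):
        ref_block = reference[offset:offset + block_size]
        cap_block = captured[offset:offset + block_size]
        if ref_block != cap_block:
            if run_start is None:
                run_start = offset
        elif run_start is not None:
            regions.append(_region(reference, captured, run_start, offset))
            run_start = None
    if run_start is not None:
        regions.append(_region(reference, captured, run_start, longest))
    return regions


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed sample data: a 64 KiB 'vendor' image with a deterministic byte
    pattern, and a 'captured' dump that differs in a 12-byte run inside the block
    starting at 0x5000. Real images would be read from files instead."""
    reference = bytes((i * 31 + 7) & 0xFF for i in range(64 * 1024))
    patch = b"TAMPERED_DXE"  # constructed marker, not a real implant signature
    captured = reference[:0x5010] + patch + reference[0x5010 + len(patch):]
    return reference, captured


def demo() -> List[ModifiedRegion]:
    reference, captured = build_sample_images()
    regions = compare_firmware_images(reference, captured)
    for region in regions:
        print(f"modified region at 0x{region.offset:06x}, {region.length} bytes: "
              f"vendor {region.reference_sha256[:16]}... "
              f"captured {region.captured_sha256[:16]}...")
    return regions


if __name__ == "__main__":
    demo()
```

The region list tells an analyst which part of the image to carve out and inspect; a clean comparison against the vendor image, combined with a matching published hash, is the baseline a reinstall of the operating system cannot provide on its own.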
Unknown end goal
Kaspersky attributes this new threat to a previously unknown Chinese-speaking actor. While the end goal pursued by the attackers remains unknown, the observed victims were individual users rather than corporate computers.
In addition, all of the attacked devices were Windows-based. Each time a computer rebooted, a bit of malicious code would be executed after Windows started. Its purpose was to connect to a C2 (command-and-control) server and download an additional malicious executable.
The researchers were unable to determine how the rootkit ended up on the infected machines in the first place, but unconfirmed accounts discovered online indicate that some users received compromised devices while ordering hardware components online.
According to the security giant, the most striking aspect of this rootkit is that the UEFI implant seems to have been used in the wild since the end of 2016 – long before UEFI attacks started being publicly described.
Kept under the radar
Ivan Kwiatkowski, senior security researcher at Kaspersky's Global Research and Analysis Team (GReAT), says that despite being recently discovered, the CosmicStrand UEFI firmware rootkit seems to have been deployed for quite a long time.
This indicates that certain threat actors have had very advanced capabilities that they’ve managed to keep under the radar since then. “We are left to wonder what new tools they have created in the meantime that we have yet to discover.”
In order to stay protected from threats such as CosmicStrand, Kaspersky recommends providing SOC teams with access to the latest threat intelligence, and implementing EDR solutions for endpoint-level detection, investigation and rapid remediation of incidents.
Kaspersky also advises providing staff with basic cyber security training, as many targeted attacks start with phishing or other social engineering techniques, and always using a robust endpoint security product that can detect the use of firmware.
Finally, the company says to regularly update UEFI firmware and only use firmware from trusted vendors.