New type of attack discovered: First in-the-wild UEFI bootkit - irrevocable damage imminent

05-Apr-2023

Prepare today for tomorrow's attacks.

After Trojans and ransomware aimed at data theft and extortion, attackers have for some time been developing new "permanent" methods of implanting malware. As early as 2018, the first successful UEFI malware attacks (LoJax) became publicly known. (UEFI stands for "Unified Extensible Firmware Interface" and describes the interface between a computer's firmware, its operating system and its various hardware modules.)

Now attackers are going one step further: the first publicly known UEFI bootkit that bypasses the platform's essential security feature, UEFI Secure Boot, has recently been discovered in the wild.

It can even run on current Windows 11 systems with UEFI Secure Boot enabled. Experts believe it to be the bootkit known as BlackLotus, a UEFI bootkit that has been sold on relevant hacker forums for around $5,000 since last fall. An attack with a UEFI bootkit is still quite costly, but experts expect this to change soon and the number of UEFI bootkit attacks, especially on lucrative targets, to increase rapidly.

UEFI bootkits - irrevocable damage

UEFI bootkits are very powerful threats: they have full control over the operating system's boot process and are therefore able to disable various operating system security mechanisms and deploy their own payloads in kernel or user mode during the early boot phases. This allows them to operate very unobtrusively and with extensive privileges. To regular antivirus programs, this form of malware remains invisible. For the attackers, on the other hand, the possibilities are endless: damaging the firmware, locking the computer and even taking over the entire system are easy. What makes them special is that software updates and fresh installations remain ineffective: malware nested in the UEFI survives even a reinstallation of the operating system or a hard disk swap. Once a piece of hardware has been infected it remains lost, as there are no resources or methods available to remove the malware. This type of attack can therefore quickly lead to high financial damage.

Security independent of the operating system

Only comprehensive security solutions offer users appropriate protection against this growing range of attack scenarios, and proactive solutions help users to be prepared today for the attacks of tomorrow. Especially where security requirements are particularly high (classified data, critical infrastructures or similar), users should insist on independence from the security architecture of the operating system. Solutions that act like a UEFI firewall through strong separation offer an additional security gain: malware is prevented from nesting in the computer's UEFI even if the operating system has vulnerabilities and security holes. The hardware remains protected in the future and available for trustworthy work.

IT security expert Rohde & Schwarz Cybersecurity offers appropriate protection with its secure workstation with zero-trust technology, the R&S®Trusted Endpoint Suite, which is approved by the German Federal Office for Information Security for securing classified data. The suite consists of the VPN client R&S®Trusted VPN Client (approved by the German Federal Office for Information Security for securing classified data), which functions independently of the operating system's security mechanisms, and the proven R&S®Trusted Disk full-disk encryption (likewise approved by the German Federal Office for Information Security for securing classified data). R&S®Trusted VPN Client acts like a UEFI firewall and ensures that potential attacks from the Windows operating system on the hardware firmware go nowhere. Changes to the UEFI instance seen by the operating system are also discarded after each reboot, making permanent malware nesting impossible. Users are thus already protected today against tomorrow's threats.
