This thing is a nightmare that escaped into daylight. The Russian GRU—aka Fancy Bear—probably was riveted reading the Wikileaks CIA Vault 7 UEFI Rootkit docs (PDF) and built one of these motherboard-killers of their own, apparently weaponizing the existing LoJack commercial code to speed up the job.
This rootkit, called "LoJax," survives a reformat and OS reinstall—and even a hard-disk swap—because it lives in the system's flash memory. The only way to get rid of this infection is to go in and overwrite the machine's flash storage, not something for the faint of heart, provided you can even get hold of the right code. Imagine this monster being propagated with a 0-day worm like WannaCry. It gives you the shivers.
What The Heck Is UEFI?
Remember BIOS? It got replaced with UEFI, which stands for Unified Extensible Firmware Interface. UEFI is a specification for the interface between a computer's firmware and its operating system. The interface controls booting the operating system and runs pre-boot apps.
This rootkit attack compromises the machine's UEFI. By rewriting it, the malware can persist inside the computer's flash memory, and that is why it survives "Nuke From Orbit" (this clip never gets old) and even hard disk swaps.
Over the last few years, the hardware industry has introduced measures that make it very hard for anyone to make unauthorized changes at the firmware level. One example is Secure Boot, a mechanism that ensures only properly signed firmware and software can be loaded and run on a system.
Controls like Secure Boot are why InfoSec pros have, until now, generally considered UEFI rootkits to be something hypothetical that only government-sponsored actors could develop and use.
However, now that this genie is out of the bottle, you can expect more UEFI rootkits rearing their ugly heads, possibly with advanced features like signature verification bypass. If you want to take a very deep dive into this, here is a fascinating 1-hour video that explains more, and a PDF describing the opportunity for bad actors.
Most antivirus scanners and other security products also don't look for UEFI issues, making it even harder to detect whether malicious code is there. And if it is, you're in trouble: it's a devil to get rid of.
Who Discovered This?
Security firm ESET blogged about it a few days ago. They said: "UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyber attacks. No UEFI rootkit has ever been detected in the wild – until we discovered a campaign by that successfully deployed a malicious UEFI module on a victim's system."
ESET's analysis shows that Fancy Bear used a kernel driver bundled with a legitimate and freely available utility called RWEverything to install the UEFI rootkit. The driver can be used to access a computer's UEFI/BIOS settings and gather information on almost all low-level settings on it.
The GRU already has an elaborate hacking toolkit. But the introduction of a UEFI rootkit—stealthy, complex, pernicious—affirms just how advanced their capabilities have become. And more importantly, how hard they are to defend against.
Here Are Two Things To Do About It
1) Alexis Dorais-Joncas, security intelligence team lead at ESET said: "Organizations should review the Secure Boot configuration on [all] their hardware and make sure they are configured properly to prevent unauthorized access to the firmware memory. They also need to think about controls for detecting malware at the UEFI/BIOS level." You can say that again. Here is their PDF that explains the problem in detail, and note that only modern chipsets support Secure Boot. The infection was running on an older chipset.
2) The black hats behind this are known for their recent headlines about major, high-profile attacks. For instance, the US Department of Justice named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. So, these guys are not leaving Russia anytime soon; they probably have the indictment framed on their wall as a reminder.
That leaves spear phishing as their go-to strategy to penetrate targets. So, this is another excellent reason to step your users through new-school security awareness training, because social engineering is how these bad guys get into your network.
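To make the first recommendation above concrete, here is an added example (not from the original post, and not ESET's or KnowBe4's code) of how an administrator can check the Secure Boot state across a fleet of Linux hosts. Linux exposes UEFI variables through efivarfs under /sys/firmware/efi/efivars; each variable file holds a 4-byte attribute header followed by the variable's data, and for SecureBoot and SetupMode that data is a single byte. The GUID used is the standard EFI global variable GUID; the directory can be overridden so the logic can be exercised against constructed files.

```shell
#!/bin/sh
# Added example: report the Secure Boot state of a Linux host via efivarfs.
# Assumptions: efivarfs is mounted at the standard path (overridable for
# testing), and the SecureBoot/SetupMode variables are one data byte each.

EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_byte DIR NAME
#   Prints the first data byte of UEFI variable NAME as a decimal number,
#   skipping the 4-byte attribute header, or "missing" when the variable is
#   not exposed (typically a legacy BIOS boot rather than UEFI).
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    if [ -r "$f" ]; then
        od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
    else
        printf 'missing'
    fi
}

# secure_boot_report [DIR]
#   Prints one word describing the state and returns 0 only when Secure Boot
#   is actually enforcing signature checks:
#     enforcing  - SecureBoot=1 and the platform is in User Mode
#     setup-mode - SetupMode=1: no Platform Key enrolled, nothing is verified
#     disabled   - UEFI boot, but SecureBoot is off
#     not-uefi   - no SecureBoot variable at all (legacy BIOS or no efivarfs)
secure_boot_report() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efivar_byte "$dir" SecureBoot)
    sm=$(efivar_byte "$dir" SetupMode)
    case "$sb:$sm" in
        missing:*) echo "not-uefi";   return 3 ;;
        *:1)       echo "setup-mode"; return 2 ;;
        1:*)       echo "enforcing";  return 0 ;;
        *)         echo "disabled";   return 1 ;;
    esac
}

# Usage on a live host:  sh secure_boot_check.sh --host
# Prints "<hostname>: <state>" so the output can be collected centrally.
if [ "${1:-}" = "--host" ]; then
    printf '%s: %s\n' "$(uname -n)" "$(secure_boot_report)"
fi
```

Anything other than "enforcing" is a machine whose firmware will load unsigned code and belongs at the top of the review list. Keep in mind that this reading comes from the firmware itself, so on a machine already suspected of carrying a UEFI implant it is a configuration check, not evidence of firmware integrity.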
If you are not a KnowBe4 customer yet, at times like this, it is very good to know what percentage of your users are vulnerable to social engineering attacks. We recommend you do your free Phishing Security Test, find out what the Phish-prone percentage of your users is, and how you are doing compared to your peers.
PS, if you do not like to click on buttons with redirects, here is a URL you can cut/paste:
Let's stay safe out there.
Founder and CEO, KnowBe4, Inc.