
Bootkitty: The Game-Changing Malware Targeting Linux Systems

 

This malware, named Bootkitty, introduces a new method of attacking Linux, which has traditionally been considered safer from such stealthy threats compared to Windows. Bootkits are highly dangerous because they infect a computer’s boot process, loading before the operating system starts. 

This allows them to take deep control of a system while avoiding detection by traditional security tools.   

Bootkitty specifically targets certain versions of Ubuntu Linux by bypassing critical security checks during system boot.   

How Bootkitty Works
ESET discovered Bootkitty in November 2024 when a suspicious file, bootkit.efi, was uploaded to VirusTotal. The malware uses advanced techniques to bypass kernel signature verification and inject malicious components during the system boot process.   

It relies on a self-signed certificate, meaning it won't function on systems with Secure Boot enabled. The malware hooks UEFI security protocols and GRUB bootloader functions, disabling key security checks and loading malicious modules into the Linux kernel. Bootkitty also forces a malicious library to load into system processes at startup.

However, the malware is not without flaws. It only works on specific GRUB and kernel versions, which limits its effectiveness, and it can cause system crashes due to compatibility issues.

During their investigation, researchers also found another suspicious file, BCDropper, likely associated with Bootkitty. BCDropper installs a rootkit named BCObserver, which provides stealthy control by hiding files, processes, and open ports on the infected system.   

Growing Threat to Linux
Although Bootkitty is not yet fully developed or actively deployed in real-world attacks, its discovery is concerning. It signals that cybercriminals are increasingly targeting Linux as more businesses rely on it for critical operations.  

To help organizations defend against Bootkitty, ESET has published indicators of compromise (IoCs) on GitHub.   

Recommendations for Protection
  • Enable Secure Boot: Since Bootkitty cannot operate with Secure Boot enabled, this is a crucial defense. 
  • Update Security Tools: Keeping antivirus and other security software up to date can help detect and block new threats.  
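The two recommendations above translate into checks a Linux administrator can actually run. The following script is an added example, not ESET's code or part of any project the post describes: it reads the firmware's SecureBoot and SetupMode variables through efivarfs (the 4-byte attribute header that efivarfs prepends, and the EFI_GLOBAL_VARIABLE GUID, are from the UEFI specification), and it hashes the bootloader files on the EFI System Partition so that a later run can report anything added, removed or modified since a known-good baseline, which is where a GRUB-hooking bootkit such as the one described has to live. The file suffixes treated as boot-relevant, the sample directory layout and the baseline file format are assumptions of this example.

```python
"""Added example: confirm Secure Boot is enforcing and detect changes to the
EFI System Partition (ESP) against a baseline. Not ESET's or any project's code."""
import hashlib
import json
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Where Linux exposes UEFI variables (efivarfs) and the GUID that scopes the
# SecureBoot/SetupMode variables (EFI_GLOBAL_VARIABLE, from the UEFI spec).
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Assumption: a shim/GRUB based ESP carries these boot-relevant file types.
BOOT_FILE_SUFFIXES = (".efi", ".mod", ".cfg")


def efivar_first_byte(var_dir: Path, name: str) -> Optional[int]:
    """Read a UEFI variable via efivarfs. The file starts with a 4-byte attribute
    header; the variable data follows. Returns None if the variable is absent."""
    try:
        blob = (var_dir / f"{name}-{EFI_GLOBAL_VARIABLE_GUID}").read_bytes()
    except FileNotFoundError:
        return None
    return blob[4] if len(blob) >= 5 else None


def secure_boot_status(var_dir: Path = EFIVARS) -> Dict[str, Optional[bool]]:
    """SecureBoot == 1 means the firmware enforces signatures; SetupMode == 1
    means no Platform Key is enrolled, so enforcement is effectively off."""
    sb = efivar_first_byte(var_dir, "SecureBoot")
    setup = efivar_first_byte(var_dir, "SetupMode")
    return {
        "secure_boot": None if sb is None else sb == 1,
        "setup_mode": None if setup is None else setup == 1,
    }


def secure_boot_enforcing(status: Dict[str, Optional[bool]]) -> bool:
    return status["secure_boot"] is True and status["setup_mode"] is False


def inventory_esp(esp_dir: Path) -> Dict[str, str]:
    """Map every boot-relevant file under the ESP to its SHA-256 digest."""
    inventory: Dict[str, str] = {}
    for path in sorted(esp_dir.rglob("*")):
        if path.is_file() and path.suffix.lower() in BOOT_FILE_SUFFIXES:
            rel = path.relative_to(esp_dir).as_posix()
            inventory[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return inventory


def diff_inventory(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files that appeared, vanished, or changed content since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }


def build_sample_environment() -> Dict[str, Path]:
    """Constructed sample data (not from a real host): a fake efivars directory
    reporting Secure Boot on, and a fake ESP holding shim, GRUB and its config."""
    root = Path(tempfile.mkdtemp(prefix="bootcheck-"))
    vars_dir = root / "efivars"
    vars_dir.mkdir()
    # 4-byte attribute header (NV | BS | RT = 0x07) followed by the 1-byte value.
    (vars_dir / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}").write_bytes(b"\x07\x00\x00\x00\x01")
    (vars_dir / f"SetupMode-{EFI_GLOBAL_VARIABLE_GUID}").write_bytes(b"\x07\x00\x00\x00\x00")
    esp = root / "esp" / "EFI" / "ubuntu"
    esp.mkdir(parents=True)
    (esp / "shimx64.efi").write_bytes(b"constructed shim image")
    (esp / "grubx64.efi").write_bytes(b"constructed grub image")
    (esp / "grub.cfg").write_bytes(b"# constructed grub config\n")
    return {"efivars": vars_dir, "esp": root / "esp"}


def main(argv: List[str]) -> int:
    """Usage: bootcheck.py <esp-dir> <baseline.json>
    Writes the baseline on first run; afterwards exits 1 if the ESP changed."""
    if len(argv) != 3:
        print(main.__doc__)
        return 2
    esp_dir, baseline_file = Path(argv[1]), Path(argv[2])
    status = secure_boot_status()
    print("secure boot:", status, "(enforcing)" if secure_boot_enforcing(status) else "(NOT enforcing)")
    current = inventory_esp(esp_dir)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2))
        print(f"baseline written to {baseline_file} ({len(current)} files)")
        return 0
    delta = diff_inventory(json.loads(baseline_file.read_text()), current)
    print(json.dumps(delta, indent=2))
    return 1 if any(delta.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once right after installation (`python3 bootcheck.py /boot/efi /root/esp-baseline.json`) to record the baseline, then from a scheduled job; a non-zero exit or a `secure_boot` value other than `True` with `setup_mode` `False` is the condition to investigate. Keep the baseline file off the ESP itself, since anything writing there can also rewrite the baseline.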

This discovery underscores the growing sophistication of Linux-targeted malware and the need for robust security practices to safeguard critical systems.

LogoFAIL: UEFI Vulnerabilities Unveiled

The discovery of vulnerabilities is a sharp reminder of the ongoing conflict between innovation and malevolent intent in the ever-evolving field of cybersecurity. The tech community has been shaken by the recent discovery of LogoFAIL, a set of vulnerabilities hidden in the Unified Extensible Firmware Interface (UEFI) code that could allow malicious bootkit insertion through images during system boot.

Researchers have delved into the intricacies of LogoFAIL, shedding light on its implications and the far-reaching consequences of exploiting image parsing vulnerabilities in UEFI code. The vulnerability was aptly named 'LogoFAIL' due to its origin in the parsing of logos during the boot process. The severity of the issue is evident from the fact that it can be exploited to inject malicious code, potentially leading to the deployment of bootkits — a type of malware capable of persistently infecting the system at a fundamental level.

The vulnerability was first brought to public attention through a detailed report by Bleeping Computer, outlining the specifics of the LogoFAIL bugs and their potential impact on system security. The report highlights the technical nuances of the vulnerabilities, emphasizing how attackers could exploit weaknesses in UEFI code to compromise the integrity of the boot process.

Further exploration of LogoFAIL is presented in a comprehensive set of slides from a Black Hat USA 2009 presentation by researcher Rafal Wojtczuk. The slides provide an in-depth analysis of the attack vectors associated with LogoFAIL, offering valuable insights into the technical aspects of the vulnerabilities.

In a more recent context, the Black Hat Europe 2023 schedule includes a briefing on LogoFAIL, promising to delve into the security implications of image parsing during system boot. This presentation will likely provide an updated perspective on the ongoing efforts to address and mitigate the risks that LogoFAIL poses.

The gravity of LogoFAIL is underscored by additional resources such as the analysis on binarly.io and the UEFI Forum's document on firmware security concerns and best practices. Collectively, these sources highlight the urgency for the industry to address and remediate the vulnerabilities in the UEFI code, emphasizing the need for robust security measures to safeguard systems from potential exploitation.

Working together to solve these vulnerabilities becomes critical as the cybersecurity community struggles with the consequences of LogoFAIL. The industry must collaborate to establish robust countermeasures for the UEFI code, guaranteeing system resilience against the constantly changing cyber threat environment.


Fully patched Windows 11 Systems are Susceptible to the BlackLotus Bootkit

 

ESET's analysis of the malware has shown that the BlackLotus bootkit may circumvent security safeguards on fully updated Windows 11 PCs and permanently infect them. 

BlackLotus is a brand-new threat actor that first appeared on darknet forums in October 2022. For $5,000, it gives advanced persistent threat (APT) actors like cybercriminals access to capabilities that were once only available to nation-states. 

The main danger posed by UEFI bootkits is well-known. By controlling the operating system's boot process, they can disable security safeguards and introduce kernel- or user-mode payloads while the machine is booting up, acting covertly and with elevated privileges. 

ESET, which discovered BlackLotus for the first time in late 2022, has so far located six installers, allowing it to thoroughly examine the threat's execution chain and pinpoint the malware's primary capabilities.

BlackLotus has a wide range of evasion capabilities, including anti-debugging, anti-virtualization, and code obfuscation, as evidenced by early reports. It can also disable security measures like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender. 

According to ESET, little can be done to protect systems from attack even when the most recent patches have been installed: the bootkit exploits a year-old Windows vulnerability (tracked as CVE-2022-21894) to disable Secure Boot, and proof-of-concept (PoC) exploit code for it has been publicly available since August 2022.

"Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability,” ESET stated. 

When BlackLotus is run on the machine, it installs a kernel driver that prevents removal, sets up the user-mode component, runs kernel payloads, and can uninstall the bootkit on command. Removal is resisted by protecting handles to the bootkit's files on the EFI System Partition (ESP) and triggering a Blue Screen of Death if those handles are closed.

The user-mode component, an HTTP downloader, handles command-and-control (C&C) communication over HTTPS, command execution, and payload delivery. It runs under the SYSTEM account in the context of the winlogon.exe process.

BlackLotus installers have been found both offline and online. A typical attack begins with an installer that deploys the bootkit files to the ESP, turns off system safeguards, and reboots the device.

After the attackers' Machine Owner Key (MOK) is enrolled in the MokList variable for persistence, CVE-2022-21894 is exploited to disable Secure Boot. On subsequent reboots the self-signed UEFI bootkit delivers the kernel driver and the user-mode payload (the HTTP downloader).
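Two of the facts above are things a defender can verify on a machine rather than take on trust: whether a given boot manager hash is actually present in the UEFI revocation list (dbx), which the earlier ESET quote says had not yet happened for the vulnerable binaries, and which Machine Owner Keys are enrolled in MokList. Both variables hold the same EFI_SIGNATURE_LIST structure from the UEFI specification. The script below is an added example written for this post, not ESET's code or any project's tooling; the signature-type GUIDs and the structure layout are from the specification, while the owner GUID, hashes and certificate bytes in the sample data are constructed placeholders, and the command-line handling is an assumption of this example.

```python
"""Added example: parse UEFI signature lists (the dbx forbidden-hash database and
shim's MokList) to check whether a boot-loader hash is revoked and to enumerate
enrolled Machine Owner Keys. Not ESET's code; layout per the UEFI specification."""
import hashlib
import struct
import sys
import uuid
from typing import Iterator, List, NamedTuple, Set

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (three little-endian UINT32s).
SIG_LIST_HEADER = 16 + 4 + 4 + 4


class SignatureEntry(NamedTuple):
    sig_type: uuid.UUID
    owner: uuid.UUID   # SignatureOwner GUID of the EFI_SIGNATURE_DATA entry
    data: bytes        # 32-byte digest for SHA256 lists, DER certificate for X.509 lists


def strip_efivarfs_header(blob: bytes) -> bytes:
    """Files under /sys/firmware/efi/efivars start with 4 attribute bytes."""
    return blob[4:]


def parse_signature_lists(blob: bytes) -> Iterator[SignatureEntry]:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures, yielding each entry."""
    off = 0
    while off + SIG_LIST_HEADER <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # GUIDs are stored mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HEADER or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed signature list at offset {off}")
        pos = off + SIG_LIST_HEADER + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield SignatureEntry(sig_type, owner, bytes(blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end


def revoked_hashes(dbx: bytes) -> Set[str]:
    """All SHA-256 image digests the firmware refuses to boot."""
    return {e.data.hex() for e in parse_signature_lists(dbx) if e.sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(dbx: bytes, sha256_hex: str) -> bool:
    return sha256_hex.lower() in revoked_hashes(dbx)


def x509_entries(sig_list: bytes) -> List[SignatureEntry]:
    """Enrolled certificates (e.g. MokList); pipe .data into `openssl x509 -inform DER`."""
    return [e for e in parse_signature_lists(sig_list) if e.sig_type == EFI_CERT_X509_GUID]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, entries: List[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; all entries in a list share one size."""
    if any(len(e) != len(entries[0]) for e in entries):
        raise ValueError("entries in one list must have equal size")
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", SIG_LIST_HEADER + len(body), 0, sig_size) + body


# Constructed sample data: placeholder owner GUID, digests of made-up strings and a
# byte string standing in for a DER certificate. None of it is a real dbx or MOK value.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_REVOKED_HASH = hashlib.sha256(b"constructed: revoked boot manager image").digest()
SAMPLE_OTHER_HASH = hashlib.sha256(b"constructed: another revoked image").digest()
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [SAMPLE_REVOKED_HASH, SAMPLE_OTHER_HASH])
SAMPLE_MOK_CERT = b"\x30\x82\x01\x00" + b"constructed DER placeholder"  # not a parsable certificate
SAMPLE_MOKLIST = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_MOK_CERT])


def main(argv: List[str]) -> int:
    """Usage: sigdb.py dbx <efivarfs-dbx-file> [sha256-hex]   |   sigdb.py mok <efivarfs-MokList-file>
    Both inputs are read as efivarfs files, so the 4-byte attribute header is stripped."""
    if len(argv) < 3 or argv[1] not in ("dbx", "mok"):
        print(main.__doc__)
        return 2
    with open(argv[2], "rb") as fh:
        blob = strip_efivarfs_header(fh.read())
    if argv[1] == "mok":
        for e in x509_entries(blob):
            print(f"owner {e.owner}: DER cert, {len(e.data)} bytes, sha256 {hashlib.sha256(e.data).hexdigest()}")
        return 0
    print(f"{len(revoked_hashes(blob))} revoked SHA-256 digests")
    if len(argv) > 3:
        print("revoked" if is_revoked(blob, argv[3]) else "NOT revoked")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a Linux host the variables are `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and `MokList-605dab50-e046-4300-abb6-3dd810dd8b23`; hash the boot manager binary you care about with `sha256sum` and pass the digest as the last argument. An unexpected certificate in the MOK output is the persistence artefact the post describes, and a vulnerable binary whose digest is reported as NOT revoked is exactly the gap the ESET quote refers to.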

Additionally, the bootkit was found by ESET to rename the genuine Windows Boot Manager binary before replacing it. When the bootkit is told to remove itself, the renamed binary is used to start the operating system or to bring back the initial boot sequence. 

Although BlackLotus is covert and equipped with a number of anti-removal safeguards, ESET believes it has uncovered a flaw in the way the HTTP downloader transmits instructions to the kernel driver that would allow users to uninstall the bootkit.

According to ESET, "in the event that the HTTP downloader wishes to send a command to the kernel driver, it merely creates a named section, writes a command with associated data inside, and waits for the command to be processed by the driver by creating a named event and waiting until the driver triggers (or signals) it." 

The kernel driver supports install and uninstall commands, so it can be tricked into completely uninstalling the bootkit by creating the named objects described above and sending the uninstall command. Updating the UEFI revocation list would lessen the threat posed by BlackLotus, but the bootkit would remain on already infected devices; clearing it requires a fresh Windows installation and deletion of the attackers' enrolled MOK key.

"The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet. But until the revocation of the vulnerable bootloaders that BlackLotus depends on happens, we are concerned that things will change rapidly should this bootkit get into the hands of the well-known crimeware groups,” ESET concluded.