![]() ![]() The differences between the legitimate LoJack client and the malicious client were so small-in the tens of bytes, according to the ESET researchers-that they were largely not being detected as malware. Domains used by the malware were the same used in 2017 for another backdoor known as SedUploader. On May 1, Arbor Networks reported the discovery of “trojanized” samples of the LoJack small agent-versions that had been modified to communicate with servers suspected to be connected to Fancy Bear activities. While this issue was brought up by researchers in 2014, it would be four more years before there was a hint that someone had actually done that. So if someone were able to impersonate the Absolute servers, they would have been able to hijack the client to their own ends. The protocols used by the client associated with LoJack/Computrace had no authentication. In other words, Computrace was a commercially developed firmware rootkit. That firmware module ensured a software “small agent” stayed installed on the computer, which connected to an Absolute Web server-even if the computer had its drive wiped. “LoJack attracted a lot of attention in recent years as it implements a UEFI/BIOS module as a persistence mechanism,” the ESET team wrote. ![]() LoJax’s rootkit is essentially a modified version of a 2008 release of the LoJack anti-theft agent from Absolute Software, known at release as Computrace. While LoJax shows all the hallmarks of a state-funded attack, the Fancy Bear team had a little bit of a head start when it came to the UEFI payload-the Bears borrowed from a commercial software product that was purpose-built to stay active in a computer’s firmware. And ESET researchers found at least one confirmed case of a successful deployment of LoJax. This tool’s ultimate goal was to install a malicious UEFI module on a system whose SPI flash memory protections were vulnerable or misconfigured.”īecause of variations in the implementation of UEFI, those sorts of memory protection issues-the very sort of thing Wilkins and Mortensen warned of-have been entirely too common. “Along with the LoJax agents,” ESET researchers noted, “tools with the ability to read systems’ UEFI firmware were found, and in one case, this tool was able to dump, patch and overwrite part of the system’s SPI flash memory. ![]() But LoJax is an entirely different animal-it was built to be deployed remotely, using malware tools that can read and overwrite parts of the UEFI firmware’s flash memory. WikiLeaks’ Vault 7 files showed that the CIA apparently developed an implant for Apple's computers that used the Extensible Firmware Interface (the predecessor of UEFI) but required physical access to the targeted computer and a malicious Thunderbolt Ethernet adapter (called the “Sonic Screwdriver”). ![]() UEFI is essentially a lightweight operating system in its own right, making it a handy place to put rootkits for those who can manage it. “Firmware is software and is therefore vulnerable to the same threats that typically target software,” they explained. There have been a number of security concerns about UEFI’s potential as a hiding place for rootkits and other malware, including those raised by Dick Wilkins and Jim Mortensen of firmware developer Phoenix Technologies in a presentation at UEFI Plugfest last year. And based on the way the malware was spread, it is highly likely that it was authored by the Sednit/Fancy Bear/APT 28 threat group-the Russian state-sponsored operation tied by US intelligence and law enforcement to the cyber-attack on the Democratic National Committee. While the malware had been spotted previously, ESET’s research is the first to show that it was actively attacking the firmware of computers to establish a tenacious foothold.ĭubbed “LoJax,” the malware is the first case of an attack leveraging the Unified Extensible Firmware Interface (UEFI) boot system being used in an attack by an adversary. ESET Research has published a paper detailing the discovery of a malware campaign that used repurposed commercial software to create a backdoor in computers’ firmware-a “rootkit," active since at least early 2017 and capable of surviving the re-installation of the Windows operating system or even hard drive replacement. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |