ESET researchers detect first UEFI rootkit in cyberattack

ESET researchers detect first UEFI rootkit in cyberattack

ESET researchers discovered a cyberattack that used a UEFI rootkit to establish a presence on the victims’ computers

ESET researchers have discovered a cyberattack that used a UEFI rootkit to establish a presence on the victims’ computers. Dubbed LoJax by ESET, this rootkit was part of a campaign run by the infamous Sednit group against several high-profile targets in central and Eastern Europe and is the first-ever publicly known attack of this kind.

“Although in theory we were aware that UEFI rootkits existed, our discovery confirms they are used by an active APT group. So they are no longer just an attractive topic at conferences but a real threat,” said Jean-Ian Boutin, ESET Senior Security Researcher who led the research into LoJax and Sednit’s campaign.

UEFI rootkits are extremely dangerous formidable tools for the launch of cyberattacks. They serve as a key to the whole computer, are hard to detect and able to survive cybersecurity measures such as reinstallation of the operating system or even a hard disk replacement. Moreover, even cleaning a system that was infected with a UEFI rootkit requires knowledge well beyond the reach of a typical user, such as flashing the firmware.

Sednit, also known as APT28, STRONTIUM, Sofacy or Fancy Bear, is one of the most active APT groups and has been operating since at least 2004. Allegedly, the Democratic National Committee hack that affected the 2016 US elections, the hacking of global television network TV5Monde, the World Anti-Doping Agency email leak and many others are believed to be the work of Sednit.

This group has in its arsenal a diversified set of malware tools, several examples of which ESET researchers have documented in their whitepaper.

The discovery of the first ever in-the-wild UEFI rootkit serves as a wake-up call for users and their organisations who often ignore the risks connected with firmware modifications.

“Now there is no excuse for excluding firmware from regular scanning. Yes, UEFI-facilitated attacks are extremely rare and up to now they were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to the full control of a computer, with nearly total persistence,” said Jean-Ian Boutin.

ESET’s endpoint security solutions have a dedicated layer of protection, ESET UEFI Scanner, designed to detect malicious components in a PC’s firmware.

“Thanks to the ESET UEFI Scanner, both our consumer and business customers are in a good position to spot such attacks and defend themselves against them,” added Juraj Malcho, Chief Technology Officer at ESET.

ESET’s analysis of the Sednit campaign that uses the first-ever in-the-wild UEFI rootkit is described in detail in the LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group whitepaper.

Browse our latest issue

Intelligent CISO

View Magazine Archive