ESET discovers the first-ever UEFI rootkit cyber attack

Is it true that ESET is the only endpoint security solutions vendor whose customers can have their UEFI firmware scanned for malicious components? If so, what is the reason for ESET's competitors not having such technology in place?

ESET is the only vendor among Top 20 endpoint security solutions vendors by revenue providing its users with a UEFI scanning technology implemented in its endpoint protection solutions. While some other vendors may have some technologies with “UEFI” in their title, their purpose is different from the function an authentic firmware scanner should perform.

As for the reason ESET is the only vendor in its field securing its customers' UEFI firmware, this illustrates ESET's responsible approach to protection. Yes, UEFI firmware-facilitated attacks are sporadic, and up to now, were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to total control of the machine, with nearly complete persistence. So ESET made the decision to invest its resources into the capability to protect its customers from UEFI firmware-facilitated attacks.

The recent discovery of LoJax, the first-ever UEFI rootkit detected in a real computer attack shows that, unfortunately, UEFI rootkits may become a regular part of advanced computer attacks.

Fortunately, thanks to the ESET UEFI Scanner, our customers are in an excellent position to spot such attacks and defend themselves against them.

In short, scanning the firmware is the only way to spot modifications in it. From the security point of view, the corrupted firmware is extremely dangerous as it is hard to detect and able to survive security measures such as operating system reinstallation, and even a hard disk replacement.

Firmware might get compromised at the stage of manufacturing of the computer, or during its shipping, or via reflashing the firmware if the attacker gains physical access to the device, but also, as the recent ESET research shows, via a sophisticated malware attack.

Usually, the firmware is not accessible to security solutions for scanning and as a result, security solutions are designed only to scan disk drives and memory. To access the firmware, a specialized tool - a scanner - is needed.

The “UEFI scanner” is a module in ESET security solutions whose sole function is to read the content of the UEFI firmware and make it accessible for inspection. Thus, ESET UEFI Scanner makes it possible for ESET’s regular scanning engine to check and enforce the security of the pre-boot environment.

In sum, ESET security solutions, with capabilities boosted by the UEFI scanning technology, are designed to detect suspicious or malicious components in the firmware and report them to the user.

Once a suspicious or malicious component is detected in the firmware, the user is notified so that they can take the right steps.

Under one scenario, there is nothing wrong with the detections – the suspicious component may belong, for example, to an anti-theft solution designed for maximum possible persistency in the system.

Under another scenario however, there is no legitimate reason for the discovered non-standard component’s presence in the firmware. In such a case, remediation actions must be taken.

Unfortunately, there are no easy ways of cleaning the system from such a threat. Typically, the firmware needs to be reflashed to remove the malicious component. If reflashing the UEFI is not an option, the only alternative is to change the motherboard of the infected system.

ESET’s discovery is comprehensively described in full in a blog post and a white paper published at ESET’s security blog, WeLiveSecurity.

In short, the ESET researchers, led by Jean-Ian Boutin, ESET Senior Researcher, did a great research job, combining their in-depth knowledge of the Sednit APT group, telemetry data from ESET detection systems and a previous discovery by their peers at Arbor Network. As a result, they discovered a whole new set of tools for cyber attacks, including the first in-the-wild UEFI rootkit.

Sednit, operating since at least 2004 and also known as APT28, STRONTIUM, Sofacy and Fancy Bear, is one of the most active APT (Advanced Persistent Threat) groups. Such groups are known to conduct cyber espionage and other cyber attacks on high profile targets.

The Democratic National Committee hack that affected the US 2016 elections, the hacking of global television network TV5Monde, the World Anti-Doping Agency email leak, and many others are believed to be the work of Sednit.

This group has a diversified set of malware tools in its arsenal, several examples of which ESET researchers have documented in their previous white paper as well as in numerous blog posts on WeLiveSecurity. The discovery of the LoJax UEFI rootkit shows that the Sednit APT group is even more advanced, and dangerous than was previously thought, according to Jean-Ian Boutin, ESET Senior Malware Researcher who led the research into the recent Sednit’s campaign.

As for attribution, ESET does not perform any geopolitical attribution. Performing attribution in a serious, scientific manner is a delicate task that is beyond the remit of ESET security researchers. What ESET researchers call “the Sednit group” is merely a set of software and the related network infrastructure, without any correlation with any specific organization.