New UEFI bootkit used to backdoor Windows devices since 2012

[LASER_oneXM]

Content source

https://www.bleepingcomputer.com/news/security/new-uefi-bootkit-used-to-backdoor-windows-devices-since-2012/

A newly discovered and previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since 2012.

Bootkits are malicious code planted in the firmware (sometimes targeting UEFI) invisible to security software that runs within the operating system since the malware is designed to load before everything else, in the initial stage of the booting sequence.

They provide threat actors with persistence and control over an operating systems' boot process, making it possible to sabotage OS defenses bypassing the Secure Boot mechanism if the system boot security mode is not properly configured. Enabling 'thorough boot' or 'full boot' mode would block such malware as the NSA explains).

Persistence on the EFI System Partition​

The bootkit, dubbed ESPecter by ESET researchers who found it, achieves persistence on the EFI System Partition (ESP) of compromised devices by loading its own unsigned driver to bypass Windows Driver Signature Enforcement.

 

[jetman]

Would the Microsoft Defender Offline Scan (or similar) discover such a rootkit ? This performs a scan before the Windows operating system loads I think.

 

[plat]

Clipped from BC article:

They provide threat actors with persistence and control over an operating systems' boot process, making it possible to sabotage OS defenses bypassing the Secure Boot mechanism if the system boot security mode is not properly configured. Enabling 'thorough boot' or 'full boot' mode would block such malware as the NSA explains).

If this malware can bypass Secure Boot, there may well be others in the future. Secure Boot sure was a hassle to locate and enable on here for Windows 11 so this finding is a little disappointing. I had higher expectations for Secure Boot.

 

[Andy Ful]

...
If this malware can bypass Secure Boot, there may well be others in the future. Secure Boot sure was a hassle to locate and enable on here for Windows 11 so this finding is a little disappointing. I had higher expectations for Secure Boot.

The attack required disabling Secure Boot.

For Windows OS versions that support Secure Boot, the attacker would need to disable it. For now, it’s unknown how the ESPecter operators achieved this, but there are a few possible scenarios:

• The attacker has physical access to the device (historically known as an “evil maid” attack) and manually disables Secure Boot in the BIOS setup menu (it is common for the firmware configuration menu to still be labeled and referred to as the “BIOS setup menu”, even on UEFI systems).
• Secure Boot was already disabled on the compromised machine (e.g., user might dual-boot Windows and other OSes that do not support Secure Boot).
• Exploiting an unknown UEFI firmware vulnerability that allows disabling Secure Boot.
• Exploiting a known UEFI firmware vulnerability in the case of an outdated firmware version or a no-longer-supported product.
  
  
  

  UEFI threats moving to the ESP: Introducing ESPecter bootkit

  ESET researchers discover and analyze ESPecter, a previously undocumented UEFI bootkit with roots that go back all the way to at least 2012.

  www.welivesecurity.com

Due to vulnerabilities in UEFI firmware such attacks were predicted several years ago. Microsoft developed a new security boundary (Virtualization-based Security) to protect Windows kernel.
Of course, if the attacker would have physical access to the machine then he/she could disable both VBS and Secure Boot.