Sat. May 30th, 2020

ESET researchers have discovered a hacker group that can fully attack UEFI firmware

3 min read

Threat researchers at security vendor ESET have for the first time discovered a hacker group that can fully exploit the Unified Extensible Firmware Interface (UEFI).

The research found that the group can implant the virus in the target computer's SPI flash module, and once it is successfully implanted, the user may have no way to deal with it.

The virus not only survives a reinstall of the operating system; even if the user replaces the hard disk, the device will still not start and run properly.

Named LoJax rootkit:

The virus uses multiple modules and several methods to attack the UEFI firmware. Before the attack begins, one module collects details of the system firmware.

It then creates a copy of the system firmware by reading the SPI flash module that holds the UEFI firmware, and writes the virus back into the SPI flash.

After this final step the virus persists on the device independently of the operating system. Even if the user finds the virus, there is no good way to remove it.

Exploiting configuration errors and vulnerabilities in several ways:

RWEverything is a well-known tool for reading and writing hardware information. In this attack, the hacker group also uses RWEverything to perform the reads and writes.

The tool carries a valid digital signature, so it can read and write system hardware information without being blocked, but this is only the precondition for the virus to get into the firmware.

In fact, the virus's most common attack method relies on a misconfiguration in the UEFI firmware itself, which makes it easier to bypass the SPI flash write-protection mechanism.

If the user's firmware is configured correctly and the virus cannot bypass the write-protection mechanism, it instead exploits CVE-2014-8273, a vulnerability disclosed a long time ago.

So if you are still using very old hardware and have never updated the firmware, it can still be infected even when the UEFI firmware is configured correctly.

How to defend against the LoJax rootkit virus:

Turning on Secure Boot is a very good defense: it checks every boot component for a valid signature when the system starts.

Although the virus uses a properly signed read/write tool to reach the firmware, the virus itself is not signed and therefore fails the signature check.

When a component fails the check, the system refuses to load it, so the virus is neutralised and the UEFI firmware will not be infected at startup.

It is also important to keep the firmware up to date: in this case, the hacker group not only abused UEFI configuration errors but also exploited a vulnerability that was fixed many years ago.

Therefore, updating the firmware promptly is very important. The usual way to update the firmware is to download the corresponding BIOS (firmware) update from the motherboard manufacturer's official website.
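The two checks a defender would want from the sections above are whether Secure Boot is actually enforcing and whether the SPI flash write protection is configured (the misconfiguration the virus relies on, and the CVE-2014-8273 fallback when the lock is only partially set). The script below is an added example, not ESET's code or anything from the article; it assumes a Linux host with efivarfs mounted for the Secure Boot check, and an Intel platform whose BIOS_CNTL register uses the documented BIOSWE / BLE / SMM_BWP bit layout for the write-protection check. The BIOS_CNTL value itself is not read here (that needs a privileged tool such as the open-source CHIPSEC `common.bios_wp` module); the register values and efivar blobs in the examples are constructed.

```python
"""Audit Secure Boot state and SPI flash write-protection configuration.

Added example for the LoJax write-up: defender-side checks only.
Assumptions: Linux with efivarfs at /sys/firmware/efi/efivars, and an
Intel PCH whose BIOS_CNTL register follows the datasheet bit layout.
"""
import struct
from pathlib import Path
from typing import List, Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID: the SecureBoot variable is stored under it.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def parse_efivar(blob: bytes) -> Tuple[int, bytes]:
    """efivarfs prepends a 4-byte little-endian attribute word to the data."""
    if len(blob) < 4:
        raise ValueError("efivar blob too short")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def secure_boot_enabled(blob: bytes) -> bool:
    """The SecureBoot variable holds one byte: 1 = enforcing, 0 = off."""
    _, data = parse_efivar(blob)
    return len(data) >= 1 and data[0] == 1


def read_secure_boot_state() -> Optional[bool]:
    """Read the live variable; None means no EFI/efivarfs or no permission."""
    path = EFIVARS_DIR / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"
    try:
        return secure_boot_enabled(path.read_bytes())
    except (FileNotFoundError, PermissionError, ValueError):
        return None


# Intel PCH BIOS_CNTL bit layout (assumption: Intel platform, datasheet layout).
BIOSWE = 1 << 0    # BIOS Write Enable: writes to the BIOS region are allowed
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only while all cores are in SMM


def classify_spi_write_protection(bios_cntl: int) -> str:
    """Map a BIOS_CNTL value to the protection state the article describes.

    'unprotected': the plain misconfiguration; nothing stops a write.
    'ble-only'   : BLE set but SMM_BWP clear; the lock is enforced by an SMI
                   handler only, the condition behind CVE-2014-8273.
    'protected'  : BLE and SMM_BWP both set.
    """
    if bios_cntl & BLE and bios_cntl & SMM_BWP:
        return "protected"
    if bios_cntl & BLE:
        return "ble-only"
    return "unprotected"


def audit(secure_boot: Optional[bool], bios_cntl: int) -> List[str]:
    """Return human-readable findings; an empty list means both defenses hold."""
    findings = []
    if secure_boot is None:
        findings.append("Secure Boot state unknown (no efivarfs or no permission)")
    elif not secure_boot:
        findings.append("Secure Boot is disabled: unsigned firmware components are not rejected")
    state = classify_spi_write_protection(bios_cntl)
    if state == "unprotected":
        findings.append("SPI flash write protection not configured (BLE clear)")
    elif state == "ble-only":
        findings.append("SPI flash lock relies on SMI only (SMM_BWP clear); apply firmware update")
    return findings


if __name__ == "__main__":
    # Constructed BIOS_CNTL sample; replace with the value read by a privileged tool.
    SAMPLE_BIOS_CNTL = 0x02  # BLE set, SMM_BWP clear
    for line in audit(read_secure_boot_state(), SAMPLE_BIOS_CNTL) or ["no findings"]:
        print(line)
```

Run it as root on a Linux machine to get the live Secure Boot state; the BIOS_CNTL value has to be supplied from a register dump. An empty findings list is the configuration the article recommends: signature checking on, and the flash lock backed by SMM_BWP rather than by the SMI handler alone.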