Few CISOs worry about the Unified Extensible Firmware Interface (UEFI), the firmware standard built into modern motherboards that initializes the hardware and hands control to the operating system loader; its Secure Boot feature is meant to ensure that only trusted boot code is executed.
It is a tempting target for threat actors, but until now only one UEFI bootkit that persists in the EFI System Partition (ESP) had been seen in the wild.
However, researchers at ESET have discovered a new one which, they say in a report, may have been used by a threat actor for espionage since 2012.
Dubbed ESPecter, it bypasses Windows Driver Signature Enforcement to load its own unsigned driver. It originally relied on Master Boot Record (MBR) modification for persistence on legacy BIOS systems, before moving on to attack modern UEFI systems, where it persists on the ESP.
“By patching the Windows Boot Manager, attackers achieve execution in the early stages of the system boot process, before the operating system is fully loaded,” say the researchers. “This allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) in order to execute its own unsigned driver at system startup. This driver then injects other user-mode components into specific system processes to initiate communication with ESPecter’s C&C (command and control) server and to allow the attacker to take control of the compromised machine by downloading and running additional malware or executing C&C commands.”
Even though Secure Boot stands in the way of executing untrusted UEFI binaries from the ESP, the report says, over the last few years ESET has seen various UEFI firmware vulnerabilities affecting thousands of devices that allow Secure Boot to be disabled or bypassed. “This shows that securing UEFI firmware is a challenging task and that the way various vendors apply security policies and use UEFI services is not always ideal.”
The ESET report follows the release of a report in September by Kaspersky about the discovery of a UEFI bootkit that loads the FinSpy/FinFisher/Wingbird surveillance toolkit.
ESET isn’t sure how the operator of ESPecter gets around UEFI Secure Boot on victim machines. One possibility is that the attacker has physical access to the computer and manually disables Secure Boot in the firmware setup menu. Another is that Secure Boot was already disabled on the compromised machine (for example, because the user dual-boots Windows with another OS that does not support Secure Boot).
To fight threats similar to the ESPecter bootkit, ESET recommends IT managers ensure all computers:
- use the latest firmware version;
- are properly configured, with Secure Boot enabled;
- are covered by proper privileged account management, to help prevent adversaries from obtaining the privileged accounts necessary for bootkit installation.
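As an added example (not part of ESET’s report or of this article), the following PowerShell script performs the checks those recommendations imply on a Windows machine: whether Secure Boot is enabled (and whether the machine booted in UEFI mode at all, which the uncertainty above makes worth confirming), which firmware version is installed so it can be compared with the vendor’s current release, whether the boot configuration has been set to weaken Driver Signature Enforcement, and whether the Windows Boot Manager on the ESP still carries a valid Microsoft signature. The function name Test-BootIntegrity, the drive letter S: used to mount the ESP, and the parameter names are assumptions of this example; the cmdlets and commands used are standard Windows ones. It must be run from an elevated prompt.

```powershell
# Added example, not ESET's code: Windows boot-integrity triage checks.
# Run from an elevated PowerShell session. $EspDrive is an assumed free drive letter.
function Test-BootIntegrity {
    param(
        [string]$EspDrive = 'S:',
        # Standard location of the Windows Boot Manager on the ESP.
        [string]$BootMgrRelPath = '\EFI\Microsoft\Boot\bootmgfw.efi'
    )

    $result = [ordered]@{}

    # 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS/CSM boots,
    #    which is itself a finding: Secure Boot cannot protect such a machine.
    try {
        $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
        $result.BootMode = 'UEFI'
    } catch {
        $result.SecureBootEnabled = $false
        $result.BootMode = 'Legacy/CSM or unsupported'
    }

    # 2. Firmware version and date, for comparison with the vendor's latest release.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $result.FirmwareVendor  = $bios.Manufacturer
    $result.FirmwareVersion = $bios.SMBIOSBIOSVersion
    $result.FirmwareDate    = $bios.ReleaseDate

    # 3. Boot options that weaken Driver Signature Enforcement.
    $bcd = bcdedit /enum '{current}' 2>$null
    $result.TestSigning       = [bool]($bcd -match 'testsigning\s+Yes')
    $result.NoIntegrityChecks = [bool]($bcd -match 'nointegritychecks\s+Yes')

    # 4. Authenticode check of the Windows Boot Manager on the ESP. A patched
    #    copy fails validation (status HashMismatch) instead of reporting Valid.
    $mounted = $false
    try {
        mountvol $EspDrive /S | Out-Null
        $mounted = $true
        $bootMgr = Join-Path $EspDrive $BootMgrRelPath
        if (Test-Path $bootMgr) {
            $sig = Get-AuthenticodeSignature -FilePath $bootMgr
            $result.BootMgrSignature = $sig.Status.ToString()
            $result.BootMgrSigner    = $sig.SignerCertificate.Subject
            $result.BootMgrSha256    = (Get-FileHash -Path $bootMgr -Algorithm SHA256).Hash
        } else {
            $result.BootMgrSignature = 'NotFound'
        }
    } catch {
        $result.BootMgrSignature = "Error: $($_.Exception.Message)"
    } finally {
        if ($mounted) { mountvol $EspDrive /D | Out-Null }
    }

    # Anything listed here deviates from the expected state and deserves a look.
    $result.Findings = @(
        if (-not $result.SecureBootEnabled)       { 'Secure Boot is not enabled' }
        if ($result.TestSigning)                  { 'testsigning is on' }
        if ($result.NoIntegrityChecks)            { 'nointegritychecks is on' }
        if ($result.BootMgrSignature -ne 'Valid') { "bootmgfw.efi signature status: $($result.BootMgrSignature)" }
    )

    [pscustomobject]$result
}

Test-BootIntegrity | Format-List
```

The firmware version is only reported, not judged: whether it is current has to be checked against the vendor’s release notes. The signature check catches any unsigned modification of the boot manager, not ESPecter specifically, and because it runs from inside an operating system that a bootkit may already have compromised it is a quick triage step rather than a substitute for measured boot and attestation of the firmware itself.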