In October 2020, researchers at US security company AdvIntel discovered that one of the Internet’s most troublesome malware platforms, Trickbot, had started testing something rather threatening: probing the UEFI firmware of targeted PCs to see whether it was exposed to known firmware vulnerabilities. This was only reconnaissance; Trickbot was not infecting the SPI flash chip on which UEFI firmware resides. But the discovery is significant.
UEFI (Unified Extensible Firmware Interface) is the low-level software that has managed the boot process on personal computers, including Windows PCs and Macs, since the old-style BIOS started disappearing ten years ago. Anything capable of compromising a computer at this layer would be powerful in fundamental ways, including being invisible to all mainstream security software. After researching the discovery with research partner Eclypsium, the companies recently published an analysis of what they nicknamed TrickBoot, which suggests the motive might be connected to a new and imminent type of ransomware attack.
Today, ransomware is feared for encrypting data in return for a ransom, threatening to release data in return for a ransom (double extortion), or an unholy mixture of the two. It has also been known to carry out destructive attacks by overwriting hard drives, an approach tried in 2017 by NotPetya variants against Windows machines. This has never caught on with commercial malware, mainly because it achieves little in a ransom context: defenders simply replace or reinstate the drives.
Malware able to write to or erase UEFI firmware would be a game-changer. Getting those PCs back up and running would require engineers to visit every PC and would probably entail replacing the whole motherboard. Unleashed against possibly thousands of machines, or even a few important ones, such a tactic could quickly bring most organizations to a complete standstill. Even trying to sanitize machines with any certainty would be a huge task.
P0wn goals
The possibility of targeting the UEFI layer has been common knowledge since Kaspersky Lab discovered serious flaws in the design of the legitimate Computrace/LoJack for Laptops ‘good rootkit’ mobile tracing product in 2014. There was no new word until 2018, when Arbor Networks chanced upon trojanized versions of the LoJack agent, later called LoJax. Less than three months later, Slovak security company ESET turned up the first example of this being used to write to UEFI SPI chips in a real attack, delivered as a fake update during a targeted attack. This was attributed to Russian threat group APT28 (STRONTIUM, Sofacy, and Fancy Bear), coincidentally a cousin of the APT29 attack group blamed for the recent SolarWinds compromise of US Government agencies.
In October 2020, a second UEFI compromise, MosaicRegressor (which uses Hacking Team’s old VectorEDK UEFI code), was discovered by Kaspersky Lab, this time attributed to China or North Korea. As with the attack ESET found, this was highly targeted and had been in use for months or even years without being discovered, as part of nation-state espionage.
Despite only carrying out reconnaissance, the new UEFI module documented by AdvIntel and Eclypsium is arguably more serious than any of these, because it shows that the same idea has now migrated to mass-market malware.
Trickbot was designed as a jack of all trades, adding whatever capability its operators’ business model needs. UEFI is simply a new and lucrative way to achieve that goal. Currently, few analysts examine the firmware layer during post-incident forensics, a point that highlights how invisible this kind of attack would be to victims unaware of their vulnerability. For cybercriminals, it is as if they have discovered the perfect backdoor, one that cannot easily be closed or patched.
As chance would have it, the discovery of this new Trickbot capability coincided with the huge October takedown of much of its infrastructure by Microsoft, so it is possible the crime group behind it has had other things on its mind than hammering companies with UEFI-wiping malware. Still, it seems highly unlikely this spells the end of Trickbot. And even if that were to happen, other groups will surely take up where its coders left off.
Some manufacturers ship UEFI with baked-in security, yet many others do not. Even secure updating and authentication checks are not standard, which will one day seem like an incredible oversight. Merely assessing the level of vulnerability across a billion PCs will be a challenge, let alone figuring out mitigation or defense. The irony is that Trickbot’s ability to assess UEFI firmware vulnerability is currently better than that of any of the victims it might target.
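As an added illustration of what that assessment looks like from the defender’s side (example code written for this post, not from the article, AdvIntel or Eclypsium), the snippet below decodes the SPI flash write-protection bits that decide whether firmware can be rewritten from the operating system and summarises a constructed fleet inventory. It assumes the Intel PCH BIOS_CNTL register layout (bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP); the hostnames and register values are constructed sample data, and on real hardware the values would come from a firmware inspection tool such as chipsec.

```python
# Added example: decode SPI flash write-protection bits and assess a fleet.
# ASSUMPTION: Intel PCH BIOS_CNTL layout (bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP).
from dataclasses import dataclass

BIOSWE = 1 << 0   # BIOS Write Enable: 1 = flash is writable
BLE = 1 << 1      # BIOS Lock Enable: 1 = BIOSWE cannot be set without SMM
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: 1 = writes allowed only from SMM


@dataclass(frozen=True)
class WriteProtection:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def protected(self) -> bool:
        # Writes disabled, the lock set so the OS cannot flip BIOSWE back on,
        # and SMM_BWP set so the lock is enforced on all cores.
        return (not self.bioswe) and self.ble and self.smm_bwp

    def findings(self) -> list[str]:
        out = []
        if self.bioswe:
            out.append("BIOSWE set: firmware writable from the OS")
        if not self.ble:
            out.append("BLE clear: write enable is not locked")
        if not self.smm_bwp:
            out.append("SMM_BWP clear: BLE lock alone is not sufficient")
        return out


def decode_bios_cntl(value: int) -> WriteProtection:
    """Decode a raw BIOS_CNTL byte into its write-protection bits."""
    return WriteProtection(bool(value & BIOSWE), bool(value & BLE),
                           bool(value & SMM_BWP))


def assess_fleet(inventory: dict[str, int]) -> dict[str, list[str]]:
    """Map hostname -> findings; an empty list means the flash is protected."""
    return {host: decode_bios_cntl(v).findings() for host, v in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real readings).
SAMPLE_INVENTORY = {
    "ws-01": 0x22,  # BLE + SMM_BWP set, BIOSWE clear: protected
    "ws-02": 0x03,  # BIOSWE + BLE set, SMM_BWP clear: writable
    "ws-03": 0x02,  # BLE only: lock present but not SMM-enforced
}

if __name__ == "__main__":
    for host, f in assess_fleet(SAMPLE_INVENTORY).items():
        print(host, "PROTECTED" if not f else "; ".join(f))
```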
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities such as Trickbot for over 9 years and maintains a resource library of malware and cyber actor reports. Specifically, our analysts are currently collecting and analyzing the supply chains inside the transportation sector. For many years we have believed the supply chain is the Achilles’ heel of the overall cyber network.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941