When we first saw the UEFI, our thoughts centered on how to protect it. We were told that there were systems in place that could prevent the loading of unsigned or malicious code into the firmware environment. This was and still is true, but those systems are not impossible to compromise, and they are not the only game in town for attackers to take advantage of. In 2014 we covered one of the first proofs of concept for a UEFI compromise. It was an impressive thing to watch. There were some responses to this demonstration, including additional security validation to prevent the loading of malicious code into the UEFI itself.
Since that time there has not exactly been a proliferation of UEFI malware or bootkits. There have been roughly 4-6 major ones that have been identified and cataloged. Given the time frame, that is not bad at all. When we start to add context to those numbers, though, things look a little different. More than half of the identified bootkits aimed at the UEFI have appeared in the last 2-3 years. There have been other indicators that this will be a new tactic for major attacks. Two recent UEFI-based attacks included techniques that were part of the Hacking Team and/or Vault7 leaks. This means that the information disclosed in those two dumps is actively being worked on and used by attackers (Captain Obvious here).
Security researchers are also seeing this trend, with reports from Kaspersky and ESET both focusing on it. Right now, these types of attacks are being used against high-profile targets where persistence and time on target are going to produce the largest payoff. The goal here is long-term espionage while remaining undetected for as long as possible. These types of attacks also take time and money to set up, so they are not going to be the stuff of drive-bys anytime soon.
Still, there is another type of attack group out there that might move into the UEFI attack space in the near future: the IAG (Initial Access Group). These groups look to compromise systems en masse so that they can later sell access for other campaigns. Those campaigns can range from botnets for DDoS attacks to adware campaigns and (if the money is good enough) ransomware targets.
As the techniques and tools needed to execute this type of attack become more documented and available, the IAG groups can work them into their efforts. If they can compromise many systems with this level of persistence, they can get a lot of money out of it. The potential return on investment could be enough to get them developing a more commodity attack aimed at the UEFI (we have seen other firmware attacks used by IAG groups). Once that happens, the idea of UEFI zombies is very real, with little chance of detection and removal by the average user. As there are no well-defined consumer-level next-generation antimalware products, we could potentially see these remain in place for years, as the typical reload or system restore does nothing to remove the original infection.
Now, this is not to say that we will see this happen tomorrow; there is still a development curve to think about. The groups in question need to be able to understand the return on any development investment. There also must be a relatively easy way to push this out to large numbers of people, either via phishing, drive-bys or another attack at scale. This one item is probably the only thing holding back these groups. After all, why put in all the work when the old attacks still work and pay? Oddly enough, this is also the reason some major security tools are not moving to more advanced detection methods. If people are still paying for the old stuff, why develop new ones?