Displaying items by tag: UEFI
Intel Investigating MSI Data Breach and Private Code Signing Key Theft
Yesterday we reported on a ransomware attack that impacted PC and component manufacturer MSI. When MSI disclosed the attack, they claimed there was no significant impact, but failed to consider that most, if not all, modern ransomware attacks also incorporate exfiltration techniques to ensure a ransom is paid. In this case, the group Money Message had exfiltrated a claimed 1.5TB of data that included firmware, source code, and databases. This sounds a bit significant at this point.
PC Component Maker MSI has Private Code Signing Keys Leaked **Updated**
Updated May-08-2023 with statement from Intel
Back in early April MSI, a popular PC and PC component maker, disclosed that it had a security incident. They stated that they quickly rolled out their Incident Response Team and enacted their recovery procedures (IR and BC/DR plans). Not much was known about the attack at the time, including when the incident happened, just that the disclosure was made to the relevant authorities.
16 New Vulnerabilities Found in HP UEFI Firmware Implementations by Binarly
The Security Group Binarly has disclosed 16 high-severity vulnerabilities in different implementations of UEFI firmware in HP Enterprise devices. The list of affected devices includes Laptops, Desktops, POS (point-of-sale) and edge computing nodes. The vulnerabilities range in severity from 7.5 to 8.8 putting them square in the high-severity range. The discovery also may affect additional manufacturers via a reference code match that has led to AMD’s firmware driver (AgesaSmmSaveMemoryConfig). This AMD reference code means that some vulnerabilities may exist across the entire computing ecosystem.
UEFI Bootkits and Malware are Becoming More Common as Attackers Refine their Techniques.
UEFI (Unified Extensible Firmware Interface) was designed to replace the old and outdated BIOS (Basic Input Output System). The older BIOS setup was slow and not very secure. It gave attackers several entry points for infection and persistence at that level. The older BIOS standard was also susceptible to attack and compromise (think the Chernobyl BIOS virus). Something new needed to be put in place to help speed things up and help account for more complex hardware and software. Hence the UEFI was born.
23 vulnerabilities found in UEFI firmware used across multiple vendors
We first talked about using the UEFI firmware as an attack vector at Def Con 22 in 2014. Since that time there have been three identified and disclosed versions of malware that directly targeted this critical subsystem. That would seem to be a relatively small percentage given the time since it was first uncovered, the number of devices that operate using the UEFI firmware subsystem, and the time between then and now. However, these are only the ones identified, and most of the identified cases were found because of the method of delivery for the OS payload. This begs the question, are there more out there that just have not been found?
MoonBounce UEFI Malware linked to APT41 by Kaspersky Researchers
APT group 41, also known as Winnti, has been tied to a wonderful new piece of malware that does not infect your operating system, but the UEFI firmware on your device. The malware in question has been dubbed MoonBounce by the security researchers at Kaspersky who are responsible for finding it. APT41 has been in operation for a while and is identified by their tactics, techniques, and protocols (TTPs), which include stealthy attacks meant to maintain a long-term presence for information gathering on the target.
More hacking fun with the UEFI BIOS
Back in August of 2014 while covering DEFCON 22 we sat in on a talk about how insecure the UEFI BIOS was and how it could potentially grant a malicious person ring zero access to your system. The talk was given by Corey Kallenberg and Xeno Kovah and they showed just how easy it would be to plant non-removable malware into the UEFI BIOS as well as how easy it would be to kill the BIOS remotely by affecting only two lines of code in the BIOS.
Hacking the UEFI BIOS Through the Windows 8 API
DEF CON 22, Las Vegas, NV - The thought of getting a rootkit or backdoor on a critical system is always a bad one. These pieces of malicious code allow an attacker to continue to exploit your network and move laterally, increasing their foothold. The good news is that in most cases you can find and remove these holes either by paving the system (formatting and reinstalling) or by cleaning (not always the best choice).
Windows 8/RT Is Now In The Hands Of Reluctant OEMs; The Market and Analysts Seem Uncertain About Its Fate
So Windows 8 has gone gold and has been shipped to all of Microsoft’s OEM partners so that they all can make the October 26th release date. This is supposed to be a good thing for Microsoft and their partners, but for some reason we just are not hearing the same type of excitement we did with Windows 7 or even Windows Vista. Before the Windows 7 launch we heard from many OEMs and vendors who were excited about the launch of the new OS; it fixed many issues that Vista had and was much faster to boot. This time we are getting responses like “we are not commenting on our Windows 8 plans” or another very generic statement.
Windows 8 Fast Boot Times are a Problem for Non-UEFI Based Systems
As we have continued to work with Windows 8 in all of its x86/64 forms (we have it on desktop, virtual and tablet hardware) we have found one item that is both amazing and annoying all at the same time. No, this is not the MetroUI; we are still not happy with that piece. What has frustrated us, at the same time that we are very impressed with it, is the fast boot time. On our Asus EEE Slate EP-121 the normal boot time is something like 5-6 seconds from off to the sign-in screen. This is an amazing feat from Microsoft considering how long it can take to boot up older versions of Windows.