Wave Systems Corp. (fka WAVXQ)

[Genz2]

First-Ever UEFI Rootkit Tied to Sednit APT

https://threatpost.com/uefi-rootkit-sednit/140420/


Researcher at ESET outlines research on the first successful UEFI rootkit used in the wild.


LEIPZIG, GERMANY – Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks.

The discussion of Sednit was part of the 35C3 conference, and a session given by Frédéric Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall (PDF). During his session, Vachon said that finding a rootkit targeting a system’s UEFI is significant, given that rootkit malware programs can survive on the motherboard’s flash memory, giving it both persistence and stealth.

“UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level,” he said.

The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software’s LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system’s UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.

Each time the system restarts, the code executes on boot, before the OS loads and before the system’s antivirus software is launched. That means that even if the device’s hard drive is replaced, the LoJack software will still operate.

According to Vachon, the bad guys are making good use of this with LoJax. This weaponized, customized version of Absolute Software’s wares dates back to a vulnerable 2009 version, which had several key bugs, chief among them a configuration module that was poorly secured with weak encryption.

“This vulnerability allowed Sednit to customize a single byte that contains the domain information for the legitimate software to connect to in order to download the recovery software,” he said. In the case of LoJax, the single byte contained Sednit command-and-control domains that ultimately delivered the rootkit payload.

The infection chain is typical: An attack begins with a phishing email or equivalent, successfully tricking a victim into downloading and executing a small rpcnetp.exe dropper agent. The rpcnetp.exe installs and reaches out to the system’s Internet Explorer browser, which is used to communicate with the configured domains.

“Once I have a foothold on the machine I can use this tool to deploy the UEFI rootkit,” Vachon explained, adding that the hacker tool takes advantage firmware vendors allowing remote flashing. “UEFI rootkit is located in the BIOS region of the serial peripheral interface (SPI) flash memory,” he said.

Once the UEFI rootkit is installed, there’s not much a user can do to remove it besides re-flashing the SPI memory or throwing out the motherboard, Vachon said.

In May, Arbor Networks spotted LoJack being reused by Sednit agents to develop LoJax. But it wasn’t until September that Sednit began to use it in live campaigns, observed by ESET. These are targeting mostly government entities located in the Balkans, as well as Central and Eastern Europe.

ESET said it identified a customer who had been infected by the rogue version of the LoJax. And last month, the Pentagon made a good-faith gesture to be more open and started uploading malware samples from APTs and other nation-state sources to the website VirusTotal. The first two samples were rpcnetp.dll and rpcnetp.exe, which are both detected as dropper mechanisms for the UEFI rootkit.

By enabling Windows Secure Boot, and making sure their UEFI firmware is up to date, end users can protect themselves against attack, Vachon said.
==================================================================
It would make sense that after secure boot and the TPM is enabled in Windows 8.1 that Windows 7 should have their TPMs activated as well. With Windows 10 TPMs being enabled as well, Wave ERAS could have helped in activating a full fleet (Windows 7, 8, 8.1 and 10) of computer TPMs in a company such that they are able to keep unknown devices off the company/organization's network. In short, organizations only having TPMs activated on Windows 8.1 (rather than the full range of OSes: 7, 8, 8.1, and 10) could be missing out on better cybersecurity. Organizations having Wave VSC 2.0 and Wave Endpoint Monitor also would enhance their cybersecurity posture. imo.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management

Excerpt:

Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.

With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.


==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

https://www.wavesys.com/products/wave-endpoint-monitor