Hacking Team’s UEFI rootkit could enable persistent infections

If remote execution of code via Flash or Java vulnerabilities isn't irritating enough, the Hacking Team leaks could have opened the door to more persistent pwnage, too. Trend Micro warns of a UEFI rootkit developed by the gray-hat devs that's designed to make life miserable for victims with unsecured motherboards. Once it's flashed to the system's firmware, the rootkit ensures that Hacking Team's Remote Control System malware remains installed on the target machine by checking for its presence in Windows before the OS even boots. If the user somehow manages to purge the malware, the compromised firmware reinstalls it before allowing Windows to load.

Since the exploit resides in firmware, reformatting or even replacing the boot volume is not sufficient to clean the infection. It's not clear whether flashing a clean firmware image to the system would purge the infection.
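One defender-side check that follows from the cleanup question above is to inventory the modules in a dumped firmware image and compare them with a known-good vendor image, so an added or replaced driver stands out. The Python below is an added example, not code from the article, Trend Micro or Hacking Team; it parses only the EFI Firmware File System headers of a dump (no decompression of file bodies), and the GUIDs and the sample image it builds are constructed stand-ins rather than values from any real firmware.

```python
import struct
import uuid

FV_SIGNATURE = b"_FVH"           # sits at offset 40 of every EFI firmware volume header
FILE_HEADER_LEN = 24             # EFI_FFS_FILE_HEADER: GUID, checksum, type, attrs, 24-bit size, state
FILETYPE_DXE_DRIVER = 0x07
FILETYPE_PAD = 0xF0

def find_volumes(image):
    """Yield (offset, volume_length, header_length) for every firmware volume in a dump."""
    pos = 0
    while (sig := image.find(FV_SIGNATURE, pos)) >= 0:
        pos = sig + 4
        if sig < 40:
            continue                                   # signature must follow the 40-byte prefix
        start = sig - 40
        fv_len, = struct.unpack_from("<Q", image, start + 32)
        hdr_len, = struct.unpack_from("<H", image, start + 48)
        yield start, fv_len, hdr_len

def list_files(image):
    """Return [(guid, file_type, size)] for every FFS file in every volume (pad files skipped)."""
    files = []
    for vol_start, vol_len, hdr_len in find_volumes(image):
        rel = (hdr_len + 7) & ~7                       # files are 8-byte aligned within the volume
        while rel + FILE_HEADER_LEN <= vol_len:
            hdr = image[vol_start + rel: vol_start + rel + FILE_HEADER_LEN]
            size = int.from_bytes(hdr[20:23], "little")
            if len(hdr) < FILE_HEADER_LEN or hdr == b"\xff" * FILE_HEADER_LEN or size < FILE_HEADER_LEN:
                break                                  # truncated dump, erased flash or corrupt header
            if hdr[18] != FILETYPE_PAD:
                files.append((str(uuid.UUID(bytes_le=hdr[:16])), hdr[18], size))
            rel = (rel + size + 7) & ~7
    return files

def unexpected_drivers(image, allowlist):
    """GUIDs of DXE drivers present in the dump but absent from the known-good allowlist."""
    return sorted(g for g, t, _ in list_files(image)
                  if t == FILETYPE_DXE_DRIVER and g not in allowlist)

def build_sample_image(driver_guids):
    """Constructed sample (not a real image): one volume holding one DXE driver per GUID."""
    body = b""
    for g in driver_guids:
        payload = b"\x00" * 16                         # stand-in for the driver's PE32 section
        size = FILE_HEADER_LEN + len(payload)
        body += (uuid.UUID(g).bytes_le + b"\x00\x00" + bytes([FILETYPE_DXE_DRIVER, 0])
                 + size.to_bytes(3, "little") + b"\xf8" + payload)
        body += b"\xff" * (-len(body) % 8)
    hdr_len = 64                                       # 56-byte header plus one 8-byte block-map terminator
    header = (b"\x00" * 32 + struct.pack("<Q", hdr_len + len(body)) + FV_SIGNATURE
              + struct.pack("<IHHHBB", 0, hdr_len, 0, 0, 0, 2) + b"\x00" * 8)
    return header + body

if __name__ == "__main__":
    known = "11111111-2222-3333-4444-555555555555"     # constructed allowlist entry
    rogue = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # constructed extra module
    print(unexpected_drivers(build_sample_image([known, rogue]), {known}))
```

On a real dump the allowlist would be the GUID set produced by running list_files over the vendor's clean image for the same board; a DXE driver that appears only in the suspect dump is what to investigate first.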

According to Trend Micro, the attack itself requires physical access to the target system, but the company doesn't rule out remote installation as a possibility. One could easily imagine variations of the attack where a phisher calling from "Microsoft support" could remotely flash the firmware of unsuspecting users.

To protect yourself and your PCs, the company recommends enabling UEFI SecureFlash, updating motherboard firmware whenever such an update contains a security patch, and setting up a BIOS or UEFI password.

Ben Funk

Sega nerd and guitar lover

Comments closed
    • LoneWolf15
    • 5 years ago

    So, we need to form an IMF team of geeks to take their operations down?

    I mean, they have known office locations. Once you have physical addresses…

    • rika13
    • 5 years ago

    Despite who is paying who, the important thing is we do have whites and greys who are informing people of vulns instead of silently abusing them. Education and not having your head up your ass are two of the best defenses against being pwned.

    • Krogoth
    • 5 years ago

    Saw this happening from a mile away when UEFI was still in WIP status.

    I suspect the said “holes” are intentional backdoors for certain parties that use letters for their name.

      • DrCR
      • 5 years ago

      As Deanjo mentioned, motherboard manufacturers should start selling boards with open source firmware.

        • Krogoth
        • 5 years ago

        Open-source != more secure

        It just makes fixes quicker once they are discovered.

          • DrCR
          • 5 years ago

          Peer review, especially if there’s only a few select models from a motherboard manufacturer’s lineup for the entire community to focus on, will at least somewhat mitigate the intentional backdoors you referred to.

            • Deanjo
            • 5 years ago

            Not to mention extended support. The problem with relying on the MB manufacturer for that firmware is that once they move onto their next gen line up, little, if any, development or maintenance goes into addressing items like these let alone fixing outstanding bugs.

            Sometimes just the fact that the firmware was opensourced leads to even the OEM extending their support for the product. Just for example, because of the efforts of the opensource community, routers that have implemented an opensource firmware have enjoyed an extended, productive and secure lifespan. The WRT-54GL, which IIRC was the first open router put out by a large manufacturer, is STILL seeing regular firmware updates, not only by the likes of Tomato, DD-WRT, etc but also official support directly from Linksys ten years after the product release (latest official release was last month). Now take a look at the WRT-54G: it has identical hardware but proprietary VxWorks firmware and that has not been updated in years.

          • Deanjo
          • 5 years ago

          I agree that opensource does not necessarily mean more secure, however, more times than not, when a product is open-sourced (real opensource, not like Android which is a hybrid of open and closed in most implementations) it is more secure because the community keeps development and maintenance going far past the point where the manufacturer deems it not profitable to do so. I’ll use the example of the WRT-54GL vs the WRT-54G. The WRT-54G, which has not seen an update to the VxWorks firmware in ages, is full of security holes; the WRT-54GL is still updated on a regular basis and gets those discovered holes patched in a timely manner.

    • TwistedKestrel
    • 5 years ago

    Okay, I’ll bite. What is SecureFlash? I’ve never heard of it before today and searching for it only brings up hits talking about this exploit

      • kvndoom
      • 5 years ago

      Isn’t SecureFlash an oxymoron?

      • JJAP
      • 5 years ago

      Maybe they mean secure boot.
      https://en.m.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot

        • TwistedKestrel
        • 5 years ago

        That makes sense. Also, I didn’t realize secure boot protected the firmware as well, I thought it only protected the stuff on the boot drive

    • UnfriendlyFire
    • 5 years ago

    The only difference between the “Hacking Team” and the now-defunct LulzSec is that HT has government contracts, so if they get charged with hacking, the governments would also have to be charged with hacking.

    And money to hire decent lawyers if they start feeling the heat.

    LulzSec pissed off organizations with significant influence, and had no “legal” defenses.

      • NovusBogus
      • 5 years ago

      There’s two key differences:

      1. HT is based in Italy, which like most non-superpowers doesn’t really care what the folks do as long as they pay taxes and stay out of the way.

      2. HT didn’t commit the crime itself, it just sold the tools to those who did. They’re an arms dealer: sleazy, but a fungible symptom of the actual problem.

        • UnfriendlyFire
        • 5 years ago

        If HT sold the tools to LulzSec, and that transaction was traced, HT would’ve been paid a visit by the police.

        There’s a major hacking and identity theft dark website that just went down after it was raided by 19 different law enforcement organizations.

    • Nevermind
    • 5 years ago

    So.. why not a physical switch disabling BIOS writes?

    Jumper technology, didn’t we have this exact feature once?

      • esc_in_ks
      • 5 years ago

      Remember the 5.25″ floppy write protect mechanism of putting a sticker over the notch on the side? Let’s do the same thing: sticker on top of the BIOS chip. If we’re going to do this, let’s go fully old school.

        • lycium
        • 5 years ago

        ITT everyone is 30+

      • mesyn191
      • 5 years ago

      This attack is only if they have physical access to the PC.

      If they have physical access a jumper won’t stop them.

    • HisDivineOrder
    • 5 years ago

    Remember, though.

    They’re “the good guys.” 😉

      • UnfriendlyFire
      • 5 years ago

      Even if you disagree with that definition, they’re simply following the money trail, and governments pay good money to hack each other and “disruptive citizens”.

        • HisDivineOrder
        • 5 years ago

        I think the adjective “disruptive” is going to be a word that has an “evolving” meaning going forward.

          • UnfriendlyFire
          • 5 years ago

          There’s a reason why I put quotation marks around “disruptive”, because it is open to interpretation.

          A protestor in a country can be classified as a dangerous extremist in many others.

    • albundy
    • 5 years ago

    that’s assuming that the system even runs windows.

      • Srsly_Bro
      • 5 years ago

      lol -1

      • UnfriendlyFire
      • 5 years ago

      If you have an infected UEFI, BIOS or any sort of firmware, chances are that they also wrote the malware to infect Mac OS, Linux, etc.

    • mcnabney
    • 5 years ago

    You know, if we put a few of these punks up against the wall and shot them once they are found – maybe there wouldn’t be so many people willing to do this crap for sh$&% and giggles.

      • derFunkenstein
      • 5 years ago

      They are doing this for the exact opposite of shits and giggles. They are doing this for money and profit.

      • BobbinThreadbare
      • 5 years ago

      So you’d rather just not know about all the security vulnerabilities? The strength through ignorance plan.

        • GTVic
        • 5 years ago

        The Joo Janta 200 Super-Chromatic Peril Sensitive Sunglasses are also very effective.

        • mcnabney
        • 5 years ago

        Don’t have to tell everyone where the vulnerable spots are.

      • Deanjo
      • 5 years ago

      Maybe stuff like UEFI and firmware should just be made open source so a person is not dependent on the manufacturer to fix the issue if the accountants deem it a big enough issue.

      • lilbuddhaman
      • 5 years ago

      The only way we’re going to get the government to stop with this crap is to expose it and show the public how bad things really are with their spying. But who’s kidding, no one seems to care.

      • UberGerbil
      • 5 years ago

      Hacking Team has offices in Milan Italy, Annapolis MD, and Singapore. Its customers include government agencies, intelligence services, and law enforcement in various western countries, South Korea, Russia, Kazakhstan, Azerbaijan, Saudi Arabia, Lebanon, Egypt, Nigeria and Sudan. Those are the people who put you up against the wall, not them. And chances are your tax dollars helped pay for these tools to get built.

        • mcnabney
        • 5 years ago

        So they can discreetly report issues, not provide instructions to the script kiddies.

    • bthylafh
    • 5 years ago

    DRINK!

      • alloyD
      • 5 years ago

      How many is that now?

        • Chrispy_
        • 5 years ago

        Over 9000

      • Deanjo
      • 5 years ago

      https://www.youtube.com/watch?v=RXRqYP_IEZk
