Displaying items by tag: UEFI

The UEFI (Unified Extensible Framework Interface) was the replacement for the old BIOS (Basic Input Output System). It was intended as an improvement to the underlying systems on a motherboard (also called mainboard) the motherboard controls communication between all components connected to it from CPUs, to memory, to GPUs, disk or solid-state drives, network cards… you get the picture. The old BIOS was limited and also susceptible to compromise in a number of rather simple ways. By moving to UEFI systems could become more complex without issues potential hardware conflicts, the UEFI structure was also much faster than the BIOS system meaning that as overall computing increased in speed the underlying controls for different components was up to the task.

This one goes in both the “failure of imagination” and “this is why we can’t have nice things” category. It seems that Gigabyte, for some reason, decided to embed an insecure update function into the UEFI BIOS of their motherboards, then shipped roughly 7 million of them to customers. The fatal flaw? Well, this is an update function that runs on startup. It writes a file to disk, reaches out to update servers over open HTTP then downloads any updates and installs them.

Yesterday we reported on a ransomware attack that impacted PC and component manufacturer MSI. When they, MSI, disclosed the attack they claimed there was no significant impact, but failed to consider that most, if not all, modern ransomware attacks also incorporate exfiltration techniques to ensure a ransom is paid. This this case, the group Money Message had exfiltrated data a claimed 1.5TB of data that included firmware, source code, and databases. This sounds a bit significant at this point.

Updated May-08-2023 with statement from Intel
Back in early April MSI, a popular PC and PC component maker, disclosed that it had a security incident. They stated that they quickly rolled out their Incident Response Team and enacted their recovery procedures (IR and BC/DR plans). Not much was known about the attack at the time, including when the incident happened, just that the disclosure was made to the relevant authorities.

The Security Group Binarly has disclosed 16 high-severity vulnerabilities in different implementations of UEFI firmware in HP Enterprise devices. The list of affected devices includes Laptops, Desktops, POS (point-of-sale) and edge computing nodes. The vulnerabilities range in severity from 7.5 to 8.8 putting them square in the high-severity range. The discovery also may affect additional manufacturers via a reference code match that has led to AMD’s firmware driver (AgesaSmmSaveMemoryConfig). This AMD reference code means that some vulnerabilities may exist across the entire computing ecosystem.

UEFI (Unified Extensible Firmware Interface) was designed to replace the old and outdated BIOS (Baic Input Output System). The older BIOS setup was slow and not very secure. It gave attackers several entry points for infection and persistence at that level. The older BIOS standard was also susceptible to attack and compromise (think the Chernobyl BIOS virus). Something new needed to be put in place to help speed things up and help account for more complex hardware and software. Hence the UEFI was born.

We first talked about the using the UEFI firmware as an attack vector (At Def Con 22 in 2014). Since that time there have been three identified and disclosed versions of malware that directly targeted this critical subsystem. That would seem to be a relatively small percentage given the time since it was first uncovered, the number of devices that operate using the UEFI firmware subsystem, and the time between then and now. However, this is only ones identified and in most of the identified cases were found because of the method of delivery for the OS payload. This begs the question, are there more out there that just have not been found?

APT group 41 also known as Winnti has been tied to a wonderful new piece of malware that does not infect your operating system, but the UEFI firmware on your device. The malware in question has been dubbed MoonBounce by the security researchers at Kaspersky who are responsible for finding it. APT41 has been in operation for a while and is identified by their tactics techniques and protocols (TTPs) which include stealthy attacks meant to maintain a long-term presence for information gathering on the target.

Back in August of 2014 while covering DEFCON 22 we sat in on a talk about how insecure the UEFI BIOS was and how it could potentially grant a malicious person ring zero access to your system. The talk was given by Corey Kallenberg and Xeno Kovah and they showed just how easy it would be to plant non-removable malware into the UEFI BIOS as well as how easy it would be to kill the BIOS remotely by affecting only two lines of code in the BIOS.

DEF CON 22, Las Vegas, NV - The thought of getting a root kit or back door on a critical system is always a bad one. These pieces of malicious code allow an attacker to continue to exploit your network and move laterally increasing their foot hold. The good news is that in most cases you can find and remove these holes either by paving the system (formatting and reinstalling) or by cleaning (not always the best choice).