UEFI Rootkit attacks no longer theoretical after one has been discovered in the wild
 |
ESET Cybersecurity researchers have discovered malware, named LoJax, capable of modifying a computer’s Unified Extensible Firmware Interface (UEFI), making it able to sustain an attack even after OS reinstallation and hard disk replacement. The malware was developed by Sednet, a Russian state sponsored hacking group who have been operating since 2007 and have carried out a number of high profile attacks.
UEFI is a critical firmware component of a computer which allows the hardware and operating system software to communicate when booting the computer. This software is inaccessible to users. LoJax works by introducing malicious code into the UEFI, which then cannot be removed without specific software and knowledge that the typical user will not be familiar with.
There has long been mystery surrounding this type of exploit, with some believing it only theoretical, the discovery of LoJax proves this is no longer the case, and a wipe and reboot will no longer guarantee you have purged your machine. LoJax first appeared in 2017 as a Trojan version a legitimate LoJax software. The original LoJax software was created by a company called Absolute Software and is an anti-theft software that works by installing an agent into the computers firmware, that cannot be removed by reinstallation or drive replacement. It then notifies the owner of the location of the laptop in the event of it being stolen.
There is likely to be increased security measures taken by tech companies to better protect users after this discovery. There needs to be ways to detect malware at a firmware level, and a review of the secure boot configuration on their computer hardware, to ensure no unauthorized access can be granted. Secure Boot is a mechanism user in chips and hardware that allows only secured firmware and software can be booted from a system.
