Security news, views and insight from the ESET experts
ESET discovers the first-ever UEFI rootkit cyber attack
October 2, 2018
What are your security risks? Learn about firmware, UEFI and rootkits, and how ESET protects you from malicious UEFI firmware.
How ESET protects from malicious UEFI firmware
ESET is the only major internet security provider to add a dedicated layer, ESET UEFI Scanner, that is designed to detect malicious components in the firmware.
ESET UEFI Scanner is a tool that makes the firmware available for scanning; the firmware's code is then scanned by ESET's malware detection technologies. ESET customers can scan their computer's firmware regularly or on demand. Most detections are labeled as Potentially Unsafe Applications: code that has broad power over the system and can therefore be misused. The very same code may be completely legitimate if the user or an administrator knows about its presence, or malicious if it was installed without their knowledge and consent.
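To illustrate what "making the firmware available for scanning" involves, the script below is an added example written for this page, not ESET's UEFI Scanner or any ESET code. It walks the files inside a UEFI firmware volume (the layout of EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER follows the public UEFI Platform Initialization specification) and flags executable modules that are not on a known-good inventory, which is the kind of check a defender runs against an SPI flash dump. The sample image, its module GUIDs and the "baseline" inventory are constructed here for the demonstration; no real vendor or malware GUIDs are used.

```python
"""Enumerate the files in a UEFI firmware volume and flag executable modules
that are not on a known-good inventory.

Added example for this page (not ESET code). Header layouts follow the UEFI
PI specification; the sample image, GUIDs and baseline below are constructed.
"""
import struct
import uuid

FV_SIGNATURE = b"_FVH"        # EFI_FIRMWARE_VOLUME_HEADER.Signature, at offset 40
FFS_HEADER_SIZE = 24          # sizeof(EFI_FFS_FILE_HEADER)
# EFI_FIRMWARE_FILE_SYSTEM2_GUID, the usual FileSystemGuid of a PI firmware volume
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
FFS_TYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE",
             0x04: "PEI_CORE", 0x05: "DXE_CORE", 0x06: "PEIM",
             0x07: "DRIVER", 0x09: "APPLICATION", 0xF0: "PAD"}
EXECUTABLE_TYPES = {"SECURITY_CORE", "PEI_CORE", "DXE_CORE",
                    "PEIM", "DRIVER", "APPLICATION"}


def parse_fv_header(image, offset=0):
    """Return (fv_length, header_length) of the firmware volume at offset."""
    if image[offset + 40:offset + 44] != FV_SIGNATURE:
        raise ValueError("no _FVH signature at offset %d" % offset)
    fv_length, = struct.unpack_from("<Q", image, offset + 32)
    header_length, = struct.unpack_from("<H", image, offset + 48)
    return fv_length, header_length


def list_ffs_files(image, offset=0):
    """Walk the FFS files of one firmware volume.

    Returns [(guid, type_name, size), ...]. Files are 8-byte aligned relative
    to the volume start; a name of all 0xFF is erased flash and ends the walk.
    """
    fv_length, header_length = parse_fv_header(image, offset)
    pos, end, files = offset + header_length, offset + fv_length, []
    while pos + FFS_HEADER_SIZE <= end:
        hdr = image[pos:pos + FFS_HEADER_SIZE]
        name = hdr[0:16]
        if name == b"\xff" * 16:
            break                                   # free space, no more files
        ftype = hdr[18]                             # Type byte after IntegrityCheck
        size = int.from_bytes(hdr[20:23], "little") # 24-bit Size, includes header
        if size < FFS_HEADER_SIZE:
            raise ValueError("corrupt FFS file size at offset %d" % pos)
        files.append((str(uuid.UUID(bytes_le=name)),
                      FFS_TYPES.get(ftype, hex(ftype)), size))
        pos = offset + ((pos + size - offset + 7) // 8) * 8  # align next file
    return files


def find_unexpected_modules(image, baseline_guids):
    """GUIDs of executable modules in the image that the baseline does not list."""
    return sorted(guid for guid, ftype, _ in list_ffs_files(image)
                  if ftype in EXECUTABLE_TYPES and guid not in baseline_guids)


# --- constructed sample image (not a real SPI dump) -------------------------

def build_ffs_file(guid, ftype, body):
    """Assemble one FFS file: GUID, IntegrityCheck, Type, Attributes, Size, State."""
    size = FFS_HEADER_SIZE + len(body)
    return (uuid.UUID(guid).bytes_le + struct.pack("<HBB", 0, ftype, 0)
            + size.to_bytes(3, "little") + b"\xf8" + body)


def build_sample_fv(files):
    """Assemble a minimal firmware volume around the given FFS files."""
    body = b""
    for f in files:
        if len(body) % 8:
            body += b"\xff" * (8 - len(body) % 8)   # 8-byte file alignment
        body += f
    block_map = struct.pack("<II", 1, 0) + struct.pack("<II", 0, 0)
    header_len = 56 + len(block_map)
    total = ((header_len + len(body) + 7) // 8) * 8
    body += b"\xff" * (total - header_len - len(body))
    header = (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", total)
              + FV_SIGNATURE + struct.pack("<IHHHBB", 0, header_len, 0, 0, 0, 2)
              + block_map)
    return header + body


# Hypothetical GUIDs: two modules on the vendor inventory, one that is not.
KNOWN_DXE_CORE = "11111111-1111-4111-8111-111111111111"
KNOWN_DRIVER = "22222222-2222-4222-8222-222222222222"
UNKNOWN_DRIVER = "deadbeef-0000-4000-8000-000000000001"
BASELINE = {KNOWN_DXE_CORE, KNOWN_DRIVER}
SAMPLE_IMAGE = build_sample_fv([
    build_ffs_file(KNOWN_DXE_CORE, 0x05, b"DXE core body"),
    build_ffs_file(KNOWN_DRIVER, 0x07, b"a vendor driver"),
    build_ffs_file(UNKNOWN_DRIVER, 0x07, b"unexpected driver"),
])

if __name__ == "__main__":
    for guid, ftype, size in list_ffs_files(SAMPLE_IMAGE):
        print("%s  %-13s %d bytes" % (guid, ftype, size))
    print("not on baseline:", find_unexpected_modules(SAMPLE_IMAGE, BASELINE))
```

Against a real dump (for example one read from the SPI flash with flashrom), an image contains several firmware volumes, compressed sections and padding, so a production scanner has to locate every `_FVH` volume and unpack nested sections before it can hash or signature-scan each module; the walk above shows the first of those steps and the inventory comparison that a defender would want.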
UEFI rootkits – from theory to a real threat
UEFI rootkits, the hackers’ Holy Grail, were long feared but none was ever seen in the wild – until ESET discovered a campaign by the infamous Sednit APT group. Some UEFI rootkits have been presented at security conferences as proofs of concept; some are known to be at the disposal of governmental agencies. However, until August 2018, no UEFI rootkit was ever detected in a real cyber attack.
The above-mentioned Sednit campaign used a UEFI rootkit that ESET researchers named LoJax. ESET’s analysis of the campaign is described in detail in the “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper. More information about UEFI-related security can be found at ESET’s security blog, WeLiveSecurity.
Security risks of firmware, UEFI, rootkits
Firmware is the code that runs first when the computer is powered on, initializes the hardware and then hands control to the operating system; because it runs before and beneath the operating system, it has ultimate power over the whole machine. The standard (think of it as a set of rules) that defines how this firmware behaves is called UEFI, the Unified Extensible Firmware Interface; its predecessor was the BIOS. Firmware and UEFI are often lumped together and called UEFI firmware.
A rootkit is malware designed to gain persistent, unauthorized access to a system that it should not have. Typically, a rootkit also hides its own presence, or the presence of other malware, from the operating system and security tools.