Proprietary, Microsoft Holes, and UEFI Flaws
-
US, Ukraine sign pact to expand cooperation in cyberspace [iophk: Windows TCO]
CISA signed a memorandum of cooperation with the Ukrainian State Service of Special Communications and Information Protection of Ukraine (SSSCIP) amid the eastern European country’s ongoing war with Russia, an aggressor in the digital realm that has attacked both Ukrainian and American cyber networks and infrastructure in the past.
The cooperation pact bolsters information sharing on cyber incidents and creates pathways between the two agencies to share key data on critical infrastructure. It also authorizes joint exercises and training sessions between the two agencies.
-
Ransomware attacks enabled by malicious insiders warns Gigamon [iophk: Windows TCO]
Nearly one-third of organisations have suffered a ransomware attack enabled by a malicious insider, a threat seen as commonly as the accidental insider (35%), according to a new report from cloud visibility and analytics company Gigamon.
-
Government Should Incentivize Information Sharing for Ransomware Attacks, Experts Say [iophk: Windows TCO]
The Cyber Incident Reporting for Critical Infrastructure Act passed in March does not cover private companies who do not operate in the critical infrastructure sectors and does not include safe harbor and shield laws that would encourage private companies to engage in the process.
Oftentimes, companies will avoid interacting with law enforcement to avoid the stigma associated with being a victim of a cyberattack and out of fear of being held liable by regulators and investors, said Trent Teyema, senior fellow at technology policy university collaborative GeoTech Center.
-
CosmicStrand: a UEFI rootkit
Since UEFI firmware is embedded in a chip on the motherboard and not written to the hard drive, it is immune to any hard drive manipulations. Therefore, it is very difficult to get rid of UEFI-based malware: even wiping the drive and reinstalling the operating system will not touch UEFI. For this same reason, not all security solutions can detect malware hidden in UEFI. Simply put, once malware has made its way into the firmware, it is there to stay.
-
Chinese UEFI Rootkit Found on Gigabyte and Asus Motherboards
Security researchers with Kaspersky have analyzed a UEFI firmware rootkit that appears to target specific motherboard models from Gigabyte and Asus.
-
CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit
Rootkits are malware implants which burrow themselves in the deepest corners of the operating system. Although on paper they may seem attractive to attackers, creating them poses significant technical challenges and the slightest programming error has the potential to completely crash the victim machine. In our APT predictions for 2022, we noted that despite these risks, we expected more attackers to reach the sophistication level required to develop such tools. One of the main draws towards malware nested in such low levels of the operating system is that it is extremely difficult to detect and, in the case of firmware rootkits, will ensure a computer remains in an infected state even if the operating system is reinstalled or the user replaces the machine’s hard drive entirely.
In this report, we present a UEFI firmware rootkit that we called CosmicStrand and attribute to an unknown Chinese-speaking threat actor. One of our industry partners, Qihoo360, published a blog post about an early variant of this malware family in 2017.
-
New CosmicStrand UEFI Rootkit Variant Found (Dennis Fisher, Jul 25, 2022)
Earlier this year, Kaspersky identified another UEFI rootkit called MoonBounce that was used against one known victim.
-
New UEFI Rootkit
Both links have lots of technical details; the second contains a list of previously discovered UEFI rootkits. Also relevant are the NSA’s capabilities—now a decade old—in this area.
-
Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us
Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.
The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.