Researchers with cybersecurity company ESET have discovered a malware campaign that is able to compromise a device’s firmware component, which they say in a report published Thursday is the first known instance of such an attack in the wild.
ESET says that it found attributes in the malware that link it to the prominent Russian hacking group APT28. The malware, dubbed LoJax, can “serve as a key to the whole computer” by infecting the Unified Extensible Firmware Interface (UEFI) of a device, according to the report.
ESET explains that firmware rootkits like LoJax have in the past been demonstrated in theory and are suspected to be in use by some governments, but haven’t been observed in the wild. This kind of malware is hard to detect and has advanced persistence properties, as it’s able to survive a complete operating system reinstall and even a hard drive replacement.
If LoJax sounds familiar, that’s because it mimics the the persistence methods of the legitimate LoJack anti-theft software, which itself was co-opted into being used APT28 malware.
APT28 (which ESET calls Sednit and is also known as Fancy Bear or Sofacy), is most known for its attacks on the Democratic National Committee before the 2016 election, as well as several other attacks on European organizations.
“Although we were aware in theory that UEFI rootkits existed, our discovery confirms that they are used by an active advanced persistent threat group,” said ESET researcher Jean-Ian Boutin, in a press release. “These attacks targeting the UEFI are a real threat, and anyone in the crosshairs of Sednit [Fancy Bear] should be watching their networks and devices very closely.”
The researchers say they’ve observed LoJax being used to target government organizations in the Balkans and Central and Eastern Europe. ESET linked the malware to APT28 with “high confidence” based on specific tools known to be used by the group, like custom backdoors and network proxy tools.
ESET’s research found at least one instance where LoJax was actually successful in writing a malicious UEFI module onto a target system’s flash memory.
The good news is that LoJax is not properly signed, the researchers say, which means that it can be blocked with a secure boot. Doing so ensures that all the firmware components on a system are properly signed. “We strongly suggest that you enable it,” the report says.
However, completely removing the LoJax rootkit involves flashing the system’s firmware, an advanced process that ESET says even many savvy users aren’t familiar with. An alternative would be to replace the entire motherboard.
“Now, there is no excuse for excluding firmware from regular scanning,” Boutin said. “Yes, UEFI-facilitated attacks are extremely rare, and up to now, they were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to full control of a computer by the attacker, with nearly total persistence.”