ESET uncovered a new, ongoing cyber attack: a UEFI rootkit being actively
used by the Sednit (aka Fancy Bear) APT group to compromise
governmental targets in Central and Eastern Europe.
The threat group behind the attack, also known as APT28, STRONTIUM, and
Sofacy, is the first known to have successfully compromised
computing systems using a UEFI rootkit.
Among Sednit's previous victims are the US Democratic National Committee
(DNC), TV5Monde, the World Anti-Doping Agency, and a handful of other
high profile targets.
As reported by ESET, "the LoJax rootkit was part of a campaign run by
Fancy Bear against several high-profile targets in Central and Eastern
Europe and is the first-ever publicly known attack of this kind."
LoJax attacks work by injecting a malicious UEFI module into the
system's SPI flash memory; that module downloads and runs malware while the
operating system boots up, providing the rootkit's operator with
administrator-level privileges on the compromised computer.
The biggest issue is that once LoJax successfully penetrates a
computer's UEFI firmware, the rootkit will survive OS reinstalls and
storage device changes.
"Enabling Secure Boot is the best way to block LoJax from compromising your machine"
There is very little regular users can do to mitigate such an
infection, seeing that the only way to get rid of it is to
re-flash the memory chips with a clean copy of the firmware, an
operation only professionals should attempt, or to replace the computer's
motherboard altogether.
Users with Secure Boot enabled will be protected by default since this
Windows feature will automatically block any malicious software
components from running while the operating system boots up.
If you haven't yet enabled Secure Boot on your device, you can do so by
going into the UEFI firmware settings and toggling on the Secure Boot
option.
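Toggling the setting is not the whole story: a platform left in Setup Mode (no Platform Key enrolled) reports SecureBoot but does not enforce signature checks. The following script, an added example not taken from ESET's report, verifies the effective state on a Linux host by parsing the SecureBoot and SetupMode variables the kernel exposes under `/sys/firmware/efi/efivars/`; the path, the EFI_GLOBAL_VARIABLE GUID and the 4-byte attribute header are standard UEFI/efivars conventions, and the sample byte strings in the comments are constructed.

```python
"""Report whether UEFI Secure Boot is actually enforcing on a Linux host.

Each file under /sys/firmware/efi/efivars/ starts with a 4-byte
little-endian attribute word, followed by the variable's data bytes.
For SecureBoot and SetupMode the data is a single byte (0 or 1).
"""
import struct
from pathlib import Path
from typing import Tuple

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivars file image into (attributes, data).

    Constructed sample: b"\\x06\\x00\\x00\\x00\\x01" -> (6, b"\\x01").
    """
    if len(raw) < 4:
        raise ValueError("efivars entry too short to hold the attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secure_boot_raw: bytes, setup_mode_raw: bytes) -> str:
    """Classify firmware state from the two raw variable images.

    "enforcing" requires SecureBoot == 1 AND SetupMode == 0. A system in
    Setup Mode has no enrolled Platform Key, so unsigned boot components
    (such as a dropped UEFI module) would still be allowed to run.
    """
    _, sb = parse_efivar(secure_boot_raw)
    _, sm = parse_efivar(setup_mode_raw)
    if not sb or not sm:
        return "unknown"
    if sm[0] == 1:
        return "setup-mode"
    return "enforcing" if sb[0] == 1 else "disabled"


def read_live_state() -> str:
    """Read the live variables; 'unavailable' on legacy-BIOS boots or
    when efivars is not readable."""
    try:
        sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}").read_bytes()
        sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}").read_bytes()
    except OSError:
        return "unavailable"
    return secure_boot_state(sb, sm)


if __name__ == "__main__":
    print("Secure Boot:", read_live_state())
```

Anything other than "enforcing" means the firmware would not have stopped an unsigned module from executing at boot.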
ESET's research team managed to link LoJax with the Sednit APT group
after finding out that the command-and-control (C&C) servers used by
LoJax were also used by the SedUploader backdoor during other attack
campaigns.