Ars Technica: Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us. “Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.”
Ars Technica: First UEFI malware discovered in wild is laptop security software hijacked by Russians. “ESET Research has published a paper detailing the discovery of a malware campaign that used repurposed commercial software to create a backdoor in computers’ firmware—a ‘rootkit,’ active since at least early 2017 and capable of surviving the re-installation of the Windows operating system or even hard drive replacement. While the malware had been spotted previously, ESET’s research is the first to show that it was actively attacking the firmware of computers to establish a tenacious foothold.”
TechCrunch: Russian hackers ‘Fancy Bear’ now targeting governments with rootkit malware. “Security researchers say that they have found evidence that for the first time Russia-backed hackers are now using a more sophisticated type of malware to target government entities. ESET presented its case Thursday that the hacker group, known as Fancy Bear (or APT28), is using rootkit malware to target its victims. That marks an escalation in tactics, which the researchers say the group’s hacking capabilities ‘may be even more dangerous than previously thought.’” ESET sounds like it should be an explained acronym but it’s the name of a security company.
A new tool defends against Petya ransomware – and as a bonus is also good against rootkits. “MBRFilter defeats Petya in a rather simple, clever way. MBRFilter is a driver that simply places the MBR into read-only mode. Therefore, ransomware like Petya cannot overwrite the MBR or otherwise modify its contents. … Although MBRFilter will not help organizations solve their problems with Locky, it has wide use beyond ransomware. ‘This should be effective at stopping all rootkits which require MBR modification,’ says [Craig] Williams.” MBR stands for Master Boot Record; you can learn more about it here.
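As an added illustration of the MBR integrity problem the MBRFilter item describes (example code written for this page, not part of the article or of MBRFilter): a defender-side check that parses a constructed 512-byte MBR, validates the 0x55AA boot signature, and compares the bootstrap-code and partition-table regions against a stored baseline so that a rewrite of either region, the kind a bootkit or Petya performs, is reported by region. All sector contents here are synthetic sample data, not read from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446           # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446          # four 16-byte partition entries follow it
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

def build_sample_mbr(bootstrap_fill: int = 0x90) -> bytes:
    """Construct a synthetic MBR for the demo (constructed data, not a real disk)."""
    bootstrap = bytes([bootstrap_fill]) * BOOTSTRAP_LEN
    # One bootable entry: status 0x80, type 0x07 (NTFS), LBA start 2048, 1 GiB of 512-byte sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 2097152)
    table = entry + bytes(PART_ENTRY_LEN) * 3   # remaining three entries empty
    return bootstrap + table + BOOT_SIGNATURE

def parse_partitions(mbr: bytes) -> list:
    """Return (status, type, lba_start, sector_count) for each non-empty entry."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        if ptype != 0:                     # type 0x00 marks an unused slot
            parts.append((status, ptype, lba, count))
    return parts

def _regions(mbr: bytes) -> dict:
    """Split the sector into the two regions a rootkit would have to modify."""
    return {
        "bootstrap": mbr[:BOOTSTRAP_LEN],
        "table": mbr[PART_TABLE_OFF:PART_TABLE_OFF + 4 * PART_ENTRY_LEN],
    }

def mbr_baseline(mbr: bytes) -> dict:
    """Per-region SHA-256 digests; store this out-of-band when the system is known-good."""
    parse_partitions(mbr)              # refuse to baseline a malformed sector
    return {name: hashlib.sha256(data).hexdigest() for name, data in _regions(mbr).items()}

def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Compare a freshly read sector to the baseline; return the names of changed regions."""
    current = mbr_baseline(mbr)
    return [name for name in baseline if current.get(name) != baseline[name]]

if __name__ == "__main__":
    good = build_sample_mbr()
    base = mbr_baseline(good)
    tampered = bytes([0xCC]) * BOOTSTRAP_LEN + good[BOOTSTRAP_LEN:]   # overwritten boot code
    print(parse_partitions(good), check_mbr(good, base), check_mbr(tampered, base))
```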