
LoJax


First posted on 28 September 2018.
Source: SecurityHome

Aliases :

LoJax is also known as Sednit APT.

Explanation :

Security vendor ESET recently discovered the malware - dubbed LoJax - installed on a system as part of a broader Sednit APT campaign and described it this week as the first UEFI rootkit ever discovered in the wild. The discovery shows that UEFI rootkit attacks - long perceived as a theoretical threat - are a reality.

The use of a UEFI rootkit is enough in itself for businesses to take notice. However, the rootkit is not properly signed, so target systems with the Windows Secure Boot function enabled will only permit signed firmware components to load, and the exploit is blocked.

On systems that were targeted by the LoJax campaign, various tools that are able to access and patch UEFI/BIOS settings were found. All used a kernel driver, RwDrv.sys, to access the UEFI/BIOS settings. This kernel driver is bundled with RWEverything, a free utility available on the web that can be used to read information on almost all of a computer's low-level settings, including PCI Express, Memory, PCI Option ROMs, etc. As this kernel driver belongs to legitimate software, it is signed with a valid code-signing certificate.

LoJax is linked to the Sednit group, also known as Fancy Bear, APT28, STRONTIUM, and Sofacy.

Solution :

Sednit's UEFI rootkit is not properly signed, so the first security mechanism that could have blocked such an attack is Secure Boot. When Secure Boot is enabled, each and every firmware component that is loaded by the firmware needs to be properly signed, thus ensuring the integrity of the firmware. We strongly suggest that you enable it. This is the base defense against attacks targeting UEFI firmware and can be enabled at boot time through your system's UEFI settings.

Updating system firmware should not be something trivial for a malicious actor to achieve. There are different protections provided by the platform to prevent unauthorized writes to system SPI flash memory. The tool described above is able to update the system's firmware only if the SPI flash memory protections are vulnerable or misconfigured. Thus, you should make sure that you are running the latest UEFI/BIOS available for your motherboard. Also, as the exploited vulnerability affects only older chipsets, make sure that critical systems have modern chipsets with the Platform Controller Hub (introduced with Intel Series 5 chipsets in 2008).
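The two checks above (Secure Boot state and SPI flash write protection) can be scripted. The following is an added example, not code from the page or from ESET; it assumes a Linux host exposing the SecureBoot variable through efivarfs, takes the BIOS_CNTL bit layout from Intel PCH datasheets (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5), and uses constructed register values rather than reading hardware.

```python
"""Assess the firmware protections discussed above: Secure Boot and the
BIOS_CNTL bits that gate writes to the SPI flash (assumed bit layout:
BIOSWE = bit 0, BLE = bit 1, SMM_BWP = bit 5, per Intel PCH datasheets)."""
from pathlib import Path
from typing import Optional

# Linux efivarfs exposes each UEFI variable with a 4-byte attribute word
# in front of the payload; SecureBoot's payload is a single byte.
SECUREBOOT_VAR = Path("/sys/firmware/efi/efivars/"
                      "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5


def secure_boot_enabled(raw: bytes) -> bool:
    """Parse efivarfs bytes: the byte after the attributes is 1 when on."""
    return len(raw) >= 5 and raw[4] == 1


def assess_bios_cntl(value: int) -> str:
    """Classify SPI flash write protection from a BIOS_CNTL value.

    'smm-locked': SMM_BWP set, BIOS region writable only from SMM.
    'writable'  : BIOSWE set with no SMM restriction, OS can write flash.
    'ble-only'  : BLE set without SMM_BWP; the lock depends solely on an
                  SMI handler, the weak configuration on older chipsets.
    'unlocked'  : no lock bit set, so any kernel driver may set BIOSWE.
    """
    if value & SMM_BWP:
        return "smm-locked"
    if value & BIOSWE:
        return "writable"
    if value & BLE:
        return "ble-only"
    return "unlocked"


def host_secure_boot() -> Optional[bool]:
    """Read the live SecureBoot variable; None if not a UEFI Linux host."""
    try:
        return secure_boot_enabled(SECUREBOOT_VAR.read_bytes())
    except OSError:
        return None


if __name__ == "__main__":
    print("Secure Boot enabled:", host_secure_boot())
    # Constructed register samples, not values read from hardware.
    for sample in (0x01, 0x02, 0x22, 0x00):
        print(f"BIOS_CNTL=0x{sample:02x}: {assess_bios_cntl(sample)}")
```

Reading the real BIOS_CNTL register needs a PCI config-space tool run as root (for example chipsec's bios_wp module); the function here only classifies a value you already obtained.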

Last update 28 September 2018
