
UEFI Problems Get Worse (AKA China)

I have reported before on UEFI security holes in a variety of vendors' products, but I didn't think it would come to this.

The Russian cybersecurity firm Kaspersky (which walks a fine line with Putin) has analyzed a firmware rootkit it calls CosmicStrand.

It appears to have been developed by Chinese-speaking hackers. Does that mean it is state sponsored? Hard to tell, but probably.

Hiding a rootkit in the computer's firmware, well below the operating system, makes it invisible to antivirus and every other piece of software running inside that operating system. The only place it can be seen is in the firmware image itself.

This firmware rootkit runs every single time Windows boots. It hooks the boot process and plants kernel-mode malware in the operating system as it loads. That malware can then do anything the hackers want it to do.

It will persist even if you wipe the disk and reinstall Windows.

It will persist even if you replace the hard drive in the computer.

It will NOT persist if you replace the motherboard (I think they have to be called a system board now), because the firmware lives in a flash chip soldered to that board, not on the disk.

Short of swapping the board, the only real cure is reflashing that chip with a known-good image from the vendor, preferably with an external programmer rather than trusting the infected firmware to update itself. Running over the computer with your car and shredding it also works, but a clean reflash is cheaper.
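How a defender can actually check for this, as an added example that is not part of the original alert: dump the SPI flash (with an external programmer, or from a known-clean boot environment with a tool such as chipsec), then compare the firmware volumes and files in the dump against the vendor's published image. The Python below is an illustration written for this page, not Kaspersky's or any vendor's tooling. It walks the EFI Firmware Volume and FFS file headers in a raw image, hashes every file, and reports files that were modified, added or removed relative to a baseline. The two firmware images and the file GUIDs are constructed inside the code for demonstration; a real check would read the dump and the vendor image from disk.

```python
"""Diff the FFS files inside a UEFI firmware dump against a known-good image.

Added example for this page; parses the EFI Firmware Volume (FV) and FFS
file headers from the UEFI PI specification. Sample images are constructed
below, they are not real vendor firmware.
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"        # sits at offset 40 of every firmware volume header
FV_FIXED_HEADER_LEN = 56      # header bytes before the variable-length block map
FFS_HEADER_LEN = 24           # GUID(16) + IntegrityCheck(2) + Type(1) + Attributes(1) + Size(3) + State(1)
FFS_ATTRIB_LARGE_FILE = 0x01  # file uses the 32-byte header with a 64-bit ExtendedSize
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")


def find_firmware_volumes(image):
    """Yield (start, length, header_length) for each firmware volume in the image."""
    pos = 0
    while True:
        sig = image.find(FV_SIGNATURE, pos)
        if sig < 0:
            return
        start = sig - 40
        if start >= 0 and start + FV_FIXED_HEADER_LEN <= len(image):
            fv_len = struct.unpack_from("<Q", image, start + 32)[0]
            hdr_len = struct.unpack_from("<H", image, start + 48)[0]
            if FV_FIXED_HEADER_LEN <= hdr_len <= fv_len <= len(image) - start:
                yield start, fv_len, hdr_len
                pos = start + fv_len  # skip the volume; volumes nested in files are not walked
                continue
        pos = sig + 4  # signature bytes that are not a sane header: keep scanning


def list_ffs_files(image, fv_start, fv_len, hdr_len):
    """Yield (guid, type, sha256) for each FFS file in one volume, in order."""
    pos = fv_start + hdr_len
    end = fv_start + fv_len
    while pos + FFS_HEADER_LEN <= end:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:
            break  # erased free space after the last file
        name = uuid.UUID(bytes_le=hdr[:16])
        ftype, attributes = hdr[18], hdr[19]
        size = int.from_bytes(hdr[20:23], "little")
        if attributes & FFS_ATTRIB_LARGE_FILE and pos + 32 <= end:
            size = struct.unpack_from("<Q", image, pos + 24)[0]
        if size < FFS_HEADER_LEN or pos + size > end:
            break  # corrupt header; stop rather than read past the volume
        yield str(name), ftype, hashlib.sha256(image[pos:pos + size]).hexdigest()
        pos = fv_start + ((pos - fv_start + size + 7) & ~7)  # files are 8-byte aligned


def inventory(image):
    """Map 'fvN:<guid>' to (type, sha256) for every file in every volume."""
    inv = {}
    for i, (start, length, hdr_len) in enumerate(find_firmware_volumes(image)):
        for guid, ftype, digest in list_ffs_files(image, start, length, hdr_len):
            inv[f"fv{i}:{guid}"] = (ftype, digest)
    return inv


def diff_against_baseline(dump, baseline):
    """Return (modified, added, removed) file keys of a dump versus a known-good image."""
    good, seen = inventory(baseline), inventory(dump)
    modified = sorted(k for k in good.keys() & seen.keys() if good[k] != seen[k])
    added = sorted(seen.keys() - good.keys())
    removed = sorted(good.keys() - seen.keys())
    return modified, added, removed


def build_fv(files):
    """Build a minimal FFS2 firmware volume from (guid, type, body) tuples (test data only)."""
    body = b""
    for guid, ftype, data in files:
        size = FFS_HEADER_LEN + len(data)
        body += uuid.UUID(guid).bytes_le + b"\x00\x00" + bytes([ftype, 0])
        body += size.to_bytes(3, "little") + b"\xf8" + data
        body += b"\xff" * ((-len(body)) % 8)
    hdr_len = FV_FIXED_HEADER_LEN + 16  # one block-map entry plus the zero terminator
    fv_len = hdr_len + len(body)
    header = bytes(16) + FFS2_GUID.bytes_le
    header += struct.pack("<Q4sIHHHBB", fv_len, FV_SIGNATURE, 0, hdr_len, 0, 0, 0, 2)
    header += struct.pack("<IIII", 1, fv_len, 0, 0)
    return header + body


# Constructed sample data: GUIDs are hypothetical, not real vendor or malware GUIDs.
GUID_DXE_DRIVER = "0a0b0c0d-0001-4000-8000-000000000001"  # stands in for a DXE driver such as CSMCORE
GUID_PEIM = "0a0b0c0d-0002-4000-8000-000000000002"
GUID_IMPLANT = "0a0b0c0d-0003-4000-8000-000000000003"  # extra file only present in the dump
BASELINE_IMAGE = build_fv([(GUID_DXE_DRIVER, 0x07, b"CSMCORE original driver body"),
                           (GUID_PEIM, 0x06, b"pei core")])
DUMP_IMAGE = build_fv([(GUID_DXE_DRIVER, 0x07, b"CSMCORE original driver body + hooked"),
                       (GUID_PEIM, 0x06, b"pei core"),
                       (GUID_IMPLANT, 0x07, b"implant")])

if __name__ == "__main__":
    for label, keys in zip(("modified", "added", "removed"),
                           diff_against_baseline(DUMP_IMAGE, BASELINE_IMAGE)):
        print(label, keys)
```

The comparison is keyed by file GUID rather than by offset, so a tampered driver is still matched to its original even when its new size shifts everything behind it. Real firmware adds wrinkles this walker ignores (compressed sections, nested volumes, NVRAM regions that legitimately differ between boots), so use it to find candidates and then inspect them with a full tool such as UEFITool.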

Earlier versions of this malware were identified by a Chinese security firm (Qihoo 360) back in 2017.

Kaspersky has identified two vendors so far that are affected (Gigabyte and ASUS boards with the H81 chipset), but I bet more will be found. That is what we have seen in the past with other UEFI problems.

Zero Trust is probably the best way to mitigate this risk: if an infected machine is never trusted just because it is on your network, the kernel-mode payload has far less it can reach. It will not detect the implant, though. For that you need to verify the firmware itself, by dumping the flash and comparing it against the vendor's image, and, where hardware budget allows, prefer boards whose firmware is verified by the hardware (Intel Boot Guard or the equivalent) and measured into the TPM at boot so that a changed firmware shows up in the attestation.

If you are ready to implement a zero trust program, please contact us.

Credit: Security Week