![](\"https:\/\/media.wired.com\/photos\/5bad29ae7fefbf3d4e78e272\/master\/pass\/Russian-Computer_Final.png\"\/)
<\/p>\n<\/p>\n
Credit to Author: Brian Barrett| Date: Thu, 27 Sep 2018 21:02:05 +0000<\/strong><\/p>\n The Fancy Bear <\/span>hacking group has plenty of tools at its disposal, as evidenced by its attacks against the Democratic National Committee<\/a>, the Pyeongchang Olympics<\/a>, and plenty more<\/a>. But cybersecurity firm ESET appears to have caught the elite Russian team using a technique so advanced, it hadn\u2019t ever been seen in the wild until now.<\/p>\n ESET found what\u2019s known as a UEFI rootkit<\/a>, which is a way to gain persistent access to a computer that\u2019s hard to detect and even harder to clean up, on an unidentified victim\u2019s machine. The technique isn\u2019t unheard of; researchers have explored proofs of concept in the past, and leaked files have indicated that both the CIA<\/a> and the independent exploit-focused company Hacking Team<\/a> have had the capability. But evidence that it has happened, in the form of malware called LoJax, represents a significant escalation in the Fancy Bear\u2014which ESET calls Sednit\u2014toolkit.<\/p>\n If \u201cLoJax\u201d sounds vaguely familiar, it\u2019s because you might recall LoJack\u2014formerly known as Computrace\u2014security software that lets you track your laptop in the event of theft. LoJack turns out to be potent stuff. It sits in a computer\u2019s firmware, making regular calls back to a server to announce its location. Crucially, that also means you can\u2019t get rid of it by reinstalling your operating system or swapping in a new hard drive.<\/p>\n "It allows the attacker to take over the machine and download whatever they want."<\/p>\n Richard Hummel, Arbor Networks<\/p>\n That\u2019s an intentional security feature: If someone steals your computer, you want to make it as hard as possible for them to evade detection. But it also presents a unique opportunity to bad actors, as outlined in a 2016 presentation<\/a> at a security conference called Zero Nights, and again in more detail this May by researchers at security firm Arbor Networks. Essentially, Fancy Bear figured out how to manipulate code from a decade-old version of LoJack to get it to call back not to the intended server, but one manned instead by Russian spies. That\u2019s LoJax. And it\u2019s a devil to get rid of.<\/p>\n \u201cWhenever a computer infected with a UEFI malware boots, it will place the LoJax agent on the Windows file system, so that when Windows boots, it\u2019s already infected with the LoJax agent. Even if you clean LoJax from Windows, as soon as you reboot, the UEFI implant will reinfect Windows,\u201d says Alexis Dorais-Joncas, ESET\u2019s security intelligence team lead.<\/p>\n It is possible to remove LoJax from your system entirely, but doing so requires serious technical skills. \u201cYou can\u2019t just restart. You can\u2019t just reinstall your hard drive. You can\u2019t replace your hard drive. You actually have to flash your firmware,\u201d says Richard Hummel, manager of threat intelligence for Arbor Networks. \u201cMost people don\u2019t know how to do that. The fact that it gets into that spot where it\u2019s really difficult to use makes it really insidious.\u201d<\/p>\n Most antivirus scanners and other security products also don\u2019t look for UEFI issues, making it even harder to detect whether malicious code is there. And if it is, you\u2019re in trouble.<\/p>\n "Decade-old software and hardware vulnerabilities are\u00a0easily exploited by\u00a0modern attackers, so companies must use good endpoint hygiene best practices including ensuring endpoints and firmware are up-to-date, leveraging anti-malware, and confirming other endpoint protection agents are always present and healthy," says Dean \u0106oza, \u00a0executive vice president of products at LoJack developer Absolute. "We take the security of our platform extremely seriously, and are working to confirm these issues do not impact our customers or partners."<\/p>\n The malware ESET observed does not itself actively steal data from an infected device. Think of it not as a robber, but as a door into your house that\u2019s so hidden, you can\u2019t see it even if you pore over every wall. LoJax gives Fancy Bear constant, remote access to a device, and the ability to install additional malware on it at any time.<\/p>\n \u201cIn effect, it allows the attacker to take over the machine and download whatever they want,\u201d says Hummel. \u201cThey can also use the original intent of the malware, which is to track the location of the infected machines, possibly to specific owners that may be of interest to the attackers.\u201d<\/p>\n "Probably more attacks will take place."<\/p>\n Alexis Dorais-Joncas, ESET<\/p>\n Several details about the Fancy Bear UEFI attack remain either vague or unknown. ESET\u2019s Dorais-Joncas confirmed that the device they spotted it on was \u201cinfected by several pieces of malware,\u201d and that the hacking group targeted government entities in Europe. They don\u2019t know exactly how Fancy Bear hackers gained access to the victim\u2019s device in the first place, but Dorais-Joncas suggests that they likely followed their typical strategy of a spearphishing attack to gain an initial foothold, followed by movement through a network to locate more high-value targets.<\/p>\n The security firm has more specificity, though, in terms of how exactly Fancy Bear operated once it got that initial control. First, the hackers used a widely available tool to read the UEFI firmware memory, to better understand what specific device they were attacking. Once in possession of that image, they modified it to add the malicious code, and then rewrote the infected image back to the firmware memory. The process was not automated, says Dorais-Joncas; a human behind a keyboard went through every step.<\/p>\n Those details offer some hope for future potential victims. Namely, the attackers were only able to write onto the target computer\u2019s firmware in the first place because it was an older device; Intel and others have baked in better protections<\/a> against that behavior, especially after the Hacking Team and CIA revelations. Using the Windows Secure Boot feature, too, would prevent this type of attack, since it checks to make sure that the firmware image on your computer matches up with the one the manufacturer put there.<\/p>\n \u201cOn the other hand,\u201d says Dorais-Joncas, \u201cprobably more attacks will take place,\u201d given that Fancy Bear has figured out how to do it successfully. And now that it\u2019s widely known that Fancy Bear did it, copycats may not be far behind.<\/p>\n \u201cWhenever we see these new tactics, it does not take long for other hackers to figure out how they did it and to mimic it,\u201d says Hummel.<\/p>\n Russia\u2019s hackers already have an elaborate hacking toolkit<\/a>. But the introduction of a UEFI rootkit\u2014stealthy, complex, pernicious\u2014affirms just how advanced their capabilities have become. And more importantly, how hard they are to defend against.<\/p>\n