{"id":7217,"date":"2017-04-03T12:31:44","date_gmt":"2017-04-03T20:31:44","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/03\/news-1008\/"},"modified":"2017-04-03T12:31:44","modified_gmt":"2017-04-03T20:31:44","slug":"news-1008","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/04\/03\/news-1008\/","title":{"rendered":"UEFI flaws can be exploited to install highly persistent ransomware"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt1.staticworld.net\/images\/idgnsImport\/2015\/08\/id-2956980-security-100600858-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lucian Constantin | Date: Mon, 03 Apr 2017 11:31:00 -0700<\/strong><\/p>\n<p>Over the past few years, the world has seen ransomware threats advance from living inside browsers to operating systems, to the bootloader, and now to the low-level firmware that initializes a computer&#8217;s hardware before any operating system loads.<\/p>\n<p>Earlier this year, a team of researchers from security vendor Cylance demonstrated a proof-of-concept ransomware program that ran inside a motherboard&#8217;s Unified Extensible Firmware Interface (UEFI), the modern successor to the BIOS.<\/p>\n<p>On Friday, at the Black Hat Asia security conference, the team revealed how they did it: by exploiting vulnerabilities in the firmware of two models of ultra-compact PCs from Taiwanese computer manufacturer Gigabyte Technology.<\/p>\n<p><a href=\"https:\/\/www.cylance.com\/en_us\/blog\/gigabyte-brix-systems-vulnerabilities.html\" target=\"_blank\">The two vulnerabilities<\/a> affect the GB-BSi7H-6500 and GB-BXi7-5775 models of Gigabyte&#8217;s Mini-PC Barebone (BRIX) platform. 
They allow an attacker with access to the OS to elevate their privileges and execute malicious code in System Management Mode (SMM), the most privileged operating mode of x86 CPUs. SMM code runs in a region of memory (SMRAM) that neither the operating system nor a hypervisor can inspect, and on a properly locked-down platform it is the only code permitted to unlock and write the SPI flash chip that stores the firmware, which is why code execution in SMM is a direct route to modifying the UEFI image itself.<\/p>\n<p>UEFI vulnerabilities are not new, and researchers have presented such flaws over the years at security conferences. They&#8217;re valuable for attackers because they can be used to install highly persistent malware that survives a full wipe and reinstall of the operating system, since the malware lives in the firmware rather than on the disk being wiped.<\/p>\n<p>UEFI rootkits &#8212; malicious code that&#8217;s meant to hide other malware and its activities &#8212; are perfect for cyberespionage or surveillance operations. The 2015 data leak from Italian surveillance software maker Hacking Team revealed that the company was offering a UEFI rootkit to its law enforcement and government customers.<\/p>\n<p>Documents leaked recently by WikiLeaks about the U.S. CIA&#8217;s cybercapabilities revealed that the agency purportedly has <a href=\"http:\/\/www.computerworld.com\/article\/3184490\/security\/newly-leaked-documents-show-low-level-cia-mac-and-iphone-hacks.html\" target=\"_blank\">UEFI &#8220;implants&#8221; for Mac computers<\/a>.<\/p>\n<p>However, instead of demonstrating a rootkit, the Cylance researchers chose to show that ransomware can also benefit from the high-privilege position and persistence of UEFI.<\/p>\n<p>Figuring out that malicious code is actually installed inside a computer&#8217;s low-level firmware is hard to begin with, and removing it can also be complicated because it requires reflashing a clean UEFI image. A reflash launched from the compromised operating system cannot be fully trusted either, since an implant running in SMM is positioned to intercept the update; the vendor&#8217;s recovery procedure or an external SPI programmer is the dependable route.<\/p>\n<p>Gigabyte plans to release a firmware update for GB-BSi7H-6500 this month to resolve the vulnerabilities but won&#8217;t patch GB-BXi7-5775 because that model has reached its end of life, the CERT Coordination Center at Carnegie Mellon University said in <a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/507496\" target=\"_blank\">an advisory<\/a>.<\/p>\n<p>In 
response to the recent CIA revelations, Intel Security released a module for its open-source CHIPSEC framework that lets administrators dump their firmware and check it for the EFI components described in the leaked documents. A check of that kind only matches components it already knows to be malicious; comparing a dump against a known-good image for the same board and firmware version also catches additions nobody has catalogued yet.<\/p>\n<p>One limiting factor for UEFI vulnerabilities is that they rarely work across a large number of computers. That&#8217;s because a handful of independent BIOS vendors supply reference UEFI implementations to computer manufacturers, which then customize them further by adding their own code.<\/p>\n<p>This means that there&#8217;s a lot of fragmentation in the firmware of modern computers, and a vulnerability in the UEFI of a motherboard from one manufacturer is not guaranteed to work on products from other vendors, or even on other products from the same vendor.<\/p>\n<p>Source: <a href=\"http:\/\/www.computerworld.com\/article\/3186880\/security\/uefi-flaws-can-be-exploited-to-install-highly-persistent-ransomware.html\" target=\"_blank\">Computerworld<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt1.staticworld.net\/images\/idgnsImport\/2015\/08\/id-2956980-security-100600858-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lucian Constantin | Date: Mon, 03 Apr 2017 11:31:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Over the past few years, the world has seen ransomware threats advance from living inside browsers to operating systems, to the bootloader, and now to the low-level firmware that initializes a computer&#8217;s hardware before any operating system loads.<\/p>\n<p>Earlier this year, a team of researchers from security vendor Cylance demonstrated a proof-of-concept ransomware program that ran inside a motherboard&#8217;s Unified Extensible Firmware Interface (UEFI), the modern successor to the BIOS.<\/p>\n<p>On Friday, at the Black Hat Asia security conference, the team revealed how they did it: by exploiting vulnerabilities in the firmware of two models of ultra-compact PCs from Taiwanese computer 
manufacturer Gigabyte Technology.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3186880\/security\/uefi-flaws-can-be-exploited-to-install-highly-persistent-ransomware.html#jump\">To read this article in full or to leave a comment, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11073,714,11079],"class_list":["post-7217","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-malware-vulnerabilities","tag-security","tag-windows-pcs"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7217"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7217\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7217"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
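The article's closing paragraphs describe a firmware-verification tool and the need to reflash a clean image. The Python below is an added example, not code from the article, from Cylance or from Intel Security's tool, showing the core of such a check: it parses the firmware volumes and FFS files of a UEFI image and diffs a suspect dump against a known-good dump by file GUID and body hash, which is how an added or patched DXE driver shows up. It assumes the standard UEFI PI Firmware Volume / FFS2 layout and constructs both images in-line from synthetic GUIDs and file bodies (none of which are real firmware components); it does not read a real SPI flash, which is the job of a dumping tool or an external programmer.

```python
"""Diff two UEFI firmware dumps at the level of the FFS files they contain.

Added example (not the article's or any vendor's code). Assumes the UEFI PI
Firmware Volume / FFS2 layout; both images are constructed in-line from
synthetic GUIDs and bodies so the script runs offline.
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"                               # EFI_FIRMWARE_VOLUME_HEADER.Signature
FFS2_GUID = "8c8ce578-8a3d-4f1c-9935-896185c32dd3"  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS_HEADER_LEN = 24                                  # sizeof(EFI_FFS_FILE_HEADER)
FILETYPE_DRIVER, FILETYPE_APPLICATION, FILETYPE_PAD = 0x07, 0x09, 0xF0

# Synthetic file GUIDs for the demonstration only (not real firmware components).
DRIVER_A = "aaaaaaaa-0000-4000-8000-000000000001"
APP_B = "bbbbbbbb-0000-4000-8000-000000000002"
IMPLANT_C = "cccccccc-0000-4000-8000-000000000003"


def find_volumes(image):
    """Yield (start, length, header_length) for each firmware volume.

    "_FVH" sits at offset 40 of the volume header, the 64-bit FvLength at
    offset 32 and the 16-bit HeaderLength at offset 48."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40
        if start >= 0:
            (fv_len,) = struct.unpack_from("<Q", image, start + 32)
            (hdr_len,) = struct.unpack_from("<H", image, start + 48)
            if 0 < fv_len <= len(image) - start and hdr_len >= 56:
                yield start, fv_len, hdr_len
                pos = image.find(FV_SIGNATURE, start + fv_len)
                continue
        pos = image.find(FV_SIGNATURE, pos + 1)


def parse_ffs(volume, hdr_len):
    """Yield (guid, type, body) for every non-pad FFS file in one volume.

    EFI_FFS_FILE_HEADER: Name (16) | IntegrityCheck (2) | Type (1) |
    Attributes (1) | Size (3, little-endian) | State (1). Files are 8-byte
    aligned; erased flash (all 0xFF) marks the end of the used area."""
    pos = hdr_len
    while pos + FFS_HEADER_LEN <= len(volume):
        hdr = volume[pos:pos + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:
            break
        check = bytearray(hdr)
        check[17] = check[23] = 0          # file checksum and State are excluded
        if sum(check) & 0xFF:
            raise ValueError(f"bad FFS header checksum at offset {pos}")
        size = int.from_bytes(hdr[20:23], "little")
        if size < FFS_HEADER_LEN or pos + size > len(volume):
            raise ValueError(f"malformed FFS file at offset {pos}")
        if hdr[18] != FILETYPE_PAD:
            guid = str(uuid.UUID(bytes_le=bytes(hdr[:16])))
            yield guid, hdr[18], bytes(volume[pos + FFS_HEADER_LEN:pos + size])
        pos = (pos + size + 7) & ~7


def inventory(image):
    """Map file GUID -> (type, SHA-256 of body) across all volumes in a dump."""
    files = {}
    for start, fv_len, hdr_len in find_volumes(image):
        for guid, ftype, body in parse_ffs(image[start:start + fv_len], hdr_len):
            files[guid] = (ftype, hashlib.sha256(body).hexdigest())
    return files


def diff_firmware(golden, suspect):
    """Files added, removed or changed in `suspect` relative to `golden`."""
    g, s = inventory(golden), inventory(suspect)
    return {
        "added": sorted(set(s) - set(g)),
        "removed": sorted(set(g) - set(s)),
        "changed": sorted(k for k in set(g) & set(s) if g[k] != s[k]),
    }


def build_ffs_file(guid, ftype, body):
    """Assemble one FFS file with a valid header checksum, padded to 8 bytes."""
    size = FFS_HEADER_LEN + len(body)
    hdr = bytearray(uuid.UUID(guid).bytes_le) + b"\x00\x00" + bytes([ftype, 0])
    hdr += size.to_bytes(3, "little") + b"\x00"
    hdr[16] = (-sum(hdr)) & 0xFF           # header bytes must sum to zero
    hdr[17] = 0xAA                         # FFS_FIXED_CHECKSUM: body not checksummed
    data = bytes(hdr) + body
    return data + b"\xff" * (-len(data) % 8)


def build_volume(files, total_len=4096):
    """Assemble a firmware volume: 72-byte header, the files, an erased tail."""
    hdr_len = 56 + 8 + 8                   # fixed header + one block-map entry + terminator
    hdr = bytearray(16) + uuid.UUID(FFS2_GUID).bytes_le          # ZeroVector, FileSystemGuid
    hdr += struct.pack("<Q4sI", total_len, FV_SIGNATURE, 0x0004FEFF)  # FvLength, Signature, Attributes
    hdr += struct.pack("<HHHBB", hdr_len, 0, 0, 0, 2)  # HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision
    hdr += struct.pack("<IIII", 1, total_len, 0, 0)    # block map entry + terminator
    words = struct.unpack(f"<{hdr_len // 2}H", bytes(hdr))
    struct.pack_into("<H", hdr, 50, (-sum(words)) & 0xFFFF)  # 16-bit header checksum
    body = b"".join(files)
    return bytes(hdr) + body + b"\xff" * (total_len - hdr_len - len(body))


def build_sample_images():
    """Constructed golden dump and a tampered dump of the same platform."""
    driver_a = build_ffs_file(DRIVER_A, FILETYPE_DRIVER, b"clean DXE driver")
    app_b = build_ffs_file(APP_B, FILETYPE_APPLICATION, b"UEFI shell application")
    golden = build_volume([driver_a, app_b])
    # Tampered image: driver A patched in place, plus an extra DXE driver.
    patched_a = build_ffs_file(DRIVER_A, FILETYPE_DRIVER, b"patched DXE driver")
    implant_c = build_ffs_file(IMPLANT_C, FILETYPE_DRIVER, b"unexpected DXE driver")
    return golden, build_volume([patched_a, app_b, implant_c])


if __name__ == "__main__":
    golden, suspect = build_sample_images()
    for kind, guids in diff_firmware(golden, suspect).items():
        print(f"{kind}: {guids}")
```

Running it reports the added implant GUID and the changed driver GUID and nothing removed. A real dump is larger and nests compressed sections and further volumes inside files, which this parser does not descend into; the diff-against-known-good approach is the same, and the known-good image has to come from the vendor's firmware package for the exact board and version, not from the machine under suspicion.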