It always seems that someone somewhere is trying to destroy what we are trying to protect, and as an IT Managed Service Provider (MSP) and Managed Security Service Provider (MSSP), that is doubly true. The latest from the East is an attack method that was probably built after the “Wikileaks CIA Vault 7 UEFI Rootkit docs” were released. It is a malware rootkit that can spread onto your computer’s base system and leave the physical computer completely compromised. Basically, the rootkit (malware for our purposes) rewrites the UEFI and is hosted on the Flash RAM… or, in non-techno-babble, the system processes that allow your computer to run at all become the plaything of a malicious person or persons.
“UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyberattacks, as they are hard to detect and able to survive security measures such as operating system reinstallation and even a hard disk replacement… However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system.” – WeLiveSecurity
The Sednit group, which the US Dept. of Justice has blamed for the 2016 Democratic National Committee (DNC) hack, has its fingerprints all over the release of these malicious tools to the hacking public. The tools, though extremely effective, are not widely used compared to other malware. However, the fact that they have been found “in the wild” at all is a terrible omen of things to come.
What can you do? First, you can contact your own MSP and ask them to check your flash RAM configurations. Second, because of their location, the only real means of getting this type of malware on your computer is through phishing… and that is solved through Security Awareness Training for you and your employees. That is the single most effective step to take in preventing phishing attacks.
1) Alexis Dorais-Joncas, security intelligence team lead at ESET, said: “Organizations should review the Secure Boot configuration on [all] their hardware and make sure they are configured properly to prevent unauthorized access to the firmware memory.”
2) The black hats behind this are known for their recent headlines about major, high-profile attacks… So, these guys are not leaving Russia anytime soon… That leaves spear phishing as their go-to strategy to penetrate targets. So, this is another excellent reason to step your users through new-school security awareness training, because social engineering is how these bad guys get into your network. – KnowBe4
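One way to carry out the Secure Boot review recommended in item 1 on a Linux host, as an added example that is not from the original post or from ESET: it reads the standard UEFI `SecureBoot` and `SetupMode` variables through efivarfs and classifies the result. The function names, status strings and sample byte strings are constructed for illustration.

```python
from pathlib import Path
from typing import Optional

# Namespace GUID of the UEFI global variables (EFI_GLOBAL_VARIABLE in the UEFI spec).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point

# Constructed samples: 4-byte attribute word (0x06 = boot + runtime access) + 1 data byte.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"


def parse_flag(raw: bytes) -> int:
    """Return the one-byte value of an efivarfs file (the attribute word comes first)."""
    if len(raw) != 5:
        raise ValueError(f"expected 5 bytes, got {len(raw)}")
    return raw[4]


def assess(secure_boot: Optional[bytes], setup_mode: Optional[bytes]) -> str:
    """Classify a host from the raw SecureBoot and SetupMode variable contents."""
    if secure_boot is None:
        return "unknown"      # legacy BIOS boot, or efivarfs not mounted
    if setup_mode is not None and parse_flag(setup_mode) == 1:
        return "setup-mode"   # no Platform Key enrolled, so keys can be replaced
    if parse_flag(secure_boot) != 1:
        return "disabled"     # firmware is not enforcing boot signatures
    return "ok"


def read_var(name: str) -> Optional[bytes]:
    """Read a global UEFI variable from efivarfs, or None if it is absent."""
    path = EFIVARS / f"{name}-{EFI_GLOBAL}"
    return path.read_bytes() if path.exists() else None


if __name__ == "__main__":
    # On a real host this prints one of: ok, disabled, setup-mode, unknown.
    print(assess(read_var("SecureBoot"), read_var("SetupMode")))
```

This reports the Secure Boot state only; it does not read or verify the contents of the firmware flash.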
In summary, worse things in the hacking and malware world are going to be coming for small businesses and unsuspecting individuals soon. The attacks are getting more sophisticated and far harder to beat. The bad guys are pros. However, right now we can take common-sense precautions for ourselves and our businesses to remove these malicious and effective tools as a threat.
Published on 10/2/2018 by Ben Ranieri