Rootkit found in Asus & Gigabyte Intel 8th Gen Chipset UEFI firmware

[rcmaehl]

Summary

A rootkit has been found inside Asus & Gigabyte UEFI firmware. The method of infection is currently unknown

 

Media

Map of, currently known, infected devices

 

Quotes

Quote

...Hackers have been using since, at least 2016, malware that lies... undetected in the firmware images for some motherboards... a UEFI rootkit. Researchers at... Kaspersky called it CosmicStrand but an earlier variant of the threat was discovered by... Qihoo360, who named it Spy Shadow Trojan. It is unclear how the threat actor managed to inject the rootkit into the firmware images... but researchers found the malware on machines with ASUS and Gigabyte motherboards. 

The... UEFI... is what connects a computer’s operating system with the firmware of the underlying hardware. UEFI code is the first to run during a computer’s booting sequence, ahead of the operating system and the security solutions available. Malware planted in the UEFI firmware image is not only difficult to identify but is also extremely persistent as it cannot be removed by reinstalling the operating system or by replacing the storage drive. Mark Lechtik, who was involved in the research, explains that the compromised firmware images came with a modified CSMCORE DXE driver. Kaspersky was able to determine that the CosmicStrand UEFI rootkit was lodged in firmware images of Gigabyte or ASUS motherboards that have in common designs using the H81 chipset. It is unclear how the implant was placed on the infected computers. Victims identified by Kaspersky also provide few clues...; the identified infected systems belong to private individuals in China, Iran, Vietnam, and Russia that could not be linked to an organization or industry. The first widespread report about a UEFI rootkit found in the wild, LoJax, came in 2018 from ESET. Almost four years later and accounts of UEFI malware attacks in the wild have grown more frequent, and it wasn’t just advanced hackers exploring this option:

 

My thoughts

It looks like we're eventually going to need a UEFI anti-malware with UEFI rootkits are slowly ramping up in usage. Although, knowing manufacturers, they'd probably lock the firmware updates to actual UEFI chips you swap out with a newer version like in the olden days. Regardless, these attacks are continuing, and there's no easily way to detect them within the OS as is.

 

Sources

Securelist

Ars Technica

Bleeping Computer (quote source)

[AbydosOne]

3 minutes ago, rcmaehl said:

they'd probably lock the firmware updates to actual UEFI chips you swap out with a newer version like in the olden days

I, for one, support this move. Seems easier than potentially bricking via BIOS flash anyways. Or at least give us the option to put an EEPROM in if we want flashing, or standard ROM if we want security.

[An0maly_76]

I've found articles indicating this was discovered in a secondhand H81 motherboard in China. LGA1150-socket, fourth / fifth-gen Intels, I think? However, there's no guarantee these are the only boards affected.

[RainfallWithin]

 

Quote

It is unclear how the implant was placed on the infected computers. Victims identified by Kaspersky also provide few clues...; the identified infected systems belong to private individuals in China, Iran, Vietnam, and Russia that could not be linked to an organization or industry.

So... not present in official UEFI firmwares from manufacturers' websites that 99% of users download from.

 

If you're installing UEFI firmware coming from other sources and you get infected, that's on you; the same as with normal software.

 

I guess we'll have to wait and see if the news tells us whether the attacker had physical access to the computers or not, before or after they were sold or deployed.

 

I doubt it's a coincidence that 4 out of 4 of the countries mentioned have authoritarian regimes and/or high corruption.

[Kisai]

38 minutes ago, rcmaehl said:

 

 

My thoughts

It looks like we're eventually going to need a UEFI anti-malware with UEFI rootkits are slowly ramping up in usage. Although, knowing manufacturers, they'd probably lock the firmware updates to actual UEFI chips you swap out with a newer version like in the olden days. Regardless, these attacks are continuing, and there's no easily way to detect them within the OS as is.

 

Sources

Securelist

Ars Technica

Bleeping Computer (quote source)

 

In an ideal situation, being able to flash the UEFI firmware would be easy, but requires you to physically do something inside the PC (Eg flip a jumper/switch.)  The problem, even on existing boards, is that it's easy to trick the PC into "recovery" from Overclocking tools, where it flashes the firmware. That should not be a thing. 

 

The best we can really hope for the board vendors to release firmware fingerprints that the OS then "dumps the firmware" to check if the firmware is intended for that board, and if it doesn't match, prompt the user (ignore = this is a change I made, halt = I didn't make this change)

 

Unfortunately most users are not capable of understanding error messages (eg BSOD's) and will ignore it. 

 

The alternative is to start putting firmware on user-serviceable sockets.

[Middcore]

10 minutes ago, RainfallWithin said:

 

So... not present in official UEFI firmwares from manufacturers' websites that 99% of users download from.

 

If you're installing UEFI firmware coming from other sources 

 

Is this what "could not be linked to an organization or industry" means or does it mean there was no common thread among the victims like them working for a certain company or type of organization a hacker would want to target?

 

I'm not seeing where it says clearly whether this was in non-official UEFI BIOS releases people were using or whether it was in the releases from the manufacturer sites (although that would be rather astounding). 

[An0maly_76]

Honestly, I don't think the current details really tell us jack shit. There's no evidence that it only targets H81 motherboards like the article I found, only that an H81 is the only specific chipset named thus far. This smacks of some Dark Side Sith "Order 66" stuff to me, unless someone has a hard-on for either Gigabyte or Asus and the vulnerability just happens to impact the other also. And, they've only named GB and Asus so far. No evidence to suggest any others are or are not impacted.

[rcmaehl]

13 minutes ago, Middcore said:

Is this what "could not be linked to an organization or industry" means or does it mean there was no common thread among the victims like them working for a certain company or type of organization a hacker would want to target?

Yes.

 

13 minutes ago, Middcore said:

I'm not seeing where it says clearly whether this was in non-official UEFI BIOS releases people were using or whether it was in the releases from the manufacturer sites (although that would be rather astounding). 

What caused the UEFI firmware to be infected in the first place is unknown. I'm sure if they knew if any of the users were using non-official releases they would say so

[rcmaehl]

1 minute ago, An0maly_76 said:

Honestly, I don't think the current details really tell us jack shit. There's no evidence that it only targets H81 motherboards like the article I found, only that an H81 is the only specific chipset named thus far. This smacks of some Dark Side Sith "Order 66" stuff to me, unless someone has a hard-on for either Gigabyte or Asus and the vulnerability just happens to impact the other also. And, they've only named GB and Asus so far. No evidence to suggest any others are or are not impacted.

They really don't. Unless, and until, the UEFI rootkit starts taking control of the OS, there's no way for anti-malware to know that the UEFI is infected as it can just hide itself from the OS.

 

It's incredibly hard to get an idea of how many devices are infected until they act and that is what happened here for these devices (Specifically, a new user account was created on the devices along with malware being downloaded and run). 

[BlueChinchillaEatingDorito]

5 hours ago, RainfallWithin said:

 

So... not present in official UEFI firmwares from manufacturers' websites that 99% of users download from.

 

If you're installing UEFI firmware coming from other sources and you get infected, that's on you; the same as with normal software.

 

I guess we'll have to wait and see if the news tells us whether the attacker had physical access to the computers or not, before or after they were sold or deployed.

 

I doubt it's a coincidence that 4 out of 4 of the countries mentioned have authoritarian regimes and/or high corruption.

Makes you question those boards used in those AliExpress builds content creators love to make. Makes you also question the entirety of the second hand market because stuff like this has always been a concern. Does the OS that comes pre-installed have something sinister hidden in it? More technical people would just know to nuke the drive and do a fresh re-install, but most people buying a cheap second hand computer probably won't bother to. Now we have to worry about this on a hardware (remember the whole Foxconn scare back in 2018?) and firmware level.  

[Vishera]

5 hours ago, BlueChinchillaEatingDorito said:

Makes you question those boards used in those AliExpress builds content creators love to make. Makes you also question the entirety of the second hand market because stuff like this has always been a concern. Does the OS that comes pre-installed have something sinister hidden in it? More technical people would just know to nuke the drive and do a fresh re-install, but most people buying a cheap second hand computer probably won't bother to. Now we have to worry about this on a hardware (remember the whole Foxconn scare back in 2018?) and firmware level.  

In Russia the firmware modding community is one of the biggest and most advanced in the world.

So it's possible that a popular BIOS mod was infected or that a bad actor bought lots of PCs,installed the infected BIOS and sold them on the second hand market.

 

As for China and Vietnam i have no clue why it's happening there as well,could be imported second hand PCs that were affected from the bad actors i mentioned.

[jagdtigger]

Just put a write protect switch/jumper on the mobo.....

[rcmaehl]

10 hours ago, BlueChinchillaEatingDorito said:

Makes you question those boards used in those AliExpress builds content creators love to make. Makes you also question the entirety of the second hand market because stuff like this has always been a concern. Does the OS that comes pre-installed have something sinister hidden in it? More technical people would just know to nuke the drive and do a fresh re-install, but most people buying a cheap second hand computer probably won't bother to. Now we have to worry about this on a hardware (remember the whole Foxconn scare back in 2018?) and firmware level.  

People who buy cheap used Motherboards off eBay as well. They don't care if it takes a couple extra days if they're getting a good bang for their buck. 

[Beskamir]

*Looks at map of affected devices.* Ah I think I know which glowing organization is behind this one.

[rcmaehl]

1 minute ago, Beskamir said:

*Looks at map of affected devices.* Ah I think I know which glowing organization is behind this one.

Stuxnet 2

 

If it hadn't been for an outside nation adding additional code to Stuxnet, it may have been years more before it was found.

[williamcll]

good thing I'm on AMD?

[Nimoy007]

A few theories:

1. Kaspersky isn't exactly in good graces in the US. Could be a contrived story designed to inspire confidence in their brand. Seems unlikely, though, because allegations of ties to Russian state sponsorship would likely deter the un-ban of the software in the US, and I doubt that Russian sources would knowingly concoct a story that reflects badly on Chinese allies.
2. The malware was developed by "less-than-friends" of Russia/China and the similarities to Chinese code are an attempt to obfuscate the real source. As @rcmaehl put it: "Stuxnet 2."
3. Since some Chinese companies have been developing their own PC CPUs and chipsets, maybe this is/was meant to sabotage existing x86 manufacturers or extract data useful in further development of their own designs. This seems highly unlikely, but thought I'd throw it out there.

None of these theories should be taken as anything other than wild speculation, though.

[captain_to_fire]

16 hours ago, Nimoy007 said:

Seems unlikely, though, because allegations of ties to Russian state sponsorship would likely deter the un-ban of the software in the US

Usage of Kaspersky products isn't banned in the US. Only government entities are banned from using it.

 

 

[captain_to_fire]

Looking at the comments in Kaspersky's article, it seems the only solutions if you're one of the infected ones is to either re-flash of the BIOS firmware or replace the motherboard.

 

[rcmaehl]

19 hours ago, captain_to_fire said:

Looking at the comments in Kaspersky's article, it seems the only solutions if you're one of the infected ones is to either re-flash of the BIOS firmware or replace the motherboard.

 

That's correct 

[hishnash]

On 7/30/2022 at 11:38 AM, rcmaehl said:

That's correct 

It would be possible for such a firmware to persist between firmware flashes if the flashing process happens once the existing firmware is loaded this is common on many motherboards you might well need to detach the firmware memory chip, nuke it (or throw it away and replace it) and then re-init it with clean firmware. 

[Zodiark1593]

Time to bring back Mask ROMs?

[Superboy]

Hello

 

Can anyone tell me if it has been found in this motherboard?

ASUS ROG Strix B360-F Gaming, S-1151

[sounds]

4 hours ago, Superboy said:

Hello

 

Can anyone tell me if it has been found in this motherboard?

ASUS ROG Strix B360-F Gaming, S-1151

I don't have to click on your link. You can check if the information right in the motherboard name matches the known list of affected Intel chips:

 

Your Motherboard name: ASUS ROG Strix B360-F Gaming, S-1151

Your Motherboard's chipset: B360

 

List of affected Intel chips:

1. H81 chipsets

(Surprisingly, infections have only been found on motherboards with H81 chipsets.)

 

Please check for yourself if B360 is in the above list of one Intel chipset, and if it is, then you will need to replace your motherboard.

 

It is possible there is more UEFI malware out there. Fortunately this article gave specific details about the known infected motherboards.

[Superboy]

5 hours ago, sounds said:

I don't have to click on your link. You can check if the information right in the motherboard name matches the known list of affected Intel chips:

 

Your Motherboard name: ASUS ROG Strix B360-F Gaming, S-1151

Your Motherboard's chipset: B360

 

List of affected Intel chips:

1. H81 chipsets

(Surprisingly, infections have only been found on motherboards with H81 chipsets.)

 

Please check for yourself if B360 is in the above list of one Intel chipset, and if it is, then you will need to replace your motherboard.

 

It is possible there is more UEFI malware out there. Fortunately this article gave specific details about the known infected motherboards.

 

Didt know it was linking. its  a link to komplett.dk where i bought it