
Rootkit found in Asus & Gigabyte Intel 8th Gen Chipset UEFI firmware

rcmaehl

Summary

A rootkit has been found inside Asus & Gigabyte UEFI firmware. The method of infection is currently unknown.

 

Media

[Image: map of currently known infected devices]

 

Quotes

Quote

...Hackers have been using since, at least 2016, malware that lies... undetected in the firmware images for some motherboards... a UEFI rootkit. Researchers at... Kaspersky called it CosmicStrand but an earlier variant of the threat was discovered by... Qihoo360, who named it Spy Shadow Trojan. It is unclear how the threat actor managed to inject the rootkit into the firmware images... but researchers found the malware on machines with ASUS and Gigabyte motherboards. 

The... UEFI... is what connects a computer’s operating system with the firmware of the underlying hardware. UEFI code is the first to run during a computer’s booting sequence, ahead of the operating system and the security solutions available. Malware planted in the UEFI firmware image is not only difficult to identify but is also extremely persistent as it cannot be removed by reinstalling the operating system or by replacing the storage drive. Mark Lechtik, who was involved in the research, explains that the compromised firmware images came with a modified CSMCORE DXE driver. Kaspersky was able to determine that the CosmicStrand UEFI rootkit was lodged in firmware images of Gigabyte or ASUS motherboards that have in common designs using the H81 chipset. It is unclear how the implant was placed on the infected computers. Victims identified by Kaspersky also provide few clues...; the identified infected systems belong to private individuals in China, Iran, Vietnam, and Russia that could not be linked to an organization or industry. The first widespread report about a UEFI rootkit found in the wild, LoJax, came in 2018 from ESET. Almost four years later and accounts of UEFI malware attacks in the wild have grown more frequent, and it wasn’t just advanced hackers exploring this option:

 

My thoughts

It looks like we're eventually going to need a UEFI anti-malware, as UEFI rootkits are slowly ramping up in usage. Although, knowing manufacturers, they'd probably lock the firmware updates to actual UEFI chips you swap out with a newer version like in the olden days. Regardless, these attacks are continuing, and there's no easy way to detect them within the OS as is.

 

Sources

Securelist

Ars Technica

Bleeping Computer (quote source)

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


3 minutes ago, rcmaehl said:

they'd probably lock the firmware updates to actual UEFI chips you swap out with a newer version like in the olden days

I, for one, support this move. Seems easier than potentially bricking via BIOS flash anyways. Or at least give us the option to put an EEPROM in if we want flashing, or standard ROM if we want security.

Main System (Byarlant): Ryzen 7 3800XT | Asus B350-F Strix | EK 240mm Basic AIO | 16GB G.Skill DDR4 3200MT/s CAS-14 | XFX RX 5600 XT THICC II | Samsung 960 PRO 512GB / Samsung 970 EVO 500GB / Crucial MX500 2TB / Crucial MX500 500GB / WD White 7200RPM 8TB | Corsair RM750X | Mellanox ConnectX-3 10G NIC | Hyte Y60 Case | Dell U3415W Monitor | Microsoft Modern Keyboard

 

Laptop (Narrative): Lenovo Flex 5 81X20005US | Ryzen 5 4500U | 16GB RAM (soldered) | Vega 6 Graphics | SKHynix P31 1TB NVMe SSD | Intel AX200 Wifi (all-around awesome machine)

 

TrueNAS Server (Veda): Xeon E3-1241v3 | Supermicro X10SLL-F | Corsair H60 | 32GB Micron DDR3L ECC 1600MHz | 4x 10TB WD Whites / 4x 14TB Seagate Exos / 2x 1TB HGST 2.5" / 1x Samsung PM961 128GB SSD / 1x Kingston 16GB SSD | Seasonic Prime Fanless 500W | Mellanox ConnectX-3 10G NIC | LSI 9207-8i LBA | Fractal Design Node 804 Case (side panels swapped to show off drives)


Media Center/Video Capture (Jesta Cannon): Ryzen 5 1600X | ASRock B450M Pro4 R2.0 | Noctua NH-L12S | 16GB Crucial DDR4 3200MT/s CAS-22 | EVGA GTX750Ti SC | UMIS NVMe SSD 256GB / Seagate 1.5TB HDD | Corsair CX450M | Hauppauge ImpactVCB-PCIe | Mellanox ConnectX-2 10G NIC | LG UH12NS30 BD-ROM | Silverstone Sugo SG-11 Case

 

Camera: Sony ɑ7II (w/ Meike Grip) | Sony SEL24240 | Samyang 35mm ƒ/2.8 | Sony SEL50F18F | Sony SEL2870 (kit lens) | PNY Elite Performance SDXC cards


Tablet (---): Samsung Galaxy Tab A 8"
 


Laptop (Rozen-Zulu): Sony VAIO VPCF13WFX | Core i7-740QM | 8GB Patriot DDR3 | GT 425M | Kingston 120GB SSD | Blu-ray Drive | Intel 7260 Wifi (lived a good life, retired with honor)


Tablet (ReGZ): Asus T102HA (BIOS clock doesn't tick, loses time when sleep/off) (I kill tablets with disturbing regularity)

Tablet (Unicorn): Surface Pro 2 (battery will reset total capacity to current charge, leading Windows to think it's always 100% charged until it dies)

Tablet (Loto): Dell Venue 8 Pro (screen discoloration issues, wouldn't update to Windows 10)

Tablet: iPad 2 16GB (WiFi died, basically useless after that)

Testbed/Old Desktop (Kshatriya): Xeon X5470 @ 4.0GHz | ZALMAN CNPS9500 | Gigabyte EP45-UD3L | 8GB Nanya DDR2 400MHz | XFX HD6870 DD | OCZ Vertex 3 Max-IOPS 120GB | Corsair CX430M (?) | HooToo USB 3.0 PCIe Card | NZXT H230 Case (mostly intact, but some parts have been scavenged)


I've found articles indicating this was discovered in a secondhand H81 motherboard in China. LGA1150-socket, fourth / fifth-gen Intels, I think? However, there's no guarantee these are the only boards affected.

MODERATE TO SEVERE AUTISTIC, COMPLICATED WITH COVID FOG

 

Due to the above, I've likely revised posts <30 min old, and do not think as you do.

THINK BEFORE YOU REPLY!


 

Quote

It is unclear how the implant was placed on the infected computers. Victims identified by Kaspersky also provide few clues...; the identified infected systems belong to private individuals in China, Iran, Vietnam, and Russia that could not be linked to an organization or industry.

So... not present in official UEFI firmwares from manufacturers' websites that 99% of users download from.

 

If you're installing UEFI firmware coming from other sources and you get infected, that's on you; the same as with normal software.

 

I guess we'll have to wait and see if the news tells us whether the attacker had physical access to the computers or not, before or after they were sold or deployed.

 

I doubt it's a coincidence that 4 out of 4 of the countries mentioned have authoritarian regimes and/or high corruption.


38 minutes ago, rcmaehl said:

 

 

My thoughts

It looks like we're eventually going to need a UEFI anti-malware, as UEFI rootkits are slowly ramping up in usage. Although, knowing manufacturers, they'd probably lock the firmware updates to actual UEFI chips you swap out with a newer version like in the olden days. Regardless, these attacks are continuing, and there's no easy way to detect them within the OS as is.

 

Sources

Securelist

Ars Technica

Bleeping Computer (quote source)

 

In an ideal situation, being able to flash the UEFI firmware would be easy, but would require you to physically do something inside the PC (e.g. flip a jumper/switch). The problem, even on existing boards, is that it's easy to trick the PC into "recovery" from overclocking tools, where it flashes the firmware. That should not be a thing.

 

The best we can really hope for is for the board vendors to release firmware fingerprints that the OS then checks by "dumping the firmware", to see if the firmware is the one intended for that board; if it doesn't match, prompt the user (ignore = this is a change I made, halt = I didn't make this change).

 

Unfortunately most users are not capable of understanding error messages (e.g. BSODs) and will ignore it.

 

The alternative is to start putting firmware on user-serviceable sockets.
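The fingerprint scheme sketched in the post above (the vendor publishes hashes, the OS dumps the firmware and compares, and a mismatch is surfaced to the user) as an added worked example in Python. This is not code from the post, from any board vendor, or from Kaspersky's research. It assumes a hypothetical per-region layout (`EXAMPLE_LAYOUT`), a 64 KiB image constructed from a hash chain instead of a real dump, and a manifest that marks the NVRAM variable store as mutable so that a user's own settings changes do not raise the alarm while a change inside the DXE volume (where the thread's quoted report places the modified CSMCORE driver) does.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    offset: int
    size: int
    mutable: bool = False  # True for regions expected to change in normal use (NVRAM variables)


# Hypothetical layout for the constructed 64 KiB image below; a real board's map differs.
EXAMPLE_LAYOUT = (
    Region("descriptor", 0x0000, 0x1000),
    Region("dxe_volume", 0x1000, 0xE000),
    Region("nvram", 0xF000, 0x1000, mutable=True),
)


def region_hashes(image: bytes, layout) -> dict:
    """SHA-256 of every immutable region of a dump, keyed by region name."""
    hashes = {}
    for region in layout:
        if region.offset + region.size > len(image):
            raise ValueError(f"image too small for region {region.name}")
        if region.mutable:
            continue  # a settings change is not tampering; skip the variable store
        chunk = image[region.offset:region.offset + region.size]
        hashes[region.name] = hashlib.sha256(chunk).hexdigest()
    return hashes


def build_manifest(clean_image: bytes, layout) -> dict:
    """Stand-in for what a vendor would publish: image size plus per-region hashes."""
    return {"size": len(clean_image), "regions": region_hashes(clean_image, layout)}


def check_firmware(dump: bytes, layout, manifest: dict) -> dict:
    """Compare a dump with the manifest. Verdict is 'ok', 'mismatch' or 'size_mismatch'."""
    if len(dump) != manifest["size"]:
        return {"verdict": "size_mismatch", "mismatched": []}
    observed = region_hashes(dump, layout)
    mismatched = sorted(name for name, digest in manifest["regions"].items()
                        if observed.get(name) != digest)
    return {"verdict": "mismatch" if mismatched else "ok", "mismatched": mismatched}


def make_sample_image(seed: int = 0) -> bytes:
    """Deterministic 64 KiB pseudo-image built from a hash chain (constructed, not real firmware)."""
    data = bytearray()
    block = hashlib.sha256(seed.to_bytes(4, "little")).digest()
    while len(data) < 0x10000:
        data += block
        block = hashlib.sha256(block).digest()
    return bytes(data[:0x10000])


def demo():
    """Two dumps of the same board: one with a changed setting, one with a patched DXE volume."""
    clean = make_sample_image()
    manifest = build_manifest(clean, EXAMPLE_LAYOUT)

    settings_changed = bytearray(clean)
    settings_changed[0xF100] ^= 0xFF  # inside the mutable NVRAM region: benign
    benign = check_firmware(bytes(settings_changed), EXAMPLE_LAYOUT, manifest)

    tampered = bytearray(clean)
    tampered[0x5000] ^= 0x01  # inside the DXE volume, where a modified driver would live
    alert = check_firmware(bytes(tampered), EXAMPLE_LAYOUT, manifest)
    return benign, alert


if __name__ == "__main__":
    print(demo())
```

`check_firmware` only answers "does this dump match the published fingerprint"; turning a mismatch into the ignore/halt prompt the post describes is the caller's job. The check also depends on the dump itself being honest: an implant that sits below the OS can serve a clean image to whatever reads the flash, which is the limitation other posts in this thread point at when they say OS-side tools cannot see it. A read taken with the chip detached, or a measurement rooted in hardware, is what closes that gap.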


10 minutes ago, RainfallWithin said:

 

So... not present in official UEFI firmwares from manufacturers' websites that 99% of users download from.

 

If you're installing UEFI firmware coming from other sources 

 

Is this what "could not be linked to an organization or industry" means or does it mean there was no common thread among the victims like them working for a certain company or type of organization a hacker would want to target?

 

I'm not seeing where it says clearly whether this was in non-official UEFI BIOS releases people were using or whether it was in the releases from the manufacturer sites (although that would be rather astounding). 

Your "PC master race" thing is cringe. 

 


Honestly, I don't think the current details really tell us jack shit. There's no evidence that it only targets H81 motherboards like the article I found, only that an H81 is the only specific chipset named thus far. This smacks of some Dark Side Sith "Order 66" stuff to me, unless someone has a hard-on for either Gigabyte or Asus and the vulnerability just happens to impact the other also. And, they've only named GB and Asus so far. No evidence to suggest any others are or are not impacted.

MODERATE TO SEVERE AUTISTIC, COMPLICATED WITH COVID FOG

 

Due to the above, I've likely revised posts <30 min old, and do not think as you do.

THINK BEFORE YOU REPLY!


13 minutes ago, Middcore said:

Is this what "could not be linked to an organization or industry" means or does it mean there was no common thread among the victims like them working for a certain company or type of organization a hacker would want to target?

Yes.

 

13 minutes ago, Middcore said:

I'm not seeing where it says clearly whether this was in non-official UEFI BIOS releases people were using or whether it was in the releases from the manufacturer sites (although that would be rather astounding). 

What caused the UEFI firmware to be infected in the first place is unknown. I'm sure if they knew that any of the users were using non-official releases they would say so.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


1 minute ago, An0maly_76 said:

Honestly, I don't think the current details really tell us jack shit. There's no evidence that it only targets H81 motherboards like the article I found, only that an H81 is the only specific chipset named thus far. This smacks of some Dark Side Sith "Order 66" stuff to me, unless someone has a hard-on for either Gigabyte or Asus and the vulnerability just happens to impact the other also. And, they've only named GB and Asus so far. No evidence to suggest any others are or are not impacted.

They really don't. Unless, and until, the UEFI rootkit starts taking control of the OS, there's no way for anti-malware to know that the UEFI is infected as it can just hide itself from the OS.

 

It's incredibly hard to get an idea of how many devices are infected until they act and that is what happened here for these devices (Specifically, a new user account was created on the devices along with malware being downloaded and run). 

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
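The host-side correlation that would surface the behaviour the post above describes (a new account created on the device, then a download and execution under that account) as an added example; it is not code from the post, from this thread, or from Kaspersky's report. The telemetry schema and every record in `SAMPLE_EVENTS` are constructed for the example and hypothetical, as are the hostnames, account names, URL and paths.

```python
from datetime import datetime, timedelta

# Constructed telemetry in a hypothetical schema: each record is
# (ISO timestamp, host, event type, account, detail). Not real logs.
SAMPLE_EVENTS = [
    ("2022-07-25T09:00:00", "host-a", "account_created", "svc_update", "created by SYSTEM"),
    ("2022-07-25T09:00:45", "host-a", "network_download", "svc_update", "http://example.invalid/upd.bin"),
    ("2022-07-25T09:01:10", "host-a", "process_start", "svc_update", "C:\\Users\\svc_update\\upd.exe"),
    ("2022-07-25T10:15:00", "host-b", "account_created", "jdoe", "created by admin"),
    ("2022-07-26T08:00:00", "host-b", "process_start", "jdoe", "C:\\Program Files\\Office\\word.exe"),
    ("2022-07-25T11:00:00", "host-c", "process_start", "alice", "C:\\Windows\\System32\\notepad.exe"),
]

FOLLOW_UP_EVENTS = ("network_download", "process_start")


def parse(record):
    """Turn one raw record into a tuple with a real datetime so records sort by time."""
    ts, host, kind, account, detail = record
    return datetime.fromisoformat(ts), host, kind, account, detail


def new_account_activity(events, window=timedelta(minutes=15)):
    """
    Correlate account creation with what that account does next.
    Returns {(host, account): [detail, ...]} for accounts that downloaded
    or ran something within `window` of being created; the ordinary case
    (an account created by an admin and first used the next day) is ignored.
    """
    created = {}  # (host, account) -> creation time
    hits = {}
    for ts, host, kind, account, detail in sorted(map(parse, events)):
        key = (host, account)
        if kind == "account_created":
            created[key] = ts
        elif kind in FOLLOW_UP_EVENTS and key in created:
            if ts - created[key] <= window:
                hits.setdefault(key, []).append(detail)
    return hits


if __name__ == "__main__":
    for (host, account), details in new_account_activity(SAMPLE_EVENTS).items():
        print(f"{host}: new account {account!r} active immediately after creation: {details}")
```

The point of the window is the one the post makes: the firmware implant itself is invisible to the OS, so the only thing a host-side detector can catch is the moment the implant acts. That is also why the count of infected machines is hard to estimate; a device whose implant never triggers this kind of follow-up activity produces no hit.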


 


5 hours ago, RainfallWithin said:

 

So... not present in official UEFI firmwares from manufacturers' websites that 99% of users download from.

 

If you're installing UEFI firmware coming from other sources and you get infected, that's on you; the same as with normal software.

 

I guess we'll have to wait and see if the news tells us whether the attacker had physical access to the computers or not, before or after they were sold or deployed.

 

I doubt it's a coincidence that 4 out of 4 of the countries mentioned have authoritarian regimes and/or high corruption.

Makes you question those boards used in those AliExpress builds content creators love to make. Makes you also question the entirety of the second hand market because stuff like this has always been a concern. Does the OS that comes pre-installed have something sinister hidden in it? More technical people would just know to nuke the drive and do a fresh re-install, but most people buying a cheap second hand computer probably won't bother to. Now we have to worry about this on a hardware (remember the whole Foxconn scare back in 2018?) and firmware level.  

Intel® Core™ i7-12700 | GIGABYTE B660 AORUS MASTER DDR4 | Sapphire Radeon HD 7850 2GB OC | 32GB Corsair Vengeance® RGB Pro DDR4 | Samsung 850 EVO 250GB | WD Green 1.5TB | Windows 11 Pro

Sony MDR-V250 | GNT-500 | Logitech G610 Orion Brown | Logitech G402 | Samsung C27JG5  | ASUS ProArt PA238QR

Intel® Core™ i7-7600U | Seagate 500GB HDD | 16GB DDR4 | Windows 10 Enterprise | HP EliteBook 850 G4

Intel® Core™ i5-8520U | WD Blue M.2 250GB | 1TB Seagate FireCuda | 8GB DDR4 | Windows 11 Home | ASUS Vivobook 15 

Intel® Core™ i7-3520M | GT 630M | 16 GB Corsair Vengeance® DDR3 | Samsung 850 EVO 250GB | macOS Catalina | Lenovo IdeaPad P580

iPhone 12 Mini (iOS 15.6) | iPhone XR (iOS 15.6) |  iPad Mini (iOS 9.3.5) | KZ AZ09 Pro x KZ ZSN Pro X


5 hours ago, BlueChinchillaEatingDorito said:

Makes you question those boards used in those AliExpress builds content creators love to make. Makes you also question the entirety of the second hand market because stuff like this has always been a concern. Does the OS that comes pre-installed have something sinister hidden in it? More technical people would just know to nuke the drive and do a fresh re-install, but most people buying a cheap second hand computer probably won't bother to. Now we have to worry about this on a hardware (remember the whole Foxconn scare back in 2018?) and firmware level.  

In Russia the firmware modding community is one of the biggest and most advanced in the world.

So it's possible that a popular BIOS mod was infected, or that a bad actor bought lots of PCs, installed the infected BIOS and sold them on the second hand market.

 

As for China and Vietnam, I have no clue why it's happening there as well; could be imported second hand PCs that were affected by the bad actors I mentioned.

A PC Enthusiast since 2011
AMD Ryzen 5 2600@4.1GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R15: 1349cb | Unigine Superposition 1080p Extreme: 3566

10 hours ago, BlueChinchillaEatingDorito said:

Makes you question those boards used in those AliExpress builds content creators love to make. Makes you also question the entirety of the second hand market because stuff like this has always been a concern. Does the OS that comes pre-installed have something sinister hidden in it? More technical people would just know to nuke the drive and do a fresh re-install, but most people buying a cheap second hand computer probably won't bother to. Now we have to worry about this on a hardware (remember the whole Foxconn scare back in 2018?) and firmware level.  

People who buy cheap used Motherboards off eBay as well. They don't care if it takes a couple extra days if they're getting a good bang for their buck. 😬

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


*Looks at map of affected devices.* Ah I think I know which glowing organization is behind this one.


1 minute ago, Beskamir said:

*Looks at map of affected devices.* Ah I think I know which glowing organization is behind this one.

Stuxnet 2

 

If it hadn't been for an outside nation adding additional code to Stuxnet, it may have been years more before it was found.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


good thing I'm on AMD?

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

CPU: Ryzen 9 5900X Case: Antec P8 PSU: Corsair RM850x Cooler: Antec K240 with two Noctua Industrial PPC 3000 PWM

Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


A few theories:

  1. Kaspersky isn't exactly in good graces in the US. Could be a contrived story designed to inspire confidence in their brand. Seems unlikely, though, because allegations of ties to Russian state sponsorship would likely deter the un-ban of the software in the US, and I doubt that Russian sources would knowingly concoct a story that reflects badly on Chinese allies.
  2. The malware was developed by "less-than-friends" of Russia/China and the similarities to Chinese code are an attempt to obfuscate the real source. As @rcmaehl put it: "Stuxnet 2."
  3. Since some Chinese companies have been developing their own PC CPUs and chipsets, maybe this is/was meant to sabotage existing x86 manufacturers or extract data useful in further development of their own designs. This seems highly unlikely, but thought I'd throw it out there.

None of these theories should be taken as anything other than wild speculation, though.

Engineering Student, electronics enthusiast, maker. My devices/tech:


Desktop (Main): i7-7700k/GTX1060 6GB Strix/32" Curved QLED monitor

Desktop (HTPC): Ryzen 3-3200G/RX 580

Laptop: HP 15.6" 1080p/Ryzen 7-2700U/Vega10 iGPU

Phone: Samsung Galaxy Z Fold 3

Dev Boards: TI MSP430/Arduino Uno/Raspberry Pi 4/esp32

Sound: Sony WH-1000XM4, HyperX Quadcast

Camera: Sony a6300 w/ 18-135mm kit lens


16 hours ago, Nimoy007 said:

Seems unlikely, though, because allegations of ties to Russian state sponsorship would likely deter the un-ban of the software in the US

Usage of Kaspersky products isn't banned in the US. Only government entities are banned from using it.

 

 

There is more that meets the eye
I see the soul that is inside

 

 


Looking at the comments in Kaspersky's article, it seems the only solutions if you're one of the infected ones are to either re-flash the BIOS firmware or replace the motherboard.

 

[Image attachment: screenshot of the comments]

There is more that meets the eye
I see the soul that is inside

 

 


19 hours ago, captain_to_fire said:

Looking at the comments in Kaspersky's article, it seems the only solutions if you're one of the infected ones are to either re-flash the BIOS firmware or replace the motherboard.

 

[Image attachment: screenshot of the comments]

That's correct 

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


On 7/30/2022 at 11:38 AM, rcmaehl said:

That's correct 

It would be possible for such a firmware to persist between firmware flashes if the flashing process happens once the existing firmware is loaded; this is common on many motherboards. You might well need to detach the firmware memory chip, nuke it (or throw it away and replace it) and then re-init it with clean firmware.


Time to bring back Mask ROMs?

My eyes see the past…

My camera lens sees the present…


1 month later...
4 hours ago, Superboy said:

Hello

 

Can anyone tell me if it has been found in this motherboard?

ASUS ROG Strix B360-F Gaming, S-1151

I don't have to click on your link. You can check if the information right in the motherboard name matches the known list of affected Intel chips:

 

Your Motherboard name: ASUS ROG Strix B360-F Gaming, S-1151

Your Motherboard's chipset: B360

 

List of affected Intel chips:

  1. H81 chipsets

(Surprisingly, infections have only been found on motherboards with H81 chipsets.)

 

Please check for yourself if B360 is in the above list of one Intel chipset, and if it is, then you will need to replace your motherboard.

 

It is possible there is more UEFI malware out there. Fortunately this article gave specific details about the known infected motherboards.


5 hours ago, sounds said:

I don't have to click on your link. You can check if the information right in the motherboard name matches the known list of affected Intel chips:

 

Your Motherboard name: ASUS ROG Strix B360-F Gaming, S-1151

Your Motherboard's chipset: B360

 

List of affected Intel chips:

  1. H81 chipsets

(Surprisingly, infections have only been found on motherboards with H81 chipsets.)

 

Please check for yourself if B360 is in the above list of one Intel chipset, and if it is, then you will need to replace your motherboard.

 

It is possible there is more UEFI malware out there. Fortunately this article gave specific details about the known infected motherboards.

 

Didn't know it was linking. It's a link to komplett.dk where I bought it.

