Hacking Team Uses UEFI BIOS Rootkit

[jos]

Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.

 

They have written a procedure specifically for Insyde BIOS (a very popular BIOS vendor for laptops).  However, the code can very likely work on AMI BIOS as well.

 

The intruder gets access to the target computer, reboots into UEFI shell, dumps the BIOS, installs the BIOS rootkit, reflashes the BIOS, and then reboots the target system.

 

We’ve found that Hacking Team developed a help tool for the users of their BIOS rootkit, and even provided support for when the BIOS image is incompatible:

 

 

 

The hacking team was just terrible.. 

 

Source: http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/

 

[Swndlr]

Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaand we're all done for.

 

[AlwaysFSX]

Use UEFI they said. It's secure they said.

[Sidiox]

Damn that is bad. Reminds me  of BadBios and that one FireWire firmware hack.

[HalGameGuru]

I thought BIOS firmwares were too sensitive to changes in code and size for this kind of stuff to be so easily done?

[Unlikelyjoker]

Well if your Tony Stark this isn't an issue.

[Bananasplit_00]

Damn that is bad. Reminds me of BadBios and that one FireWire firmware hack.

I still have FireWire on my PC and I bought it around the time USB 3.0 became a thing, WHAT AM I SUPOSED TO DO WITH THIS SHIT IT JUST TAKES UP SPACE ON MY CASE

[qwertywarrior]

UEFI has always been a bad idea from the start, it didnt fix many of the issues legacy bios had and added larger surface area for security issues many opposed it .

it should have been coreboot

[brownninja97]

UEFI has always been a bad idea from the start, it didnt fix many of the issues legacy bios had and added larger surface area for security issues many opposed it .

it should have been coreboot

a read a few articles about that when it was first coming around, i thought the main thing they wanted to fix with a UEFI was security and while they are at it make add a GUI because text based scared the new comers

[HalGameGuru]

How does this bode for something like intercepted PC's or motherboards in the factory or in transit? How quickly could you infect computers headed for sensitive use cases?

[Psykomantis00]

How does this bode for something like intercepted PC's or motherboards in the factory or in transit? How quickly could you infect computers headed for sensitive use cases?

 

 

Lets say you work for Company X and you need new routers for your network for a system upgrade. You email/call the manufacturer and make a purchase of 5 enterprise routers. Company B packages the equipment and ships it out to you. Somewhere along the line the routers are intercepted and they are infected with the tainted firmware, repackaged and put back on a truck. You get the package and install them into the core of your network. Now the attacker has access to your network and you'll never know, never be able to kick them off the network without replacing tainted equipment that you don't know is there. This type of attack could happen in one day, maybe it delays the shipping, maybe not. It wouldn't take long though. 

 

Now keep in mind for a second that this has already happened. 

 

http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden

[GoodBytes]

Secure boot and Secure Flash (some boards put them together) needs to be disabled for it to work.
Make sure Secure boot/flash is enabled, as suggested in the article, and you are good.

 

The only way to by-pass this is the UEFI maker or motherboard manufacture is careless and leaks out the digital signature needed to update the UEFI. Or the hackers where able to get it, and sign their own thing.

[DEDRICK]

Couldn't you just use Intel Flash ToolKit to erase the bios and rewrite it while in Windows? Not flash, erase and rewrite

[linuxfan66]

Secure boot and Secure Flash (some boards put them together) needs to be disabled for it to work.

Make sure Secure boot/flash is enabled, as suggested in the article, and you are good.

The only way to by-pass this is the UEFI maker or motherboard manufacture is careless and leaks out the digital signature needed to update the UEFI. Or the hackers where able to get it, and sign their own thing.

Home users have secure boot on by default now... For new pcs anyway and all uefi attacks I've seen require local access...

[Snickerzz]

And that's why soldered on Bios chips are dumb

[Doobeedoo]

Terrible. I knew it this will happen eventually. But still wow, this is bad.

[linuxfan66]

I would say the scariest thing would be buying uefi PC rootkitting the uefi... Then stealing people info using it.

[HalGameGuru]

Lets say you work for Company X and you need new routers for your network for a system upgrade. You email/call the manufacturer and make a purchase of 5 enterprise routers. Company B packages the equipment and ships it out to you. Somewhere along the line the routers are intercepted and they are infected with the tainted firmware, repackaged and put back on a truck. You get the package and install them into the core of your network. Now the attacker has access to your network and you'll never know, never be able to kick them off the network without replacing tainted equipment that you don't know is there. This type of attack could happen in one day, maybe it delays the shipping, maybe not. It wouldn't take long though. 

 

Now keep in mind for a second that this has already happened. 

 

http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden

 

I'm not sure why, but as easy as you made that sound and how its happened before makes me queasy.

[Kamina]

I'm not scared.

[sof006]

Use UEFI they said. It's secure they said.

It is. If you turn on UEFI SecureFlash. Its not if you leave it disabled. Your fault if you do lol