Deep-rooted firmware cyberthreats put defenders in a bind

Recent cyberthreats targeting firmware have underscored how tricky it is to weed out malware that runs during the boot process, before the operating system and any of its defenses have loaded.

There are options for dealing with run-of-the-mill malware infections: A compromised computer doesn’t have to be thrown into the nearest trash can. But such an extreme response may be tempting for defenders dealing with attackers who burrow deep into a little-known part of practically every modern computer system.

The Unified Extensible Firmware Interface (UEFI) is the firmware that starts the boot process on most modern personal computers, and it has come under fire in several high-profile hacking campaigns. The firmware image itself is stored in a flash chip on the motherboard, not on the disk; the disk holds only the EFI System Partition with the bootloaders that the firmware hands off to.

Traditional malware removal methods like rebooting a system to clear in-memory implants, wiping a drive or reinstalling the operating system never touch the firmware flash, so they have no effect on a UEFI implant.

Mandiant senior reverse engineer Mark Lechtik told README that responding to a UEFI incident can be “essentially as costly or even more costly than just removing all the machines that are in the network and just putting in new machines instead.”

That doesn’t mean the UEFI is impossible to manage. Manufacturers release updated firmware images. But unlike an operating system update, which can usually be pushed remotely, a firmware update has to be flashed with the vendor’s own tool or through the firmware’s capsule-update mechanism, and a firmware image that has been corrupted or maliciously rewritten may only be recoverable with a hardware programmer attached to the flash chip on the motherboard. Either way it is a more involved (and time-consuming) process.

Lechtik told README that UEFI’s extensibility — the ability to make changes or add new features to the firmware with relative ease — can make it appealing to manufacturers but frustrating for administrators. Every device is likely to have a slightly different method for obtaining an updated version of the UEFI and flashing it to the affected system, so fixes to clear out malware may not scale. Some vendors make installing these updates fairly easy, but in many cases, it’s a multi-step process.

All of which means that UEFI is a nearly ubiquitous part of modern systems that is necessary for those systems to function, difficult to monitor from the confines of the host operating system, and a headache to manage in the best of times. Exploiting these factors could give attackers a way to all but guarantee their malware remains on a system.
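Because the host operating system cannot see what is in the flash chip, the practical way to check a suspect machine is to read the flash image out (with a tool such as flashrom, or a hardware programmer) and compare it, firmware volume by firmware volume, against a known-good image from the vendor’s update package. The script below is an added example, not code from the article or from any vendor or research team: it locates UEFI firmware volumes by their `_FVH` header, validates the header checksum so a stray signature in data is not mistaken for a volume, hashes each volume and reports which ones differ. The "golden" and "dumped" images are constructed in memory so it runs offline; their contents are stand-ins, not real firmware.

```python
"""Volume-by-volume comparison of a dumped UEFI flash image against a
known-good image. Added example, not code from the article or from any
vendor tool; the "golden" and "dumped" images are constructed in memory so
the script runs offline. In real use the dump would come from a flash reader
such as flashrom and the golden image from the vendor's update package."""
import hashlib
import struct

# EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec): ZeroVector[16], FileSystemGuid[16],
# FvLength (u64), Signature "_FVH", Attributes (u32), HeaderLength (u16),
# Checksum (u16), ExtHeaderOffset (u16), Reserved (u8), Revision (u8), then a
# BlockMap of (NumBlocks, Length) u32 pairs terminated by (0, 0).
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)  # 56 bytes; BlockMap follows
FV_SIGNATURE = b"_FVH"
SIGNATURE_OFFSET = 0x28  # where "_FVH" sits relative to the header start


def header_checksum_ok(header: bytes) -> bool:
    """Every little-endian u16 word of the header, the Checksum field
    included, must sum to zero modulo 2**16."""
    if len(header) % 2:
        return False
    words = struct.unpack("<%dH" % (len(header) // 2), header)
    return sum(words) % 0x10000 == 0


def find_firmware_volumes(image: bytes):
    """Return [(offset, length)] for every volume whose header parses and
    checksums cleanly; stray "_FVH" strings inside data are skipped."""
    volumes, pos = [], 0
    while (sig := image.find(FV_SIGNATURE, pos)) >= 0:
        start, pos = sig - SIGNATURE_OFFSET, sig + 1
        if start < 0 or start + FV_HEADER_SIZE > len(image):
            continue
        fields = struct.unpack_from(FV_HEADER_FMT, image, start)
        fv_len, hdr_len = fields[2], fields[5]
        if not (FV_HEADER_SIZE <= hdr_len <= fv_len <= len(image) - start):
            continue
        if not header_checksum_ok(image[start:start + hdr_len]):
            continue
        volumes.append((start, fv_len))
        pos = start + fv_len  # skip the body; nested volumes count as part of this one
    return volumes


def volume_hashes(image: bytes) -> dict:
    """Map volume offset -> SHA-256 of the whole volume (header and body)."""
    return {off: hashlib.sha256(image[off:off + ln]).hexdigest()
            for off, ln in find_firmware_volumes(image)}


def diff_images(golden: bytes, dumped: bytes) -> list:
    """List (offset, status) for every volume that differs: 'modified',
    'missing' (only in the golden image) or 'unexpected' (only in the dump)."""
    g, d = volume_hashes(golden), volume_hashes(dumped)
    findings = []
    for off in sorted(set(g) | set(d)):
        if off not in d:
            findings.append((off, "missing"))
        elif off not in g:
            findings.append((off, "unexpected"))
        elif g[off] != d[off]:
            findings.append((off, "modified"))
    return findings


def make_volume(payload: bytes, guid: bytes = b"\x00" * 16) -> bytes:
    """Build a minimal, correctly checksummed volume around payload. Used only
    to construct the sample images; real volumes carry an FFS file system."""
    hdr_len = FV_HEADER_SIZE + 16          # one BlockMap entry plus terminator
    fv_len = hdr_len + len(payload)
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)

    def header(checksum):
        return struct.pack(FV_HEADER_FMT, b"\x00" * 16, guid, fv_len,
                           FV_SIGNATURE, 0x0004FEFF, hdr_len, checksum,
                           0, 0, 2) + block_map

    words = struct.unpack("<%dH" % (hdr_len // 2), header(0))
    return header((-sum(words)) & 0xFFFF) + payload


# Constructed sample images: two volumes separated by erased-flash padding.
PADDING = b"\xff" * 64
GOLDEN = (PADDING + make_volume(b"DXE core and drivers " * 4)
          + PADDING + make_volume(b"NVRAM store " * 4) + PADDING)
# A tampered dump: one byte changed in the first volume's body (standing in
# for an implanted driver) plus a decoy "_FVH" in the padding that a naive
# signature scan would mistake for a volume.
_tampered = bytearray(GOLDEN)
_tampered[len(PADDING) + 72 + 3] ^= 0xFF
_tampered[44:48] = FV_SIGNATURE
DUMPED = bytes(_tampered)

if __name__ == "__main__":
    for off, ln in find_firmware_volumes(DUMPED):
        print("volume at 0x%06x, %d bytes" % (off, ln))
    for off, status in diff_images(GOLDEN, DUMPED):
        print("0x%06x: %s" % (off, status))
```

On the sample data the script reports the first volume as modified and nothing else, even though the decoy signature was planted in the padding. A real comparison should also cover the regions outside firmware volumes (flash descriptor, management engine region, NVRAM) and should expect legitimate differences in the variable store, so findings need to be read against what the vendor image actually covers rather than treated as verdicts on their own.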

UEFI-based attacks

These aren’t theoretical concerns. ESET revealed the first UEFI rootkit discovered in the wild, LoJax, in 2018. Kaspersky disclosed two similar campaigns, MosaicRegressor and MoonBounce, in 2020 and 2022. Lechtik investigated both attacks: He was a senior security researcher at Kaspersky’s Global Research and Analysis Team before he joined Mandiant.

All three campaigns — LoJax, MosaicRegressor, and MoonBounce — were used to deliver Windows malware to infected systems. Because of the way UEFI works, the attackers were able to make sure their malware remained on those systems, even if defenders managed to remove it from Windows proper. The UEFI implant would simply reinfect the systems upon reboot.

“The ability to inflict a malicious action prior to the operating system being fully loaded and any subsequent protection being activated makes the exploitation of a UEFI vulnerability difficult to detect and defend against,” ESET chief security evangelist Tony Anscombe told README. He noted the severity of the threat depends on the specific vulnerability in the interface. A flaw that requires physical access to a device to exploit, for example, doesn’t carry the same weight as a security issue that can be exploited remotely.

Unfortunately, the same factors that make UEFI a compelling target for attackers mean that any vulnerabilities are likely to have an outsized impact.

Lenovo’s long-lasting vulnerabilities

ESET disclosed in April three vulnerabilities it discovered in the UEFI firmware drivers used in more than 100 Lenovo laptop models. Lenovo committed to releasing firmware updates for many but not all of the affected products, which are used by millions of people around the world. And releasing an update hardly guarantees people will install it: users are notoriously lax about applying updates, even though Lenovo offers several ways to update the BIOS or UEFI on its products, which makes these flaws easier to address than UEFI vulnerabilities in many other products.

The persistence that UEFI implants gain could make such widespread flaws — which Lenovo took six months to address after ESET reported them privately — even more troublesome.

Or, perhaps, these issues will become part of the new normal.

Lechtik and Anscombe both said that UEFI will be an area of interest for the foreseeable future.

“Bad actors will endeavor to take advantage of any opportunity,” Anscombe said, “and as there are more UEFI capable devices in market and the skill sets involved in exploiting vulnerabilities in UEFI become more widespread, it is highly probable that there will be more attacks targeting these systems.”

That doesn’t mean the sky is falling. Lechtik said technologies like Trusted Platform Modules and Secure Boot can make it more difficult for attackers to leverage UEFI against their intended victims, and as more campaigns like LoJax and MoonBounce are uncovered, security professionals are increasingly likely to be familiar with attacks targeting UEFI.
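Secure Boot only helps if it is actually enforcing, and on Linux that is easy to verify from the two variables the firmware exposes through efivarfs. The script below is an added example, not code from the article, Lechtik, Mandiant or ESET: it decodes the efivarfs layout (a 4-byte attribute word followed by the variable data) and classifies the host, treating a platform left in Setup Mode as not protected even if it claims Secure Boot support, because in that state the signature database can be rewritten without authentication. The sample variable contents are constructed so the classification runs without UEFI hardware.

```python
"""Is Secure Boot actually enforcing? Reads the SecureBoot and SetupMode
variables that the firmware exposes through efivarfs on Linux. Added example,
not from the article; the sample variable contents are constructed so the
classification can be exercised without UEFI hardware."""
from pathlib import Path
from typing import Optional, Tuple

# GUID of the UEFI global variable namespace, which both variables live in.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """efivarfs files carry a 4-byte little-endian attribute word followed
    by the variable's data."""
    if len(raw) < 4:
        raise ValueError("truncated efivar contents")
    return int.from_bytes(raw[:4], "little"), raw[4:]


def secure_boot_state(secure_boot: Optional[bytes],
                      setup_mode: Optional[bytes]) -> str:
    """Classify the raw contents of the two variables:
    'enforcing'  SecureBoot == 1 and SetupMode == 0
    'setup-mode' SetupMode == 1: the key databases can be rewritten without
                 authentication, so signature checks protect nothing
    'disabled'   SecureBoot == 0 with SetupMode == 0
    'no-uefi'    variables absent (legacy BIOS boot or efivarfs not mounted)"""
    if secure_boot is None or setup_mode is None:
        return "no-uefi"
    _, sb = parse_efivar(secure_boot)
    _, sm = parse_efivar(setup_mode)
    if sm[:1] == b"\x01":
        return "setup-mode"
    return "enforcing" if sb[:1] == b"\x01" else "disabled"


def read_var(name: str, guid: str = EFI_GLOBAL_VARIABLE_GUID) -> Optional[bytes]:
    """Read one variable from efivarfs; None if it is not present."""
    try:
        return (EFIVARS / f"{name}-{guid}").read_bytes()
    except FileNotFoundError:
        return None


def check_host() -> str:
    """Live check of the machine this runs on; needs efivarfs mounted."""
    return secure_boot_state(read_var("SecureBoot"), read_var("SetupMode"))


# Constructed samples: attribute word 0x06 (BOOTSERVICE_ACCESS|RUNTIME_ACCESS)
# followed by the single data byte the firmware uses for these variables.
ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SETUP_MODE = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")
DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")

if __name__ == "__main__":
    print("host:", check_host())
```

One caveat a practitioner should keep in mind: Secure Boot verifies the signatures of what the firmware loads after itself (bootloaders, option ROMs, drivers). It does nothing about code that has already been written into the flash chip, which is what LoJax-style implants do; guarding that depends on the platform’s flash write-protection settings and on a hardware root of trust that measures the firmware before it runs.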

Unfortunately, firmware-based attacks won’t stop with UEFI. HP revealed on June 28 that 83% of the 1,100 IT professionals it surveyed said that “firmware attacks against laptops and PCs now pose a significant threat,” with 67% saying that “protecting against, detecting, and recovering from firmware attacks has become more difficult and time-consuming due to the increase in home working” resulting from the COVID-19 pandemic.

These firmware-based threats won’t necessarily target UEFI. Instead they can go after the firmware that allows devices like printers — which, according to HP, 76% of IT decision makers say “pose a significant threat” — to work with PCs. Some 80% of respondents told HP they “are worried about their capacity to respond to endpoint firmware attacks.”

UEFI is just the beginning.