Attacks can be blocked by enabling Secure Boot

Sep 28, 2018 11:08 GMT  ·  By

ESET uncovered a new ongoing cyber attack, a UEFI rootkit being actively used by the Sednit (aka Fancy Bear) APT group to compromise governmental targets from Central and Eastern Europe.

The threat group behind the attack, also known as APT28, STRONTIUM, and Sofacy, is the first group of cybercriminals to have successfully compromised computing systems using a UEFI rootkit.

Among Sednit's previous victims are the US Democratic National Committee (DNC), TV5Monde, the World Anti-Doping Agency, and a handful of other high profile targets.

As reported by ESET, "the LoJax rootkit was part of a campaign run by Fancy Bear against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind."

LoJax attacks work by injecting a malicious UEFI module into the system's SPI flash memory; that module downloads and runs malware while the operating system boots up, giving the rootkit's operator administrator-level privileges on the compromised computer.

The biggest issue is that once LoJax successfully penetrates a computer's UEFI firmware, the rootkit will survive OS reinstalls and storage device changes.

Enabling Secure Boot is the best way to block LoJax from compromising your machine

There is very little regular users can do to remediate such an infection, since the only way to get rid of it is to re-flash the memory chips with a clean copy of the firmware, an operation only professionals should attempt, or to replace the computer's motherboard altogether.

Users with Secure Boot enabled are protected by default, since this Windows feature automatically blocks any malicious software components from running while the operating system boots up.

If you haven't yet enabled Secure Boot on your device, you can do so by entering the UEFI firmware settings and toggling on the Secure Boot option.
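To verify the mitigation described above across a Windows fleet, the following added script (not from ESET or the original article) reports the firmware mode and Secure Boot state using the built-in Confirm-SecureBootUEFI cmdlet, handling the case where the machine boots in legacy BIOS mode and Secure Boot is simply unavailable. It assumes Windows 8 or later and an elevated PowerShell prompt.

```powershell
# Added example: report whether this host matches the recommended posture
# (UEFI boot with Secure Boot enabled). Uses only built-in cmdlets.
# Returns an object so results can be collected across many machines.

function Get-SecureBootPosture {
    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        FirmwareType = $env:firmware_type   # "UEFI" or "Legacy" on Windows 8+
        SecureBoot   = $null                # $true / $false / $null if unknown
        Note         = ''
    }

    try {
        # Queries the SecureBoot UEFI variable. On legacy BIOS systems the
        # cmdlet throws PlatformNotSupportedException; without elevation it
        # throws UnauthorizedAccessException (exception types assumed here).
        $result.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    }
    catch [System.PlatformNotSupportedException] {
        $result.Note = 'Legacy BIOS boot: Secure Boot is not available on this system'
    }
    catch [System.UnauthorizedAccessException] {
        $result.Note = 'Run from an elevated prompt to query the Secure Boot state'
    }
    catch {
        $result.Note = "Query failed: $($_.Exception.Message)"
    }

    if ($result.SecureBoot -eq $false) {
        $result.Note = 'Secure Boot disabled: enable it in the UEFI firmware settings'
    }
    return $result
}

$posture = Get-SecureBootPosture
$posture | Format-List
# A non-zero exit code lets a scheduled task or endpoint agent flag the host.
if ($posture.SecureBoot -ne $true) { exit 1 }
```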

ESET's research team linked LoJax to the Sednit APT group after finding that the command-and-control (C&C) servers used by LoJax were also used by the SedUploader backdoor during other attack campaigns.

[Image: Rootkit]
[Image: Boot process of a LoJax-infected system]