WARNING: Moonbounce Malware (UEFI boot/rootkit)

Topic

New Reply

An early (in-the-wild) discovery of malware that can survive drive formats and OS reinstalls by infecting the UEFI allows the payload to remain persistant.

Further detailed info over on csoonline

So, my understanding is, if you have secure boot enabled, it should prevent infection, if you don’t….

It’s now becoming apparent as to why Win11 pre-requisites were issued for upgrades. Thereagain, Microsoft did warn users bypassing Win11 installation pre-requisites could face problems, now open to interpretation and not just OS patches going forward…

Pending multiple AV definition updates

Windows - commercial by definition and now function...

2 users thanked author for this post.

Kirsty, Alex5723

Reply | Quote

Replies

Thankfully only larger networks it seems. (Of course, I could add a “for now” as identifying a platform from the network side isn’t that difficult as the MAC address has significant information.)

I tried (and failed) at explaining..

https://www.askwoody.com/forums/topic/firmware-issues/#post-2419614

 

Reply | Quote

Microfix wrote:

An early (in-the-wild) discovery of malware that can survive drive formats and OS reinstalls by infecting the UEFI allows the payload to remain persistant.

From the link: “This type of modification implies the attackers had access to the original firmware image. This can be achieved if attackers had remote access to the machine and administrative privileges to extract and flash the firmware.”

It needs a multi-purpose vector.  In addition, it won’t be able to survive a motherboard replacement.  I lost two PC’s in a house fire in 2011, but only the hardware.  The systems were intact in drive images on protected offline HDD’s, and restored on replacement hardware.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

2 users thanked author for this post.

DriftyDonN, RetiredGeek

Reply | Quote

Well, as to why anyone would wish to replace a motherboard for an infection is beyond logic.

Not having secure boot enabled assists injection no matter how it’s delivered, as per the OP linked article it is ‘assumed’ at this stage with good reason.

The infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint

which makes it difficult to establish the source.

Ref from the horses mouth:
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

Windows - commercial by definition and now function...

Reply | Quote

Microfix wrote:

Well, as to why anyone would wish to replace a motherboard for an infection is beyond logic.

I fail to grasp why getting rid of a piece of hardware which is the singular hiding place of an eradicable piece of malware is illogical.

Microfix wrote:

Not having secure boot enabled assists injection no matter how it’s delivered, as per the OP linked article it is ‘assumed’ at this stage with good reason.

“Secure boot” has already been shown to be vulnerable quite some time ago.  Secure boot is in hardware.  Disabling that piece of hardware disables that particular vector, as well.

And this particular malware is clearly designed for ‘big game’, not home users or small business.  I run as a standard user, no administrative privileges, not easy to exploit that type of malware at standard user level.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

1 user thanked author for this post.

Kirsty

Reply | Quote

Microfix wrote:

Microsoft did warn users bypassing Win11 installation pre-requisites could face problems

Did Microsoft (or one of its “affiliated”) developed Moonbounce Malware to push users into new hardware and Windows 11 ? /s

1 user thanked author for this post.

Charlie

Reply | Quote

I’m glad you said it before I did.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

OK. Lets be plain. Consider the way in which the Moonbounce malware is introduced into the driver stack. Now consider what UEFI software acts in that area and how the Windows drivers take over from it. Clearer visibility of the flaws in the driver code in that area to attackers may well reveal driver weaknesses as yet undisclosed which may well need to be addressed by firmware updates. Consider also that those drivers also operate in the Windows setup and PE environments also (which is why you should no longer get setup screens you can’t see properly). This driver functionality is handy for enabling on line restoration of the software by large OEMs, but whilst the BIOS software might be sound, the boot process of a downloaded installation media of course may not be patched to the same degree as the main operating system, and yet may still be exposed to the Internet via the active UEFI drivers early in the boot process leaving the door open for weaknesses there to be exploited, perhaps more so if an older version is installing as the machine has been factory defaulted from the factory image on the hard disk.

As I previously indicated in the other thread, the desktop machines would not be the prize target – attackers would want to “own” the servers and then they can do as they will with the rest of the network as it’s usually in all ways subservient. Imaging if this was leveraged and you find you can’t access the server as that was the seat of a malware problem which didn’t show up until it rebooted after a Windows update..

https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/

Such attackers really don’t care if they break a machine or two. Overall that increases the fear factor and encourages victims to pay the ransom.

Cue complaints about there being no business users here etc, etc. Thing is we’re all connected to several businesses through the Internet. Right now.

Reply | Quote

oldguy wrote:

Consider the way in which the Moonbounce malware is introduced into the driver stack.

Indeed.

bbearren wrote:

From the link: “This type of modification implies the attackers had access to the original firmware image. This can be achieved if attackers had remote access to the machine and administrative privileges to extract and flash the firmware.”

I’m not concerned.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

Reply | Quote

I’m not worried either – they won’t come for us directly. Of course an attacker knows what hardware they’re attacking and what the latest drivers are so when a CVE comes up for those there is a small but not zero chance they could find a way to use that flaw to gain the elevation needed (pre boot being the ultimate elevation, of course.)- it’s all about the big stuff, not us, but as a whole spread of programs on PCs update from various sources and a compromised server could have an impact on the rest of us..

Consider say a server in the menial task of hosting firmware updates for an ISP’s modems. The firmware would be encrypted on a “by serial number” basis before sending, as having the same encryption credentials across all the devices (or deploying it unencrypted) would be plain crazy as then breaking one device would break all anyway, so if that server could be “got at” (or is transiently insecure because it doesn’t reboot at inconvenient times) the vanilla modem firmware would be on there and if they can reverse engineer a PC motherboard to own a server, the only real difference with re-engineering the modem software would be the tool set you need as it’ll be a lesser processor.. but also have no sort of AV to get in the way. It’ll be a case of replace the source code, and watch it deploy.. maybe a mirai botnet but without needing an initial problem in the software at the end affected. That malware never affected anyone..

To decide to be worried you’d have to be concerned as to if for example Askwoody is hosted off a server under Susan’s desk, or at a hosting platform. Seems unlikely it’s stand alone but we’re all connecting to it.. its providing content to our browsers..at the next browser CVE  we’d be open to whatever it could be deceived into sending, but we don’t worry about it.. but I hope discussing the changing profile of security makes everyone that bit more aware..

Reply | Quote

oldguy wrote:

Of course an attacker knows…

bbearren wrote:

From the link: “This type of modification implies the attackers had access to the original firmware image. This can be achieved if attackers had remote access to the machine and administrative privileges to extract and flash the firmware.”

To paraphrase, if attackers had remote access to the machine and administrative privileges to extract and flash the firmware, this attack might be plausible.

Assuming an ‘attacker’ can get through all that, all I have to do is a ‘dead-board’ jumper UEFI reset-to-default, or replace my motherboard, and restore my drive images.  That’s not what I would call “persistent”; throw it out with the trash.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

1 user thanked author for this post.

RetiredGeek

Reply | Quote

<p style=”text-align: left;”>To paraphrase it some more .. if there’s a security problem with a UEFI network driver a machine could be targeted as it reboots after updates to exploit that weakness in order to achieve elevation in the context of the UEFI shell, rather than the operating system, with aim of effecting changes to the machine at a firmware level, without any interference from the operating system.</p>
<p style=”text-align: left;”>Secure boot ought to have stopped the problem so I’d propose that’s the weak point.. This time they added a driver which could be enumerated (and thus should have thrown secure boot issues) , but what if attackers changed to modifying the image of an existing driver – far harder to detect a change in the code in an existing item than an addition of a new item to the table. If course there’s signing to be worked with but if you can see the whole firmware you can likely see how that works or how to side step that.</p>
The concern here is much BIOS code is modular, common code being used across many versions, and some of it is even open source (Tianocore) so perhaps we should be a little vigilant..

For example the attached is a BIOS update file set for the old Intel DH67. What is the  penultimate file? What does that mean now in the context of the previous – is the name random or intentional.. ?

Of course that hardware is out of support so it’s on its own..

after all, not many of these are high severity-

https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=tianocore&search_type=all&isCpeNameSearch=false

 

Reply | Quote

oldguy wrote:

.. if there’s a security problem with a UEFI network driver…

bbearren wrote:

Assuming an ‘attacker’ can get through all that, all I have to do is a ‘dead-board’ jumper UEFI reset-to-default, or replace my motherboard, and restore my drive images. That’s not what I would call “persistent”; throw it out with the trash.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

Reply | Quote

Consider ISP injection and subsequent distribution..

Windows - commercial by definition and now function...

Reply | Quote

Looks like AMI are already all over the problem – with a hardware solution.. and they’ve put some figures to it..

https://www.ami.com/ami-hrot/

Reply | Quote

This is what I deem to be persistent:

bbearren wrote:

I lost two PC’s in a house fire in 2011, but only the hardware. The systems were intact in drive images on protected offline HDD’s, and restored on replacement hardware.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

Reply | Quote

Perhaps they don’t even need to break into  server at all – check out the bottom section of this..

https://www.bleepingcomputer.com/news/security/over-20-000-data-center-management-systems-exposed-to-hackers/

Perhaps the default password is never good enough.. and password reuse is now asking for problems.

Reply | Quote