• WARNING: Moonbounce Malware (UEFI boot/rootkit)

    Home » Forums » Cyber Security Information and Advisories » Code Red – Security/Privacy advisories » WARNING: Moonbounce Malware (UEFI boot/rootkit)

    Author
    Topic
    #2421022

    An early (in-the-wild) discovery of malware that can survive drive formats and OS reinstalls by infecting the UEFI allows the payload to remain persistant.

    Further detailed info over on csoonline

    So, my understanding is, if you have secure boot enabled, it should prevent infection, if you don’t….

    It’s now becoming apparent as to why Win11 pre-requisites were issued for upgrades. Thereagain, Microsoft did warn users bypassing Win11 installation pre-requisites could face problems, now open to interpretation and not just OS patches going forward…

    Pending multiple AV definition updates

    "-rw-rw-rw-" extreme computing
    2 users thanked author for this post.
    Viewing 10 reply threads
    Author
    Replies
    • #2421029

      Thankfully only larger networks it seems. (Of course, I could add a “for now” as identifying a platform from the network side isn’t that difficult as the MAC address has significant information.)

      I tried (and failed) at explaining..

      https://www.askwoody.com/forums/topic/firmware-issues/#post-2419614

       

    • #2421039

      An early (in-the-wild) discovery of malware that can survive drive formats and OS reinstalls by infecting the UEFI allows the payload to remain persistant.

      From the link: “This type of modification implies the attackers had access to the original firmware image. This can be achieved if attackers had remote access to the machine and administrative privileges to extract and flash the firmware.”

      It needs a multi-purpose vector.  In addition, it won’t be able to survive a motherboard replacement.  I lost two PC’s in a house fire in 2011, but only the hardware.  The systems were intact in drive images on protected offline HDD’s, and restored on replacement hardware.

      Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
      We all have our own reasons for doing the things that we do. We don't all have to do the same things.

      2 users thanked author for this post.
    • #2421077

      Well, as to why anyone would wish to replace a motherboard for an infection is beyond logic.

      Not having secure boot enabled assists injection no matter how it’s delivered, as per the OP linked article it is ‘assumed’ at this stage with good reason.

      The infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint

      which makes it difficult to establish the source.

      Ref from the horses mouth:
      https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

      "-rw-rw-rw-" extreme computing
      • #2421118

        Well, as to why anyone would wish to replace a motherboard for an infection is beyond logic.

        I fail to grasp why getting rid of a piece of hardware which is the singular hiding place of an eradicable piece of malware is illogical.

        Not having secure boot enabled assists injection no matter how it’s delivered, as per the OP linked article it is ‘assumed’ at this stage with good reason.

        “Secure boot” has already been shown to be vulnerable quite some time ago.  Secure boot is in hardware.  Disabling that piece of hardware disables that particular vector, as well.

        And this particular malware is clearly designed for ‘big game’, not home users or small business.  I run as a standard user, no administrative privileges, not easy to exploit that type of malware at standard user level.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        We all have our own reasons for doing the things that we do. We don't all have to do the same things.

        1 user thanked author for this post.
    • #2421100

      Microsoft did warn users bypassing Win11 installation pre-requisites could face problems

      Did Microsoft (or one of its “affiliated”) developed Moonbounce Malware to push users into new hardware and Windows 11 ? /s

      1 user thanked author for this post.
      • #2421414

        I’m glad you said it before I did.

        We're getting Sticker Shock everywhere now, not just car dealers.

    • #2421154

      OK. Lets be plain. Consider the way in which the Moonbounce malware is introduced into the driver stack. Now consider what UEFI software acts in that area and how the Windows drivers take over from it. Clearer visibility of the flaws in the driver code in that area to attackers may well reveal driver weaknesses as yet undisclosed which may well need to be addressed by firmware updates. Consider also that those drivers also operate in the Windows setup and PE environments also (which is why you should no longer get setup screens you can’t see properly). This driver functionality is handy for enabling on line restoration of the software by large OEMs, but whilst the BIOS software might be sound, the boot process of a downloaded installation media of course may not be patched to the same degree as the main operating system, and yet may still be exposed to the Internet via the active UEFI drivers early in the boot process leaving the door open for weaknesses there to be exploited, perhaps more so if an older version is installing as the machine has been factory defaulted from the factory image on the hard disk.

      As I previously indicated in the other thread, the desktop machines would not be the prize target – attackers would want to “own” the servers and then they can do as they will with the rest of the network as it’s usually in all ways subservient. Imaging if this was leveraged and you find you can’t access the server as that was the seat of a malware problem which didn’t show up until it rebooted after a Windows update..

      https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/

      Such attackers really don’t care if they break a machine or two. Overall that increases the fear factor and encourages victims to pay the ransom.

      Cue complaints about there being no business users here etc, etc. Thing is we’re all connected to several businesses through the Internet. Right now.

      • #2421235

        Consider the way in which the Moonbounce malware is introduced into the driver stack.

        Indeed.

        From the link: “This type of modification implies the attackers had access to the original firmware image. This can be achieved if attackers had remote access to the machine and administrative privileges to extract and flash the firmware.

        I’m not concerned.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        We all have our own reasons for doing the things that we do. We don't all have to do the same things.

    • #2421282

      I’m not worried either – they won’t come for us directly. Of course an attacker knows what hardware they’re attacking and what the latest drivers are so when a CVE comes up for those there is a small but not zero chance they could find a way to use that flaw to gain the elevation needed (pre boot being the ultimate elevation, of course.)- it’s all about the big stuff, not us, but as a whole spread of programs on PCs update from various sources and a compromised server could have an impact on the rest of us..

      Consider say a server in the menial task of hosting firmware updates for an ISP’s modems. The firmware would be encrypted on a “by serial number” basis before sending, as having the same encryption credentials across all the devices (or deploying it unencrypted) would be plain crazy as then breaking one device would break all anyway, so if that server could be “got at” (or is transiently insecure because it doesn’t reboot at inconvenient times) the vanilla modem firmware would be on there and if they can reverse engineer a PC motherboard to own a server, the only real difference with re-engineering the modem software would be the tool set you need as it’ll be a lesser processor.. but also have no sort of AV to get in the way. It’ll be a case of replace the source code, and watch it deploy.. maybe a mirai botnet but without needing an initial problem in the software at the end affected. That malware never affected anyone..

      To decide to be worried you’d have to be concerned as to if for example Askwoody is hosted off a server under Susan’s desk, or at a hosting platform. Seems unlikely it’s stand alone but we’re all connecting to it.. its providing content to our browsers..at the next browser CVE  we’d be open to whatever it could be deceived into sending, but we don’t worry about it.. but I hope discussing the changing profile of security makes everyone that bit more aware..

      • #2421299

        Of course an attacker knows…

        From the link: “This type of modification implies the attackers had access to the original firmware image. This can be achieved if attackers had remote access to the machine and administrative privileges to extract and flash the firmware.

        To paraphrase, if attackers had remote access to the machine and administrative privileges to extract and flash the firmware, this attack might be plausible.

        Assuming an ‘attacker’ can get through all that, all I have to do is a ‘dead-board’ jumper UEFI reset-to-default, or replace my motherboard, and restore my drive images.  That’s not what I would call “persistent”; throw it out with the trash.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        We all have our own reasons for doing the things that we do. We don't all have to do the same things.

        1 user thanked author for this post.
    • #2421344

      <p style=”text-align: left;”>To paraphrase it some more .. if there’s a security problem with a UEFI network driver a machine could be targeted as it reboots after updates to exploit that weakness in order to achieve elevation in the context of the UEFI shell, rather than the operating system, with aim of effecting changes to the machine at a firmware level, without any interference from the operating system.</p>
      <p style=”text-align: left;”>Secure boot ought to have stopped the problem so I’d propose that’s the weak point.. This time they added a driver which could be enumerated (and thus should have thrown secure boot issues) , but what if attackers changed to modifying the image of an existing driver – far harder to detect a change in the code in an existing item than an addition of a new item to the table. If course there’s signing to be worked with but if you can see the whole firmware you can likely see how that works or how to side step that.</p>
      The concern here is much BIOS code is modular, common code being used across many versions, and some of it is even open source (Tianocore) so perhaps we should be a little vigilant..

      For example the attached is a BIOS update file set for the old Intel DH67. What is the  penultimate file? What does that mean now in the context of the previous – is the name random or intentional.. ?

      Of course that hardware is out of support so it’s on its own..

      after all, not many of these are high severity-

      https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=tianocore&search_type=all&isCpeNameSearch=false

       

      • #2421413

        .. if there’s a security problem with a UEFI network driver…

        Assuming an ‘attacker’ can get through all that, all I have to do is a ‘dead-board’ jumper UEFI reset-to-default, or replace my motherboard, and restore my drive images. That’s not what I would call “persistent”; throw it out with the trash.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        We all have our own reasons for doing the things that we do. We don't all have to do the same things.

    • #2421383

      Consider ISP injection and subsequent distribution..

      "-rw-rw-rw-" extreme computing
    • #2421407

      Looks like AMI are already all over the problem – with a hardware solution.. and they’ve put some figures to it..

      https://www.ami.com/ami-hrot/

    • #2421415

      This is what I deem to be persistent:

      I lost two PC’s in a house fire in 2011, but only the hardware. The systems were intact in drive images on protected offline HDD’s, and restored on replacement hardware.

      Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
      We all have our own reasons for doing the things that we do. We don't all have to do the same things.

    • #2422155

      Perhaps they don’t even need to break into  server at all – check out the bottom section of this..

      https://www.bleepingcomputer.com/news/security/over-20-000-data-center-management-systems-exposed-to-hackers/

      Perhaps the default password is never good enough.. and password reuse is now asking for problems.

    Viewing 10 reply threads
    Reply To: WARNING: Moonbounce Malware (UEFI boot/rootkit)

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.