For years, some Gigabyte and Asus motherboards carried UEFI malware

nanoguy

Posts: 1,243   +24
Staff member
In context: Security firm ESET discovered the first UEFI rootkit that had been used in the wild back in 2018. This type of persistent threat used to be the subject of theoretical discussions among security researchers, but over the past years, it's become clear that it's a lot more common than previously thought, despite being relatively hard to develop.

This week, Kaspersky researchers revealed a new firmware rootkit dubbed "CosmicStrand," which is believed to be the work of an unknown group of Chinese malicious actors.

Researchers explain that the rootkit was discovered in firmware images of several Asus and Gigabyte motherboards equipped with an Intel H81 chipset, one of the longest-living Haswell-era chipsets that was finally discontinued in 2020.

Since UEFI firmware is the first piece of code that runs when you turn a computer on, this makes CosmicStrand particularly hard to remove compared to other types of malware. Firmware rootkits are also harder to detect and pave the way for hackers to install additional malware on a target system.

Simply wiping the storage in your PC won't remove the infection, and neither will replacing storage devices altogether. UEFI is essentially a small operating system that lives inside a non-volatile memory chip, usually soldered on the motherboard. This means that removing CosmicStrand requires special tools to reimage the flash chip while the PC is powered off. Anything else would leave your computer in an infected state.

So far, it appears only Windows systems in countries like Russia, China, Iran, and Vietnam have been compromised. However, the UEFI implant has been used in the wild since late 2016, which raises the possibility that this type of infection is more common than previously assumed.

Back in 2017, security firm Qihoo360 discovered what could have been an early variant of CosmicStrand. In more recent years, researchers found additional UEFI rootkits such as MosaicRegressor, FinSpy, ESpecter, and MoonBounce.

As for CosmicStrand, it's a very potent malware that's less than 100 kilobytes in size. Not much is known about how it ended up on the target systems, but the way it works is simple. First, it infects the boot process by setting so-called "hooks" into certain points of the execution flow, thus adding the functionality the attacker needs to modify the Windows kernel loader before it is executed.

From there, the attackers can install another hook in the form of a function in the Windows kernel that is called in a subsequent boot process. This function deploys a shellcode in memory that can contact a command-and-control server and download additional malware on the infected PC.

CosmicStrand can also disable kernel protections like PatchGuard (known as Microsoft Kernel Patch Protection), which is a crucial Windows security feature. There are also some similarities in terms of code patterns between CosmicStrand and malware related to the MyKings botnet, which has been used to deploy cryptominers on victims' computers.

Kaspersky researchers are worried that CosmicStrand may be one of many firmware rootkits that have managed to stay hidden for years. They note that "the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later."

Permalink to story.

 

Plutoisaplanet

Posts: 759   +1,202
So far, it appears only Windows systems in countries like Russia, China, Iran, and Vietnam have been compromised
Wow... Can it be? Is anybody thinking same as me? Can it be?? No... Or yes??
Was literally coming into the comments to suggest the same šŸ¤£
 

quadibloc

Posts: 364   +243
This is a particularly dangerous technique, and now that apparently the good guys have been caught using it, the bad guys will copy it.
Of course, while some motherboards let you flash the BIOS from a memory stick before booting, that still requires the computer to be turned on, so apparently this technique will not be able to be dealt with by that.
But it is clear how motherboard manufacturers can deal with this, going forwards. Have a physical switch among all those connectors on the back of the motherboard. If that switch is set to the off position, the motherboard doesn't boot up - an alternative BIOS, in genuine ROM, not in flash memory, is used, with which to flash the BIOS. Of course, though, some microprocessors have on-chip flash memory for security processors... but if one dedicates a pin on the processor to performing a similar function, even that could be dealt with.
 

bviktor

Posts: 957   +1,401
So far, it appears only Windows systems in countries like Russia, China, Iran, and Vietnam have been compromised
Wow... Can it be? Is anybody thinking same as me? Can it be?? No... Or yes??
"a new firmware rootkit dubbed "CosmicStrand," which is believed to be the work of an unknown group of Chinese malicious actors"
 

kiwigraeme

Posts: 1,196   +872
From my 1 minute reading - except for a cheap media server - most of us won't have this -or business computer built cheap ie we would use for example the z87 . My oldest PC I5 2500K is on an GA-Z77X-D3H MB - that's Ivy - so should be fine
Latest PCs are AMD
 

Uncle Al

Posts: 9,076   +8,106
Hmmmmm ..... perhaps a backward plunge is needed ...... anyone for an analog computer??? :)
 

envirovore

Posts: 510   +948
TechSpot Elite

wiyosaya

Posts: 7,955   +6,999
They note that "the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later."
Really? As if no one could have predicted that a supposed, secure modification like UEFI would be the target of hack attempts? I think the industry was in a deep, deep, deep sleep if they felt that confident of the "improvement".
Some more info on this
Affects the H81 chipset.
Requires physical access to the machine, and an install of another form of malware before installation of this payload.

I can't believe PC gamer of all places has more info on this than here or ArsTechnica (which has far more detail than here about it, and where I first read about it).

https://www.pcgamer.com/uefi-malware-discovered-in-gigabyte-and-asus-h81-motherboard-firmware/
I agree it does not seem likely that the malware gets installed after it leaves the manufacturer, but here's the thing - suppose that somehow, it gets into the manufacturer's hands and they fail to detect it. It seems to me that it would be possible for every H81 MB that goes out the door from the manufacturer to have the malware built-in.
 

envirovore

Posts: 510   +948
TechSpot Elite
Really? As if no one could have predicted that a supposed, secure modification like UEFI would be the target of hack attempts? I think the industry was in a deep, deep, deep sleep if they felt that confident of the "improvement".

I agree it does not seem likely that the malware gets installed after it leaves the manufacturer, but here's the thing - suppose that somehow, it gets into the manufacturer's hands and they fail to detect it. It seems to me that it would be possible for every H81 MB that goes out the door from the manufacturer to have the malware built-in.

While I'm skeptical that's the case as I just feel that would be very difficult to pull off during the chain of the manufacturing process, I suppose it's also not entirely outside the realm of possibility either.

I guess if you really want to take that and run with it though, it'd seem more plausible when taking the affected regions into account *if* manufacturing is being done with localization in mind (US/Euro/Japan markets get one version, China/Russia get a slight reversion), therefore allowing for specific targeted execution and monitoring.

(Edit) though I suppose a switch based on whatever settings are used when the machine is configured to determine localization could be enough as well? I feel like that's make sense, but it's a bit more advanced than my knowledge goes)

I'm doubtful, but wouldn't that be the sh*t if it came to light.
 

Reallyhow

Posts: 94   +198
Really? As if no one could have predicted that a supposed, secure modification like UEFI would be the target of hack attempts? I think the industry was in a deep, deep, deep sleep if they felt that confident of the "improvement".

I agree it does not seem likely that the malware gets installed after it leaves the manufacturer, but here's the thing - suppose that somehow, it gets into the manufacturer's hands and they fail to detect it. It seems to me that it would be possible for every H81 MB that goes out the door from the manufacturer to have the malware built-in.

That's the thing - The UEFI BIOS is built by teams of engineers. If one library / dependency they use is compromised, they're boned. I can't really speak to whether they can review the code of every element they use. You would hope there are people that work at the company who audit the code. Maybe they missed it, maybe they added it. Maybe someone further along the line in distribution added it.

In terms of why software can't detect it - I don't think anything really scans UEFI, and even if it does, software isn't typically advanced enough to step through compiled code which isn't misbehaving
 

Tantor

Posts: 349   +629
The Secure List article doesn't mention Linux. Also they say that you just need to flash the bios.
 

Vanderlinde

Posts: 154   +103
You have to look at the larger picture. Who would benefit from installing such malware into motherboards being distributed among country's or even continents?
 

Gezzer

Posts: 287   +145
Some more info on this
Affects the H81 chipset.
Requires physical access to the machine, and an install of another form of malware before installation of this payload.

I can't believe PC gamer of all places has more info on this than here or ArsTechnica (which has far more detail than here about it, and where I first read about it).

https://www.pcgamer.com/uefi-malware-discovered-in-gigabyte-and-asus-h81-motherboard-firmware/

Actually PC gamer is closely affiliated with Maximum PC which is much more tech orientated. So closely affiliated in fact that when the parent company shut down the Max PC site they simply rolled all it's content and contributors into the PC gamer site.
 

pmshah

Posts: 184   +43
How stupid can people be? It is like using a condom and feeling secure of not getting infected by a know AIDS infected *****.
 

Gastec

Posts: 256   +130
Just another weapon in the ongoing cyber war between China and the West, or better said between Chino-Mongo-Rusland and the rest of the world. And to think these motherboards and chips we are using are MADE IN CHINA, made by the enemy. How smart is that? :)