ESET discovers first-ever in-the-wild UEFI rootkit

ESET announced that its researchers has discovered a cyberattack that used a UEFI rootkit to establish a presence on the victims’ computers. Dubbed LoJax by ESET, this rootkit was part of a campaign run by the infamous Sednit group against several high-profile targets in Central and Eastern Europe and is the first-ever publicly known attack of this kind.

“Although, in theory we were aware that UEFI rootkits existed, our discovery confirms they are used by an active APT group. So they are no longer just an attractive topic at conferences, but a real threat,” comments Jean-Ian Boutin, ESET senior security researcher who led the research into LoJax and Sednit’s campaign.

UEFI rootkits are extremely dangerous formidable tools for the launch of cyberattacks. They serve as a key to the whole computer, are hard to detect and able to survive cybersecurity measures such as reinstallation of the operating system or even a hard disk replacement. Moreover, even cleaning a system that was infected with a UEFI rootkit requires knowledge well beyond the reach of a typical user, such as flashing the firmware.

Sednit, also known as APT28, STRONTIUM, Sofacy or Fancy Bear, is one of the most active APT groups and has been operating since at least 2004. Allegedly, the Democratic National Committee hack that affected the 2016 US elections, the hacking of global television network TV5Monde, the World Anti-Doping Agency email leak, and many others are believed to be the work of Sednit.

This group has in its arsenal a diversified set of malware tools, several examples of which ESET researchers have documented in their white paper as well as in numerous blogposts on WeLiveSecurity.

In a statement, the company said “the discovery of the first-ever in-the-wild UEFI rootkit serves as a wake-up call for users and their organizations who often ignore the risks connected with firmware modifications.”

“Now there is no excuse for excluding firmware from regular scanning. Yes, UEFI-facilitated attacks are extremely rare, and up to now, they were mostly limited to physical tampering with the target computer. However, such an attack, should it succeed, would lead to the full control of a computer, with nearly total persistence,” comments Jean-Ian Boutin.

ESET claims it is the only major provider of endpoint security solutions to add a dedicated layer of protection, ESET UEFI Scanner, designed to detect malicious components in a PC’s firmware.

“Thanks to the ESET UEFI Scanner, both our consumer and business customers are in a good position to spot such attacks and defend themselves against them,” concludes Juraj Malcho, Chief Technology Officer at ESET.

ESET’s analysis of the Sednit campaign that uses the first-ever in-the-wild UEFI rootkit is described in the detail in the “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group” white paper.