first sednit uefi rootkit unveiled
play

First Sednit UEFI Rootkit Unveiled Jean-Ian Boutin | Senior Malware - PowerPoint PPT Presentation

May 24, 2023 •32 likes •912 views

First Sednit UEFI Rootkit Unveiled Jean-Ian Boutin | Senior Malware Researcher Frdric Vachon | Malware Researcher Frdric Vachon Malware Researcher @Freddrickk_ Agenda What is Sednit LoJack and Past research Compromised

  1. First Sednit UEFI Rootkit Unveiled Jean-Ian Boutin | Senior Malware Researcher Frédéric Vachon | Malware Researcher

  2. Frédéric Vachon Malware Researcher @Freddrickk_

  3. Agenda • What is Sednit • LoJack and Past research • Compromised LoJack agents • UEFI Rootkit and related tools

  4. Sednit (AKA Fancy Bear/APT28/STRONTIUM/etc) • Espionage group active since the early 2000s • Very visible in the past few years as allegedly behind these notorious hacks

  5. Sednit (AKA Fancy Bear/APT28/STRONTIUM/etc) • Espionage group active since the early 2000s • Very visible in the past few years as allegedly behind these notorious hacks • Democratic National Committee (DNC)

  6. Sednit (AKA Fancy Bear/APT28/STRONTIUM/etc) • Espionage group active since the early 2000s • Very visible in the past few years as allegedly behind these notorious hacks • Democratic National Committee (DNC) • World Anti-Doping Agency (WADA)

  7. Sednit (AKA Fancy Bear/APT28/STRONTIUM/etc) • Espionage group active since the early 2000s • Very visible in the past few years as allegedly behind these notorious hacks • Democratic National Committee (DNC) • World Anti-Doping Agency (WADA) • TV5 Monde • etc

  8. Sednit (AKA Fancy Bear/APT28/STRONTIUM/etc) • Espionage group active since the early 2000s • Very visible in the past few years as allegedly behind these notorious hacks • Democratic National Committee (DNC) • World Anti-Doping Agency (WADA) • TV5 Monde • etc

  9. Sednit (AKA Fancy Bear/APT28/STRONTIUM/etc) • Espionage group active since the early 2000s • Very visible in the past few years as allegedly behind these notorious hacks • Democratic National Committee (DNC) • World Anti-Doping Agency (WADA) • TV5 Monde • etc

  10. Example of phishing email

  11. Computrace/LoJack

  12. Absolute Software

  13. Past Research

  14. Black Hat USA 2009 • Exposed design vulnerabilities in agent

  15. LoJack Architecture back then

  16. Configuration file vulnerability

  17. Configuration file vulnerability

  18. Configuration file vulnerability

  19. Digging in

  20. LoJax - Cat is out of the bag • Found modified small agent • Links old Sednit domains to Lojax domains

  21. Where is the attack?

  22. Where is the attack?

  23. Changed only configuration file? • Almost, and used only one agent version to do so…

  24. Changed only configuration file? • Almost, and used only one agent version to do so… • Bulk detection now possible – time to dive in

  25. The Balkans, Central and Eastern Europe victims • Few organizations hit • Military and diplomatic organizations • Presence of several Sednit tools in the organization

  26. Analyst ramblings

  27. autochk.exe mechanism?

  28. autochk.exe mechanism?

  29. autochk.exe vs. autoche.exe

  30. autochk.exe vs. autoche.exe

  31. autochk.exe vs. autoche.exe

  32. RWEverything • Found on some organizations with LoJax compromise • info_efi.exe

  33. RWEverything • Uefi read tool

  34. RWEverything • Legitimate software using legitimate kernel driver • Not the first time it is reused for other purposes

  35. Did they get there?

  36. Down the rings we go

  37. ReWriter_read.exe • Tool to dump SPI flash memory content found alongside LoJax sample IOCTL code Description 0x22280c Writes to memory mapped I/O space 0x222808 Reads from memory mapped I/O space 0x222840 Reads a dword from given PCI Configuration Register 0x222834 Writes a byte to given PCI Configuration Register

  38. ReWriter_read.exe • Contains *lots* of debug strings • Consists of the following operations • Log information on BIOS_CNTL register • Locate BIOS region base address • Read UEFI firmware content and dump it to a file

  39. ReWriter_binary.exe • Contains *lots* of debug strings • Uses RWEverything’s driver • Consists of the following operations • Add the rootkit to the firmware • Write it back to the SPI flash memory

  40. Patching the UEFI firmware

  41. Unified Extensible Firmware Interface (UEFI) • Replacement for the legacy BIOS • New standard for firmware development • Provides a set of services to UEFI applications • Boot services • Runtime services • No more MBR/VBR

  42. Driver Execution Environment (DXE) Drivers • PE/COFF images • Abstract the hardware • Produce UEFI standard interface • Register new services (protocols) • Loaded during the DXE phase of the Platform initialization • Loaded by the DXE dispatcher (DXE Core)

  43. UEFI firmware layout • Located in the BIOS region of the SPI flash memory • Contains multiple volumes • Volumes contain files identified by GUIDs • File contain sections • One of these sections is the actual UEFI image • It’s more complex than that but it suffices for our purpose

  44. SPI flash memory layout

  45. SPI flash memory layout

  46. SPI flash memory layout

  47. SPI flash memory layout

  48. BIOS region layout

  49. BIOS region layout

  50. BIOS region layout

  51. BIOS region layout

  52. Parsing the firmware volumes • Parses all the firmware volumes of the UEFI firmware • Looks for 4 specific files • Ip4Dxe (8f92960f-2880-4659-b857-915a8901bdc8) • NtfsDxe (768bedfd-7b4b-4c9f-b2ff-6377e3387243) • SmiFlash (bc327dbd-b982-4f55-9f79-056ad7e987c5) • DXE Core

  53. Ip4Dxe and DXE Core • Used to find the firmware volume to install the rootkit • All DXE drivers are usually in the same volume • DXE Core may be in a different volume • The chosen volume will be the one with enough free space available

  54. NtfsDxe and SmiFlash • NtfsDxe the AMI NTFS driver • Will be removed if found • SmiFlash metadata are not used • SmiFlash is a known-vulnerable DXE driver

  55. Adding the rootkit • Creates a FFS file header (EFI_FFS_FILE_HEADER) • Append the Rootkit file • Write it at the end of the DXE drivers volume or the DXE Core volume • Checks if there’s enough free space available

  56. Write the compromised firmware to the SPI Flash memory

  57. BIOS Write Protection Mechanisms • Platform exposes write protection mechanisms • Need to be properly configured by the firmware • We’ll only cover relevant protections to our research • Won’t cover Protected Range Registers • Exposed via the BIOS Control Register (BIOS_CNTL)

  58. BIOS Write Protection Mechanisms • To write to the BIOS region BIOS Write Enable (BIOSWE) must be set to 1 • BIOS Lock Enable (BLE) allows to lock BIOSWE to 0

  59. BIOS Write Protection Mechanisms • To write to the BIOS region BIOS Write Enable (BIOSWE) must be set to 1 • BIOS Lock Enable (BLE) allows to lock BIOSWE to 0

  60. BIOS Write Protection Mechanisms • The implementation of BLE is vulnerable • When BIOSWE is set to 1, its value change in BIOS_CNTL • A System Management Interrupt (SMI) is triggered • The SMI handler sets BIOSWE back to 0 • The SMI handler must be implemented by the firmware

  61. BIOS Write Protection Mechanisms • What if we write to the SPI flash memory before the SMI handler sets BIOSWE to 0? • Race condition vulnerability (Speed racer) • A thread continuously set BIOSWE to 1 • Another thread tries to write data • Works on multicore processors and single core processors with hyper-threading enabled

  62. BIOS Write Protection Mechanisms • Platform Controller Hub family of Intel chipsets introduces a fix for this issue • The firmware must set this bit

  63. BIOS Write Protection Mechanisms • Platform Controller Hub family of Intel chipsets introduces a fix for this issue • The firmware must set this bit

  64. ReWriter_Binary.exe • ReWriter_Binary.exe checks these settings • Checks if the platform is properly configured • Implements the exploit for the race condition

  65. Writing process decision tree

  66. Writing process decision tree

  67. Writing process decision tree

  68. Writing process decision tree

  69. Let’s take a step back • Software implementation to flash firmware remotely • Hacking Team’s UEFI rootkit needed physical access • We extracted the UEFI rootkit • Looked at ESET’s UEFI scanner telemetry • And…

  70. Let’s take a step back • Found the UEFI rootkit in the SPI flash memory of a victim’s machine • First publicly known UEFI rootkit to be used in a cyber-attack

  71. UEFI Rootkit

  72. UEFI Rootkit • DXE Driver loaded by the DXE Dispatcher • File Name • SecDxe • File GUID • 682894B5-6B70-4EBA-9E90-A607E5676297

  73. UEFI Rootkit Workflow

  74. UEFI Rootkit Workflow

  75. UEFI Rootkit Workflow

  76. UEFI Rootkit: SecDxe • Notify function • Installs NTFS driver • Drops autoche.exe and rpcnetp.exe • Patch a value in the Windows Registry

  77. UEFI Rootkit: NTFS driver • NTFS driver needed to get file-based access to Windows’ partition • Hacking Team’s NTFS driver from HT’s leak • NtfsDxe project from vector-edk

  78. UEFI Rootkit: Dropping files

  79. UEFI Rootkit: Dropping files

  80. UEFI Rootkit: Dropping files

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

UEFI is not your enemy Leif Lindholm LinuxTag 2014 Background What is UEFI What is good

UEFI is not your enemy Leif Lindholm LinuxTag 2014 Background What is UEFI What is good

UEFI is not your enemy Leif Lindholm LinuxTag 2014 Background What is UEFI What is good about it? What is bad about it? Final bits Overview UEFI has managed to acquire a bit of a bad reputation in the open source/free software

560 views • 33 slides
LinuxCon Europe UEFI Mini-Summit 7 October 2015 Session 1 UEFI Forum Update and Open

LinuxCon Europe UEFI Mini-Summit 7 October 2015 Session 1 UEFI Forum Update and Open

LinuxCon Europe UEFI Mini-Summit 7 October 2015 Session 1 UEFI Forum Update and Open Source Community Benefits Mark Doran President, UEFI Forum Intel Fellow Agenda About the Forum Current areas of focus Testing and

624 views • 27 slides
JTAG-based UEFI Debug and Trace UEFI 2020 Virtual Plugfest July 14, 2020 Presented by Alan

JTAG-based UEFI Debug and Trace UEFI 2020 Virtual Plugfest July 14, 2020 Presented by Alan

presented by JTAG-based UEFI Debug and Trace UEFI 2020 Virtual Plugfest July 14, 2020 Presented by Alan Sguigna, ASSET InterTech, Inc. www.uefi.org 1 Meet the Presenter Alan Sguigna Vice President, Sales & Customer Service Member

630 views • 16 slides
LinuxCon Europe UEFI Mini-Summit 7 October 2015 Session 3 LUV Shack: An Automated Linux

LinuxCon Europe UEFI Mini-Summit 7 October 2015 Session 3 LUV Shack: An Automated Linux

LinuxCon Europe UEFI Mini-Summit 7 October 2015 Session 3 LUV Shack: An Automated Linux Kernel and UEFI Firmware Testing Infrastructure Matt Fleming, Intel Linux* UEFI Validation Project Started in January 2014 Custom Linux

493 views • 21 slides
Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me

Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me

Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me Software-Consultant ERP, Supply Chain Contributor to U-Boot since 2017 Maintainer of the UEFI sub-system since 02/2019 I Want a Network Drive Many

598 views • 28 slides
Firmware Test Suite - Uses, Development, Contribution and GPL Fall 2017 UEFI Seminar and Plugfest

Firmware Test Suite - Uses, Development, Contribution and GPL Fall 2017 UEFI Seminar and Plugfest

presented by Firmware Test Suite - Uses, Development, Contribution and GPL Fall 2017 UEFI Seminar and Plugfest November 1, 2017 Alex Hung - Canonical Ltd UEFI Plugfest October 2017 www.uefi.org 1 Agenda Introduction Installation

922 views • 31 slides
Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do

Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do

Dont Tell Joanna, The Virtualized Rootkit Is Dead Agenda Who we are and what we do Virtualization 101 Vitriol/Hyperjacking (and other HVM Rootkits) Why detecting HVMs arent as difficult as you think Pro Forma Punditry

428 views • 41 slides
Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit

Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit

Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking

297 views • 17 slides
Setup For Failure: Defea0ng UEFI Secure Boot Corey

Setup For Failure: Defea0ng UEFI Secure Boot Corey

Setup For Failure: Defea0ng UEFI Secure Boot Corey Kallenberg @coreykal Sam Cornwell @ssc0rnwell Xeno Kovah @xenokovah John BuGerworth

1.22k views • 84 slides
Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy

Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy

Evil Maid Just Got Angrier Why Full-Disk Encryption With TPM is Insecure on Many Systems Yuriy Bulygin (@c7zero) CanSecWest 2013 Outline 1 UEFI BIOS Outline 1 UEFI BIOS 2 Measured/Trusted Boot Outline 1 UEFI BIOS 2 Measured/Trusted Boot 3 The

906 views • 90 slides
Physics of Injection-induced Earthquakes Unveiled by Seismic Wave Analysis and Numerical Models

Physics of Injection-induced Earthquakes Unveiled by Seismic Wave Analysis and Numerical Models

Physics of Injection-induced Earthquakes Unveiled by Seismic Wave Analysis and Numerical Models Yihe Huang University of Michigan Injection-induced earthquakes : Earthquakes induced by fluid injection related to energy technologies including

756 views • 32 slides
Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nrnberg, Germany Rootkits Stealthy malware Hide attacker Modifying the OS

674 views • 53 slides
Lifecycle for Firmware Presented by UEFI Forum October 23, 2019 Welcome & Introductions

Lifecycle for Firmware Presented by UEFI Forum October 23, 2019 Welcome & Introductions

How to Create a Secure Development Lifecycle for Firmware Presented by UEFI Forum October 23, 2019 Welcome & Introductions Moderator: Brian Richardson Panelist: Eric Johnson Firmware Ecosystem Development Manager Engineering Manager

423 views • 38 slides
Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop

Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop

Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop Hardware Enablement Team This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License Topics What / why? Pre-kernel:

434 views • 16 slides
Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE

Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE

Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE Server class PowerPC KVM port Nested SVM Founding member of SUSE ARM team Booting on ARM Booting on ARM Boot ROM Booting on ARM Boot

2.09k views • 160 slides
Rootkit-Resistant Disks Stephen McLaughlin CSE 544 - Systems Security, SP 2010 in conjunction

Rootkit-Resistant Disks Stephen McLaughlin CSE 544 - Systems Security, SP 2010 in conjunction

1.07k views • 49 slides
Hybrid 5 tests: Lab characterizatjon and Irradiatjons 20 th internatjonal workshop on DEPFET

Hybrid 5 tests: Lab characterizatjon and Irradiatjons 20 th internatjonal workshop on DEPFET

Hybrid 5 tests: Lab characterizatjon and Irradiatjons 20 th internatjonal workshop on DEPFET detectors and applicatjons 11 th 14 th May 2016, Seeon J. Dingfelder, L. Germic, T. Hemperek, C. Hnig, H Krger, F. Lttjcke, C. Marinas, B.

855 views • 51 slides
Crystal Structure Prediction by Vertex Removal in Euclidean Space Duncan Adamson , Argyrios

Crystal Structure Prediction by Vertex Removal in Euclidean Space Duncan Adamson , Argyrios

Crystal Structure Prediction by Vertex Removal in Euclidean Space Duncan Adamson , Argyrios Deligkas, Vladimir V. Gusev and Igor Potapov University of Liverpool, Department of Computer Science April 4, 2020 What is a Crystal ? Crystals are a

456 views • 29 slides
Nanodomain states of strontium ferrites and their structural transformations Uliana Ancharova

Nanodomain states of strontium ferrites and their structural transformations Uliana Ancharova

Nanodomain states of strontium ferrites and their structural transformations Uliana Ancharova (ISSCM SB RAS) Zakhar Vinokurov (BIC SB RAS) Svetlana Cherepanova (BIC SB RAS) Synchrotron and Free electron laser Radiation: generation and

545 views • 18 slides
SPARKS CH301 ELECTRONS and COMPOUNDS UNIT 2 Day 8 What are we going to learn today? Electron

SPARKS CH301 ELECTRONS and COMPOUNDS UNIT 2 Day 8 What are we going to learn today? Electron

SPARKS CH301 ELECTRONS and COMPOUNDS UNIT 2 Day 8 What are we going to learn today? Electron Configuration and Bonding Employ the concept of resonance Use formal charge to help predict best possible Lewis structure INDIVIDUAL

794 views • 21 slides
Outline for Today Friday, Nov. 2 Chapter 7: Periodic Trends E ff ective Nuclear Charge

Outline for Today Friday, Nov. 2 Chapter 7: Periodic Trends E ff ective Nuclear Charge

Outline for Today Friday, Nov. 2 Chapter 7: Periodic Trends E ff ective Nuclear Charge Atomic Size Ionization Energy Activation Energy Effective Nuclear Charge Why do orbitals with the same principal quantum number, n,

321 views • 21 slides
Me Carbonate Equilibria From Pankow David Reckhow CEE 680 #39 2 1 CEE 680 Lecture

Me Carbonate Equilibria From Pankow David Reckhow CEE 680 #39 2 1 CEE 680 Lecture

CEE 680 Lecture #39 4/6/2020 Print version Updated: 6 April 2020 Lecture #39 Precipitation and Dissolution: Metal Carbonates (Stumm & Morgan, Chapt.7) Benjamin; Chapter 8.7 8.15 David Reckhow CEE 680 #39 1 Me Carbonate

265 views • 5 slides
Print version Updated: 5 April 2020 Lecture #39 Precipitation and Dissolution: Metal Carbonates

Print version Updated: 5 April 2020 Lecture #39 Precipitation and Dissolution: Metal Carbonates

Print version Updated: 5 April 2020 Lecture #39 Precipitation and Dissolution: Metal Carbonates (Stumm & Morgan, Chapt.7) Benjamin; Chapter 8.7-8.15 David Reckhow CEE 680 #39 1 Me-Carbonate Equilibria From Pankow David Reckhow

534 views • 10 slides
Cavity tuning with dielectrics Daniel Bowring, Srinivasulu Gollapudi, Shashank Priya, Chiara

Cavity tuning with dielectrics Daniel Bowring, Srinivasulu Gollapudi, Shashank Priya, Chiara

Cavity tuning with dielectrics Daniel Bowring, Srinivasulu Gollapudi, Shashank Priya, Chiara Salemi, Andrew Sonnenschein, Alvin Tollestrup 2 nd Workshop on Microwave Cavities and Detectors for Axion Research 13 January 2017 Motivation

282 views • 17 slides

More recommend