• LoJax: First UEFI rootkit found in wild, implanted in Lojack, possible RUS conn
    33 replies, posted
Security blog (including whitepaper): https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
Article from The Register: https://www.theregister.co.uk/2018/09/28/uefi_rootkit_apt28/
According to infosec biz ESET, a firmware rootkit dubbed LoJax targeted Windows PCs used by government organizations in the Balkans as well as in central and eastern Europe. The chief suspects behind the software nasty are the infamous Fancy Bear (aka Sednit aka Sofacy aka APT28) hacking crew, elsewhere identified as a unit of Russian military intelligence. That's the same Fancy Bear that's said to have hacked the US Democratic Party's servers, French telly network TV5, and others. The malware is based on an old version of a legit application by Absolute Software called LoJack for Laptops, which is typically installed on notebooks by manufacturers so that stolen devices can be found. The code hides in the UEFI firmware, and phones home to a backend server over the internet. Thus, if the computer is nicked, it will silently reveal its current location to its real owner. Essentially, the miscreants compromise a machine, gain administrator privileges, and then try to alter the motherboard firmware to include a malicious UEFI module that, if successful, installs and runs LoJax every time the computer is normally booted. This malicious code thus gets to work before the OS and antivirus tools kick in. Changing the hard drive or reinstalling the operating system is no good – the malware is stored in the system's built-in SPI flash, and reinstalls itself on the new or wiped disk. Once up and alive, LoJax contacts command-and-control servers that are disguised as normal websites and are known to be operated by Russian intelligence. It then downloads its orders to carry out.
We're told by ESET that Secure Boot, if enabled, should stop LoJax from injecting itself into the firmware storage, because the code won't have a valid digital signature and should be rejected during startup. Be aware, though, this requires a sufficiently strong Secure Boot configuration: it has to be able to thwart administrator-level malware with read-write access to the UEFI storage. There are firmware settings that can thwart the flash installation simply by blocking write operations. If BIOS write-enable is off, BIOS lock-enable is on, and SMM BIOS write-protection is enabled, then the malware can't write itself to the motherboard's flash storage. Alternatively, wiping the disk and firmware storage will get rid of this particular rootkit strain. Modern systems should be able to resist malicious firmware overwrites, we're told, although ESET said it found at least one case of LoJax in the PC's SPI flash.
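The three firmware settings the post names (BIOS write-enable, BIOS lock-enable, SMM BIOS write-protection) are bits of one chipset register, BIOS_CNTL, and a practitioner can read it from the OS to see which side of the line a box is on. The following C program is an added example and is not code from the thread, from ESET, or from The Register. It assumes an Intel PCH layout with the LPC bridge at PCI bus 0, device 31, function 0 and BIOS_CNTL at config offset 0xDC (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5); verify those against your chipset datasheet. On Linux it reads the register through sysfs, which only exposes config space past the first 64 bytes to root. The SPI protected-range (PRx) registers and the flash descriptor are separate layers of write protection that this check does not cover.

```c
/* Added example: decode the BIOS_CNTL write-protection bits and read the
 * live value on Linux. Not code from the thread, ESET or The Register.
 * Assumed layout (Intel PCH, LPC bridge D31:F0, BIOS_CNTL at offset 0xDC):
 * check your chipset datasheet before trusting the bit positions. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

#define BIOS_CNTL_OFFSET 0xDC
#define BIOSWE  (1u << 0)  /* BIOS Write Enable: 1 = host software may write the BIOS region */
#define BLE     (1u << 1)  /* BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it */
#define SMM_BWP (1u << 5)  /* SMM BIOS Write Protect: region writable only while all cores are in SMM */

enum wp_state {
    WP_WRITABLE,   /* ring-0 malware can write flash now, or after flipping BIOSWE itself */
    WP_BLE_ONLY,   /* writes trap to an SMI handler but SMM_BWP is off; this setup has known bypasses */
    WP_PROTECTED   /* non-SMM writes are blocked by the chipset; the recommended configuration */
};

enum wp_state classify_bios_cntl(uint8_t v)
{
    if (v & SMM_BWP)
        return WP_PROTECTED;                       /* blocks non-SMM writes regardless of BIOSWE */
    if (v & BLE)
        return (v & BIOSWE) ? WP_WRITABLE : WP_BLE_ONLY;  /* BLE set but BIOSWE already 1: lock failed */
    return WP_WRITABLE;                            /* no BLE: attacker simply sets BIOSWE */
}

const char *wp_state_name(enum wp_state s)
{
    switch (s) {
    case WP_WRITABLE:  return "WRITABLE (flash can be overwritten from the OS)";
    case WP_BLE_ONLY:  return "BLE ONLY (SMI lock without SMM_BWP; bypassable)";
    case WP_PROTECTED: return "PROTECTED (SMM_BWP set)";
    }
    return "UNKNOWN";
}

/* Reads one byte of PCI config space at BIOS_CNTL_OFFSET from a sysfs
 * config file. Returns 0 on success, -1 on any error. Needs root. */
int read_bios_cntl(const char *pci_config_path, uint8_t *out)
{
    int fd = open(pci_config_path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, out, 1, BIOS_CNTL_OFFSET);
    close(fd);
    return n == 1 ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Assumed default path: LPC bridge at 0000:00:1f.0 (Intel PCH). */
    const char *path = argc > 1 ? argv[1] : "/sys/bus/pci/devices/0000:00:1f.0/config";
    uint8_t v;
    if (read_bios_cntl(path, &v) != 0) {
        perror(path);
        return 1;
    }
    printf("BIOS_CNTL=0x%02x BIOSWE=%d BLE=%d SMM_BWP=%d -> %s\n", v,
           !!(v & BIOSWE), !!(v & BLE), !!(v & SMM_BWP),
           wp_state_name(classify_bios_cntl(v)));
    return 0;
}
```

Run it as root; a value of 0x22 (BLE and SMM_BWP set, BIOSWE clear) is the configuration the post describes as blocking the LoJax flash write, while 0x00 or 0x01 means a ring-0 attacker can write the BIOS region without any further trick. BLE without SMM_BWP is reported separately because the protection then rests entirely on an SMI handler clearing BIOSWE in time, which is weaker than the chipset enforcing the block.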
UEFI malware is really neat in that some implementations (e.g. some Chromebooks) require a hardware switch/key combination pressed (with a giant warning shown) to disable the requirement that the UEFI image is signed. Most systems have that on (Secure Boot, as mentioned in the article); there are some older UEFI implementations that either start with Secure Boot off or don't even have it, and I think Windows even does some preliminary checks of the UEFI firmware.
I'm thinking everything pre-Windows 8 doesn't have Secure Boot.
"Increasingly nervous man insists that he still doesn't need to upgrade from Windows 7"
But windows 10 is bad because uh uh hmm
Windows 10 is bad but the alternative is worse.
There is literally nothing wrong with w10 other than the intrinsic issues with Windows.
that's a bit redundant, innit?
I mean, not really. Vista and 8 had a ton of problems that weren't intrinsic windows problems.
How can those problems not be intrinsic to Windows? That's like saying a car with an engine that has a chance to spontaneously explode doesn't have a problem intrinsic to the vehicle because it's "just the engine".
And 10 has plenty of problems that were either introduced with 10 or made worse than previous versions, what's the difference?
What are you saying, exactly? I'm saying that all versions of Windows have some problems that are the same (caused by their legacy stack, these problems are the intrinsic ones), and some versions have version-unique issues. Windows 10 has no version-unique issues that affect a typical user, other than the ones caused by the user interface being transitional (that are getting better with every update). By comparison, Vista had horrible stability and compatibility problems, and 8 had a UI so janky that it was nearly nonfunctional.
It is the engine, because you can replace the engine and get a car that works.. ????? Do you have any kind of non-linear thinking? When you break a single part of something do you go "oh no its fucked" and throw it out?
No, but if I have the BMW with that problem I'll certainly say "yeah, that BMW model has issues". It's really semantics and redundant to say "Windows 10 doesn't have any problems other than the usual Windows problems"; it's still a fucking Windows 10 problem even if it's not unique to it lmao.
also wow fuck you too buddy
Lmao Windows 10 stability is terrible, it has updates that wipe settings and break its own shit, forcing you to reset it if you don't want to bluescreen constantly... after upgrading from a fresh install. After working with numerous W10 PCs I'm convinced the people who claim they've never had an issue are lying about how many of these processes they've actually gone through with W10 or about how long they've actually used it, just because the breakage and mode of breakage is so consistent across different systems. Updates break it because they fired a boatload of testing staff and now they basically rely on regular full reinstalls. On Windows 7 you never needed to reinstall the OS that regularly and even major service pack updates didn't just break shit and require reinstalls or "resets". That makes all of this a Windows 10 specific issue, not to mention the objectively worsened control and privacy issues on W10.
Pretty much forced to use Win10 for new drivers and security, MS will never stop forcing things.
Which features are you talking about?
I have been using Win10 since it launched, on the same PC, never reinstalled it, I have upgraded some hardware, never reinstalled it, it updates when I am sleeping, never reinstalled it. Windows 10 isn't perfect but it's a huge leap forward from 8, and for a consumer or prosumer it works great, in fact I like it more than 7.
My biggest gripe with W10 was automatic updates, but on the only computer I have that has it, eventually the problem fixed itself because the updater randomly fucking broke all on its own with zero user intervention from me. It keeps begging me to fix it. 10/10 coding job, Microsoft https://files.facepunch.com/forum/upload/2014/166bc071-fb8f-4021-aff2-863d8e302d9e/image.png Serious talk, if it weren't for the borderline forced updates and W10 being pushy about using its shit ("[x thing] is faster with Edge" popups, Office 365 or whatever it was promotional messages, etc.) and actively changing my settings without my permission when I would reboot (which could just be a bug, I have no idea) I would have actually switched on my primary computer already. But as long as I have fucking ANYTHING pushed or forced on me like that that Windows 7 doesn't do, that I can't disable without either A. Shelling out extra cash I don't have for Pro version, or B. Lobotomizing half of the OS to manually break the features I don't want, I do not want to touch Windows 10. It's really unfortunate because it would be a very great OS, perhaps better than 7 even, if it weren't for those absolutely destructively annoying flaws. On top of that, I'm painfully aware that it makes my computer not-so-secure running on a barely-anymore-supported OS.
windows 10 isn't bad, it's just subpar. It has so many awesome things going for it but the marketing teams and whatnot are likely the ones dragging it down.
Well even more GPOs have been phased out without official word with no replacement. They're making it more difficult to navigate traditional domain settings in favor of Azure. The stability of the start menu and search indexing is still absolute ass, Windows 7 search indexing was definitely less comprehensive but it was at least consistent. They're removing configuration menus with no real feature parity for the new stuff. Logon services as a whole seems to be far less stable than previous versions of Windows. These are just the issues I've had to deal with today.
Windows 10 functions "well" if you leave everything on default. The moment you try to customize anything, it will find any opportunity to completely break in new and unexpected ways compared to previous versions. I've actually stopped bothering trying to be a power user because of how finicky it is. I guess it gives me better security overall but I'd be lying if I said I wasn't deeply annoyed by it.
I have customized the shit out of it, the trick is disabling all of M$'s bullshit with PS scripts.
If you need to upgrade to Windows 10 but cannot stand all the bullshit (I can't), get a Windows 10 LTSB key on eBay and find the ISO knocking around somewhere. It removes EVERYTHING about Windows 10 that people hate. No Candy Crush, no Minecraft, no Cortana, no Store. If you want to add in things like Store or Edge after the fact, it's possible. It will never force an update on you, never force a restart, never turn settings back on, and you can turn off the telemetry.
I've had an update break everything horribly too often to have the willpower to do that anymore.
I don't know any software admin nor enthusiast who had an end to their bitching about whatever software they're familiar with, save for maybe the CLI guys running void.
It's almost like the software industry cares more about pushing new features than security or stability.
I'm actually currently trying my hand at UEFI bootkits for fun. Really, really interesting stuff. Before people start to say shit about GPT/UEFI, I can assure you it can't be any worse than MBR/BIOS.
In my experience Win10 is 'good enough' for business use, but the more complex your business is and the more software you rely upon you're more likely to run into inexplicable problems. I moved about 200 machines from 7 to 10 but all we used was O365, ERP/CRM software, a handful of CAD installs and basic in-house programs. (Construction company) All the software worked without a hitch really, the big problem for us was a lot of OLD peripherals/printers that simply didn't work with 10 no matter what. We also had a weird problem with the screen auto-lock getting stuck on 1 minute regardless of user settings, which also happened to the IT team's small number of Win8 machines. If I recall right it ended up being a registry issue.