September 27, 2018
New, Stealthy, First-of-its-Kind Malware Used by Fancy Bear to Target Governments, ESET Discovers
ESET announced today that a new cyberattack campaign is underway, run by the
infamous hacking group commonly referred to in the US as Fancy Bear (also
known as Sednit, the name ESET uses for the group). It is the first malware
observed to successfully infect the firmware component of a computer known as
UEFI (the successor to the BIOS), a core and critical component of the
system.
The malware, dubbed "LoJax" by ESET researchers, is the
first-ever in-the-wild UEFI rootkit detected in a cyberattack that
establishes a persistent presence on victims' computers. The LoJax rootkit was
part of a campaign run by Fancy Bear against several high-profile
targets in Central and Eastern Europe and is the first publicly
known attack of this kind.
"Although we were aware in theory that UEFI rootkits existed, our
discovery confirms that they are used by an active advanced persistent
threat group," said Jean-Ian Boutin, the ESET senior security researcher
who led the LoJax research. "These attacks targeting the UEFI are a real
threat, and anyone in the crosshairs of Sednit [Fancy Bear] should be
watching their networks and devices very closely."
UEFI rootkits are extremely dangerous and formidable tools that, we now
know, are used to launch successful cyberattacks. They serve as a key to the
whole computer, are hard to detect and are able to survive even such
drastic remediation measures as reinstalling the operating system or
replacing the hard disk. Moreover, cleaning a system that was
infected with a UEFI rootkit requires knowledge well beyond the reach of
a typical user, such as reflashing the firmware.
Fancy Bear is one of the most active APT groups and has been operating
since at least 2004. The Democratic National Committee hack that
occurred during the 2016 presidential elections, the hacking of global
television network TV5Monde, the World Anti-Doping Agency email leak,
and many others are believed to be the work of Fancy Bear.
This group has in its arsenal a diversified set of malware tools,
several examples of which ESET researchers have documented in their
technical white paper, as well as in numerous blog posts on WeLiveSecurity.
The discovery of this first-ever in-the-wild UEFI rootkit serves as a
wake-up call for those organizations and users who tend to ignore the
risks connected with firmware modifications.
"Now, there is no excuse for excluding firmware from regular scanning,"
said Boutin. "Yes, UEFI-facilitated attacks are extremely rare, and up
to now, they were mostly limited to physical tampering with the target
computer. However, such an attack, should it succeed, would lead to full
control of a computer by the attacker, with nearly total persistence."
ESET is the only major provider of endpoint security solutions to offer
a dedicated layer of protection, "ESET UEFI Scanner," designed to detect
malicious components in a PC's firmware. The UEFI Scanner is included in
all of ESET's latest consumer and business Windows products.
"Thanks to the ESET UEFI Scanner, both our consumer and business
customers are in a good position to spot such attacks and defend
themselves against them," noted Juraj Malcho, chief technology officer
at ESET.
ESET's analysis of the Fancy Bear (or "Sednit," as ESET references the
group in technical documents) campaign that uses the first-ever
in-the-wild UEFI rootkit is described in detail in the "LoJax:
First UEFI rootkit found in the wild, courtesy of the Sednit group"
white paper.
About ESET
For 30 years, ESET® has
been developing industry-leading IT security software and services for
businesses and consumers worldwide. With solutions ranging from endpoint
security to encryption and two-factor authentication, ESET's
high-performing, easy-to-use products give individuals and businesses
the peace of mind to enjoy the full potential of their technology. ESET
unobtrusively protects and monitors 24/7, updating defenses in real time
to keep users safe and businesses running without interruption. Evolving
threats require an evolving IT security company. Backed by R&D
facilities worldwide, ESET became the first IT security company to earn 100
Virus Bulletin VB100 awards, identifying every single "in-the-wild"
malware without interruption since 2003. For more information, visit www.eset.com or
follow us on LinkedIn, Facebook and Twitter.
View source version on businesswire.com: https://www.businesswire.com/news/home/20180927005126/en/