August 2, 2022
David Redekop

This Week In Nerd News #83 UEFI rootkits expose an ugly truth


Throughout history, war tactics have included information warfare. If you could get people to believe the lies their leadership intended them to believe, you could change a culture to favour the leadership’s priorities. In fact, it has always been one of the most powerful long-term tools in their arsenal. For a modern example, consider the deceived Russians who still believe that the “special military operation” is about freeing Ukrainians: those individuals will not pose a threat to the Kremlin, and might even help it.

So how does this relate to technology?

Well, in computers we have the BIOS, or its more modern successor, which is called UEFI. The operating system has no visibility into what the UEFI code or instructions are. These UEFI instructions simply initialize the hardware, so they are analogous to forming a person’s worldview. It makes sense, then, that this is a high-value target for attackers. If they can compromise the UEFI, the compromise is invisible to the operating system, invisible to applications, and invisible to endpoint security.

Discovery of new UEFI rootkit exposes an ugly truth

The attacks are invisible to us. If this was already in use in 2016, we need to consider what tools the criminals have in 2022. In any case, the good news is that if and when the UEFI code makes a network connection, that is the point at which the threat can be contained and prevented from ever reaching out in the first place.

Turns out they’re not all that rare. We just don’t know how to find them.

Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.

Read More: Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us

Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers

The nature of SEO poisoning makes this a very real threat, and without network-based zero trust defenses, no amount of user education or other mechanisms is likely to defend against it.

The operators of the Gootkit access-as-a-service (AaaS) malware have resurfaced with updated techniques to compromise unsuspecting victims.

“In the past, Gootkit used freeware installers to mask malicious files; now it uses legal documents to trick users into downloading these files,” Trend Micro researchers Buddy Tancio and Jed Valderama said in a write-up last week.

Read More: Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers

Did Russia’s biggest ISP just try and steal Apple network traffic?

This is just another reminder of how vulnerable we still are in the world of BGP. While globally the threat is mitigated to a large degree compared to where we were a year ago, very little actually prevents this type of regional traffic stealing, other than the fact that it is visible, obvious, and gets reported.

Traffic hijack attempt? Or honest mistake?

Russia’s biggest internet services provider has apparently tried to re-route traffic made by Apple service users through its own servers.

Read More: Did Russia’s biggest ISP just try and steal Apple network traffic?

Why CISA wants to release a new version of its Zero Trust Maturity Model

To quote directly from the well-reasoned article: “The anxieties over ransomware threats are so high that 74% of IT decision-makers believe ransomware should be considered a matter of national security.”

As part of the digital transformation race, cloud adoption has continued to accelerate across the enterprise. But despite its growth, the trends show many IT and security leaders are still not confident in their organization’s ability to ensure secure cloud access due to ever-evolving cybersecurity risks.

Read More: Why CISA wants to release a new version of its Zero Trust Maturity Model

Attackers Have ‘Favorite’ Vulnerabilities to Exploit

“Nearly one in three, or 31%, of incidents analyzed by Unit 42 in its 2022 ‘Incident Response Report’ resulted from attackers gaining access to the enterprise environment by exploiting a software vulnerability.” If we analyze the number of zero-days and patches year over year, it’s clear that we haven’t reached peak vulnerability yet. We have work to do!

While attackers continue to rely on older, unpatched vulnerabilities, many are jumping on new vulnerabilities as soon as they are disclosed.

Read More: Attackers Have ‘Favorite’ Vulnerabilities to Exploit

Did you know?

DALL-E 2 is getting some buzz, with people everywhere signing up on the waiting list. It shows how advanced artificial intelligence is becoming in the area of image generation.