ESET researchers discovered LoJax, the first UEFI rootkit found in active use. The team showed that Sednit operators used different components of the LoJax malware to reach government organizations.
ESET, a leader in proactive threat detection, announced the discovery of the first cyberattack that uses a UEFI rootkit to infect a victim's device and achieve persistence on it. Named LoJax by ESET, this rootkit is part of the first attack of its kind discovered worldwide and belongs to a campaign by the Sednit cybercriminal group.
UEFI rootkits are very dangerous tools in the world of cybercrime: they allow an attacker to take control of the device independently of the operating system in use, they are difficult to discover, and they can survive even the most common remediation measures used by security departments, such as reinstalling the operating system or replacing the hard drive. In addition, cleaning a system infected by a UEFI rootkit must be carried out by specialized professionals with a high level of expertise.
“We were aware of the existence of UEFI rootkits, but the discovery made by our researchers reveals their use by an active and well-known group of cybercriminals. It is not a proof of concept to show at a security conference, but a real, advanced and persistent threat,” says Josep Albors, director of research and awareness at ESET.
Sednit, also known as APT28, Strontium, Sofacy or Fancy Bear, is the group responsible for the attack. It is a cybercriminal group active since 2004, which the U.S. Department of Justice accused of being responsible for the attack on the Democratic National Committee that took place before the 2016 elections in the United States. The group is also presumed to be behind the attack on the global television network TV5Monde, the World Anti-Doping Agency (WADA) leak, and others around the world.
The discovery of this UEFI rootkit, used as an attack tool for the first time, is a wake-up call to users and organizations that ignore the risks of a hyperconnected world. “This discovery should serve to incorporate, once and for all, regular analysis of the firmware of the devices used in an organization as well. It is true that UEFI attacks are extremely rare and so far limited to the manipulation of the affected device, but an attack like this one can give an attacker complete control of the device with practically total persistence,” Albors adds.
ESET, with the ESET UEFI Scanner, is the only vendor in the security industry that adds to its endpoint solutions a dedicated protection layer specifically designed to detect malicious components in device firmware.