Thursday, October 7, 2021

A couple of thoughts about the recent UEFI bootkit discoveries

So, anyway, you've probably noticed that two "new" UEFI bootkits were announced in the last couple of weeks. One is ESPecter (so named by our friends at ESET), and the other is FinSpy.

ESPecter has roots that go back to 2014-ish, but the main difference now is that its authors have found a way to bypass signature checking and to gain persistence in the EFI System Partition (ESP)... not quite in the firmware, but a separate partition on disk that is not easy to look at.

Whenever I see something like that, I think, "Wait ... if this gang has found a way to bypass signature checking, how do we know that this is the only version of the bootkit?" After all, they've had six or seven years to work on this.

The answer to this question, of course, is that we don't know. Not many people/products look at the system partition.
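One cheap way to start looking, as an added example (not from the post or from either vendor's research): snapshot the files on the mounted ESP into a hash manifest and diff a fresh scan against it, so a replaced boot manager or a dropped extra .efi stands out. The mount path and the file contents below are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256} for every file under root (e.g. a mounted ESP)."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_manifest(baseline, current):
    """Compare a saved baseline manifest with a fresh scan of the same partition."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed walk-through: a clean ESP, then the same ESP after tampering."""
    # Stand-in for a mounted ESP; on a real host this is a path like /boot/efi
    with tempfile.TemporaryDirectory() as esp:
        boot = Path(esp, "EFI", "Microsoft", "Boot")
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"MZ original boot manager")
        baseline = hash_tree(esp)  # taken on a known-good system, stored off-disk
        # Simulate what a tampered ESP looks like: patched boot manager, extra driver
        (boot / "bootmgfw.efi").write_bytes(b"MZ patched boot manager")
        (boot / "driver.efi").write_bytes(b"MZ extra driver")
        return diff_manifest(baseline, hash_tree(esp))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the machine being checked cannot rewrite it, and pair this with a firmware-level check: a bootkit that lives in SPI flash rather than on the ESP will not show up here.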

FinSpy is interesting from another angle.

FinSpy was originally developed by the Hacking Team, which was doxxed in 2016. Among the documents leaked was the source code to their VectorEdk UEFI rootkit (the product known as FinSpy). The Hacking Team's business model was to sell their product to law enforcement and government bodies, a la NSO with Pegasus. This doxxing effectively killed the Hacking Team business, but it has now resurfaced with a new and improved FinSpy, which is what the folks at Kaspersky found.

Now, that's all very well, but the thing that concerns me is that the source code to VectorEdk/FinSpy is still freely available for download on GitHub.

Does anyone really believe that this single company/group will be the only one to have developed new versions of this rootkit?

If anyone does believe that, I would like to sell you some ocean front property in Arizona. It's very cheap, and a bargain. ;)

Heads up, folks. Something evil, this way comes.

Please pay attention to your firmware.