In 2012, the cybersecurity landscape witnessed the emergence of a novel bootkit that shifted the paradigm of attacks on computer systems. Unlike traditional methods that exploited the BIOS or master boot record, this innovative bootkit specifically targeted Mac OS X systems by infiltrating the EFI, a crucial firmware package responsible for initiating the boot process. Meanwhile, a rudimentary bootkit aimed at Windows 8 machines made its debut by compromising the UEFI bootkit, which served as a precursor to the more advanced UEFI.
By 2013, the research community had unveiled a more sophisticated UEFI bootkit for Windows, aptly named Dreamboat, showcasing the rapid evolution of these threats. However, it wasn’t until 2018 that the first documented instance of a real-world attack on UEFI surfaces, marked by the discovery of malware known as LoJax. This malware, a repurposed variant of legitimate anti-theft software LoJack, was attributed to a Kremlin-backed hacking group recognized by various names, including Sednit, Fancy Bear, and APT 28. The installation of LoJax was executed remotely through malware tools capable of reading and overwriting segments of the UEFI firmware’s flash memory.
Fast forward to 2020, when researchers uncovered the second known case of real-world malware targeting UEFI. This particular strain exhibited a unique behavior: upon each reboot of the infected device, its UEFI would verify the presence of a malicious file in the Windows startup folder, and if absent, it would proceed to install it. Dubbed “MosaicRegressor” by the Kaspersky research team that identified it, the origins of the compromised UEFIs remain a mystery. Since then, a series of new UEFI bootkits have emerged, identified by names such as ESpecter, FinSpy, and MoonBounce, further complicating the cybersecurity landscape.
Necessity is the mother of invention
In light of the escalating threat posed by UEFI bootkits, Microsoft has taken proactive measures in collaboration with device manufacturers to establish Secure Boot. This industry-standard protocol employs cryptographic signatures to verify that each piece of firmware loaded during the startup process is trusted by the computer’s manufacturer. The primary objective of Secure Boot is to forge a chain of trust, effectively thwarting attackers from substituting legitimate bootup firmware with malicious alternatives. Should any link in this critical startup chain fail to be recognized, Secure Boot will intervene, preventing the device from initiating, thereby safeguarding users from potential threats.
