Last week someone hacked the infamous Hacking Team, the Italy-based cyber weapons manufacturer, and leaked a huge trove of 400GB of internal data, including:
- Emails
- Hacking tools
- Zero-day exploits
- Surveillance tools
- Source code for Spyware
- A spreadsheet listing every government client with date of purchase and amount paid
Hacking Team is known for its advanced and sophisticated Remote Control System (RCS) spyware, also known as Galileo, which is loaded with lots of zero-day exploits and has the ability to monitor the computers of its targets remotely.
Today, Trend Micro security researchers found that the Hacking Team "uses a UEFI (Unified Extensible Firmware Interface) BIOS Rootkit to keep their Remote Control System (RCS) agent installed in their targets' systems."
That means that even if the user reinstalls the operating system, formats the hard disk, or even buys a new hard disk, the agent is implanted again after Microsoft Windows is up and running, because the rootkit lives in the firmware rather than on the disk.
According to the researchers, Hacking Team's rootkit malware is only able to target UEFI BIOS firmware developed by the vendors Insyde and AMI, which is used by the majority of computer and laptop manufacturers.
However, at this time the researchers are not sure whether the malware can complete the rootkit installation without physical access to the target machine, as the installation requires a BIOS flashing process that can't be done without rebooting the machine into a UEFI shell.
The BIOS rootkit analysis by Trend Micro researchers was only made possible by the spyware source code leaked online in the Hacking Team data dumps.
So far, three Adobe Flash zero-day vulnerabilities and an Android zero-day exploit have been discovered in the leaked Hacking Team files, and this BIOS rootkit sheds more light on the team's activities.
The affected victims are not yet known. However, to keep yourself safe, we recommend that you always keep your BIOS up to date and protect it by enabling a password. Also, make sure to enable UEFI SecureFlash so that the firmware only accepts signed updates.