UEFI Bootkit | Breaking Cybersecurity News | The Hacker News

The  Glupteba  botnet has been found to incorporate a previously undocumented Unified Extensible Firmware Interface ( UEFI ) bootkit feature, adding another layer of sophistication and stealth to the malware. "This bootkit can intervene and control the [operating system] boot process, enabling Glupteba to hide itself and create a stealthy persistence that can be extremely difficult to detect and remove," Palo Alto Networks Unit 42 researchers Lior Rochberger and Dan Yashnik  said  in a Monday analysis. Glupteba is a fully-featured information stealer and backdoor capable of facilitating illicit cryptocurrency mining and deploying proxy components on infected hosts. It's also known to leverage the Bitcoin blockchain as a backup command-and-control (C2) system, making it  resilient to takedown efforts . Some of the other functions allow it to deliver additional payloads, siphon credentials, and credit card data, perform ad fraud, and even exploit routers to ga...

The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface ( UEFI ) bootkit called  BlackLotus . To that end, the agency is  recommending  that "infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition." BlackLotus is an  advanced  crimeware solution that was first spotlighted in October 2022 by Kaspersky. A UEFI bootkit capable of bypassing Windows Secure Boot protections, samples of the malware have since emerged in the wild. This is accomplished by taking advantage of a known Windows flaw called Baton Drop ( CVE-2022-21894 , CVSS score: 4.4) discovered in vulnerable  boot loaders  not added into the  Secure Boot DBX revocation list . The vulnerability was addressed by Microsoft in January 2022. This loophole could be exploited by threat actors to replace fully patched b...

Are you tired of dealing with outdated security tools that never seem to give you the full picture? You're not alone. Many organizations struggle with piecing together scattered information, leaving your apps vulnerable to modern threats. That's why we're excited to introduce a smarter, unified approach: Application Security Posture Management (ASPM). ASPM brings together the best of both worlds by connecting your code insights with real-time runtime data. This means you get a clear, holistic view of your application's security. Instead of reacting to threats, ASPM helps you prevent them. Imagine reducing costly retrofits and emergency patches with a proactive, shift-left strategy—saving you time, money, and stress. Join Amir Kaushansky, Director of Product Management at Palo Alto Networks, as he walks you through how ASPM is changing the game. In this free webinar , you'll learn to: Close the Security Gaps: Understand why traditional AppSec tools fall short and how ASPM fills ...

A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape. "This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," Slovak cybersecurity company ESET  said  in a report shared with The Hacker News. UEFI bootkits  are deployed in the FAT32 system partition and allow full control over the operating system (OS) boot process, thereby making it possible to disable OS-level security mechanisms and deploy arbitrary payloads during startup with high privileges. Offered for sale at $5,000 (and $200 per new subsequent version), the powerful and persistent toolkit is programmed in Assembly and C and is 80 kilobytes in size. It also features geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine. Details about B...

Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines. Tracked as  CVE-2022-4020 , the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G. The PC maker described the vulnerability as an issue that "may allow changes to Secure Boot settings by creating NVRAM variables." Credited with  discovering  the flaw is ESET researcher Martin Smolár, who previously disclosed  similar bugs  in Lenovo computers. Disabling Secure Boot, an integrity mechanism that guarantees that only trusted software is loaded during system startup, enables a malicious actor to tamper with  boot loaders , leading to severe consequences. This includes  granting  the attacker complete control over the operating system loading process as well as "disable or bypass protections t...

Cybersecurity researchers on Tuesday revealed details of a previously undocumented  UEFI  (Unified Extensible Firmware Interface) bootkit that has been put to use by threat actors to backdoor Windows systems as early as 2012 by modifying a legitimate Windows Boot Manager binary to achieve persistence, once again demonstrating how technology meant to secure the environment prior to loading the operating system is increasingly becoming a "tempting target." Slovak cybersecurity firm ESET codenamed the new malware "ESPecter" for its ability to persist on the EFI System Partition ( ESP ), in addition to circumventing Microsoft Windows Driver Signature Enforcement to load its own unsigned driver that can be used to facilitate espionage activities such as document theft, keylogging, and screen monitoring by periodically capturing screenshots. The intrusion route of the malware remains unknown as yet. "ESPecter shows that threat actors are relying not only on UEFI ...