What to Know About Unified Extensible Firmware Interface (UEFI) Hidden Spyware

Four-minute read

Some cyberattack methods are well-known. Both IT professionals and regular employees know to be alert for phishing scams, suspicious attachments and compromised USB drives. Cybersecurity teams guard company networks against more sophisticated schemes, like supply chain attacks. They monitor systems and machines and deploy antivirus software to sniff out malware. If malware is found or suspected on a device, a hard drive reformat and reinstall can wipe clean any infection… or so we thought until Unified Extensible Firmware Interface (UEFI) infiltration came along.

The efforts listed here are effective against most cyberattacks, but determined attackers have developed methods that evade both traditional defenses and the popular wipe-and-reload remedy: they hide spyware in the Unified Extensible Firmware Interface (UEFI) firmware of company laptops. This type of spyware is rare, but researchers recently found malware implanted in the UEFI firmware of some Windows 10 business machines.

Read on to find out everything you need to know about hidden UEFI spyware.

A Clever Firmware Attack

The UEFI is the pre-boot environment that runs before the operating system. It is stored in a flash memory chip on the motherboard rather than on the hard disk or solid-state drive. The recently discovered UEFI spyware uses that position to deliver hacking tools or malware directly onto the infected computer's operating system as it boots. Those tools can steal documents, log keystrokes to capture passwords and exfiltrate the stolen information over the internet.

Hiding malware in the UEFI firmware is particularly effective because antivirus and anti-malware software runs inside the operating system and generally cannot scan the flash chip the firmware lives on. UEFI malware evades both traditional detection methods and standard remediation practices because it is stored in firmware, outside the operating system. The implant found in the recent attack can reinstall its hacking tools on the operating system at every boot, so even if those tools are found and removed, they come back. A concerning consequence is that the malware also survives a wipe and reload of the machine, and even a swap of the hard drive, because it never lived on the drive at all.

The good news is that loading malware into a machine's UEFI firmware is hard. The modified firmware image has to be built for a specific machine model. For example, a malicious image intended for the UEFI of a Dell Latitude E6320 would only work on that model and no other. Writing the image is also difficult: to get a modified firmware image into the flash chip, the attacker has to abuse the firmware update mechanism (a BIOS flash) or gain physical access to the chip itself. Firmware that accepts only vendor-signed updates and write-protects its flash chip raises the bar further. Firmware updates aren't everyday activities and are generally performed by IT teams rather than users, which is another reason these extremely effective UEFI attacks are rare.

State-Sponsored Groups Behind UEFI Spyware

UEFI spyware attacks require custom-written hacking tools and determined efforts to infect victims' machines. So far, all publicly documented attacks of this type have come from state-sponsored hacking groups with specific, high-value targets.

A UEFI attack discovered in 2018 is suspected of having come from Russian state-sponsored hackers. More recently, UEFI spyware victims were people associated with African, Asian and European diplomatic entities and NGOs. Based on clues in the malware code, experts suspect the attack came from a group sponsored by North Korea.

UEFI Cybersecurity Best Practices

Depending on your industry, it may be unlikely that you will be targeted by a state-sponsored UEFI attack. However, it’s always a good idea to follow best practices when working on your own machines or those of your customers. Here are some simple but effective ways to protect against UEFI attacks.

Ensure Your Machines Are Running Legitimate Firmware Versions
When you download new firmware or drivers to install on a machine, check that the files are digitally signed by the manufacturer to ensure authenticity. If they are not signed, compare the file's hash value with the hash the vendor publishes and make sure they match; a published hash catches a corrupted or tampered download, but it is only as trustworthy as the page you obtained it from, so prefer a signature whenever one is available. Taking these steps significantly reduces the risk that you are running firmware infected with malware.
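Because a UEFI implant lives in the flash chip rather than on disk, the check that actually answers "is this machine running the vendor's firmware?" is to dump the chip and compare it with the vendor's image, not to trust an in-OS antivirus scan. The script below is an added example written for this article; it is not designDATA's or any hardware vendor's tool. It assumes you already have two files, the vendor's firmware image together with the SHA-256 the vendor publishes for it, and a dump of the machine's SPI flash taken with a tool such as CHIPSEC or flashrom, and that both share the same layout so firmware volumes can be matched by offset. A whole-file hash is the wrong comparison, because the NVRAM variable store changes on every boot, so the script walks the UEFI firmware volume headers and compares each volume separately, ignoring the variable store. The two sample images at the bottom are constructed in-line (they are not real firmware) so the example runs offline.

```python
"""Compare a dumped UEFI flash image with the vendor's image, volume by volume.

Added example for this article (not vendor or designDATA tooling). Assumes the
vendor image and the SPI flash dump share the same layout.
"""
import hashlib
import hmac
import struct
import uuid

# EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec, Vol. 3), little-endian:
#   ZeroVector[16], FileSystemGuid[16], FvLength u64, Signature "_FVH",
#   Attributes u32, HeaderLength u16, Checksum u16, ExtHeaderOffset u16,
#   Reserved u8, Revision u8, followed by a BlockMap terminated by (0, 0).
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)   # 56 bytes
FV_SIGNATURE = b"_FVH"
SIG_OFFSET = 0x28                                 # where "_FVH" sits in the header

# Well-known file-system GUIDs (EDK II names).
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")   # code volumes
NVRAM_GUID = uuid.UUID("fff12b8d-7696-4c8b-a985-2747075b4f50")  # variable store
VOLATILE_VOLUMES = {NVRAM_GUID}   # expected to differ from the vendor image


def header_checksum_ok(header: bytes) -> bool:
    """The 16-bit words of a valid FV header sum to zero (mod 2**16)."""
    if len(header) % 2:
        return False
    return sum(struct.unpack("<%dH" % (len(header) // 2), header)) % 0x10000 == 0


def find_volumes(image: bytes):
    """Yield (offset, filesystem_guid, length) for each plausible firmware volume."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + FV_HEADER_SIZE <= len(image):
            (_, guid_le, fv_len, _, _, hdr_len, _, _, _, _) = struct.unpack_from(
                FV_HEADER_FMT, image, start)
            if (FV_HEADER_SIZE <= hdr_len <= fv_len and start + fv_len <= len(image)
                    and header_checksum_ok(image[start:start + hdr_len])):
                yield start, uuid.UUID(bytes_le=guid_le), fv_len
                pos = image.find(FV_SIGNATURE, start + fv_len)  # skip the volume body
                continue
        pos = image.find(FV_SIGNATURE, pos + 1)  # stray signature, keep scanning


def volume_hashes(image: bytes) -> dict:
    """Map (offset, guid) -> SHA-256 of the whole volume, header included."""
    return {(off, guid): hashlib.sha256(image[off:off + length]).hexdigest()
            for off, guid, length in find_volumes(image)}


def compare_images(vendor: bytes, dump: bytes) -> list:
    """Return findings; an empty list means the dump matches the vendor image."""
    ref, got = volume_hashes(vendor), volume_hashes(dump)
    findings = []
    for (off, guid), digest in got.items():
        if (off, guid) not in ref:
            findings.append(f"unexpected volume at 0x{off:x} ({guid})")
        elif digest != ref[(off, guid)] and guid not in VOLATILE_VOLUMES:
            findings.append(f"modified volume at 0x{off:x} ({guid})")
    for off, guid in ref.keys() - got.keys():
        findings.append(f"missing volume at 0x{off:x} ({guid})")
    return sorted(findings)


def vendor_image_verified(image: bytes, published_sha256: str) -> bool:
    """Step one: the reference image itself must match the vendor's published hash."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), published_sha256.lower())


# ---- constructed sample data (not real firmware) ---------------------------

def make_volume(guid: uuid.UUID, body: bytes, block_size: int = 0x1000) -> bytes:
    """Build a minimal, checksum-valid firmware volume around `body`."""
    header_len = FV_HEADER_SIZE + 16          # one block-map entry plus terminator
    total = -(-(header_len + len(body)) // block_size) * block_size

    def build(checksum: int) -> bytes:
        hdr = struct.pack(FV_HEADER_FMT, b"\0" * 16, guid.bytes_le, total,
                          FV_SIGNATURE, 0x0004FEFF, header_len, checksum, 0, 0, 2)
        return hdr + struct.pack("<IIII", total // block_size, block_size, 0, 0)

    words = struct.unpack("<%dH" % (header_len // 2), build(0))
    return build((-sum(words)) & 0xFFFF) + body.ljust(total - header_len, b"\xff")


CLEAN_CODE = b"DXE drivers as shipped by the vendor"
IMPLANT = CLEAN_CODE + b"\x00EVIL_DXE_DROPPER"    # one extra driver in the code volume
VENDOR_IMAGE = (b"\xff" * 0x100 + make_volume(FFS2_GUID, CLEAN_CODE)
                + make_volume(NVRAM_GUID, b"Boot0000=..."))
VENDOR_PUBLISHED_SHA256 = hashlib.sha256(VENDOR_IMAGE).hexdigest()  # stands in for the vendor's page
CLEAN_DUMP = (b"\xff" * 0x100 + make_volume(FFS2_GUID, CLEAN_CODE)
              + make_volume(NVRAM_GUID, b"Boot0000=...;BootOrder=1"))   # only NVRAM churn
INFECTED_DUMP = (b"\xff" * 0x100 + make_volume(FFS2_GUID, IMPLANT)
                 + make_volume(NVRAM_GUID, b"Boot0000=...;BootOrder=1"))

if __name__ == "__main__":
    assert vendor_image_verified(VENDOR_IMAGE, VENDOR_PUBLISHED_SHA256)
    print("clean machine   :", compare_images(VENDOR_IMAGE, CLEAN_DUMP) or "OK")
    print("infected machine:", compare_images(VENDOR_IMAGE, INFECTED_DUMP))
```

On a real dump the vendor image and the chip contents will also differ in the flash descriptor and management-engine regions, and some vendors pad or capsule-wrap their update files, so expect to extract the BIOS region from both before comparing; the per-volume approach still applies. A volume that differs and is not the variable store is the thing to hand to incident response, not something to "clean" in place.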

Regularly Reflash Pre-Boot Environments of High-Profile Or Vulnerable Machines
If you suspect malware on a machine, go beyond wiping and reloading the hard drive with a fresh copy of the operating system and add a reflash of the firmware to your wipe-and-reload procedure. Flashing the pre-boot environment with a digitally signed image from the device manufacturer overwrites anything living there (essentially a wipe-and-reload of the firmware in addition to the hard drive). Flash from clean, verified media rather than from the operating system you suspect, and if there is reason to believe the implant could interfere with the update process itself, have the flash chip reprogrammed externally. You can also perform this step when traveling users return from high-risk countries, as part of the cleaning process for that device.

Leave Updates to Your IT Services Team
Employees often decide to "save time" by installing software and updates on their own. Users are much less likely to follow your security and validation procedures: checking that an update is relevant, meaningful, compatible with current systems and digitally signed by the hardware or software manufacturer. Skipping those procedures makes it much more likely that they install illegitimate updates carrying spyware, ransomware or other malware you don't want on your systems. Provide cybersecurity awareness training to reinforce that your team should rely on the IT department or provider for software patches and updates, and stress that they should not install these things independently.

Secure IT Solutions

Maintaining good cybersecurity requires time, people, resources and constant vigilance. At designDATA, we do the hard work of keeping up with all the latest cyberattack methods and the most effective cybersecurity solutions to protect our customers from cybercrime. Check out our free cybersecurity resources for some great steps you can take to protect your organization.

Require Relevant Cybersecurity Awareness Training
Train employees on relevant security topics such as "how to recognize phishing attacks," "proper password management" and "company cybersecurity best practices." Adequate training resources are available, and leaders should make sure their employees participate regularly.

Ready to take the next step? Let’s connect! Book a Security Assessment with one of our cybersecurity experts to see how we can help you.
