I want my write protect jumper back.
Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.
While researchers from fellow security firm Qihoo360 reported on an earlier variant of the rootkit in 2017, Kaspersky and most other Western-based security firms didn’t take notice. Kaspersky’s newer research describes in detail how the rootkit—found in firmware images of some Gigabyte or Asus motherboards—is able to hijack the boot process of infected machines. The technical underpinnings attest to the sophistication of the malware.
I want my write protect jumper back.Me too. Its such a ridiculously simple solution to bios security.
I want my write protect jumper back.
Perhaps it is time to throw some love towards coreboot, then?
Perhaps it is time to throw some love towards coreboot, then?I have few expectations and hopes for the x86 (aka Wintel) platform future
(..)
But yeah, ARM in particular is in a much better position, wrt. implementations that push their support upstream to mainline Linux, and do not rely on binary blobs. There are surprisingly many of them.
(.)
My reading is the rootkit is on the SPI flash containing the UEFI bootstrapper. So how did it get onto the SPI flash in the first place? Seems more of a state sponsored firmware upgrade in the supply chain, rather than the homework of some random hacksters.
I want my write protect jumper back.
Me too. Its such a ridiculously simple solution to bios security.
If I were to think about how to efficiently separate computation and display rendering with a concise compositor/protocol, I'd definitely start by looking at what OpenGL ES 2.0 provides, as that's what Mali 400/450 supports.)
My reading is the rootkit is on the SPI flash containing the UEFI bootstrapper. So how did it get onto the SPI flash in the first place? Seems more of a state sponsored firmware upgrade in the supply chain, rather than the homework of some random hacksters.
Affected devices
Although we were unable to discover how the victim machines were infected initially, an analysis of their hardware sheds light on the devices that CosmicStrand can infect. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset. This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware’s image.
In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows.
Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware. This could be achieved through a precursor malware implant already deployed on the computer or physical access (i.e., an evil maid attack scenario). Qihoo’s initial report indicates that a buyer might have received a backdoored motherboard after placing an order at a second-hand reseller. We were unable to confirm this information.
I would be interested to know where those mobos where manufactured. One supply chain 'overlap' for both Asus and Gigabyte is Taiwan; a territory that China has long wanted to annex. But as Qihoo suggests, there may be a bad actor in the retail chain.
I would be interested to know where those mobos where manufactured. One supply chain 'overlap' for both Asus and Gigabyte is Taiwan; a territory that China has long wanted to annex. But as Qihoo suggests, there may be a bad actor in the retail chain.i got my mobo in 2015, if the rootkit came from factory, i'm not sure its effectiveness on newer windows10/11. i did upgrade the firmware some years ago, if the rootkit is embedded in the image file, there must be a way of detecting it... but then, its not my normal joe skill. i'll keep my faith on my avast antivirus... most importantly the rootkit will call home to its C2 server to get its payload, i think we can detect if our PC will try to call that server right? as long as it doesnt touch my personal files, i think i wont worry too much...
So is this a threat? Only if that C2 server is hot.
Any of you PC geeks know of a BIOS probe toolkit that can hex dump the flash without opening the case?
I want my write protect jumper back.
I want my write protect jumper back.I'm not very familiar with those Flash chips used to store BIOS code, I guess hardware write protection and QPI operation maybe not compatible.
only if they have access to your PC or you click the firmware update from manufacturer through uefi bios utility.