manilastandard.net

More elusive, persistent: Third-known firmware bootkit shows major advancement

by Manila Standard Digital
January 24, 2022, 6:20 pm
in Tech Plus, Technology

Kaspersky’s researchers have uncovered the third known case of a firmware bootkit in the wild. Dubbed MoonBounce, the malicious implant hides inside the computer’s Unified Extensible Firmware Interface (UEFI) firmware, which is stored in SPI flash, a chip on the mainboard separate from the hard drive. Implants at this level are notoriously difficult to remove and are invisible to most security products.

Having first appeared in the wild in the spring of 2021, MoonBounce demonstrates a sophisticated attack flow, with clear advances over previously reported UEFI firmware bootkits. Kaspersky researchers attribute the attack with considerable confidence to the well-known advanced persistent threat (APT) actor APT41.

UEFI firmware is a critical component of the vast majority of machines: its code runs first at power-on, initializes the hardware and passes control to the software that loads the operating system. The firmware lives in SPI flash, non-volatile storage on the mainboard that is separate from the hard disk. Malicious code inserted into the firmware therefore runs before the operating system and before any security software, and it cannot be removed simply by reformatting the hard drive or reinstalling the OS. Because the code sits outside the disk, most security products never see it unless they include a feature that specifically reads and scans the contents of the SPI flash.

MoonBounce is only the third reported UEFI bootkit found in the wild. It appeared in the spring of 2021 and was first discovered by Kaspersky researchers when looking at the activity of their Firmware Scanner, which has been included in Kaspersky products since the beginning of 2019 to specifically detect threats hiding in the ROM BIOS, including UEFI firmware images. When compared to the two previously discovered bootkits, LoJax and MosaicRegressor, MoonBounce demonstrates significant advancement with a more complicated attack flow and greater technical sophistication. 

The implant sits in CORE_DXE, a firmware component that runs early in the UEFI boot sequence. Through a series of hooks that intercept certain functions, the implant’s components propagate into the operating system, where they contact a command-and-control server to fetch further malicious payloads; the researchers were unable to retrieve those payloads. Notably, the infection chain leaves no traces on the hard drive: its components operate in memory only, giving a fileless attack with a very small footprint.

While analyzing MoonBounce, Kaspersky researchers uncovered several malicious loaders and post-exploitation tools across several nodes of the same network:

  • ScrambleCross (also known as Sidewalk), an in-memory implant that communicates with a C2 server to exchange information and execute additional plugins;
  • Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and other security secrets;
  • a previously unknown Golang-based backdoor; and
  • Microcin, malware typically used by the SixLittleMonkeys threat actor.

The exact infection vector remains unknown; the researchers assume the firmware was modified through remote access to the targeted machine. Where LoJax and MosaicRegressor added their own DXE drivers to the firmware image, MoonBounce modifies an existing firmware component, which is subtler and stealthier: a scan that only looks for unexpected additional modules would not flag it, since the module list, and even the module sizes, stay the same.
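The following Python script is an added example, not code from Kaspersky’s Firmware Scanner or from the MoonBounce report. It shows the comparison a firmware integrity check has to make to catch the in-place modification described above: parse the files of a UEFI firmware volume (FFS), hash each one, and diff the inventory against a golden image by file GUID, so that a module patched in place (same GUID, same size) is reported just like an added module. The module GUIDs, file bodies and both images are constructed test data, and the parser handles only a single uncompressed FFS2 volume; a real SPI dump contains several volumes, compressed sections and vendor-specific GUIDs, and needs a full parser such as UEFITool or uefi-firmware-parser.

```python
"""Inventory and diff the files of a UEFI firmware volume (FFS) image.

Added example (not Kaspersky's or the report's code). Golden image and
dumps below are constructed in memory; real dumps come from SPI flash
(chipsec, flashrom or a hardware programmer).
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2
FV_HEADER_LEN = 72   # 56-byte header + one block-map entry + terminator
FFS_HEADER_LEN = 24
FFS_TYPE_NAMES = {0x01: "RAW", 0x05: "PEIM", 0x07: "DRIVER", 0x09: "APPLICATION", 0xF0: "PAD"}
# Hypothetical module GUIDs for the example; real ones are vendor specific.
CORE_DXE_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SETUP_GUID = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
ROGUE_GUID = uuid.UUID("deadbeef-dead-beef-dead-beefdeadbeef")


def build_ffs_file(guid: uuid.UUID, ftype: int, body: bytes) -> bytes:
    """Serialise one FFS file (24-byte header + body), padded to 8 bytes."""
    size = FFS_HEADER_LEN + len(body)
    # Header checksum: the 24 header bytes, with the file checksum and
    # state bytes zeroed, must sum to 0 mod 256.
    hdr = bytearray(guid.bytes_le + b"\x00\x00" + bytes([ftype, 0x00])
                    + size.to_bytes(3, "little") + b"\x00")
    hdr[16] = (-sum(hdr)) & 0xFF
    hdr[17] = 0xAA   # FFS_FIXED_CHECKSUM: body is not checksummed
    hdr[23] = 0xF8   # header+data valid bits, stored inverted (erase polarity 1)
    blob = bytes(hdr) + body
    return blob + b"\xFF" * (-len(blob) % 8)


def build_firmware_volume(files: list[bytes], block_size: int = 0x1000) -> bytes:
    """Wrap FFS files in a minimal EFI_FIRMWARE_VOLUME_HEADER."""
    payload = b"".join(files)
    total = FV_HEADER_LEN + len(payload)
    total += -total % block_size
    hdr = bytearray(struct.pack("<16s16sQ4sIHHHBB", b"\x00" * 16, FFS2_GUID.bytes_le,
                                total, FV_SIGNATURE, 0x0004FEFF, FV_HEADER_LEN, 0, 0, 0, 2))
    hdr += struct.pack("<IIII", total // block_size, block_size, 0, 0)  # block map
    words = struct.unpack("<36H", bytes(hdr))
    struct.pack_into("<H", hdr, 50, (-sum(words)) & 0xFFFF)  # 16-bit header checksum
    image = bytes(hdr) + payload
    return image + b"\xFF" * (total - len(image))  # erased free space


def parse_firmware_volume(image: bytes) -> dict[str, dict]:
    """Walk the FFS files; return {guid: {type, offset, size, sha256, header_ok}}."""
    if image[40:44] != FV_SIGNATURE:
        raise ValueError("no _FVH signature: not a firmware volume")
    fv_length, = struct.unpack_from("<Q", image, 32)
    header_length, = struct.unpack_from("<H", image, 48)
    end = min(fv_length, len(image))
    files, off = {}, header_length
    while off + FFS_HEADER_LEN <= end:
        hdr = image[off:off + FFS_HEADER_LEN]
        if hdr == b"\xFF" * FFS_HEADER_LEN:   # erased space: no more files
            break
        size = int.from_bytes(hdr[20:23], "little")
        if size < FFS_HEADER_LEN or off + size > end:
            raise ValueError(f"corrupt FFS header at offset {off:#x}")
        check = bytearray(hdr)
        check[17] = check[23] = 0
        ftype = hdr[18]
        if ftype != 0xF0:   # skip pad files
            files[str(uuid.UUID(bytes_le=hdr[:16]))] = {
                "type": FFS_TYPE_NAMES.get(ftype, f"0x{ftype:02x}"),
                "offset": off, "size": size,
                "sha256": hashlib.sha256(image[off + FFS_HEADER_LEN:off + size]).hexdigest(),
                "header_ok": sum(check) & 0xFF == 0,
            }
        off += size
        off += -off % 8
    return files


def diff_inventories(golden: dict, dump: dict) -> list[tuple[str, str, str]]:
    """Report (kind, guid, type) for files added, removed or modified vs. golden."""
    findings = []
    for guid in sorted(set(golden) | set(dump)):
        if guid not in golden:
            findings.append(("added", guid, dump[guid]["type"]))
        elif guid not in dump:
            findings.append(("removed", guid, golden[guid]["type"]))
        elif golden[guid]["sha256"] != dump[guid]["sha256"]:
            findings.append(("modified", guid, golden[guid]["type"]))
    return findings


def build_demo_images() -> tuple[bytes, bytes, bytes]:
    """Constructed golden image plus two tampered variants."""
    core_dxe = build_ffs_file(CORE_DXE_GUID, 0x07, b"MZ" + b"CORE_DXE body (constructed)" + b"\x00" * 64)
    setup = build_ffs_file(SETUP_GUID, 0x09, b"MZ" + b"Setup application (constructed)")
    golden = build_firmware_volume([core_dxe, setup])
    # LoJax / MosaicRegressor pattern: an extra DXE driver appended to the volume.
    rogue = build_ffs_file(ROGUE_GUID, 0x07, b"MZ" + b"rogue driver (constructed)")
    added = build_firmware_volume([core_dxe, setup, rogue])
    # MoonBounce pattern: CORE_DXE patched in place, same GUID and same size.
    patched = bytearray(core_dxe)
    patched[FFS_HEADER_LEN + 2:FFS_HEADER_LEN + 6] = b"HOOK"
    modified = build_firmware_volume([bytes(patched), setup])
    return golden, added, modified


if __name__ == "__main__":
    golden, added, modified = build_demo_images()
    baseline = parse_firmware_volume(golden)
    for label, image in (("added-driver dump", added), ("patched-CORE_DXE dump", modified)):
        for kind, guid, ftype in diff_inventories(baseline, parse_firmware_volume(image)):
            print(f"{label}: {kind} {ftype} {guid}")
```

The golden image should be the vendor’s signed update capsule or a dump taken when the machine was deployed, not a dump taken after an incident. A check that only counts modules or compares file sizes passes the patched image; only hashing each file’s contents reports it, which is why the "modified" finding is the one that matters for a MoonBounce-style implant.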

In the overall campaign against the network in question, the attackers carried out a wide range of actions, such as archiving files and gathering network information. The commands they used suggest an interest in lateral movement and data exfiltration, and, given that a UEFI implant was deployed, the attackers were most likely after long-term espionage access.

Kaspersky researchers have attributed MoonBounce with considerable confidence to APT41, which has been widely reported to be a Chinese-speaking threat actor that’s conducted cyberespionage and cybercrime campaigns around the world since at least 2012. In addition, the existence of some of the aforementioned malware in the same network suggests a possible connection between APT41 and other Chinese-speaking threat actors. 

So far, the firmware bootkit has only been found in a single case. However, other affiliated malicious samples (e.g. ScrambleCross and its loaders) have been found on the networks of several other victims.

“While we can’t definitely connect the additional malware implants found during our research to MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one another to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin,” adds Denis Legezo, senior security researcher with GReAT.

“Perhaps more importantly, this latest UEFI bootkit shows some notable advancements when compared to MosaicRegressor, which we reported on back in 2020. In fact, transforming a previously benign core component in firmware to one that can facilitate malware deployment on the system is an innovation that was not seen in previous comparable firmware bootkits in the wild and makes the threat far stealthier. We predicted back in 2018 that UEFI threats would gain in popularity, and this trend does appear to be materializing. We would not be surprised to find additional bootkits in 2022. Fortunately, vendors have begun paying more attention to firmware attacks, and more firmware security technologies, such as BootGuard and Trusted Platform Modules, are gradually being adopted,” comments Mark Lechtik, senior security researcher with the Global Research and Analysis Team (GReAT) at Kaspersky.

For a more detailed analysis of MoonBounce, read the full report on Securelist. 

In order to stay protected from UEFI bootkits like MoonBounce, Kaspersky recommends:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years. 
  • For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions, such as Kaspersky Endpoint Detection and Response. 
  • Use a robust endpoint security product that can scan the firmware itself for implants, such as Kaspersky Endpoint Security for Business.
  • Regularly update your UEFI firmware and only use firmware from trusted vendors.
  • Keep Secure Boot enabled and, where the platform supports them, enable Intel Boot Guard and a TPM, so that a modified firmware image is refused at boot or at least shows up as a changed boot measurement.
Tags: advanced persistent threat, Kaspersky, MoonBounce
© 2021 Manila Standard - Designed and Developed by Neitiviti Studios.
