Attacks against pre-OS environments escalate, report finds

More threat operations have been setting their sights on UEFI, bootloaders, and other pre-operating system environments in a bid to facilitate persistence while bolstering stealth, according to Cybernews.
Bootloaders have been compromised through attacks on their storage, network, and console input paths, a report from Eclypsium revealed: the BlackLotus bootkit leveraged a Windows bootloader flaw, tracked as CVE-2022-21894, to circumvent Secure Boot, and the GRUB2 bootloader's BootHole defect allowed persistent bootkit installation without deactivating Secure Boot. Moreover, malicious bootloaders have been leveraged by EFILock ransomware to prevent systems from booting. "Mismatched bootloaders can be exploited to bypass Secure Boot or load unsigned, malicious payloads. UEFI Shell in boot order may allow attackers to gain interactive access before the OS loads," said Eclypsium researchers. Attacks aimed at device firmware were also regarded by the researchers as very challenging to combat. "Remediation requires a combination of firmware restoration, Secure Boot enforcement, and ongoing monitoring, empowering defenders to reclaim the 'home-field advantage' and prevent attackers from creating their playing field at the firmware level," the researchers added.