Fancy Bear Have A Nasty New Weapon

Russia’s GRU spy agency has secretly developed and deployed new malware that’s virtually impossible to eradicate, capable of surviving a complete wipe of a target computer’s hard drive, and allows the Kremlin’s hackers to return again and again. 

The malware, uncovered by the European security company ESET, works by rewriting the UEFI firmware held in a flash chip on the motherboard, the code that runs before the operating system and controls every boot and reboot. Its apparent purpose is to maintain access to a high-value target even if the operating system gets reinstalled or the hard drive replaced, changes that would normally evict an intruder.

It’s proof that the hackers known as Fancy Bear “may be even more dangerous than previously thought,” company researchers wrote in a blog post. They also presented a paper on the malware at Microsoft’s BlueHat security conference.

US intelligence agencies have identified Fancy Bear as two units within Russia’s military intelligence directorate, the GRU, and last July Robert Mueller indicted 12 GRU officers for Fancy Bear’s US election interference hacking.

The advanced malware shows the Kremlin’s continued investment in the hacking operation that staged some of the era’s most notorious intrusions, including the 2016 Democratic National Committee hack. 

The GRU’s hackers have been active for at least 12 years, breaching NATO, Obama’s White House, a French television station, the World Anti-Doping Agency, countless NGOs, and military and civilian agencies in Europe, Central Asia, and the Caucasus. Last year, they targeted Democratic Sen. Claire McCaskill, who’s facing a hotly contested 2018 re-election race.

“There’s been no deterrence to Russian hacking,” said former FBI counterterrorism agent Clint Watts, a research fellow at the Foreign Policy Research Institute. “And as long as there’s no deterrence, they’re not going to stop, and they’re going to get more and more sophisticated.”

As sophisticated as it is, Russia’s new malware works only on PCs whose firmware leaves the flash chip writable: ESET found it succeeds only where the platform’s BIOS write protection is missing or incompletely configured, and because its components are unsigned, a machine with Secure Boot enabled would refuse to run them. It also isn’t the first code to hide in the UEFI chip.
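ESET’s analysis of the flash-writing tool describes a three-way decision driven by the platform’s BIOS Control register: if the flash is not locked, the tool simply enables writes and writes; if the lock is enabled but SMM write protection is not, it attempts a known race against the SMI handler that re-clears the write-enable bit; if SMM write protection is on, it gives up. The C program below is an added example, not ESET’s or the malware’s code. It models that decision and goes beyond the article by adding the chipsec-style check of the SPI Protected Range (PRx) registers. All register values are constructed for the demonstration; the bit layouts (BIOS_CNTL at LPC config offset 0xDC, PRx in the SPI controller’s MMIO space) are assumed from Intel PCH datasheets and should be verified against your own platform before you rely on them.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* BIOS_CNTL register (Intel PCH, LPC config space offset 0xDC), assumed layout */
#define BIOSWE   (1u << 0)  /* BIOS Write Enable: flash accepts writes when set */
#define BLE      (1u << 1)  /* BIOS Lock Enable: setting BIOSWE raises an SMI that clears it again */
#define SMM_BWP  (1u << 5)  /* SMM BIOS Write Protect: writes accepted only while in SMM */

/* SPI Protected Range register (PRx), assumed Intel Series PCH layout.
 * Base and limit hold address bits 24:12, i.e. 4 KiB granularity. */
#define PR_WPE       (1u << 31)
#define PR_BASE(v)   (((v) & 0x1FFFu) << 12)
#define PR_LIMIT(v)  (((((v) >> 16) & 0x1FFFu) << 12) | 0xFFFu)

enum flash_status {
    FLASH_WRITABLE,   /* no lock: set BIOSWE and write directly */
    FLASH_RACEABLE,   /* BLE set, SMM_BWP clear: race the SMI that re-clears BIOSWE */
    FLASH_PROTECTED   /* SMM_BWP set, or the target range sits inside a write-protected PRx */
};

/* The decision ESET attributes to the LoJax flash-writing tool, from BIOS_CNTL alone. */
enum flash_status classify_bios_cntl(uint8_t bios_cntl)
{
    if (bios_cntl & SMM_BWP)
        return FLASH_PROTECTED;
    if (bios_cntl & BLE)
        return FLASH_RACEABLE;
    return FLASH_WRITABLE;
}

/* True if [addr, addr+len) lies entirely inside one write-protected PRx range.
 * A target covered only by the union of several adjacent ranges is reported
 * unprotected here; extend the loop if your platform relies on that. */
bool range_write_protected(const uint32_t *pr, size_t npr, uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len - 1;
    for (size_t i = 0; i < npr; i++) {
        if (!(pr[i] & PR_WPE))
            continue;
        if (PR_BASE(pr[i]) <= addr && end <= PR_LIMIT(pr[i]))
            return true;
    }
    return false;
}

/* Combined verdict for a write to flash region [addr, addr+len):
 * a PRx covering the target wins over whatever BIOS_CNTL says. */
enum flash_status assess_write(uint8_t bios_cntl, const uint32_t *pr, size_t npr,
                               uint32_t addr, uint32_t len)
{
    if (range_write_protected(pr, npr, addr, len))
        return FLASH_PROTECTED;
    return classify_bios_cntl(bios_cntl);
}

static const char *status_name(enum flash_status s)
{
    switch (s) {
    case FLASH_WRITABLE:  return "WRITABLE (direct write succeeds)";
    case FLASH_RACEABLE:  return "RACEABLE (BLE only; SMI race may succeed)";
    default:              return "PROTECTED";
    }
}

/* Constructed sample: one PRx write-protecting 0x200000..0x7FFFFF, second slot unused. */
const uint32_t sample_pr[2] = { 0x87FF0200u, 0x00000000u };

int main(void)
{
    /* Constructed BIOS_CNTL readings and two target offsets in the BIOS region. */
    const uint8_t readings[] = { 0x00, BLE, BLE | SMM_BWP };
    const uint32_t targets[] = { 0x100000u, 0x300000u };

    for (size_t r = 0; r < sizeof readings / sizeof readings[0]; r++)
        for (size_t t = 0; t < 2; t++)
            printf("BIOS_CNTL=0x%02X target=0x%06X -> %s\n", readings[r], targets[t],
                   status_name(assess_write(readings[r], sample_pr, 2, targets[t], 0x1000u)));
    return 0;
}
```

On real hardware the equivalent read-and-check is what chipsec’s `common.bios_wp` module performs; the program above exists to make clear what each verdict means for an implant that needs to write the flash.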

Security researchers have demonstrated the vulnerability with proof-of-concept code in the past, and a 2015 leak showed that commercial spyware manufacturer Hacking Team offered UEFI persistence as an option in one of their products. There’s even evidence that Fancy Bear borrowed snippets of Hacking Team’s code, ESET said.  

Last year, a WikiLeaks dump revealed that the CIA used its own malware called “DerStarke” to maintain long-term access to hacked MacOS machines using the same technique. But until now such an attack had never been spotted in the wild on a victim computer.

The first public whiff of Russia’s new malware emerged in May, when Arbor Networks’ ASERT team reported finding malware designed to look like a component of the theft-recovery app Absolute LoJack. Absolute LoJack works much like Apple’s Find My iPhone app, allowing laptop owners to attempt to geo-locate a computer after a theft, or to remotely wipe their sensitive files from the missing machine. The hackers copied one piece of the app, a background process that maintains contact with Absolute Software’s server, and changed it to report to Fancy Bear’s command-and-control servers instead.

ESET researchers call the malware LoJax. They suspected they were seeing just one piece of a larger puzzle, and started looking for additional LoJax components in Eastern Europe and the Balkans, where LoJax was popping up on hacked machines alongside better-known Fancy Bear implants like Seduploader, X-Agent, and X-Tunnel. They found a new component of LoJax designed to read a computer’s UEFI firmware out of its flash chip and dump it to disk, and surmised that Fancy Bear was moving to the motherboard. Eventually they found the proof in another component called “ReWriter_binary” that patched the dumped firmware image, adding Fancy Bear’s own driver alongside the vendor’s code, and wrote it back to vulnerable chips.

Fancy Bear’s UEFI code works as a bodyguard for the counterfeit LoJack agent. At every boot, the implanted firmware driver checks whether the Windows malware is still present on the hard drive and, if it’s missing, writes it back to the system partition and registers it to run at startup. The researchers so far have found only one computer with an infected UEFI chip among many with the fake LoJack component, which makes them think the former is only rarely deployed. And by all evidence, the entire project is relatively new.

“The LoJax campaign started at least in early 2017,” said Jean-Ian Boutin, a senior malware researcher at ESET. “We don’t know exactly when the UEFI rootkit was used for the first time, but our first detection came in early 2018.”

“The GRU is following a developmental model that’s very sophisticated,” said Watts. “They have programmers who seem to be top-notch and they appear to rapidly deploy their cyber weapons not long after they develop them.”

The ESET researchers said the new malware should be taken as a warning. “The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats,” the researchers wrote. “Such targets should always be on the lookout for signs of compromise.”

Daily Beast
