The clock is ticking for Windows and Linux users to update cryptographic keys that protect their systems against firmware-based UEFI infections, a pernicious form of malware that loads before operating system and antimalware protections start.
Beginning June 24, three certificates that cryptographically verify that each piece of firmware and software that loads during system boot will expire. The Microsoft-signed certificates are the linchpins of Secure Boot, a Microsoft-designed chain of trust. Secure Boot checks the digital signatures of all firmware that loads during system startup to ensure it originates from a trusted provider, such as the manufacturer of the motherboard the system runs on.
Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS, both of which begin the initial boot sequence. Because these bootkits load before the OS and most other code, they can be difficult to detect. Once installed, they typically load malware onto the OS that steals credentials, backdoors the system, or performs other malicious actions. Even when the OS is disinfected, the bootkit can reinfect the system. Bootkits survive OS reinstallations as well.
A Brief History of Bootkits
The genesis of bootkits dates back to the early 1980s with the creation of several pieces of malware that targeted Apple II machines during the boot process. They spread in the wild through floppy disks that ostensibly contained pirated games.
Windows bootkits gained notice in the early 2000s as proofs of concept developed by researchers of offensive security. BootRoot, a bootkit demonstrated at the 2005 Black Hat security conference, is likely the first such instance. The malware infected the Network Driver Interface, which streamlined communications between network protocol drivers enabling service such as TCP/IP network adapter drivers. In the years following, similar PoCs included Vbootkit, the Stoned Bootkit, and Mebroot. There were many more.
In 2012, a new form of bootkit was demonstrated. Instead of targeting machines through the BIOS or master boot record, one such bootkit attacked Mac OS X systems by infecting the EFI, a package of firmware that started the boot process. A second very primitive bootkit targeted Windows 8 machines by infecting the UEFI bootkit, the predecessor to the UEFI. Around 2013, a researcher demonstrated a more advanced UEFI bootkit for Windows named Dreamboat.
The first known case of a real-world attack targeting the UEFI came in 2018 with the discovery of malware dubbed LoJax. A repurposed version of legitimate anti-theft software known as LoJack, it was created by the Kremlin-backed hacking group tracked under names including Sednit, Fancy Bear, and APT 28. The malware was installed remotely using malware tools that can read and overwrite parts of the UEFI firmware’s flash memory.
In 2020, researchers unearthed the second known instance of real-world malware attacking the UEFI. Each time an infected device rebooted, its UEFI checked whether a malicious file was present in the Windows startup folder and, if not, installed it. Researchers from Kaspersky, the security provider that discovered the malware, named it “MosaicRegressor.” Researchers have yet to determine how the compromised UEFIs became infected. Since then, a handful of new UEFI bootkits have come to light. They are tracked under names including ESpecter, FinSpy, and MoonBounce.
Necessity Is the Mother of Invention
In response to the more menacing threat of UEFI bootkits, Microsoft worked with device makers to develop Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of firmware loaded during startup is trusted by a computer’s manufacturer. Secure Boot is designed to create a chain of trust that prevents attackers from replacing the intended bootup firmware with malicious firmware. If a single link in the startup chain isn’t recognized, Secure Boot will prevent the device from starting.
Then in 2023, researchers discovered LogoFail, a series of critical vulnerabilities found UEFIs booting up just about every Windows and Linux system in the world. An image-parsing bug in the software that presented hardware manufacturers’ logos during bootup allowed attackers to bypass Secure Boot and infect the UEFI with malicious firmware.
