Fancy Bear is at it again, unleashes new threat that attacks PC firmware

Fancy Bear is at it again, unleashes new threat that attacks PC firmware

Not that long ago, cyberwarfare seemed like something straight out of Hollywood movies – non-threatening, futuristic and, most importantly, distant. Even if somehow became possible, it wasn’t supposed to happen for a long time. However, technology growth happened very fast and here we are now, with 5G Internet just around the corner, high-speed browsing and an ability to download and upload huge amounts of information in a matter of minutes. And cyberwarfare is gaining momentum, with hacking groups from all over the world coming to the forefront.

One of such groups is Fancy Bear, coming from Russia and believed to be linked to Kremlin itself. It’s also known as APT28, Pawn Storm, Sofacy Group, Sednit and STRONTIUM, and it targets government, military, and security organizations, especially Transcaucasian and NATO-aligned states. It’s suspected in cyber attacks on the German parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron.

It’s also suspected of leaking Hillary Clinton’s emails during the 2016 USA presidential campaign and now the researchers from security company ESET say that they have discovered new malware developed by the group. It’s called Lojax, due to the similarity with LoJack security software and is capable of merging itself with computer’s firmware and thus avoid discovery. Eliminating it isn’t an easy task by any means – it can hide itself from conventional methods of discovery, security software is powerless against it and even such trusty ways of returning things back to normal as formatting the hard drive or installing a new one won’t help here.

When the threat gets on a targeted device, it’s pretty much open season for people controlling it – they can do whatever they want, whenever they want. The virus can steal personal information, put various types of other threats, including ransomware, on the computer and perform a variety of other actions. Removing this additional malware doesn’t really do anything, as the main virus remains present and it can simply reinstall it, doing so over and over again if the situation warrants. While the aforementioned Lojack was created to help locate stolen devices by telling their current location to the owner (and being difficult to remove), Lojax turns its purposes upside down and does everything it can to prevent the target from using the system as normal.

The threat employs various tools (also developed by the Russian) that start with studying the code running in the device’s UEFI (the uniform extensible firmware interface). It’s done to see if it can be broken into. If the answer to that is “yes”, then the next step is initiated, which consists of malware loader copying that code, adding more viruses into the mix and flashing the computer’s firmware so that the code could be embedded.

ESET’s published report doesn’t specify how Lojax managed to infiltrate the system where it was discovered. The location isn’t mentioned as well – the report only says that it was part of an attack that happened in Eastern Europe and Africa. But the characteristics of the devices that are in danger of being compromised are given, as well as suggestions on how to avoid the threat and what to do if one wasn’t successful in doing so.

The first thing that should be paid attention to is firmware version. Lojax isn’t able to get on devices that have the newer ones, so keeping the firmware updated should be enough to significantly reduce the risks. Considering the fact that many computer and system board manufacturers have released updates to help battle the recent Spectre and Meltdown attacks, the firmware may already be the most recent version. Older chipsets with unpatched vulnerabilities are also required for the threat to work – keeping their firmware updated as well can stop it from entering the system. It should also be mentioned that this malware isn’t signed, which means that Secure Boot can be used to detect it. It looks at firmware and sees whether there are any signs of tampering. If there are, it prevents it from being installed. That’s why ESET suggests to use Secure Boot on all devices.

As far as battling this virus goes, there’re three ways of doing so. The first involves reflashing the firmware, the second is installing a new system board and the third (and most extreme one) is getting a new computer altogether. As has already been mentioned above, reinstalling the OS or the hard drive simply isn’t enough in this situation, because Lojax attacks deep.

Per ESET, “the other part of firmware security is in the hands of UEFI/BIOS vendors. The security mechanisms provided by the platform need to be properly configured by the system firmware to actually protect it.” They also add, “thus, firmware must be built with security in mind from the ground up. Fortunately, more and more security researchers are looking at firmware security thus contributing to improve this field and raise awareness of firmware vendors.” Still, it doesn’t mean that Lojax should be taken lightly – far from it. Its developers are very likely to come up with a solution that will eliminate the threat’s current limitations. If that happens, even the newer devices won’t be safe.

The good news is, one of the methods offered by ESET is less of a hassle than it used to be. Nowadays, the process of reflashing the firmware doesn’t require much from the user’s side and is mostly automated. Visiting the website of the computer or system board manufacturer, downloading the firmware’s latest version and then running the installer is basically everything that needs to be done for that. Most of the firmware comes in a package that self-extracts when downloaded and is then run. After that, the install is set, the current firmware version is checked and the flashing process is then initiated. On the whole, it takes less than 10 minutes and no further participation is needed.

On the other hand, the current LoJax malware is only the beginning. Fancy Bear now knows that it’s capable of infiltrating systems all around the world and it can very well attempt to do more of the same. This means that once they figure out how to infect specific computers as needed, the risks will grow enormously. And right now, finding their latest virus, as well as battling it, is in the infancy stages as well. According to ESET, Lojax is the first time a UEFI-based rootkit has ever been detected attacking a device in the real world. Before this, experts had mainly talked about UEFI rootkits as a theoretical attack, something as distant as cyberwarfare itself once appeared to be.

The situation is definitely far from being over. The more time passes, the more players from countries all over the world will be coming out to get their piece of the pie. Computer networks being used for global attacks, theft and sabotaging government plans is the reality we live in and the situation should be taken seriously, with all the attention it now deserves.


Please enter your comment!
Please enter your name here