Hacking Team Spyware Preloaded With UEFI BIOS Rootkit To Hide Itself
Hacking Team, an Italy-based cyber weapons manufacturer, was hacked in 2015, and a huge trove of 400GB of internal data was leaked, including emails, hacking tools, zero-day exploits, surveillance tools, source code for spyware, and a spreadsheet listing every government client with the date of purchase and the amount paid.
One of the most striking discoveries from the leaked data was that Hacking Team used a UEFI (Unified Extensible Firmware Interface) BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets' systems. This means that even if the user reinstalls the operating system, formats the hard disk, or even buys a new hard disk, the spyware would remain undetected and active on the system.
UEFI is a technical standard that defines how components can participate in the startup of an operating system. It is located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. It is the first thing to run when a computer is turned on, and it influences the operating system, security apps, and all other software that follows.
Hacking Team's rootkit malware was only able to target UEFI BIOS systems developed by the vendors Insyde and AMI, which are used by the majority of computer and laptop manufacturers. Installing the rootkit required a BIOS flashing process that could not be done without rebooting the machine into a UEFI shell. The rootkit was found in firmware images of some Gigabyte or Asus motherboards.
The rootkit was designed to hijack the boot process of infected machines and load a modified version of Hacking Team's RCS spyware, also known as Galileo. The spyware was loaded with lots of zero-day exploits and had the ability to monitor the computers of its targets remotely. The spyware could also evade antivirus detection and encryption software.
The discovery of Hacking Team's UEFI rootkit exposed an ugly truth: The attacks are invisible to us. Researchers from Kaspersky profiled CosmicStrand, the security firm's name for a sophisticated UEFI rootkit that was used in the wild since 2016 by an unknown Chinese-speaking hacking group with possible ties to cryptominer malware. The researchers wondered: If this is what the attackers were using back then, what are they using today?
UEFI attacks are not only exotic but also rare: only a handful of such UEFI threats are known to have been used in the wild. However, they pose a serious threat to the security and privacy of users and organizations. To protect themselves from such attacks, users should always keep their BIOS up to date and protected by enabling a BIOS password. They should also enable UEFI SecureFlash and use trusted hardware vendors.
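Because the firmware lives in an SPI flash chip that the operating system cannot see (as described above), the practical defender's check against a modified BIOS is to dump the flash contents and compare every module inside it against a known-good baseline, rather than relying on anything running on top of the OS. The following is an added example, not code from the original article or from Hacking Team or Kaspersky: a minimal walker for the UEFI firmware-volume (FFS2) layout that enumerates the firmware files in an image, hashes each one, and reports modules that are unexpected, modified or missing relative to a baseline taken from a clean vendor image. The firmware volume it parses is constructed in the block itself (the module GUIDs are made up for the demonstration), and the header formats follow the standard EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER structures.

```python
"""Minimal UEFI firmware-volume walker for baseline comparison (added example).

Builds a constructed firmware volume in the EFI FFS2 layout, enumerates the
firmware files it contains, and compares their SHA-256 digests against a
known-good baseline so that an added or modified module (the kind of change a
firmware rootkit makes) is flagged.
"""
import hashlib
import struct
import uuid
from dataclasses import dataclass

# EFI_FIRMWARE_VOLUME_HEADER: ZeroVector, FileSystemGuid, FvLength, Signature,
# Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision.
# A block map (NumBlocks, Length pairs, zero-terminated) follows the header.
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)  # 56 bytes
FV_SIGNATURE = b"_FVH"
# EFI_FFS_FILE_HEADER: Name, IntegrityCheck, Type, Attributes, Size (24-bit), State.
FFS_HEADER_FMT = "<16sHBB3sB"
FFS_HEADER_SIZE = struct.calcsize(FFS_HEADER_FMT)  # 24 bytes
FFS_ALIGN = 8  # FFS files start on 8-byte boundaries relative to the FV start
EFI_FV_FILETYPE_DRIVER = 0x07
EFI_FIRMWARE_FILE_SYSTEM2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")

# Constructed module GUIDs for the synthetic image; not real vendor modules.
KNOWN_DRIVER_A = uuid.UUID("11111111-1111-4111-8111-111111111111")
KNOWN_DRIVER_B = uuid.UUID("22222222-2222-4222-8222-222222222222")
UNEXPECTED_DRIVER = uuid.UUID("33333333-3333-4333-8333-333333333333")


@dataclass(frozen=True)
class FfsFile:
    name: uuid.UUID
    file_type: int
    sha256: str


def build_ffs_file(name, file_type, body):
    """Wrap a body in an FFS file header (checksums left zero for the demo)."""
    size = FFS_HEADER_SIZE + len(body)
    header = struct.pack(FFS_HEADER_FMT, name.bytes_le, 0, file_type, 0,
                         size.to_bytes(3, "little"), 0xF8)
    return header + body


def build_firmware_volume(files):
    """Assemble FFS files into one firmware volume with a valid _FVH header."""
    body = b""
    for f in files:
        body += f
        body += b"\xff" * (-len(body) % FFS_ALIGN)  # erased-flash padding
    header_len = FV_HEADER_SIZE + 16  # one block-map entry plus terminator
    fv_len = header_len + len(body)
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)
    header = struct.pack(FV_HEADER_FMT, b"\x00" * 16,
                         EFI_FIRMWARE_FILE_SYSTEM2_GUID.bytes_le, fv_len,
                         FV_SIGNATURE, 0, header_len, 0, 0, 0, 2)
    return header + block_map + body


def parse_firmware_volume(image, offset=0):
    """Enumerate the FFS files in the firmware volume starting at offset."""
    (_zero, _fs_guid, fv_len, sig, _attrs, hdr_len,
     _csum, _ext, _res, _rev) = struct.unpack_from(FV_HEADER_FMT, image, offset)
    if sig != FV_SIGNATURE:
        raise ValueError("no _FVH signature at offset %d" % offset)
    end = offset + fv_len
    pos = offset + hdr_len
    files = []
    while pos + FFS_HEADER_SIZE <= end:
        name, _ic, ftype, _fattrs, size3, _state = struct.unpack_from(
            FFS_HEADER_FMT, image, pos)
        if name == b"\xff" * 16:
            break  # erased flash: no more files in this volume
        size = int.from_bytes(size3, "little")
        if size < FFS_HEADER_SIZE or pos + size > end:
            raise ValueError("corrupt FFS file header at offset %d" % pos)
        body = image[pos + FFS_HEADER_SIZE:pos + size]
        files.append(FfsFile(uuid.UUID(bytes_le=name), ftype,
                             hashlib.sha256(body).hexdigest()))
        rel = pos - offset + size
        pos = offset + (rel + FFS_ALIGN - 1) // FFS_ALIGN * FFS_ALIGN
    return files


def make_baseline(clean_image):
    """Map of module GUID -> SHA-256 taken from a trusted vendor image."""
    return {f.name: f.sha256 for f in parse_firmware_volume(clean_image)}


def audit_firmware(image, baseline):
    """Compare a dumped image against the baseline; return lists of GUID strings."""
    seen = {f.name: f.sha256 for f in parse_firmware_volume(image)}
    return {
        "unexpected": sorted(str(g) for g in seen if g not in baseline),
        "modified": sorted(str(g) for g in seen
                           if g in baseline and seen[g] != baseline[g]),
        "missing": sorted(str(g) for g in baseline if g not in seen),
    }


# Constructed images: a clean vendor volume and one with a patched driver and
# an extra module, standing in for a dump taken from a suspect machine.
CLEAN_IMAGE = build_firmware_volume([
    build_ffs_file(KNOWN_DRIVER_A, EFI_FV_FILETYPE_DRIVER, b"driver A body"),
    build_ffs_file(KNOWN_DRIVER_B, EFI_FV_FILETYPE_DRIVER, b"driver B body"),
])
TAMPERED_IMAGE = build_firmware_volume([
    build_ffs_file(KNOWN_DRIVER_A, EFI_FV_FILETYPE_DRIVER, b"driver A body"),
    build_ffs_file(KNOWN_DRIVER_B, EFI_FV_FILETYPE_DRIVER, b"driver B body, patched"),
    build_ffs_file(UNEXPECTED_DRIVER, EFI_FV_FILETYPE_DRIVER, b"extra module"),
])

if __name__ == "__main__":
    print(audit_firmware(TAMPERED_IMAGE, make_baseline(CLEAN_IMAGE)))
```

In practice the image passed to `audit_firmware` would be an SPI flash dump (taken with a hardware programmer or a vendor flashing tool), and the baseline would be built from the vendor's published BIOS update for the same board and version. This walker handles a single uncompressed FFS2 volume; production images contain several volumes, compressed and nested sections, and capsule wrappers, which is what dedicated tools such as UEFITool and CHIPSEC are for. The value of the check is independent of the operating system, which is exactly why it catches what OS-level antivirus cannot.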