CosmicStrand; UEFI Stands For Undetectable, Effective … Infections

Source: Ars Technica CosmicStrand; UEFI Stands For Undetectable, Effective … Infections

In The Wild For Six Years Before It Was Noticed

It was assumed that UEFI infections, which are able to infect a system over and over again, even if you physically replace all of your storage media and reinstall your OS from scratch, were incredibly rare because security researchers could hardly find any trace of them in the wild.

We were wrong.

Researchers from Kaspersky have released their findings on a UEFI bootkit they have dubbed CosmicStrand, which seems to have been actively infecting UEFI firmware for around six years. The rarity of UEFI infections discovered by Kaspersky, ESET and Qihoo360 led to the assumption that they were uncommon and hard to develop. A more realistic belief is that they are incredibly hard to find and that we have no idea how widespread these infections are.

CosmicStrand was found by Kaspersky’s free antivirus program on computers in China, Vietnam, Iran, and Russia. This implies that the infected machines belong to home users, as not many corporations use free versions of antivirus software. If a UEFI bootkit sat on random personal computers for at least six years without being detected, one can only wonder how advanced targeted bootkits have become since then.

As of now, none of the three security companies that have managed to detect bootkits like CosmicStrand has any insight into how they spread. Indeed, they haven’t been able to intercept the communication between an infected machine and its C&C servers, so they cannot determine what is in the payloads sent to infected machines.

What they do know is that these bootkits are able to modify the Windows kernel during boot, which means attackers can do whatever they like to an infected machine, and there is little you can do to determine whether you are infected, let alone do anything about it.

Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.

About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.