Understanding Hidden UEFI Spyware

Some cyber attack methods are well known. Both IT professionals and regular employees know to be alert for phishing scams, suspicious attachments, and compromised USB drives. Cybersecurity teams guard company networks against more sophisticated schemes like supply chain attacks. They monitor systems and machines and deploy antivirus software to sniff out malware. If malware is found or suspected on a device, a hard drive reformat and reinstall can wipe clean any infection… or so we thought.

The efforts listed here are effective against most cyberattacks, but determined criminals have developed advanced methods that evade traditional cybersecurity efforts and even the popular wipe-and-reload: hiding spyware in the Unified Extensible Firmware Interface (UEFI) of company laptops. This type of spyware is rare, but researchers recently discovered hidden malware in the UEFI on some Windows 10 business machines.

Read on to find out everything you need to know about hidden UEFI spyware.

A Clever Firmware Attack

The UEFI is a pre-boot environment stored on firmware rather than on a hard disk or a solid-state drive. The recently discovered UEFI spyware makes it possible for criminals to directly deliver hacking tools or malware to the infected computer from this pre-boot environment. These tools could allow hackers to steal documents, log keystrokes to steal passwords, and exfiltrate the stolen info via the Internet.

Hiding malware in the UEFI is particularly clever because antivirus and anti-malware software has virtually no ability to scan this memory type. UEFI malware evades both traditional detection methods and standard remediation practices because it is stored on firmware in the pre-boot environment. The malware discovered in a recent attack could reinstall the hacking tools on the operating system of the computer even if it were found and removed. A concerning consequence of this is that the malware would also remain even if cybersecurity teams wiped and reloaded a machine or swapped out the hard drive, as it doesn’t live on the hard drive at all.

The good news is that it’s tough for cybercriminals to load malware into a machine’s UEFI. The malware has to be customized to a specific machine model. For example, malware intended to infect the UEFI of a Dell Latitude E6320 would only work on that model and no other. It’s also difficult to load the malware. Injecting an infected version of the firmware into the UEFI memory requires malicious actors to abuse a firmware update mechanism such as a BIOS flash. Firmware updates aren’t everyday activities and are generally performed by IT teams rather than users, which is another reason these extremely effective UEFI attacks are rare.

State-Sponsored Groups Behind UEFI Spyware

UEFI spyware attacks require custom-written hacking tools and determined effort to infect victims’ machines. So far, all known attacks of this type have come from state-sponsored hacking groups with very specific, high-value targets.

A UEFI attack discovered in 2018 is suspected of having come from Russian state-sponsored hackers. More recently, UEFI spyware victims were people associated with African, Asian, and European diplomatic entities and NGOs. Based on clues in the malware code, experts suspect the attack came from a group sponsored by North Korea.

UEFI Cybersecurity Best Practices

Depending on your industry, it may be unlikely that you’ll be targeted by a state-sponsored UEFI attack. However, it’s always a good idea to follow best practices when working on your own machines or those of your customers. Here are some simple but effective ways to protect against UEFI attacks:

  • Ensure Computer Security By Making Sure Your Machines Are Running Legitimate Firmware Versions

    When you download new firmware or drivers to install on a machine, check that the files are digitally signed to confirm their authenticity. If they are not signed, compare the hash value of the file against the hash provided by the vendor to make sure they match. Taking these steps significantly reduces the risk that you’re running firmware infected with malware.

  • Regularly Re-Flash Pre-Boot Environments Of High-Profile Or Vulnerable Machines

    If you suspect malware on a machine, beyond just wiping and reloading the hard drive with a fresh copy of the operating system, consider adding a flash of the pre-boot environment to your wipe-and-reload procedures. Flashing the pre-boot environment with a digitally signed copy of the files from the device manufacturer will clean out any malware living there (essentially doing a wipe-and-reload of the pre-boot environment in addition to the hard drive). You can also perform this step specifically when travelling users return from high-risk countries as part of the cleaning process for that device.

  • Leave Updates To Your IT Services Team

    Employees often decide to “save time” by installing software and updates on their own. Users are much less likely to follow your security and validation procedures, which ensure that the updates being installed are relevant, meaningful, compatible with current systems, and digitally signed by hardware and software manufacturers. When these procedures are not followed, there’s a much greater chance that users are installing illegitimate updates full of spyware, ransomware, or other nasty malware you don’t want on your systems. Provide Cybersecurity Awareness Training to reinforce that your team should rely on the IT department or provider for software patches and updates and should NOT install these things independently.
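The first two practices above (verify the signature, fall back to the vendor-published hash, and only then flash) can be put into a single pre-flash check. The PowerShell function below is an added example written for this article, not designDATA’s or any vendor’s tooling; the file path, the vendor hash, and the `CN=Dell Inc*` signer pattern are placeholders you would replace with values taken from the manufacturer’s download page and its known code-signing certificate.

```powershell
# Added example (not from the original article): vet a downloaded firmware/BIOS
# update on a Windows 10 machine before it is flashed. Placeholder values are
# marked as such; take the real ones from the vendor's download page.
function Test-FirmwareUpdateFile {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string]   $VendorSha256,          # SHA-256 published by the vendor (if any)
        [string[]] $TrustedSubjects = @()  # expected signer subject patterns, e.g. 'CN=Dell Inc*'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    function New-Result([bool] $Trusted, [string] $Reason) {
        [pscustomobject]@{ Path = $Path; Trusted = $Trusted; Reason = $Reason }
    }

    # Step 1: Authenticode signature. Most vendor BIOS update .exe files carry one.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'HashMismatch') {
        # Signed content no longer matches the signature: the file was altered. Hard fail.
        return New-Result $false "Signature present but file contents were modified"
    }
    if ($sig.Status -eq 'Valid') {
        $subject = $sig.SignerCertificate.Subject
        # A valid chain only proves *someone* trusted signed it; require the expected vendor.
        $signerOk = ($TrustedSubjects.Count -eq 0) -or
                    ($TrustedSubjects | Where-Object { $subject -like $_ })
        if ($signerOk) { return New-Result $true "Valid signature from $subject" }
        return New-Result $false "Signed, but by an unexpected signer: $subject"
    }

    # Step 2: unsigned file. Fall back to the vendor-published hash, as the article advises.
    if ([string]::IsNullOrWhiteSpace($VendorSha256)) {
        return New-Result $false "Signature status '$($sig.Status)' and no vendor hash to compare against"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ieq $VendorSha256.Trim()) {
        return New-Result $true "Unsigned, but SHA-256 matches the vendor-published hash"
    }
    return New-Result $false "SHA-256 mismatch: file has $actual, vendor published $VendorSha256"
}

# Usage with placeholder values: refuse to proceed to the BIOS flash unless the check passes.
$check = Test-FirmwareUpdateFile -Path 'C:\Downloads\BIOS_Update.exe' `
    -VendorSha256 '<SHA-256 copied from the vendor download page>' `
    -TrustedSubjects 'CN=Dell Inc*'
if ($check.Trusted) { Write-Host "OK to flash: $($check.Reason)" }
else                { Write-Warning "Do not flash: $($check.Reason)" }
```

Run it from the IT team's administrative session as the gate before any firmware update, and log the `Reason` alongside the machine's asset record so a later investigation can see exactly which image was flashed and why it was trusted.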

Secure IT Solutions

Maintaining good cybersecurity requires time, people, resources, and constant vigilance. At designDATA, we do the hard work of keeping up with all the latest cyberattack methods and the most effective cybersecurity solutions to protect our customers from cyber-crime. Check out our free cybersecurity resources for some great steps you can take to protect your organization. Ready to take the next step? Book a Security Assessment with one of our cybersecurity experts to see how we can help you.


Jonathan Roy is the Director of Security and Compliance and has been providing IT and cybersecurity services with designDATA since 2004. He has extensive experience in information technology best practices, the ITIL framework for running IT operations, and how to secure IT environments. Jonathan now focuses exclusively on cybersecurity, data privacy, and related regulatory compliances for his customers. He regularly works with business leaders on risk mitigation and avoidance, cybersecurity consulting, incident response and recovery, incident preparedness, and compliance audits. At designDATA, Jonathan leads the organization's cybersecurity mission: Protecting small- and medium-sized organizations from cyber-crime.
