Documents leaked online after the Hacking Team hack revealed that the company used a UEFI BIOS rootkit to gain persistence for its spyware software.
The recent data breach suffered by the surveillance firm Hacking Team is shocking the IT security industry, the hackers leaked company emails, source codes and contracts revealing uncomfortable truths.
Security experts mainly focused their analysis on the hacking tools and exploits codes included in the 400GB package leaked online. The archive included a number of zero-day exploits for Adobe Flash Player and Microsoft IE, these codes are just part of the hacking arsenal of the surveillance firm, which developed the popular Remote Control System (RCS) spyware, also known as Galileo. RCS has a modular structure that allows it to compromise several targets by loading the necessary zero-day exploits.
Last revelation made by the experts at Trend Micro in order of time, is the availability of a UEFI BIOS rootkit in the arsenal of the Hacking Team that allows the company to ensure the persistence for its malware even if the victims will format their hard disk to reinstall the Operating System.
“Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.” states Trend Micro.
The UEFI BIOS rootkit used by the Hacking Team was specifically designed to compromise UEFI BIOS systems developed by two of the most popular vendors, Insyde and AMI vendors.
The experts at the Hacking Team explained that attackers need physical access to the target machine to serve the UEFI BIOS rootkit by flashing the BIOS.
“A Hacking Team slideshow presentation claims that successful infection requires physical access to the target system; however, we can’t rule out the possibility of remote installation. An example attack scenario would be: The intruder gets access to the target computer, reboots into UEFI shell, dumps the BIOS, installs the BIOS rootkit, reflashes the BIOS, and then reboots the target system.” continues the post.
To prevent this kind of attack Trend Micro recommends:
Make sure UEFI SecureFlash is enabled
Update the BIOS whenever there is a security patch
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.