The recent data breach suffered by the surveillance firm Hacking Team is shocking the IT security industry, the hackers leaked company emails, source codes and contracts revealing uncomfortable truths.
Security experts mainly focused their analysis on the hacking tools and exploits codes included in the 400GB package leaked online. The archive included a number of zero-day exploits for Adobe Flash Player and Microsoft IE, these codes are just part of the hacking arsenal of the surveillance firm, which developed the popular Remote Control System (RCS) spyware, also known as Galileo. RCS has a modular structure that allows it to compromise several targets by loading the necessary zero-day exploits.
Last revelation made by the experts at Trend Micro in order of time, is the availability of a UEFI BIOS rootkit in the arsenal of the Hacking Team that allows the company to ensure the persistence for its malware even if the victims will format their hard disk to reinstall the Operating System.
“Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.” states Trend Micro.
The UEFI BIOS rootkit used by the Hacking Team was specifically designed to compromise UEFI BIOS systems developed by two of the most popular vendors, Insyde and AMI vendors.
The experts at the Hacking Team explained that attackers need physical access to the target machine to serve the UEFI BIOS rootkit by flashing the BIOS.
“A Hacking Team slideshow presentation claims that successful infection requires physical access to the target system; however, we can’t rule out the possibility of remote installation. An example attack scenario would be: The intruder gets access to the target computer, reboots into UEFI shell, dumps the BIOS, installs the BIOS rootkit, reflashes the BIOS, and then reboots the target system.” continues the post.
To prevent this kind of attack Trend Micro recommends:
(Security Affairs – UEFI BIOS, rootkit)