IT threat evolution Q3 2022

Recent APT campaigns, a sophisticated UEFI rootkit, new ransomware for Windows, Linux and ESXi, attacks on foreign and crypto-currency exchanges, and malicious packages in online code repositories.

Windows update or search bar version reverts to an older date a few minutes after Windows loads [migrated]

Windows 10 starts seemingly normally. While the OS is loading, on occasions where the PC loads slower, I can see what I believe is an update version in the search bar (next to the Windows key – see pic).
At first, it is what seems to be a c…

Is Magisk the only way to root Samsung smartphones with modern Android versions like Android 11, Android 12 and Android 13? [migrated]

From what I can find about rooting on the web, everywhere Magisk is talked about. Is Magisk the only way to root modern Android phones with the newest Android versions like 11, 12 and 13? Are there any other rooting methods other than Magis…

Is there any security technology/technique besides TPM/Secure Boot which can verify the integrity of the BIOS or bootloader?

For any file on your OS you can get an MD5 or SHA-256 value and if you suspect anything you get it again and compare. I was wondering if there is any way to do the same with the BIOS and bootloader and check their integrity manually. Can you…

New UEFI Rootkit

Kaspersky is reporting on a new UEFI rootkit that survives reinstalling the operating system and replacing the hard drive. From an article:

The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. …


Hypothesis of a state-sponsored implant with advanced exfiltrated technology [closed]

I’m looking for state-sponsored spyware that has the following features.
The spyware should be split into three or more parts. There are two parts on the host/phone, and a third part on the home router. The two parts on the host are:

a pi…

Need help identifying and eradicating Cobalt Strike beacon and persistence [closed]

Posted this over in the Unix section earlier and was recommended here:
I’m stopping by trying to further narrow down my understanding and ultimately the eradication of one if not multiple Cobalt Strike beacons on multiple machines.
Before …