First-Ever UEFI Rootkit Tied to Sednit APT

From threatpost.com

Researcher at ESET outlines research on the first successful UEFI rootkit used in the wild.

LEIPZIG, GERMANY – Researchers hunting cyber-espionage group Sednit (an APT also known as SofacyFancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks.

The discussion of Sednit was part of the 35C3 conference, and a session given by Frédéric Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall (PDF). During his session, Vachon said that finding a rootkit targeting a system’s UEFI is significant, given that rootkit malware programs can survive on the motherboard’s flash memory, giving it both persistence and stealth.

“UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level,” he said.

Read more…