CISA warns of an attack that abuses a component that every computer contains: the bootloader. A type of malware is spread that targets the Unified Extensible Firmware Interface (UEFI).
UEFI-based malware has already been used in the BlackLotus campaign. This campaign came on the radar of cybersecurity researchers at Microsoft in April. The attack would merit additional attention due to its malicious nature. This is because UEFI boot kits run during the computer’s boot process, taking action before the operating system loads. As a result, the malware can disable security mechanisms from the operating system.
Therefore, the malware will not automatically trigger a notification from an installed security tool. To self-check whether a device is infected with UEFI malware, Microsoft recommends checking the files in the bootloader for recent activity and checking whether any modifications were recently made to Windows Registry keys.
‘Still in learning mode’
Although Microsoft’s investigation dates back to April, the attack is still relevant today. In a recent blog , the Cybersecurity and Infrastructure Security Agency (CISA) releases a call to action for UEFI cybersecurity to be strengthened immediately. “UEFI is essential for most computers; it replaces the old BIOS format.”
The only problem is that security and researchers have not yet caught on to this type of malware: “The cybersecurity community and UEFI developers still seem to be in learning mode.”
The blog indicates that measures exist to keep malware off a device. The only problem is that these measures are not yet widely adopted. They involve security-by-design principles and the use of modern incident response measures. Microsoft reports that companies can better protect themselves by updating all Windows recovery media and keeping up with the latest OS updates.
Device replacement after infection
While it is possible to check if a device is infected, there is no solution. The malware survives if a device is completely rebooted, as well as if the operating system is reinstalled. Even replacing a hardware component offers no solution.
The good news is that hackers don’t get the malware onto your PC easily. The malware can be installed only on a device that a hacker already had access to or by physical access.
Also read: MSI leak undermines UEFI/BIOS security, what can you do?