BIOS under attack: hackers increasingly focus on boot threats


Hackers are increasingly focusing on targeting pre-operating system environments, such as UEFI and bootloaders, researchers at Eclypsium warn. Recent vulnerabilities allow attackers to bypass any kernel or OS-level protections and remain undetected.

Cybercriminals are expanding their attack surface with boot process and firmware threats that are often overlooked by security solutions.

They are armed with known threats like BlackLotus, BootHole, and EFILock, and know how to bypass Secure Boot.

“Attackers are increasingly targeting the boot process and firmware to gain persistence, evade detection, and undermine platform security,” Eclypsium warns.

After an initial compromise, attackers commonly leave bootkits behind as a persistence mechanism that survives OS reinstalls and even hardware replacements. These threats load before the OS and before any security software, and so have complete control of the system.

The firmware (UEFI, still commonly called the BIOS) initializes the hardware, and the bootloader then loads the operating system. An attacker controlling the boot process can “subvert all higher-layer security controls, maintain deep persistence, and potentially evade detection by traditional security tools,” researchers write in the report.

Removing attackers from the firmware is also very difficult.

“Remediation requires a combination of firmware restoration, Secure Boot enforcement, and ongoing monitoring – empowering defenders to reclaim the ‘home-field advantage’ and prevent attackers from creating their playing field at the firmware level,” the researchers said.

Bootloaders have grown in complexity, and so have the threats targeting them. Bootloaders now support many features, including handling multiple storage types, file systems, network booting, and user interfaces. This introduces more opportunities for vulnerabilities, particularly memory safety issues.

How do attackers get in?

Hackers abuse storage, network, and console input as the primary vectors for attacking bootloaders. Eclypsium detailed some of the recently identified threats:

  • BlackLotus bootkit exploited a vulnerability in the Windows bootloader (CVE-2022-21894). It was the first in-the-wild bootkit that could bypass Secure Boot.
  • BootHole vulnerability in GRUB2, a bootloader used in many Linux distributions, allowed arbitrary code execution even with Secure Boot enabled, enabling attackers to install persistent bootkits.
  • EFILock ransomware replaced legitimate bootloaders with malicious ones, preventing systems from booting and demanding a ransom for recovery.
  • Other implanted malware, such as LoJax, MosaicRegressor, and TrickBoot, survive OS reinstalls and hardware replacements.
  • Microsoft’s Threat Intelligence team disclosed dozens of vulnerabilities in multiple open-source bootloaders, “Impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot as well as IoT devices.”

“Attackers may leave behind rogue bootloaders as a persistence mechanism, even after OS reinstallation,” Eclypsium warns.

“Mismatched bootloaders can be exploited to bypass Secure Boot or load unsigned, malicious payloads. UEFI Shell in boot order may allow attackers to gain interactive access before the OS loads.”

Secure Boot relies on signature databases, which are also affected by “one of the most critical issues.” An out-of-date forbidden signature database (DBX) allows known vulnerable bootloaders to remain trusted and executable. A malicious bootloader can also slip through outdated or misconfigured SBAT (Shim Boot Advanced Targeting) policies.

“Secure Boot only delivers on its security promise when DBX and SBAT policies are current and the platform is configured to enforce signature checks on all boot components.”
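The DBX the report refers to is a UEFI authenticated variable made of chained EFI_SIGNATURE_LIST structures; a defender checking whether a known-bad bootloader hash is actually revoked on a host has to parse that layout. The parser below is an added example, not Eclypsium's code; it runs on a constructed sample list, and on a Linux host you would feed it the bytes of /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f after dropping efivarfs's 4-byte attribute prefix.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID marks a list whose entries are SHA-256 Authenticode hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HEADER = 28  # SignatureType (16) + ListSize, HeaderSize, SignatureSize (4 each)


def parse_signature_lists(blob: bytes) -> dict:
    """Walk chained EFI_SIGNATURE_LIST structures; return {type GUID: [SignatureData, ...]}.
    Raises ValueError on a truncated or inconsistent list instead of silently stopping."""
    out = {}
    off = 0
    while off + SIG_LIST_HEADER <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HEADER or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        entries = out.setdefault(str(sig_type), [])
        pos, end = off + SIG_LIST_HEADER + hdr_size, off + list_size
        while pos + sig_size <= end:
            # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID then the data.
            entries.append(blob[pos + 16:pos + sig_size])
            pos += sig_size
        off = end
    if off != len(blob):
        raise ValueError("trailing bytes after the last EFI_SIGNATURE_LIST")
    return out


def revoked_hashes(dbx_blob: bytes) -> list:
    """All SHA-256 image hashes the DBX forbids."""
    return parse_signature_lists(dbx_blob).get(str(EFI_CERT_SHA256_GUID), [])


def is_revoked(dbx_blob: bytes, sha256_hex: str) -> bool:
    """True if a bootloader with this Authenticode SHA-256 hash is blocked by DBX."""
    return bytes.fromhex(sha256_hex) in revoked_hashes(dbx_blob)


def build_sha256_list(hashes: list) -> bytes:
    """Assemble one EFI_SIGNATURE_LIST of SHA-256 entries (used for the sample)."""
    body = b"".join(uuid.UUID(int=0).bytes_le + h for h in hashes)  # owner GUID = zero
    header = struct.pack("<III", SIG_LIST_HEADER + len(body), 0, 16 + 32)
    return EFI_CERT_SHA256_GUID.bytes_le + header + body


# Constructed sample DBX with two made-up hashes; not real revocation entries.
SAMPLE_DBX = build_sha256_list([bytes([0x11]) * 32, bytes([0x22]) * 32])
```

Comparing the hashes returned by revoked_hashes against the hashes of the bootloaders present in the ESP is the check the quoted sentence calls for; an empty or stale list means revoked binaries still boot.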

The security firm has detected hackers attempting to load unsigned or revoked binaries, potentially as part of a bootkit or other firmware-level attack.

“Attackers may downgrade components to exploit older, vulnerable versions or remove DBX entries to re-enable revoked binaries.”

Eclypsium said it has enhanced its platform to detect suspicious bootloader behaviors and related threats.