I Don’t Mean To Alarm Anybody, But I Think We’re Being Followed
Recent security research has revealed that someone is teaching Trickbot new tricks, and this one is right nasty. Trickbot started out as a minor villain, a banking trojan that let nefarious types commit bank fraud, but over the years it has grown into more of a criminal mastermind, able to infect a wide variety of systems in different ways. Black hats now rent their stables of Trickbot-infected machines to scumbags who steal from them directly or pool their processing power to attack a different target. Its latest module scans infected machines to see which ones have motherboard firmware (UEFI) that will accept unauthorized modifications.
Until now UEFI implants have mostly been the stuff of targeted attacks, often needing physical access to the target computer, which gave the rest of us at least a modicum of reassurance; that respite is over. Some Trickbot networks are now checking whether the signed kernel driver that ships with RWEverything (RwDrv.sys) can be dropped on a machine and loaded, then using it to read the chipset's firmware write-protection registers and report whether the SPI flash is writable. Thankfully the module still has a -whatif switch applied: it only reads and reports, it does not write anything yet. Read & Write Everything, if you haven't run into it, is a utility for poking at hardware registers, reading hardware information and updating firmware, and a rather handy tool at that; so it is sad to see it being used in this way.
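To make the "is the firmware writable?" check concrete, here is an added example that is not code from the original post or from the Trickbot module itself. It decodes the Intel PCH registers that both the malware's reconnaissance and CHIPSEC's common.bios_wp module consult: the BIOS Control register (BIOSWE, BLE, SMM_BWP), the SPI Protected Range registers PR0-PR4, and the FLOCKDN bit in HSFS that locks those ranges. On a real machine the values would come from RwDrv.sys or CHIPSEC; the register values and the BIOS region layout below are constructed sample data so it runs offline, and the three-way verdict (WRITABLE, WEAK, PROTECTED) is this example's own policy, not something the page states.

```python
"""Decode Intel PCH SPI flash write-protection registers and decide whether
the BIOS region is writable from the host OS.  Added example; register
values are constructed, not read from hardware."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple

# BIOS Control register (BIOS_CNTL) bits on Intel PCH.
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = host software may write the BIOS region
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: BIOS-region writes only honoured from SMM

# SPI Protected Range registers (PR0-PR4): 13-bit page numbers (addr >> 12).
PR_WPE = 1 << 31          # Write Protection Enable for this range
PR_LIMIT_SHIFT = 16       # bits 28:16 = limit page, bits 12:0 = base page
PR_FIELD_MASK = 0x1FFF

# Hardware Sequencing Flash Status register: FLOCKDN locks PRx until reset.
HSFS_FLOCKDN = 1 << 15


@dataclass(frozen=True)
class FlashRange:
    base: int
    limit: int  # inclusive flash address


def decode_pr(reg: int) -> Optional[FlashRange]:
    """Range a PRx register write-protects, or None if WPE is clear."""
    if not reg & PR_WPE:
        return None
    base = (reg & PR_FIELD_MASK) << 12
    limit = (((reg >> PR_LIMIT_SHIFT) & PR_FIELD_MASK) << 12) | 0xFFF
    return FlashRange(base, limit)


def ranges_cover(ranges: List[FlashRange], region: FlashRange) -> bool:
    """True if the union of `ranges` covers every byte of `region`."""
    cursor = region.base
    for r in sorted(ranges, key=lambda r: r.base):
        if r.base > cursor:
            break                      # a gap before this range: not covered
        if r.limit >= cursor:
            cursor = r.limit + 1
        if cursor > region.limit:
            return True
    return cursor > region.limit


def assess_bios_write_protection(bios_cntl: int, hsfs: int, pr_regs: List[int],
                                 bios_region: FlashRange) -> Tuple[str, List[str]]:
    """Return (verdict, findings); verdict is WRITABLE, WEAK or PROTECTED."""
    findings: List[str] = []
    bioswe, ble, smm_bwp = bool(bios_cntl & BIOSWE), bool(bios_cntl & BLE), bool(bios_cntl & SMM_BWP)
    flockdn = bool(hsfs & HSFS_FLOCKDN)
    if bioswe:
        findings.append("BIOSWE=1: BIOS region writes are enabled")
    if not ble:
        findings.append("BLE=0: BIOSWE can be set at will by the host")
    if not smm_bwp:
        findings.append("SMM_BWP=0: writes are not restricted to SMM")
    pr_ranges = [r for r in map(decode_pr, pr_regs) if r is not None]
    pr_covered = ranges_cover(pr_ranges, bios_region)
    if not pr_covered:
        findings.append("PR0-PR4 do not cover the whole BIOS region")
    elif not flockdn:
        findings.append("FLOCKDN=0: protected ranges can be cleared by the host")
    # Example policy: BC lock with SMM_BWP, or locked PRs covering the region, is solid.
    if ble and not bioswe and smm_bwp:
        return "PROTECTED", findings
    if pr_covered and flockdn:
        return "PROTECTED", findings
    if (ble and not bioswe) or pr_covered:
        return "WEAK", findings       # some protection, but bypassable configuration
    return "WRITABLE", findings


# Constructed sample: 16 MB flash with the BIOS region in the upper 8 MB.
BIOS_REGION = FlashRange(0x800000, 0xFFFFFF)
SAMPLE_PR_FULL = 0x8FFF0800     # WPE, pages 0x800..0xFFF = whole BIOS region
SAMPLE_PR_PARTIAL = 0x8FFF0A00  # WPE, pages 0xA00..0xFFF = leaves 0x800000-0x9FFFFF open

if __name__ == "__main__":
    for label, bc, hsfs, prs in [
        ("no protection", BIOSWE, 0, [0] * 5),
        ("BC locked + SMM_BWP", BLE | SMM_BWP, 0, [0] * 5),
        ("BLE without SMM_BWP", BLE, 0, [0] * 5),
        ("PR covers region, locked", BIOSWE, HSFS_FLOCKDN, [SAMPLE_PR_FULL, 0, 0, 0, 0]),
        ("PR covers region, unlocked", BIOSWE, 0, [SAMPLE_PR_FULL, 0, 0, 0, 0]),
        ("PR partial", BIOSWE, HSFS_FLOCKDN, [SAMPLE_PR_PARTIAL, 0, 0, 0, 0]),
    ]:
        verdict, notes = assess_bios_write_protection(bc, hsfs, prs, BIOS_REGION)
        print(f"{label:28s} -> {verdict}: {'; '.join(notes) or 'ok'}")
```

The same decoding is what you get, with real register reads, from `chipsec_main -m common.bios_wp`, which is the sensible way to find out whether your own boxes would pass Trickbot's audition.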
This is bad news, as not only is this new attack vector incredibly difficult to detect, it will be even harder to remove. With just a wee bit of code added to your firmware it could serve as a perpetual source of reinfection: remove it from your OS as often as you wish and it will reappear after every reboot, until the firmware itself is reflashed from a clean image. It could equally just wipe or corrupt the firmware, which would make your next reboot your last one.
Here's hoping properly locked-down UEFI firmware becomes commonplace before this new attack does! In the meantime it is worth checking your own machines with CHIPSEC's common.bios_wp module, which reads the same write-protection registers Trickbot is now looking at and tells you whether they are set.