CosmicStrand: UEFI Stands For Undetectable, Effective … Infections
In The Wild For Six Years Before It Was Noticed
It was assumed that UEFI infections, which are able to infect a system over and over again, even if you physically replace all of your storage media and reinstall your OS from scratch, were incredibly rare because security researchers could hardly find any trace of them in the wild.
Researchers from Kaspersky have released their findings on a UEFI bootkit they have dubbed CosmicStrand, which seems to have been actively infecting UEFI firmware for around six years. The rarity of UEFI infections discovered by Kaspersky, ESET and Qihoo360 led to the assumption that they were uncommon and hard to develop. It seems that a more realistic belief is that they are incredibly hard to find and that we have no idea how widespread these infections are.
CosmicStrand was found by Kaspersky’s free antivirus program on computers in China, Vietnam, Iran, and Russia. This implies that the victims are home users, as not many corporations use free versions of antivirus software. If a UEFI bootkit sat on random personal computers for at least six years without being detected, one can only wonder how advanced targeted bootkits have become since then.
As of now, none of the three security companies that have managed to detect bootkits like CosmicStrand has any insight into how they spread. Indeed, they haven’t been able to intercept the communication between an infected machine and its C&C servers, so they cannot determine what is in the payloads sent to infected machines.
What they do know is that these bootkits are able to modify the Windows kernel during boot, which means attackers can do whatever they like to an infected machine, and there is little you can do to determine whether you are infected, let alone do anything about it.
Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.