Imagine wiping your computer clean, thinking you’ve washed away every digital threat. But what if the infection persisted, hidden deep within the very core of your system? That’s the chilling reality of bootkits, a class of malware that burrows into the foundational firmware, surviving even after a factory reset.

In 2018, LoJax, one of the first publicly discovered UEFI rootkits was attributed by Trend Micro to threat actor APT28 (aka Fancy Bear).  LoJax demonstrated an alarming level of sophistication. This malware, capable of embedding itself deep within the UEFI firmware, challenged the very notion of a ‘clean system’. LoJax’s ability to persist even after hard drive replacements and OS reinstallation underlined a new era in persistent threats.

LoJax’s modus operandi involved rewriting the UEFI’s flash memory, which typically requires administrative privileges. Presumably it would be combined with zero day vulns that would escalate privilege to local administrator. Once installed, it granted attackers persistent access to the infected system, enabling them to execute malicious code at a deeply embedded level, outside the reach of traditional antivirus solutions and even OS-level security measures.

In March 2023, BlackLotus, another formidable player in the bootkit arena, was found being sold on hacking forums for $5,000, dating back to October 2022. It exploits CVE-2022-21894 to bypass UEFI Secure Boot and establish persistence. Although Microsoft patched the vulnerability in their January 2022 update, exploitation remained feasible as the affected, validly signed binaries had not been added to the UEFI revocation list. Once installed, BlackLotus deploys a kernel driver to shield the bootkit from removal and an HTTP downloader for communication with its command and control (C&C) servers, capable of loading additional payloads.

So, how do we outsmart these stealthy intruders? Here are your weapons of choice:

Understanding the Battlefield:

1. UEFI Secure Boot: This is still your first line of defense. This technology verifies the legitimacy of code before executing it during startup, preventing unauthorized programs like bootkits from taking root. While not foolproof, it’s a significant wall to scale. You can create an Intune Compliance policy that requires all systems must have Secure Boot enabled. While this would not have prevented Lojax or BlackLotus, it increases the cost and effort for attackers to bypass this safeguard.

2. Regular Firmware Updates: Patching vulnerabilities in your BIOS/UEFI firmware is crucial. Tools like Windows Autopatch (managed by Intune) can automate this process, keeping your system fortified against known exploits.
Browse to Intune.Microsoft.com, Devices > Driver updates for Windows 10 and later.

3. UEFI Scanners: Some antivirus programs, like Microsoft Defender, offer scanners for UEFI threats, searching for hidden malware in the deepest corners of your system. Microsoft introduced their embedded scanner inside Defender back in June 2020, learn more here.

Beyond Fortification: Intelligent Vigilance

1. Behavioral Anomaly Detection: Monitor outbound network traffic for anomalies. Such anomalies could indicate compromised firmware attempting to communicate with its command and control servers.

2. Threat Hunting: Employ dedicated personnel or tools to scan for suspicious processes and network connections. Cobalt Strike, a tool used by both security researchers and cybercriminals, is difficult to detect but not impossible. Look for suspicious processes (“winlogon.exe”, “rundll32.exe”, etc.) opening network connections to public IP addresses (see additional guidance here and here). Even in a dll side-loading attack, if Microsoft Teams is suddenly communicating with a CDN network out of the usual, that could be an indicator of compromise.

3. Application Allow-listing: This proactive approach restricts application execution to only pre-approved programs, potentially preventing bootkits from infiltrating in the first place. Patriot has a webinar on this topic on January 16th, 2024 here, also available to watch on-demand later.
Agenda:

1) AppLocker – Finally free after 14 years
2) Defender Application Control – It’s complicated…
3) AppLocker vs Defender Application Control – how about both?
4) Smart App Control – Not as smart as you want it to be
5) App Control for Business – Is this the promised land?

Remember:

– These advanced bootkits might exploit zero-day vulnerabilities, bypassing even non-admin users when chained with other exploits that escalate privs.
– Stay informed about emerging threats and keep your security arsenal updated.
– Vigilance is key. Don’t assume a clean system is completely safe.