Sunday, December 29, 2024
HomeCyber Security News"Bootkitty" - A First Ever UEFI Bootkit Attack Linux Systems

“Bootkitty” – A First Ever UEFI Bootkit Attack Linux Systems

Published on

SIEM as a Service

Cybersecurity researchers have uncovered the first-ever UEFI bootkit designed to target Linux systems.

This discovery, named ‘Bootkitty’, marks a new chapter in UEFI threats, which have predominantly targeted Windows systems until now.

The UEFI (Unified Extensible Firmware Interface) threat landscape has seen considerable evolution over the past decade.

- Advertisement - SIEM as a Service

Evolution of UEFI Threats

Initially, in 2012, the first proof-of-concept UEFI bootkit was presented by Andrea Allievi. Since then, several proof-of-concept bootkits such as EfiGuard, Boot Backdoor, and UEFI-bootkit have emerged.

However, it wasn’t until 2021 that the first real-world UEFI bootkits, ESPecter and FinSpy, were discovered. In 2023, the BlackLotus bootkit further raised the stakes by bypassing UEFI Secure Boot on up-to-date systems.

Bootkitty represents a new class of UEFI threats by specifically targeting Linux systems, starting with certain versions of Ubuntu.

UEFI Bootkit
Bootkitty execution overview

Unlike its predecessors, which exclusively targeted Windows, Bootkitty disables the Linux kernel’s signature verification feature.

The bootkit employs a self-signed certificate, making it incapable of running on systems with UEFI Secure Boot enabled unless attacker certificates are installed.

Technical Insights

Bootkitty’s primary objective is to patch the Linux kernel in memory, circumventing integrity verifications before the GRUB bootloader is executed.

This method limits its functionality to specific configurations due to its use of hardcoded byte patterns for patching.

ESET Detailed analysis reveals that Bootkitty attempts to preload ELF binaries via the Linux init process.

Additionally, a possibly related unsigned kernel module, BCDropper, was discovered.

This module is suspected to have been developed by the same authors and is responsible for loading another unknown kernel module.

While Bootkitty currently appears to be more of a proof-of-concept rather than a fully operational threat, its existence underscores the potential expansion of UEFI bootkits to Linux systems.

Bootkitty modifies kernel version and Linux banner strings, which can be detected using the uname -v and dmesg commands.

System administrators are advised to ensure that UEFI Secure Boot is enabled and that system firmware and operating systems are up-to-date.

A simple corrective action involves restoring the legitimate GRUB bootloader file to its original location to mitigate Bootkitty’s effects.

The emergence of Bootkitty signals a significant shift in UEFI bootkit threats, highlighting the need for vigilance in securing Linux systems against potential future threats.

This development serves as a critical reminder of the evolving nature of cybersecurity threats and the importance of robust security measures.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

SHA-1FilenameDetectionDescription
35ADF3AED60440DA7B80F3C452047079E54364C1bootkit.efiEFI/Agent.ABootkitty UEFI bootkit.
BDDF2A7B3152942D3A829E63C03C7427F038B86Ddropper.koLinux/Rootkit.Agent.FMBCDropper.
E8AF4ED17F293665136E17612D856FA62F96702DobserverLinux/Rootkit.Agent.FMBCObserver.
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a...

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms...

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms...

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo...