A rootkit has been found inside Asus & Gigabyte UEFI firmware. The method of infection is currently unknown
Map of currently known infected devices
…Hackers have been using, since at least 2016, malware that lies… undetected in the firmware images for some motherboards… a UEFI rootkit. Researchers at… Kaspersky called it CosmicStrand, but an earlier variant of the threat was discovered by… Qihoo360, who named it Spy Shadow Trojan. It is unclear how the threat actor managed to inject the rootkit into the firmware images… but researchers found the malware on machines with ASUS and Gigabyte motherboards.
The… UEFI… is what connects a computer’s operating system with the firmware of the underlying hardware. UEFI code is the first to run during a computer’s booting sequence, ahead of the operating system and the security solutions available. Malware planted in the UEFI firmware image is not only difficult to identify but is also extremely persistent, as it cannot be removed by reinstalling the operating system or by replacing the storage drive. Mark Lechtik, who was involved in the research, explains that the compromised firmware images came with a modified CSMCORE DXE driver. Kaspersky was able to determine that the CosmicStrand UEFI rootkit was lodged in firmware images of Gigabyte or ASUS motherboards that have in common designs using the H81 chipset. It is unclear how the implant was placed on the infected computers. Victims identified by Kaspersky also provide few clues…; the identified infected systems belong to private individuals in China, Iran, Vietnam, and Russia that could not be linked to an organization or industry. The first widespread report about a UEFI rootkit found in the wild, LoJax, came in 2018 from ESET. Almost four years later, accounts of UEFI malware attacks in the wild have grown more frequent, and it wasn’t just advanced hackers exploring this option:
It looks like we’re eventually going to need a UEFI anti-malware, as UEFI rootkits are slowly ramping up in usage. Although, knowing manufacturers, they’d probably lock the firmware updates to actual UEFI chips you swap out with a newer version like in the olden days. Regardless, these attacks are continuing, and there’s no easy way to detect them within the OS as is.
Bleeping Computer (quote source)
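The article notes that the implant was a modified CSMCORE DXE driver inside the firmware image, and the comment above points out how hard that is to see from inside the OS. One defender-side check that works on a dumped SPI flash image (taken with a flash programmer or a vendor/chipsec tool, outside the running OS) is to walk the UEFI firmware volume, hash every FFS module and compare against a baseline taken from a known-good image of the same board. The example below is added here and is not code from the article, Kaspersky or any firmware vendor; it builds its own minimal firmware volume as a fixture, and the module GUIDs it uses are placeholders, not the real CSMCORE GUID.

```python
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"          # EFI_FIRMWARE_VOLUME_HEADER.Signature
FFS_HEADER_LEN = 24             # sizeof(EFI_FFS_FILE_HEADER)
EFI_FV_FILETYPE_DRIVER = 0x07   # DXE driver module type

def build_fv(files):
    """Constructed fixture: a single minimal firmware volume holding the given
    (guid, file_type, body) modules. Real images come from an SPI dump instead."""
    body = b""
    for guid, ftype, data in files:
        size = FFS_HEADER_LEN + len(data)
        hdr = uuid.UUID(guid).bytes_le + struct.pack("<HBB", 0, ftype, 0)
        hdr += size.to_bytes(3, "little") + b"\xf8"      # 24-bit Size, State byte
        body += hdr + data
        body += b"\xff" * (-len(body) % 8)               # FFS files are 8-byte aligned
    header_len = 72                                      # 56-byte header + 1 block-map entry + terminator
    fv_len = header_len + len(body)
    hdr = (b"\x00" * 16 + uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3").bytes_le  # FFS2 GUID
           + struct.pack("<Q4sIHHHBB", fv_len, FV_SIGNATURE, 0, header_len, 0, 0, 0, 2)
           + struct.pack("<II", 1, fv_len) + struct.pack("<II", 0, 0))
    return hdr + body

def iter_ffs_files(fv):
    """Yield (guid, type, body) for every FFS file in one firmware volume."""
    if fv[40:44] != FV_SIGNATURE:
        raise ValueError("not a UEFI firmware volume")
    fv_len, = struct.unpack_from("<Q", fv, 32)
    header_len, = struct.unpack_from("<H", fv, 48)
    off = header_len
    while off + FFS_HEADER_LEN <= fv_len:
        guid = uuid.UUID(bytes_le=fv[off:off + 16])
        size = int.from_bytes(fv[off + 20:off + 23], "little")
        if size < FFS_HEADER_LEN or guid.int == (1 << 128) - 1:   # erased flash / free space
            break
        yield str(guid), fv[off + 18], fv[off + FFS_HEADER_LEN:off + size]
        off += size + (-size % 8)

def diff_against_baseline(fv, baseline):
    """Report modules whose SHA-256 differs from the known-good baseline, or that the baseline lacks."""
    findings = []
    for guid, _ftype, body in iter_ffs_files(fv):
        digest = hashlib.sha256(body).hexdigest()
        if guid not in baseline:
            findings.append((guid, "unexpected"))
        elif baseline[guid] != digest:
            findings.append((guid, "modified"))
    return findings

# Constructed fixture: placeholder GUIDs standing in for the CSMCORE driver and one other module.
CSM_GUID, OTHER_GUID = "11111111-2222-3333-4444-555555555555", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CLEAN_CSM = b"clean CSMCORE driver bytes (constructed)"
clean_fv = build_fv([(CSM_GUID, EFI_FV_FILETYPE_DRIVER, CLEAN_CSM), (OTHER_GUID, EFI_FV_FILETYPE_DRIVER, b"other driver")])
BASELINE = {g: hashlib.sha256(b).hexdigest() for g, _t, b in iter_ffs_files(clean_fv)}

def demo():
    """Same volume with extra bytes appended to the CSMCORE-like module; only that module is flagged."""
    tampered = build_fv([(CSM_GUID, EFI_FV_FILETYPE_DRIVER, CLEAN_CSM + b"<appended code>"),
                         (OTHER_GUID, EFI_FV_FILETYPE_DRIVER, b"other driver")])
    return diff_against_baseline(tampered, BASELINE)   # returns [(CSM_GUID, "modified")]
```

Real images usually contain several nested volumes and compressed sections, so a production check walks them recursively (UEFITool or chipsec can extract the modules); the baseline comparison itself stays the same.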