Security researchers at ESET have reported the discovery of the first Unified Extensible Firmware Interface (UEFI) rootkit in the wild, called LoJax.
According to the report, LoJax installs itself into the flash memory that holds the UEFI firmware and executes malicious software as the computer boots up – before the operating system is loaded.
UEFI is intended to be the successor to BIOS. When combined with Secure Boot, it is meant to protect against rootkit attacks.
ESET’s report states that having Secure Boot disabled is what allowed the LoJax rootkit to be installed.
“[The] UEFI rootkit is not properly signed, so the first security mechanism that could have blocked such an attack is Secure Boot. When Secure Boot is enabled, each and every firmware component that is loaded by the firmware needs to be properly signed, thus ensuring the integrity of the firmware.”
The security researchers strongly recommended that Secure Boot be enabled in the UEFI configuration.
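The recommendation above is only useful if an administrator can verify it. The following Python script is an added example, not code from ESET's report: it checks whether Secure Boot is actually enforcing on a Linux host. It assumes the Linux efivarfs layout, where each UEFI variable is exposed as a file whose first four bytes are the variable attributes and the rest is the value, and it reads the `SecureBoot` and `SetupMode` variables under the EFI global variable GUID. The byte strings in the comments are constructed sample values.

```python
"""Check whether UEFI Secure Boot is enabled and enforcing on a Linux host.

Added example, not from ESET's report. Assumes the Linux efivarfs layout:
each variable file starts with a 4-byte attribute header followed by the
variable's value. SecureBoot and SetupMode are 1-byte variables stored under
the EFI global variable GUID.
"""
from pathlib import Path
from typing import Optional

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar_value(raw: bytes) -> bytes:
    """Strip the 4-byte attribute header efivarfs prepends to each variable.

    Constructed sample: b"\\x06\\x00\\x00\\x00\\x01" -> b"\\x01"
    """
    if len(raw) < 4:
        raise ValueError("efivarfs record too short to contain attributes")
    return raw[4:]


def secure_boot_state(secure_boot_raw: bytes, setup_mode_raw: bytes) -> dict:
    """Interpret the two variables.

    Unsigned firmware components are only blocked when SecureBoot == 1 AND
    SetupMode == 0. In setup mode the signature databases are writable and
    enforcement is off, so SecureBoot == 1 on its own is not enough.
    """
    sb = parse_efivar_value(secure_boot_raw)
    sm = parse_efivar_value(setup_mode_raw)
    if not sb or not sm:
        raise ValueError("variable has no value byte")
    secure_boot = sb[0] == 1
    setup_mode = sm[0] == 1
    return {
        "secure_boot": secure_boot,
        "setup_mode": setup_mode,
        "enforcing": secure_boot and not setup_mode,
    }


def read_host_state() -> Optional[dict]:
    """Read the live variables from efivarfs.

    Returns None when the machine was not booted via UEFI (no efivarfs), when
    efivarfs is not mounted, or when the variables cannot be read.
    """
    sb_path = EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}"
    sm_path = EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE_GUID}"
    try:
        return secure_boot_state(sb_path.read_bytes(), sm_path.read_bytes())
    except (FileNotFoundError, PermissionError, ValueError):
        return None


if __name__ == "__main__":
    state = read_host_state()
    if state is None:
        print("No UEFI variables readable: legacy BIOS boot or efivarfs unavailable")
    elif state["enforcing"]:
        print("Secure Boot is enabled and enforcing")
    else:
        print(f"Secure Boot is NOT enforcing: {state}")
```

Run it as root (efivarfs may restrict reads) on a UEFI-booted Linux machine; a result of `secure_boot=True, setup_mode=True` is the case administrators most often miss, since the firmware menu may show Secure Boot as "on" while the platform is still in setup mode and signatures are not checked.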
“Some UEFI rootkits have been presented as proofs of concept, some are known to be at the disposal of governmental agencies,” ESET said.
“However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group.”
Sednit is also known as Fancy Bear and has been associated with espionage around the world – including attacks on the Democratic National Committee in the US.
The group is believed to be state-sponsored and has been linked to the Russian government.