BlackLotus: UEFI malware that can bypass Secure Boot defenses
BlackLotus is a Unified Extensible Firmware Interface (UEFI) bootkit recently discovered by the cybersecurity company ESET. Compared with traditional malware, BlackLotus is harder to detect and remove because it can bypass many existing security protection measures, including antivirus software, kernel protection, Secure Boot, and system integrity checks.
The developers of BlackLotus sell it commercially for activities such as cyber espionage and cybercrime. However, the method through which this malware spreads remains unclear due to its stealthiness. ESET discovered this malware using fuzzing, which simulates thousands of scenarios that attackers might use in order to uncover vulnerabilities and risks.
As a UEFI bootkit malware, BlackLotus installs a malicious code segment in the UEFI firmware to replace the original bootloader. Since UEFI is the low-level software that connects the firmware with the operating system, including the boot process, PCs infected with BlackLotus can have their operating system fully controlled by the malware. BlackLotus can exist for a long period of time without being detected by the operating system and traditional antivirus software.
Sangfor FarSight Labs continuously tracks new attack techniques and toolkits used by threat actors in the latest attacks worldwide. FarSight Labs has published many technical articles related to rootkits and analyzed this new type of UEFI bootkit malware.
PyTorch suffers from a supply chain attack, highlighting the supply chain threats faced by cloud computing platforms
Supply chain attacks are one of the primary attack methods used by Advanced Persistent Threat (APT) groups. This method of attack mainly targets specific enterprises and users, and the most common type is software supply chain attacks.
Software supply chain attacks can be further classified into those based on software source code, open-source software packages, and software development tools. Among the three types, attacks based on software source code are the hardest to detect, have the greatest level of technical difficulty, and cause the most damage. Attacks based on open-source software packages and software development tools are relatively easy to implement.
In January 2021, Sangfor FarSight Labs revealed that the Lazarus APT group carried out supply chain attacks based on software development tools by setting pre-build event commands in Visual Studio (VS) projects. When an infected project was built in VS, the pre-build event called rundll32 to execute the malicious 64-bit DLL file attached to the project. The Lazarus APT group leveraged this method to target security researchers and steal their research data on zero-day vulnerabilities.
Recently, the proof of concept (POC) of the attack has been disclosed, and Sangfor FarSight Labs promptly tracked and analyzed the POC. Sangfor FarSight Labs is committed to studying the attack techniques of various APT groups, including in-depth analysis of software supply chain attacks, especially those based on open-source software packages and software development tools.
3CX, a global provider of software-based communication solutions for businesses, fell victim to a serious supply chain attack, affecting more than 10 million users
On March 30, 3CX released a security alert that disclosed a vulnerability (CVE-2023-29059) in its DesktopApp. It was revealed that when 3CX built its voice over Internet Protocol (VoIP) desktop client on Git, the client was injected with malicious code that was signed with a legitimate 3CX Ltd certificate issued by Sectigo and timestamped by DigiCert.
3CX’s products and services serve more than 160 countries and over 600,000 enterprises worldwide, with over 12 million daily active users. The impact of this supply chain attack, therefore, was enormous.
The supply chain attack was highly stealthy, and the earliest intrusion dates back to the end of last year. Attackers tampered with the latest software installation programs for Windows and Mac to deliver additional malware to users' computers to steal information. Analysis by Sangfor FarSight Labs showed that the characteristics of the trojan samples used in the attacks are consistent with those of the Lazarus group.
Suspected attacks by the Kasablanka group targeting Azerbaijan and Uzbekistan
During 2022 and thus far in 2023, Sangfor FarSight Labs detected multiple phishing attacks suspected of being carried out by the Kasablanka group. These attacks were concentrated in the Middle East, Central Asia, and Eastern Europe, mainly targeting the foreign affairs departments of Azerbaijan and Uzbekistan as well as other departments.
These phishing attacks were slightly different from typical phishing attacks. Targets were sent a malicious macro document, which ran a command to open the phishing webpage in the browser to trick the target into entering their credentials. In addition to stealing email credentials through phishing, the group also delivered a variety of trojans to attack their targets.
Analysis of attack motives showed that this group is driven by information collection and cyber espionage and is suspected of being a state-backed hacker group. Analysis of the group’s tools showed that the attacks leveraged a large number of trojans that were written in Python and communicated using Telegram. Trojans that communicate using Telegram have been ever-present on cybercrime forums, and their developers are likely to be participants in the underground economy.
BYOVD: exploiting vulnerable drivers to weaken defenses with the highest privileges
Bring Your Own Vulnerable Driver (BYOVD) attacks abuse drivers with known vulnerabilities to obtain kernel-level privileges and execute malicious code. This technique has recently gained popularity among prominent threat actors. Thanks to the continuous public disclosure of intelligence and the maturing of open-source tooling, this technique has evolved from being used exclusively by advanced APTs, like the Equation Group, into a common and widely available method of attack.
The notorious North Korean Lazarus Group has repeatedly exploited vulnerable drivers to carry out targeted attacks. These include exploiting the vulnerable Dell DBUtil driver in attacks against KLM Royal Dutch Airlines as well as Belgian journalists. In attacks targeting South Korean financial institutions, Lazarus leveraged the BYOVD technique to disable the AhnLab V3 anti-malware engine.
The Scattered Spider group also leveraged the BYOVD technique to embed two pieces of malware called TinyPosh and TinyNode in attacks to steal confidential information and mine cryptocurrency. By exploiting Windows driver vulnerabilities, TinyPosh and TinyNode maintained persistence in the system and bypassed traditional security monitoring methods.
AhnLab Security Emergency Response Center (ASEC) discovered attacks that leveraged a vulnerability in the Sunlogin remote control software to distribute the Sliver toolkit. Employing the BYOVD technique, attackers exploited the trusted yet vulnerable game driver mhyprot2.sys to successfully disable security software.
Microsoft announced in October 2022 that it would fix the synchronization issue with the Windows vulnerable driver blocklist. In Windows 11 and above, users can confirm that the Microsoft vulnerable driver blocklist is enabled by going to Windows Security > Device security and clicking the Core isolation details option under the Core isolation section. In Windows 10, users can manually download and install the tool and apply the vulnerable driver blocklist by referring to the section "Steps to download and apply the vulnerable driver blocklist binary" on the following page.
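As an added example (not code from the article or from Sangfor), the following PowerShell script performs the same check from the command line: it reports whether the vulnerable driver blocklist policy and HVCI (memory integrity) are active, then flags any registered driver whose file name appears on a watchlist. It assumes the registry value name Microsoft documents for the blocklist policy; the watchlist is constructed for illustration (mhyprot2.sys is named in the article, dbutil_2_3.sys is the Dell DBUtil driver file).

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell
# session for complete driver enumeration.

function Get-VulnerableDriverBlocklistStatus {
    # Assumed: this is the documented policy value for the Microsoft blocklist.
    # Absent value = OS default (enabled by default on recent Windows 11 builds).
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $policy   = Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue
    $value    = $policy.VulnerableDriverBlocklistEnable

    # HVCI enforces the blocklist regardless of the policy value; id 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    [pscustomobject]@{
        BlocklistPolicyValue = if ($null -eq $value) { 'not set (OS default)' } else { $value }
        BlocklistEnforced    = ($value -eq 1) -or $hvciRunning
        HvciRunning          = $hvciRunning
    }
}

function Find-WatchlistedDrivers {
    param(
        # Constructed watchlist; extend it with names from Microsoft's published blocklist.
        [string[]]$Watchlist = @('mhyprot2.sys', 'dbutil_2_3.sys')
    )
    # Win32_SystemDriver lists drivers registered as services, running or not.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $file = [System.IO.Path]::GetFileName($_.PathName)
            if ($Watchlist -contains $file) {      # -contains is case-insensitive
                [pscustomobject]@{
                    Name    = $_.Name
                    File    = $file
                    State   = $_.State
                    Started = $_.Started
                    Path    = $_.PathName
                }
            }
        }
}

Get-VulnerableDriverBlocklistStatus
Find-WatchlistedDrivers | Format-Table -AutoSize
```

Note that this only sees drivers still registered as services; a driver that was loaded, used and removed leaves no trace here and must be caught from driver-load telemetry (for example Sysmon Event ID 6) or EDR logs.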
Sangfor FarSight Labs continuously tracks and carries out in-depth analysis of BYOVD techniques used in real-world attacks to keep up to date with the evolving techniques used by various APT groups in order to keep our users safe.