fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New MoonBounce UEFI Malware Used by APT41 in Targeted Attacks

New MoonBounce UEFI Malware Used by APT41 in Targeted Attacks

Security analysts have discovered and linked MoonBounce, “the most advanced” UEFI firmware implant found in the wild so far, to the Chinese-speaking APT41 hacker group (also known as Winnti).

APT41 is a notorious hacking group that has been active for at least a decade and is primarily known for its stealthy cyber-espionage operations against high-profile organizations from various industry sectors.

The discovery of MoonBounce is the work of researchers at Kaspersky, who have published a detailed technical report on their findings.

Also Read: Got A Notice of Data Breach? Don’t Panic!

A sophisticated UEFI implant

UEFI (Unified Extensible Firmware Interface) is a technical specification that helps interface operating system (OS) and firmware software in computer systems.

Being able to plant malicious code called “UEFI bootkit,” in the firmware is an excellent way to remain hidden from AVs and any security tools running on the OS level.

This has been done multiple times before, with two recent examples being the FinFisher malware and the ESPecter backdoor.

Generally, these tools hijack the booting sequence and initialize before the OS security components. They are very persistent because they nest in areas that can’t be erased, like a reserved space on the disk.

In the case of MoonBounce, the implanting location is on the SPI flash memory of the motherboard, so not even a hard disk replacement can uproot it.

The laced firmware component is CORE_DXE, which is called during the early phase of the UEFI boot sequence.

Overview of MoonBounce functions
Overview of MoonBounce functions
Source: Kaspersky

“The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx, and ExitBootServices,” explains Kaspersky in the report.

Also Read: A Review of PDPC Undertakings July 2021 Cases

“Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader.”

“This multistage chain of hooks facilitates the propagation of malicious code from the CORE_DXE image to other boot components during system startup, allowing the introduction of a malicious driver to the memory address space of the Windows kernel.”

This driver runs during the OS kernel initiation and injects the malware into an svchost.exe process. The malware has fully initialized as soon as the computer is up and running.

Next, it communicates to a hardcoded C2 URL address and attempts to fetch the next stage payload, which will run in memory.

Kaspersky couldn’t retrieve that payload for analysis or figure out how exactly the actors infected the UEFI firmware in the first place.

Campaign targets and goals

The telemetry data reveals that these attacks were highly targeted, and Kaspersky only detected the firmware rootkit in a single case.

Timeline of infection on the compromised firm
Timeline of infection on the compromised firm
Source: Kaspersky

However, Kaspersky found multiple malware samples and loaders in other machines in the same network, but those were non-UEFI implants.

Examples include the Microcin backdoor, the Mimikat credential stealer, the Go implant, the StealthMutant loader, and the ScrambleCross malware.

Infrastructure diagram linking ScrambleCross with MoonBounce
Infrastructure diagram linking ScrambleCross with MoonBounce
Source: Kaspersky

As for who was targeted, the security firm mentions an organization in control of several enterprises dealing with transportation technology.

The adversaries’ main goal was to establish a lengthy foothold within the network and conduct cyber-espionage by exfiltrating valuable data to the C2 server.

In this context, the APT41 operators performed analytical network reconnaissance and moved laterally where possible while at the same time wiping traces of their malicious activity.

APT41 still going strong

Kaspersky found plenty of evidence linking MoonBounce to APT41, ranging from the deployment of the ScrambleCross malware itself to unique certificates retrieved from its C2 servers which match previous FBI reports on APT41 activity.

While the U.S. Department of Justice identified and charged five APT41 members in September 2020, the existence of MoonBounce and the operation around it proves the threat actors weren’t discouraged by the legal pressure.

APT41 remains a sophisticated threat actor who can develop evasive tools that bypass even the most impenetrable corporate networks.

With UEFI threats now getting more traction, Kaspersky advises potential to take the following measures to defend against attackers using MoonBounce or similar malware:

  • Enable Secure Boot by default
  • Update firmware regularly
  • Verify that BootGuard is enabled
  • Enable Trust Platform Modules

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us