
FinFisher Malware Hijacks Windows Boot Manager With UEFI Bootkit

Commercially developed FinFisher malware now can infect Windows devices using a UEFI bootkit that it injects in the Windows Boot Manager.

FinFisher (also known as FinSpy and Wingbird) is a surveillance solution developed by Gamma Group that also comes with malware-like capabilities often found in spyware strains.

Its developer says it’s sold exclusively to government agencies and law enforcement worldwide, but cybersecurity firms have also detected it while being delivered via spearphishing campaigns and the infrastructure of Internet Service Providers (ISPs).

Evasiveness and persistence powerhouse 

“During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one,” Kaspersky researchers revealed today.

“This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence.”

UEFI (Unified Extensible Firmware Interface) firmware allows for highly persistent bootkit malware because it is stored in SPI flash soldered to the computer’s motherboard, so it cannot be removed by replacing the hard drive or even by reinstalling the OS.

Bootkits are malicious code planted in the firmware invisible to security solutions within the operating system since it’s designed to load before everything else, in the initial stage of a device’s booting sequence.

They give attackers control over the operating system’s boot process and make it possible to sabotage OS defences by bypassing the Secure Boot mechanism, depending on the system’s boot security mode (enabling “full boot” or “thorough boot” mode would block the malware, as the NSA explains).

Publicly documented attacks and malware using bootkits in the wild are extremely rare: LoJax, used by the Russian-backed APT28 hacker group; MosaicRegressor, deployed by Chinese-speaking hackers; TrickBot’s TrickBoot module; and Moriya, which Chinese-speaking threat actors likely used for espionage since 2018.

“While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine,” the researchers added.
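Because the infection described above swaps the Windows Boot Manager on the EFI System Partition (ESP) rather than the firmware itself, a defender can look for it from inside Windows. The following PowerShell check is an added example, not part of the article or Kaspersky’s report: it mounts the ESP, verifies the Authenticode signature of bootmgfw.efi, compares its hash with the servicing copy Windows keeps under %SystemRoot%\Boot\EFI, and reports whether Secure Boot is on. The drive letter S: is an assumption; the script must run from an elevated session on a UEFI machine.

```powershell
# Added example (not from the article or Kaspersky's report): inspect the
# Windows Boot Manager on the ESP for signs of replacement.
# Assumptions: elevated PowerShell, UEFI firmware, S: is a free drive letter.

$EspLetter  = 'S:'
$EspBootMgr = "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"
$RefBootMgr = "$env:SystemRoot\Boot\EFI\bootmgfw.efi"   # copy bcdboot installs from

# Expose the ESP under a drive letter (mountvol /S is the documented way)
mountvol $EspLetter /S
try {
    if (-not (Test-Path $EspBootMgr)) { throw "No boot manager found at $EspBootMgr" }

    # 1. Signature: a swapped-in boot manager will not carry a valid Microsoft signature
    $sig = Get-AuthenticodeSignature -FilePath $EspBootMgr
    [pscustomobject]@{
        Check  = 'Authenticode signature'
        Result = $sig.Status
        Detail = $sig.SignerCertificate.Subject
    }

    # 2. Hash: compare the ESP copy with the servicing copy shipped with Windows
    $espHash = (Get-FileHash -Algorithm SHA256 -Path $EspBootMgr).Hash
    $refHash = (Get-FileHash -Algorithm SHA256 -Path $RefBootMgr).Hash
    [pscustomobject]@{
        Check  = 'SHA256 matches servicing copy'
        Result = if ($espHash -eq $refHash) { 'Match' } else { 'MISMATCH - investigate' }
        Detail = $espHash
    }

    # 3. Secure Boot: with it disabled an unsigned boot manager loads without complaint
    [pscustomobject]@{
        Check  = 'Secure Boot enabled'
        Result = Confirm-SecureBootUEFI
        Detail = $null
    }
}
finally {
    # Always unmount the ESP again, even if a check threw
    mountvol $EspLetter /D
}
```

A hash mismatch on its own is not proof of tampering, since the ESP copy can lag the servicing copy after updates; an invalid or non-Microsoft signature on bootmgfw.efi is the stronger indicator and warrants an offline image of the ESP before any remediation.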

Older computers that don’t come with UEFI support were infected using a similar tactic, through the MBR (Master Boot Record) with a bootkit first detected in 2014.

Advanced obfuscation and anti-analysis measures

For other malware samples used in the attacks analyzed by Kaspersky, the spyware’s developers also used four layers of obfuscation and anti-analysis measures designed to make FinFisher one of the “hardest-to-detect spywares to date.”

Their efforts were highly effective since the malware samples could evade almost any detection attempt and were virtually impossible to analyze (every sample spotted by Kaspersky required “overwhelming” amounts of work to unscramble).

“The amount of work put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive,” added Igor Kuznetsov, principal security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).

“It seems like the developers put at least as much work into obfuscation and anti-analysis measures as in the Trojan itself. As a result, its capabilities to evade any detection and analysis make this spyware particularly hard to track and detect.”

You can find further details and indicators of compromise (IOCs) related to FinFisher’s Windows, Linux, and macOS infection vectors at the end of Kaspersky’s report.
