Hacking Team RCS spyware came pre-loaded with an UEFI (Unified Extensible Firmware Interface) BIOS rootkit to hide itself on infected systems, it has emerged following the recent hacking of the controversial surveillance firm.
The stealth infection tactic, which has been revealed through leaked emails arising from last week's hack, meant that the Remote Control System (RCS) agent stayed on compromised machines even if users formatted their drives - or even swapped disks. Although designed primarily for the Insyde BIOS (a popular laptop BIOS) it might also work on AMI BIOS as well, according to security firm Trend Micro.
A PowerPoint from the leaked Hacking Team emails implies that initial infection seems to require physical access to targeted systems. Other techniques may be possible, according to Trend Micro, based on a preliminary analysis of the leaked presentation as well as an examination of a help tool for the users of Hacking Team's BIOS rootkit and other leaked data.
"A Hacking Team slideshow presentation claims that successful infection requires physical access to the target system; however, we can’t rule out the possibility of remote installation," writes Philippe Lin, a senior engineer at Trend Micro. "An example attack scenario would be: The intruder gets access to the target computer, reboots into UEFI shell, dumps the BIOS, installs the BIOS rootkit, re-flashes the BIOS, and then reboots the target system."
Various precautions to guard against this sort of attack are possible including enabling UEFI SecureFlash, updating the BIOS whenever there is a security patch and setting up a BIOS or UEFI password, As Trend Micro explains.
PC and server motherboard firmware is a particularly attractive target for hackers of various stripes because low-level p0wnage gives both persistence and stealth, as evidenced by the particulars of Hacking Team's offensive surveillance software planting tactics.
Security researchers at Trend and elsewhere have taken a particular interest in UEFI attacks over recent months. For example last month Trend spotlighted work by independent researcher Pedro Vilaca on how UEFI attacks against Mac systems might be possible. Windows systems have long been known to be potentially vulnerable to UEFI-based attacks.
Separately, security researchers Xeno Kovah and Corey Kallenberg recently warned that the poor state of low-level software security is among the easiest ways for hackers to deeply infiltrate organisations. ®