This week, Kaspersky Labs published MosaicRegressor: Lurking in the Shadows of UEFI. The MosaicRegressor Malware Framework uses the Unified Extensible Firmware Interface — the software interface between an operating system and a platform’s firmware. It enables malware to be permanently installed on a device’s motherboard, such that neither rebooting, reinstalling the operating system, nor replacing the hard drive is effective. Experts with Gurucul and Point3 Security offer perspective.
There’s been some speculation on who’s behind this particular malware but unless and until it’s confirmed by a US governmental agency, we cannot say that this malware constitutes a foreign government’s attack. There are four types of cyber attackers: individual attackers; groups and syndicates who together work towards profit, disinformation, or to obtain information but are not hired by a state agency; and groups that are either part of or hired by state agencies – usually either for spying or for cyber-attacks. The fourth group are competitors seeking their intended victim’s intellectual property or to cause it some other harm in an acutely targeted havoc. The Kaspersky report cites evidence of a Chinese speaker in the code of this malware, but offers no proof of specific affiliations or intent.
We still don’t know until a US government agency confirms whether this is a single person, a group, or a state-sponsored entity. Especially given all of the current political dialog around COVID-19, it’s important to stand back and proactively avoid speculation and potential misinformation about the attacker’s nationality and objectives.
This malware operates by getting into the system’s motherboard and it is reinstated every time the system is rebooted. For some malware, a hard reset works, but other more pernicious malware requires the user to move to an entirely new device. This isn’t unusual; this new phase of ultra-persistent cyber-attack started some time ago. The scary thing is that this type of malware is assumed to be new – it’s not.
This software was attacking NGOs, organizations that work so hard to improve our world. When they’re attacked, the information taken can be personal and private, because it deals with the identities of front-line workers and can put their wellbeing and even their lives at risk. And because NGOs are limited on funding usually, they typically can’t afford the greatest security. They’re not just desirable targets – they’re also easy targets.
The ability to embed malware in the UEFI (Unified Extensible Firmware Interface) has existed for several years. While the technique is not used often, it gives malicious actors a powerful tool to maintain persistence on an infected host.
The infection reported by Kaspersky Labs has all the earmarks of a state-sponsored actor, but that is not to say that criminal organizations won’t leverage the same techniques. Though it is difficult to detect these infections, they do exhibit some telltale behaviors that advanced behavioral analytics tools can identify. With the right tools in place, the Security Operations team should be able to identify and remediate even this sophisticated threat.