First Sednit UEFI Rootkit Unveiled

Video duration
00:40:52
Language
English
Abstract
UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level. Our talk will reveal such a campaign successfully executed by the Sednit group. We will detail the full infection chain showing how Sednit was able to install their custom UEFI module on key targets' computers. Additionally, we will provide an in-depth analysis of their UEFI module and the associated trojanized LoJack agent.

The Sednit group, an APT group also known as Fancy Bear, Sofacy and APT28, has been linked to numerous high-profile cyberattacks such as the 2016 Democratic National Committee email leak scandal.

Earlier this year, a public report stated that the infamous Sednit/Sofacy/APT28 APT group had successfully trojanized a userland LoJack agent and used it against their targets. LoJack, an embedded anti-theft application, was scrutinized by security researchers in the past because of its unusual persistence method: a module preinstalled in many computers' UEFI/BIOS firmware. Over the years, several security risks have been found in this product, but no significant in-the-wild activity was ever reported until the discovery of the Sednit group leveraging some of the vulnerabilities affecting the userland agent. However, through our research, we now know that Sednit did not stop there: they also tried to install, and succeeded in installing, a custom UEFI module directly into a system's SPI flash memory.

Talk ID
9561
Event:
35c3
Day
1
Room
Clarke
Start
1:30 p.m.
Duration
00:40:00
Track
Security
Type of
lecture
Speaker
Frédéric Vachon
Talk Slug & media link
35c3-9561-first_sednit_uefi_rootkit_unveiled
