November 27, 2024 at 08:03AM
ESET researchers have identified Bootkitty, the first UEFI bootkit built for Linux systems; strings embedded in the binary attribute it to a group calling itself BlackCat. The sample is a proof of concept whose goal is to disable kernel signature verification and preload unknown ELF binaries during the Linux init process. It has not been observed in real attacks, but it shows that UEFI bootkits are no longer a Windows-only threat.
### Meeting Takeaways – Nov 27, 2024
**Topic: Bootkitty UEFI Bootkit for Linux**
1. **Introduction of Bootkitty**:
– Researchers uncovered Bootkitty, the first UEFI bootkit designed specifically for Linux systems; strings in the binary attribute it to a group calling itself BlackCat.
2. **Current Status**:
– Bootkitty is assessed to be a proof of concept (PoC) and has not been observed in any real-world attack to date.
– The sample was uploaded to VirusTotal on November 5, 2024; it is also referred to as IranuKit.
3. **Technical Details**:
– The bootkit’s objective is to disable kernel signature verification and to preload two unknown ELF binaries into the Linux init process (the loader picks them up via the LD_PRELOAD environment variable).
– It is built to boot the kernel whether UEFI Secure Boot is on or off: rather than presenting valid signatures, it patches in memory the functions that perform integrity verification (the boot loader’s image verifiers and the kernel’s module signature check) so that unsigned components are accepted. Because the bootkit itself is not trusted by the firmware, the Secure Boot path only works once an attacker-controlled certificate has been enrolled (see item 4).
4. **Potential Threat**:
– The discovery marks a significant shift in the landscape: UEFI bootkits, a class of threat so far observed only against Windows, now have a working Linux counterpart.
– Bootkitty is signed with a self-signed certificate, so on a system with Secure Boot enabled the firmware will refuse to launch it unless the attacker has already enrolled their own certificate in the firmware’s trusted certificate store; with Secure Boot disabled, no such step is needed. Monitoring the contents of that store is therefore a direct detection opportunity.
5. **Associated Findings**:
– The investigation also turned up a likely related unsigned kernel module, named BCDropper by the researchers, which deploys an ELF binary that in turn loads another kernel module, unknown at the time of analysis, after the system has started.
– BCDropper carries rootkit-style functionality such as hiding files and processes and opening ports. Despite the name, no link to the ALPHV/BlackCat ransomware group has been established.
6. **Conclusion**:
– The emergence of Bootkitty underscores the need to prepare for boot-level threats on Linux, a platform UEFI bootkits had not targeted before.
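Item 4 notes that Bootkitty can only start under Secure Boot after an attacker certificate has been enrolled in the firmware trust store. The following is an added example (not code from the page or from the researchers) that enumerates the certificates and hashes in the UEFI `db` variable and flags any entry whose fingerprint is not on an operator-maintained allowlist. The GUIDs and the EFI_SIGNATURE_LIST layout come from the UEFI specification; the efivarfs path is the standard Linux location. The sample `db` contents, the owner GUID and the allowlist are constructed placeholders (the byte strings stand in for DER certificates and are not real certificates), so the script runs offline; on a real host it reads the live variable instead.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification: the first names the db/dbx variables,
# the other two identify X.509-certificate and SHA-256-hash entries.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3a3d-4596-a3bc-dad00e67656f"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFIVARS = Path("/sys/firmware/efi/efivars")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(data):
    """Yield (signature_type, owner, payload) for every entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + SIGLIST_HEADER.size <= len(data):
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(data, off)
        end = off + list_size
        if list_size < SIGLIST_HEADER.size or end > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + SIGLIST_HEADER.size + hdr_size
        while pos + sig_size <= end:
            # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the payload.
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield uuid.UUID(bytes_le=sig_type), owner, bytes(data[pos + 16:pos + sig_size])
            pos += sig_size
        off = end


def read_efivar(name, guid=EFI_IMAGE_SECURITY_DATABASE_GUID, root=EFIVARS):
    """Read a variable from efivarfs; the first four bytes are attribute flags, not variable data."""
    return (root / f"{name}-{guid}").read_bytes()[4:]


def audit_db(data, allowlist):
    """Describe every db entry and mark those whose fingerprint is not on the allowlist."""
    findings = []
    for sig_type, owner, payload in parse_signature_lists(data):
        if sig_type == EFI_CERT_X509_GUID:
            kind, digest = "x509", hashlib.sha256(payload).hexdigest()  # DER certificate fingerprint
        elif sig_type == EFI_CERT_SHA256_GUID:
            kind, digest = "sha256", payload.hex()                       # image hash stored directly
        else:
            kind, digest = str(sig_type), hashlib.sha256(payload).hexdigest()
        findings.append({"kind": kind, "sha256": digest, "owner": str(owner),
                         "trusted": digest in allowlist})
    return findings


def untrusted(findings):
    """Entries an operator did not expect to find in db."""
    return [f for f in findings if not f["trusted"]]


def build_signature_list(sig_type, owner, payloads):
    """Serialize one EFI_SIGNATURE_LIST (all payloads in a list share one size); used for offline test data."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return SIGLIST_HEADER.pack(sig_type.bytes_le, SIGLIST_HEADER.size + len(body), 0, sig_size) + body


# Constructed sample data: placeholders for DER certificates, not real certificates.
SAMPLE_VENDOR_CERT = b"constructed placeholder for the OEM/distribution signing certificate"
SAMPLE_ROGUE_CERT = b"constructed placeholder for an attacker-enrolled certificate"
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed SignatureOwner
ALLOWLIST = {hashlib.sha256(SAMPLE_VENDOR_CERT).hexdigest()}      # fingerprints the operator expects
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_VENDOR_CERT])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_ROGUE_CERT])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                           [hashlib.sha256(b"constructed bootloader image").digest()])
)

if __name__ == "__main__":
    live = EFIVARS / f"db-{EFI_IMAGE_SECURITY_DATABASE_GUID}"
    data = read_efivar("db") if live.exists() else SAMPLE_DB
    for entry in audit_db(data, ALLOWLIST):
        status = "ok     " if entry["trusted"] else "UNKNOWN"
        print(status, entry["kind"], entry["sha256"], "owner", entry["owner"])
```

On a real fleet, ALLOWLIST should hold the SHA-256 fingerprints of the certificates you expect from your firmware vendor and distribution, captured from a known-good machine; the constructed allowlist above will flag every live entry as unknown. The same parser works for `dbx`, `KEK` and `PK` by changing the variable name.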
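Items 3 and 5 describe the post-boot footprint: init started with LD_PRELOAD set, kernel module signature enforcement defeated, and an unsigned kernel module loaded. The script below is an added example (not from the page or the researchers) that reads the standard Linux procfs and sysfs locations for those indicators: PID 1's environment, `module.sig_enforce`, the per-module taint flags under `/sys/module`, and the kernel-wide taint mask (bit 13, flag `E`, means an unsigned module was loaded). It takes a root prefix so it can run against a constructed directory tree; the preload path and module name in that fixture are placeholders, not indicators from the real malware. One caveat: a bootkit that patches the kernel in memory can also falsify these views, so a clean result is not proof of a clean boot chain.

```python
import json
import sys
import tempfile
from pathlib import Path

UNSIGNED_MODULE_TAINT = 1 << 13  # kernel taint flag 'E': an unsigned module has been loaded


def _read(path, default=""):
    return path.read_text() if path.exists() else default


def init_ld_preload(root=Path("/")):
    """Return LD_PRELOAD from PID 1's environment, or None if it is not set (needs root on a live host)."""
    for entry in (root / "proc/1/environ").read_bytes().split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry.partition(b"=")[2].decode(errors="replace")
    return None


def module_sig_enforced(root=Path("/")):
    """True when the kernel refuses unsigned modules (module.sig_enforce=1 or CONFIG_MODULE_SIG_FORCE)."""
    return _read(root / "sys/module/module/parameters/sig_enforce").strip() == "Y"


def unsigned_modules(root=Path("/")):
    """Names of loaded modules whose per-module taint flags include 'E' (module not signed)."""
    return sorted(m.name for m in (root / "sys/module").iterdir() if "E" in _read(m / "taint"))


def kernel_tainted_unsigned(root=Path("/")):
    """True if the kernel-wide taint mask records that an unsigned module was ever loaded."""
    value = _read(root / "proc/sys/kernel/tainted", "0").strip() or "0"
    return bool(int(value) & UNSIGNED_MODULE_TAINT)


def assess(root=Path("/")):
    """Collect the indicators in one report; 'suspicious' means the boot chain deserves a closer look."""
    try:
        preload, environ_readable = init_ld_preload(root), True
    except PermissionError:  # /proc/1/environ is readable only by root
        preload, environ_readable = None, False
    report = {
        "init_environ_readable": environ_readable,
        "init_ld_preload": preload,
        "module_sig_enforce": module_sig_enforced(root),
        "unsigned_modules": unsigned_modules(root),
        "kernel_tainted_unsigned": kernel_tainted_unsigned(root),
    }
    report["suspicious"] = bool(preload) or bool(report["unsigned_modules"]) or report["kernel_tainted_unsigned"]
    return report


def build_sample_tree(base):
    """Constructed fixture: a host whose init has LD_PRELOAD set and which has loaded an unsigned module."""
    base = Path(base)
    files = {
        "proc/1/environ": b"LD_PRELOAD=/opt/constructed-preload.so\0PATH=/usr/sbin:/usr/bin\0",
        "proc/sys/kernel/tainted": b"12288\n",  # 4096 ('O', out-of-tree) + 8192 ('E', unsigned)
        "sys/module/module/parameters/sig_enforce": b"N\n",
        "sys/module/ext4/taint": b"\n",
        "sys/module/constructed_rootkit/taint": b"OE\n",
    }
    for rel, content in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return base


def demo():
    """Run the checks against the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return assess(build_sample_tree(tmp))


if __name__ == "__main__":
    # Pass a directory to scan a mounted forensic image; default is the live host.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/")
    print(json.dumps(assess(root), indent=2))
```

Run it as root on the live system, or point it at an offline root that has captured `proc` and `sys` trees. An empty LD_PRELOAD, `sig_enforce=Y` and no `E`-tainted modules are the expected healthy state on a distribution kernel with signature enforcement.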