Prototype UEFI Bootkit is South Korean University Project; LogoFAIL exploit discovered

December 2, 2024 at 11:52AM

A prototype UEFI bootkit, linked to a South Korean university’s BoB program, targets specific Ubuntu setups. Named Bootkitty, it uses the LogoFAIL exploit to bypass Secure Boot protections. Discovered by ESET, this research project showcases potential security risks, with indications it is still under development, not an active threat.

### Meeting Takeaways

1. **Discovery of Bootkitty**:
– A prototype UEFI bootkit named Bootkitty has been discovered, targeting specific Ubuntu Linux setups.
– Its creation is linked to a project from a South Korean university’s cybersecurity training program, BoB (Best of the Best).

2. **Research Background**:
– BoB is affiliated with the South Korea Information Technology Research Institute under the Ministry of Trade, Industry and Energy.
– Bootkitty serves as a demonstration of real-world security risks beneath the operating system.

3. **Security Concerns**:
– Firmware security experts at Binarly found that Bootkitty integrates the LogoFAIL exploit to bypass Secure Boot.
– It exploits the CVE-2023-40238 vulnerability, which relates to image parsing flaws during system boot.

4. **Mechanism of Attack**:
– The bootkit uses a modified BMP file (logofail.bmp) to execute malicious shellcode and inject rogue certificates into UEFI variables, compromising the boot process.
– It manipulates the MokList variable, allowing malicious bootloaders to bypass Secure Boot protections.

5. **Vulnerable Devices**:
– Vulnerable models identified include those from Lenovo, Acer, HP, and Fujitsu.
– Evidence suggests Bootkitty is tailored to specific hardware configurations.

6. **Development Status**:
– Bootkitty was first identified in November 2024 with indications that it is still under development, not yet an active threat.
– Prior UEFI bootkits have predominantly targeted Windows systems, with several documented cases such as ESPecter, FinSpy, and BlackLotus.

7. **Broader Implications**:
– The emergence of Bootkitty shows that bootkit attacks can extend beyond Windows to Linux environments, in this case by disabling kernel signature verification.

8. **Related Threats**:
– The meeting also highlighted concerns over the publicly shared source code of BlackLotus, a notable UEFI bootkit, emphasizing the need for vigilant security measures against advanced persistent threats (APTs).

### Action Items
– Monitor developments related to Bootkitty and its potential threats.
– Assess the impact of the LogoFAIL exploit on current security measures and protocols.
– Review the security posture of impacted devices (Lenovo, Acer, HP, Fujitsu) and implement necessary mitigations.
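Item 4 above describes the bootkit injecting its own certificates into UEFI variables and manipulating MokList, and the action items ask for a review of affected devices. One concrete defensive check is to read the MokListRT variable Shim exposes and compare every enrolled hash or certificate against a known-good baseline. The script below is an added example, not code from the article, ESET or Binarly: the EFI_SIGNATURE_LIST layout and the two signature-type GUIDs come from the UEFI specification, the efivarfs path is the usual Shim lock GUID path (assumed), and the baseline, sample blob and helper names (`find_unexpected`, `build_signature_list`, `read_efivar`) are constructed here for illustration.

```python
"""Parse the MokList/MokListRT signature database and flag entries not on an
allow-list. Added example, not the article's or the researchers' code: the
EFI_SIGNATURE_LIST layout and GUIDs are from the UEFI spec; the path, baseline,
sample blob and helper names are assumptions constructed for illustration."""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Shim's MokListRT variable as exposed by efivarfs (assumed path; efivarfs
# prepends a 4-byte attribute word to the variable contents).
MOKLIST_RT_PATH = "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"


def parse_signature_lists(blob: bytes):
    """Walk the concatenated EFI_SIGNATURE_LIST structures in `blob`.

    Returns one (signature_type, owner_guid, data) tuple per EFI_SIGNATURE_DATA
    entry. Raises ValueError on a malformed list so a truncated or tampered
    variable is reported rather than silently skipped.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size < 16:
            raise ValueError("bad SignatureSize at offset %d" % off)
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def entry_fingerprint(sig_type, data) -> str:
    """Stable identifier for an entry: the stored hash for SHA-256 entries,
    the SHA-256 of the DER blob for X.509 certificate entries."""
    if sig_type == EFI_CERT_SHA256_GUID:
        return data.hex()
    return hashlib.sha256(data).hexdigest()


def find_unexpected(blob: bytes, allowlist):
    """Return fingerprints present in `blob` but absent from `allowlist`.
    A certificate or hash that nobody enrolled deliberately is the kind of
    change a bootkit that injects its own signer into MokList would leave."""
    allow = set(allowlist)
    return sorted(
        entry_fingerprint(t, d) for t, _, d in parse_signature_lists(blob)
        if entry_fingerprint(t, d) not in allow
    )


def build_signature_list(sig_type, owner, datas) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (used only to construct sample input)."""
    sig_size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample: two SHA-256 entries, one on the baseline and one not,
# plus a placeholder blob standing in for an injected X.509 certificate.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
KNOWN_HASH = hashlib.sha256(b"known-bootloader").digest()
ROGUE_HASH = hashlib.sha256(b"rogue-bootloader").digest()
ROGUE_CERT = b"\x30\x82\x00\x04CERT"  # placeholder bytes, not a real DER certificate
SAMPLE_BLOB = (
    build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [KNOWN_HASH, ROGUE_HASH])
    + build_signature_list(EFI_CERT_X509_GUID, OWNER, [ROGUE_CERT])
)
BASELINE = [KNOWN_HASH.hex()]


def read_efivar(path: str = MOKLIST_RT_PATH) -> bytes:
    """Read a variable through efivarfs and drop the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


if __name__ == "__main__":
    # On a live system replace SAMPLE_BLOB with read_efivar() and BASELINE with
    # the fingerprints recorded when the machine was provisioned.
    for fp in find_unexpected(SAMPLE_BLOB, BASELINE):
        print("unexpected MokList entry:", fp)
```

The baseline should be captured at provisioning time and stored off the host; comparing only against what `mokutil --list-enrolled` shows today tells you nothing if the enrollment already happened. The parser deliberately rejects any list whose declared sizes do not fit the data, since a short or inconsistent variable is itself worth investigating on a machine suspected of firmware-level tampering.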
