Interesting, I didn’t know about bootkits, only rootkits. Turns out they are a particular type of rootkit:
One particular type of rootkit is both common and specific enough to warrant its own classification — the bootkit. Bootkits infect the boot sector — the code used to boot the system and load the operating system, such as the master boot record (MBR). Not only does this ensure the malicious code is run prior to the operating system, it also makes the bootkit undetectable by standard operating system processes.
They're popular amongst targeted (state-level?) attack campaigns that have an amount of known victims in the tens or low hundreds. They're pretty advanced, but there isn't much of a benefit to a bootkit beyond absolute persistence compared to a zero-click remote 0day. Malicious UEFI firmware that infects the OS on reboots has been observed in the wild before, and the NSA also had firmware attacks for weaponizing hard drives during the Snowden era too.
CosmicStrand, MoonBounce, MosaicRegressor, BlackLotus come to mind as best examples to demonstrate.
Both of them are undetectable by the operating system since what is executed runs with the highest privilege. Windows Defender can do nothing against unknown malware and Linux is Linux. Forensic analysis of the device can reveal the attacks although this is not an automated process and you'd need experience in DFIR to analyse a device to see if you were infected by this.
Bootkit firmware has to drop malware within the installed OS for command and control and to monitor their victim's activities. Forensic analysis of the disk for potential IoCs, network traffic analysis to find connections to a potential C2 server and memory dumping (for fileless malware) are some ways to find out. You'd also need reverse engineering experience to confirm suspicious activity. This is also why when people talk about "hardware backdoors" in a security researcher they get laughed at. They are only useful by being unknown and to a limited group of people.
Windows tried to add boot security (called System Guard) to prevent firmware based attacks on a line of PCs called "Secured-core" but they are a questionable half solution that avoids the real solution. Dmytro Oleksiuk (cr4sh) is a very good researcher who develops a lot of PoC UEFI bootkits and he has some good material about the subject matter.
Desktop boot security is fucked. "Secure boot" is nothing like the Verified Boot used in Android, iOS, GrapheneOS, ChromeOS and ARM Macs. Desktop OSes need to move towards being adminless and make features like sandboxing for apps mandatory. Android works really well with verified boot because most of the OS is an immutable, adminless workspace that separates all of what the user does in its own place. The desktop OSes also trust the hardware connected to them and their drivers too much.
5017 sats \ 1 reply \ @ek 28 Nov 2024
whoops, wanted to zap 1111 sats but ended up zapping 9999 lol
(mostly) un-whoopsed. rest went into SN