Kaspersky’s team discovered the firmware was developed by an advanced persistent threat (APT) actor. The rootkit was used to target private individuals and has so far been used in Vietnam, Iran, and Russia. CosmicStrand seems to have been in use in the wild since the end of 2016, long before firmware attacks became public.
“This indicates that some threat actors have had very advanced capabilities that they’ve managed to keep under the radar since 2017. We are left to wonder what new tools they have created in the meantime that we have yet to discover,” said Ivan Kwiatkowski, senior security researcher at the Global Research and Analysis Team (GReAT) at Kaspersky.
CosmicStrand is attributed to a previously unknown Chinese-speaking actor. Although the end goal being pursued by the attackers remains unknown, researchers observed that the victims were individual users rather than corporate computers.
The UEFI firmware, the successor of the BIOS, is a critical component in booting up a computer. Its code launches the software component that loads the operating system. Modifying the UEFI firmware to contain malicious code, as in this case, makes that code’s activity potentially invisible to security solutions and to the operating system’s defences.
According to the researchers, this, together with the fact that the firmware resides on a chip separate from the hard drive, makes attacks against UEFI firmware exceptionally evasive and persistent.
So far, all affected machines have been found to be running the Windows operating system. Every time a computer was rebooted, a piece of the malicious code was executed after Windows started. The purpose of that code was to connect to a C2 (command-and-control) server and download an additional malicious executable.
Researchers have been unable to determine how the rootkit ended up on the infected machines. However, unconfirmed accounts discovered online indicate that some users have received compromised devices while ordering hardware online.
According to Kaspersky, systems can be protected from this threat by giving your SOC team access to the latest threat intelligence and by implementing EDR solutions for endpoint-level detection.
Other steps that can be taken include ensuring basic cybersecurity hygiene and appropriate training for staff in corporate organisations, regularly updating your UEFI firmware and only using firmware from trusted vendors.