What You Need to Know About Unified Extensible Firmware Interface

Unified Extensible Firmware Interface (UEFI) is the modern replacement for the legacy BIOS (Basic Input/Output System) that booted computers and initialized hardware for decades. UEFI has several advantages over BIOS, including a defined mechanism for verifying boot components (Secure Boot), faster boot times, support for large disks through GPT partitioning, and a more flexible, modular design.

UEFI is modular and extensible. The specification defines Boot Services and Runtime Services (the interfaces the firmware exposes before and after the operating system takes control), a driver model, a Boot Manager that decides what to load, and UEFI applications, which include the operating system's boot loader and the UEFI Shell (a command-line interface). These pieces work together to provide a standardized, flexible platform for booting and managing computers. UEFI can significantly reduce boot times compared to legacy BIOS because it drops the 16-bit real-mode compatibility path and lets the firmware defer or skip initialization of devices that are not needed to boot.

Secure Boot is a UEFI feature under which the firmware checks the digital signature (or hash) of each boot-time binary it loads, such as boot loaders and option ROMs, against the platform's allowed-signature database (db) and refuses anything listed in the forbidden database (dbx). A trusted boot loader then verifies the kernel it hands off to. This stops unsigned or revoked code from running early in the boot process, but only as long as the platform keys are intact and known-vulnerable signed binaries have actually been revoked.

Cybercriminals Exploit Unified Extensible Firmware Interface Flaws

Unfortunately, cybercriminals have figured out how to exploit flaws in UEFI implementations to keep access to compromised systems even after the system is rebooted, reinstalled or otherwise remediated, warns the Cybersecurity and Infrastructure Security Agency (CISA).

CISA noted that flaws in UEFI components enable malware, such as BlackLotus, to persist through:

  • System reboot: Turning the device off and on doesn't stop the malware.
  • Operating system reinstallation: Malware that persists through reinstallation evades standard incident response practices, which treat a reinstalled operating system as a clean device.
  • Hard drive replacement: An implant written to persistent flash on the motherboard or on a PCI device survives even after the hard drive is replaced. (BlackLotus itself installs to the EFI System Partition on disk, so it survives reinstallation but not drive replacement; firmware-resident implants survive both.)

BlackLotus rolls the Windows Boot Manager back to an older version that is still validly signed by Microsoft but carries a known Secure Boot bypass, then exploits that bypass. Because the old binary's signature is valid and its hash is not yet in the dbx forbidden-signature database, Secure Boot accepts it. CISA's point is that a signed-but-vulnerable binary remains bootable until it is explicitly revoked, so a UEFI update on Windows is neither resilient nor secure on its own.

Recommendations

To combat this threat, Microsoft has issued guidance on applying the revocations that stop the rollback to a vulnerable boot manager version. As of CISA's advisory, the company planned to automate those revocations in early 2024 to prevent BlackLotus infection.
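The database check that Secure Boot performs, and the dbx revocation that the rollback mitigation relies on, can be seen concretely by parsing the db/dbx variables. The following is an added example, not code from CISA, Microsoft or this page: it parses the EFI_SIGNATURE_LIST format that the UEFI specification defines for these variables, builds a constructed sample dbx with placeholder hashes (not real BlackLotus or Microsoft values), and tests whether a given image hash is revoked. The efivarfs path in `read_security_db` assumes Linux, and the owner GUID used for the sample entries is a placeholder.

```python
"""Parse UEFI Secure Boot signature databases (db / dbx) and test revocation.

Added example. The hashes, certificate bytes and owner GUID below are
constructed placeholders, not real BlackLotus or Microsoft values.
"""
import hashlib
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification.
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGNATURE_TYPES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
LIST_HEADER = struct.Struct("<16sIII")
OWNER_GUID_SIZE = 16  # every EFI_SIGNATURE_DATA starts with SignatureOwner


def parse_signature_lists(blob: bytes) -> list[tuple[str, uuid.UUID, bytes]]:
    """Return (type, owner, data) for every EFI_SIGNATURE_DATA entry in blob.

    The blob is a concatenation of EFI_SIGNATURE_LIST structures, exactly as
    stored in the db/dbx variables. Malformed size fields raise ValueError
    instead of silently truncating the result.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, off)
        if list_size < LIST_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size <= OWNER_GUID_SIZE:
            raise ValueError("SignatureSize must exceed the owner GUID")
        body_off = off + LIST_HEADER.size + hdr_size
        body_len = list_size - LIST_HEADER.size - hdr_size
        if body_len % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        type_guid = uuid.UUID(bytes_le=raw_type)
        type_name = SIGNATURE_TYPES.get(type_guid, str(type_guid))
        for i in range(body_len // sig_size):
            p = body_off + i * sig_size
            owner = uuid.UUID(bytes_le=blob[p:p + OWNER_GUID_SIZE])
            entries.append((type_name, owner, blob[p + OWNER_GUID_SIZE:p + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, items: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; all items in one list share one size."""
    if len({len(item) for item in items}) != 1:
        raise ValueError("all signatures in one list must have the same size")
    body = b"".join(owner.bytes_le + item for item in items)
    sig_size = OWNER_GUID_SIZE + len(items[0])
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body), 0, sig_size) + body


def revoked_sha256(dbx_blob: bytes) -> set[str]:
    """Hex Authenticode SHA-256 hashes that dbx forbids (certificate entries excluded)."""
    return {data.hex() for kind, _, data in parse_signature_lists(dbx_blob) if kind == "sha256"}


def is_revoked(dbx_blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given image hash is present in dbx.

    Caveat: dbx stores the Authenticode (PE image) hash, which skips the
    checksum field, the security directory entry and the signature blob. A
    plain sha256 of the file on disk will not match; compute the PE hash with a
    tool such as pesign or signtool before calling this.
    """
    return authenticode_sha256_hex.lower() in revoked_sha256(dbx_blob)


def read_security_db(name: str, efivars: str = "/sys/firmware/efi/efivars") -> bytes:
    """Read db or dbx through Linux efivarfs (assumed path). The first 4 bytes
    are the variable attributes, not signature data, so they are dropped."""
    return Path(efivars, f"{name}-{EFI_IMAGE_SECURITY_DATABASE_GUID}").read_bytes()[4:]


# Constructed sample dbx: two placeholder hashes and one placeholder certificate.
PLACEHOLDER_OWNER = uuid.UUID(int=1)
SAMPLE_HASH_A = bytes(range(32))
SAMPLE_HASH_B = hashlib.sha256(b"constructed sample boot manager").digest()
SAMPLE_CERT = b"not-a-real-DER-certificate"
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, PLACEHOLDER_OWNER, [SAMPLE_HASH_A, SAMPLE_HASH_B])
    + build_signature_list(EFI_CERT_X509_GUID, PLACEHOLDER_OWNER, [SAMPLE_CERT])
)

if __name__ == "__main__":
    for kind, owner, data in parse_signature_lists(SAMPLE_DBX):
        print(kind, owner, data[:8].hex())
    print("sample hash A revoked:", is_revoked(SAMPLE_DBX, SAMPLE_HASH_A.hex()))
    # On a live Linux host: is_revoked(read_security_db("dbx"), "<authenticode sha256>")
```

The design point to take from this is the gap the rollback exploits: a boot manager whose Authenticode hash is absent from dbx, and whose signing certificate is still present in db, loads successfully no matter how old or vulnerable it is. Revocation means adding its hash (or its signing certificate) to dbx on every machine, which is why Microsoft's guidance, rather than a simple binary update, is what closes the hole.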

At the UEFI community level, CISA urges the adoption of secure-by-design principles that build cybersecurity into the design and manufacture of computers and other technology products.

In addition, the agency encourages UEFI supply-chain stakeholders to mature their Product Security Incident Response Teams (PSIRTs) around vulnerability management, disclosure and response. Robust PSIRT operations require integration of the PSIRT with the UEFI software development team, the quality assurance testing team, and the software development team for the distribution channel.

“Adversaries have demonstrated that they already know how to exploit UEFI components for persistence, and they will only get better with practice,” CISA cautions.

MBL Technologies provides comprehensive cybersecurity services for long-term, sustainable solutions that address every facet of the evolving threat landscape, including malware threats to UEFI components. We help you boost your cybersecurity posture while minimizing your upfront costs. Contact us today to learn more.

Learn more about our diverse set of technology services for the federal and commercial markets.