Security

New version of FinSpy spyware can replace Windows UEFI bootloader
The attackers were able to install the bootkit without having to bypass the firmware’s security checks.

Security researchers from Kaspersky Lab have discovered a new version of the FinSpy spyware that takes control of the boot process by replacing the Windows UEFI bootloader. This method allowed the attackers to install a bootkit without having to bypass the firmware’s security checks.

According to the experts, UEFI infection is rare and difficult to implement. Although in this case the attackers did not infect the UEFI firmware itself but the next stage of the boot process, the attack was still especially covert: the malicious module was installed on a separate partition and could control the boot process of the infected device.

According to the researchers, this is one of the hardest spyware programs to detect today. In addition to the UEFI bootkit vector, the spyware comes with four different layers of obfuscation.

Unlike previous versions of FinSpy, which embedded the Trojan directly in the infected application, the new samples are protected by two components: a non-persistent pre-validator and a post-validator.

“The first component performs several security checks to ensure that the attacked device does not belong to a cybersecurity researcher. Only after passing the check, the server provides a post-validator component. Then the server will be able to deploy a full-fledged Trojan software,” the experts explained.

The spyware contains four sophisticated custom obfuscators designed to slow down analysis. In addition, the Trojan can use the browsers’ developer mode to intercept traffic protected by HTTPS.

On all systems infected with the UEFI bootkit, the Windows Boot Manager (bootmgfw.efi) had been replaced with a malicious one. When UEFI hands execution to the malicious bootloader, it first locates the original Windows Boot Manager and replaces it with a patched version that bypasses all security checks. On older devices without UEFI support, infection via the MBR (Master Boot Record) was observed instead.
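A defender-side illustration of what detecting this kind of replacement involves, added here as an example and not code from Kaspersky or from the article: the script parses the PE header of a candidate boot manager image, checks that the image is marked as a UEFI application, and compares its SHA-256 against a baseline recorded from a trusted machine. The PE images and the baseline hash are constructed inside the script so it runs offline; in a real check the baseline would be taken from a known-good `bootmgfw.efi` on the EFI System Partition (normally `\EFI\Microsoft\Boot\bootmgfw.efi`), and the definitive test is the file’s Authenticode signature, which this example does not verify.

```python
import hashlib
import struct

# Subsystem value that marks a PE image as a UEFI application (PE/COFF spec).
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_sample_pe(subsystem, payload):
    """Build a minimal PE32+ image. Constructed sample for this demo only;
    it is not a real bootloader and would not boot."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 112, 0x22)
    opt = bytearray(112)                           # PE32+ optional header, no data dirs
    struct.pack_into("<H", opt, 0, 0x20B)          # Magic: PE32+
    struct.pack_into("<H", opt, 68, subsystem)     # Subsystem field
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload


def parse_pe_header(data):
    """Return (machine, subsystem), or raise ValueError if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                            # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 70:
        raise ValueError("bad optional header")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return machine, subsystem


def check_boot_image(data, baseline_sha256):
    """Classify a candidate boot manager image against a recorded baseline hash.
    Returns one of: "ok", "not_pe", "wrong_subsystem", "hash_mismatch"."""
    try:
        _machine, subsystem = parse_pe_header(data)
    except (ValueError, struct.error):
        return "not_pe"
    if subsystem != IMAGE_SUBSYSTEM_EFI_APPLICATION:
        return "wrong_subsystem"
    digest = hashlib.sha256(data).hexdigest()
    return "ok" if digest == baseline_sha256 else "hash_mismatch"


def check_boot_file(path, baseline_sha256):
    """Same check for a file on disk, e.g. a copy of bootmgfw.efi taken from the ESP."""
    with open(path, "rb") as fh:
        return check_boot_image(fh.read(), baseline_sha256)


# --- constructed demonstration data (not real boot manager images) ---
GOOD = build_sample_pe(IMAGE_SUBSYSTEM_EFI_APPLICATION, b"known-good boot manager body")
BASELINE = hashlib.sha256(GOOD).hexdigest()        # would be recorded from a trusted machine
TAMPERED = build_sample_pe(IMAGE_SUBSYSTEM_EFI_APPLICATION, b"patched boot manager body")
NOT_EFI = build_sample_pe(2, b"ordinary GUI program")   # 2 = IMAGE_SUBSYSTEM_WINDOWS_GUI

if __name__ == "__main__":
    samples = [("good", GOOD), ("tampered", TAMPERED), ("not-efi", NOT_EFI), ("junk", b"\x00" * 16)]
    for name, image in samples:
        print(f"{name:9s} -> {check_boot_image(image, BASELINE)}")
```

The hash comparison is the part that catches an in-place replacement of the kind described above; the subsystem check only guards against comparing the wrong kind of file. A baseline has to be refreshed after every legitimate Windows update that touches the boot manager, which is why signature verification, not a static hash, is the check to rely on in production.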


Security

NASA intends to investigate UFOs “in full force” – the work will be done by specialists in aerospace security and artificial intelligence


NASA is seriously planning to do research on UFOs. The agency announced this in June, and now there are new details. The research will be led by astrophysicist David Spergel, president of the Simons Foundation in New York. The group will also include 15-17 of the world’s leading scientists, including aerospace security experts and artificial intelligence specialists.


The formation of the group is expected to be completed by October. The project itself is scheduled to run for 9 months, and the research will cost about $100,000.

According to Daniel Evans, spokesman for the Agency’s Science Mission Directorate (SMD), NASA intends to study the phenomenon “in full force”. At the same time, the agency tries to avoid the term UFO, instead using the concept of “unidentified aerial phenomena” (UAP).

Evans noted that NASA is uniquely positioned for such work, and that other agencies do not enjoy the same public confidence. The aim of the project is to classify the available UAP data and find ways to monitor the phenomenon.

Earlier, NASA launched a service that shows how the human voice sounds on Mars.


Security

Is Elon Musk’s Satellite Internet Under Threat? Enthusiast Hacked Starlink User Terminal


At the Black Hat security conference recently held in Las Vegas, Lennert Wouters, a cybersecurity researcher from KU Leuven (Belgium), shared his experience of successfully hacking Starlink user equipment. Admittedly, this was not a classic software hack, since the researcher had to build a so-called “modchip”.


Manufacturing the chip, which is connected to a Starlink subscriber terminal, cost $25. The chip causes a brief short circuit that disables the built-in protection systems, after which the researcher gained access to the terminal, from which any commands can be run.


“Our attack could render Starlink user terminals unusable and allow us to execute arbitrary code,” Wouters said.


This is what the Starlink terminal looks like

According to the researcher, the only reliable way to prevent such an attack is to create a new version of the main chip in the “dish”; there is no other way to fix the problem. However, this attack requires direct physical access to the subscriber equipment, which is not easy to obtain, and the Starlink system appears to be well protected against remote hacking, so its users hardly need to worry.


Security

Hackers hacked Europe’s largest missile manufacturer


Unknown hackers operating under the nickname Adrastea have breached the database of Europe’s largest missile manufacturer, MBDA, which was formed by the merger of the French Aérospatiale-Matra Missiles, the British Matra BAe Dynamics and the Italian Finmeccanica-Leonardo. This was reported by Security Affairs.


The attackers’ message about gaining access to the company’s network appeared on one of the forums; as evidence, a link to an archive of demo files was attached.

The hackers estimated the total amount of stolen data at 60 GB. “The uploaded data contains confidential and confidential information about your company’s employees who took part in the development of closed military projects MBDA (PLANCTON, CRONOS, CA SIRIUS, EMADS, MCDS, B1NT, etc.) and about your company’s commercial activities in the interests of the EU Ministry of Defense (design documentation for air defense systems, missile systems and coastal defense systems, drawings, presentations, video and photo (3D) materials, contract agreements and correspondence with other companies Rampini Carlo, Netcomgroup, Rafael, Thales, ST Electronics, etc.),” the hackers wrote.

Adrastea says it is ready to negotiate the price of the stolen data. MBDA has not yet commented on the incident.

MBDA manufactures a wide variety of missiles and related installations. For example, the company produces air-to-air missiles AIM-132 ASRAAM (short range, with IR guidance), MBDA Meteor (long range), MICA (medium range, with IR and radar guidance). The company’s product range also includes surface-to-air missiles – Mistral (MANPADS), MBDA Aster (medium and long range), Aspide Mk.1 (medium range), Sea Wolf (SAM), anti-ship (Exocet, Otomat, Marte, Sea Skua) and anti-tank (ERYX, Brimstone, HOT) missiles.
