Starting June 24, three certificates that cryptographically verify each piece of firmware and software loaded during system boot will expire. Microsoft-signed certificates are the linchpin of Secure Boot, a Microsoft-designed chain of trust. Secure Boot checks the digital signatures of all firmware that is loaded during system startup to ensure that it originates from a trusted provider, such as the manufacturer of the motherboard the system runs on.
Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to BIOS, both of which start the boot sequence. Because these bootkits are loaded before the OS and most other code, they can be difficult to detect. Once installed, they typically load malware onto the OS that steals credentials, backdoors the system, or performs other malicious actions. Even when the OS is disinfected, the bootkit can still re-infect the system. Bootkits also survive OS reinstallations.
A Brief History of Bootkits
Bootkits originated in the early 1980s with the creation of several pieces of malware that targeted Apple II machines during the boot process. They spread into the wild via floppy disks that apparently contained pirated games.
Windows bootkits gained notice in the early 2000s as proofs of concept developed by offensive security researchers. BootRoot, a bootkit demonstrated at the 2005 Black Hat security conference, is probably the first example of its kind. The malware infected the Network Driver Interface, which orchestrates communication between network protocol drivers that enable a service, such as the TCP/IP network adapter driver. In the years that followed, similar PoCs included vbootkit, Stoned Bootkit, and maybrute. There were many more.
In 2012, a new form of bootkit was released. Rather than targeting machines through the BIOS or master boot record, one such bootkit attacked Mac OS X systems by infecting EFI, the firmware package that initiates the boot process. A second very primitive bootkit targeted Windows 8 machines by infecting UEFI’s predecessor, the UEFI Bootkit. Around 2013, a researcher demonstrated a more advanced UEFI bootkit for Windows called Dreambot.
The first known case of a real-world attack targeting UEFI came in 2018 with the discovery of malware called LoJax. The malware, a repurposed version of legitimate anti-theft software known as LoJack, was created by a Kremlin-backed hacking group tracked under names including Sednit, Fancy Bear, and APT28. It was installed remotely using tools that can read and overwrite parts of the UEFI firmware’s flash memory.
In 2020, researchers discovered the second known example of real-world malware attacking UEFI. Every time an infected device reboots, its UEFI checks whether a malicious file is present in the Windows Startup folder and, if not, installs it. Researchers at security provider Kaspersky, who discovered the malware, named it “MosaicRegressor.” Researchers have not yet determined how the compromised UEFIs became infected. Since then, a handful of new UEFI bootkits have emerged. They are tracked under names like ESPecter, FinSpy and MoonBounce.
Necessity is the mother of invention
In response to the more insidious threat of UEFI bootkits, Microsoft worked with device manufacturers to develop Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of firmware loaded during startup is trusted by the computer’s manufacturer. Secure Boot is designed to create a chain of trust that prevents attackers from replacing the intended bootup firmware with malicious firmware. If even a single link in the startup chain is not recognized, Secure Boot will prevent the device from starting.
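The trust anchors behind these signature checks are stored in UEFI variables as EFI_SIGNATURE_LIST structures, so an inventory of which certificates a machine trusts, and when they expire, starts with parsing that format. The following is an added example, not code from this article or from Microsoft; the sample blob, its owner GUID and its dates are constructed, and the DER walker assumes well-formed certificates.

```python
import struct, uuid
from datetime import datetime, timezone
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # X.509 entry type (UEFI spec)

def parse_signature_lists(blob):
    """Yield (type, owner, data) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        start, end = off + 28 + hdr_size, off + list_size
        if sig_size <= 16 or start > end or end > len(blob) or (end - start) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for pos in range(start, end, sig_size):  # each entry: 16-byte owner GUID + data
            yield sig_type, uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]
        off = end

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        pos, length = pos + (length & 0x7F), int.from_bytes(buf[pos:pos + (length & 0x7F)], "big")
    return tag, pos, pos + length

def x509_not_after(cert):
    """Return notAfter (UTC) by walking Certificate -> tbsCertificate -> validity."""
    _, p, _ = der_tlv(cert, der_tlv(cert, 0)[1])  # enter Certificate, then tbsCertificate
    for _ in range(4 if cert[p] == 0xA0 else 3):  # [0] version?, serial, signature, issuer
        _, _, p = der_tlv(cert, p)
    _, _, p = der_tlv(cert, der_tlv(cert, p)[1])  # enter validity, skip notBefore
    tag, start, end = der_tlv(cert, p)            # notAfter
    text = cert[start:end].decode("ascii")
    if tag == 0x17:  # UTCTime: RFC 5280 pivots two-digit years at 50
        text = ("20" if text[:2] < "50" else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiring_certs(blob, cutoff):
    """Return (owner, notAfter) for X.509 entries expiring on or before cutoff."""
    certs = ((o, x509_not_after(d)) for t, o, d in parse_signature_lists(blob) if t == EFI_CERT_X509)
    return [(o, na) for o, na in certs if na <= cutoff]

def tlv(tag, body):  # DER encoder for the constructed sample below (not a real certificate)
    return bytes([tag, len(body)]) + body
tbs = (tlv(0xA0, tlv(2, b"\x02")) + tlv(2, b"\x01") + tlv(0x30, b"") * 2
       + tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"300101000000Z")))
SAMPLE_CERT = tlv(0x30, tlv(0x30, tbs))  # skeleton with only the fields up to validity
SAMPLE_DB = (EFI_CERT_X509.bytes_le + struct.pack("<III", 44 + len(SAMPLE_CERT), 0,
             16 + len(SAMPLE_CERT)) + uuid.UUID(int=1).bytes_le + SAMPLE_CERT)
```

On Linux, a variable read from `/sys/firmware/efi/efivars/` begins with a 4-byte attributes field, which must be stripped before the remainder is passed to `parse_signature_lists`.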
Then in 2023, researchers discovered LogoFAIL, a series of critical vulnerabilities found in the UEFIs that boot almost every Windows and Linux system in the world. An image-parsing bug in software that rendered hardware manufacturers’ logos during bootup allowed attackers to bypass Secure Boot and infect UEFI with malicious firmware.