- LogoFAIL, a set of image-parsing vulnerabilities affecting Linux and Windows devices, is being actively abused
- Researchers say crooks are using it to install Bootkitty, the first-ever Linux UEFI bootkit
- Bootkitty works on both Linux and Windows devices
LogoFAIL, a set of vulnerabilities that allow threat actors to install malware at the boot level, is now being actively abused in the wild, according to a new report from cybersecurity researchers at Binarly.
Discovered roughly a year ago, LogoFAIL is a group of vulnerabilities that allow malicious actors to replace the logo image displayed on Windows and Linux devices during the boot process.
The replacement images can contain malicious code that the device will run, and because that code runs at boot, before the operating system or any antivirus software has loaded, most security products cannot detect or remove it.
Purely theoretical
In fact, even reinstalling the operating system or replacing the hard drive will not help. Malware installed this way is generally called a UEFI bootkit, since it targets the Unified Extensible Firmware Interface (UEFI), the firmware responsible for initializing hardware and launching the operating system.
When it was first discovered, LogoFAIL was deemed purely theoretical, as no active exploits or exploit code had been seen in the wild. However, Binarly now says that things have changed, and that it has observed LogoFAIL being used to deploy Bootkitty.
Bootkitty was first observed, and reported, late last week. It is the first malware of its kind, since it targets Linux devices. The researchers from ESET who spotted it described the malware as being in an early stage of development.
Bootkitty relies on a self-signed certificate, which means it won't run on systems with Secure Boot enabled; as a result, it can only target some Ubuntu distributions.
Furthermore, the bootkit uses hardcoded byte patterns rather than the patterns best suited to covering multiple kernel or GRUB versions, so it cannot be widely distributed. Finally, Bootkitty contains many unused functions and performs no kernel-version checks, which often results in system crashes.
In any case, the finding marks an important moment in the development and destructive potential of UEFI bootkits.
Via Ars Technica