Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Bootkitty: A New UEFI Bootkit Designed for Linux Systems



Cybersecurity researchers have discovered the first UEFI bootkit built specifically for Linux systems. Named Bootkitty by its creators, it hooks the firmware's integrity checks, disables the kernel's signature-verification feature (clearing the way for unsigned kernel modules) and boots a Linux kernel whose init process preloads attacker-supplied ELF binaries. It is signed only with a self-signed certificate, so a system with UEFI Secure Boot properly enforced will not launch it on its own, but it shows that Linux boot chains are now a target.

  • Cybersecurity researchers from ESET identified the first UEFI bootkit built specifically for Linux systems.
  • The malware, named Bootkitty, disables the kernel's signature-verification feature and preloads two unknown ELF binaries into the Linux init process.
  • Once it is running, Bootkitty hooks the firmware's integrity-verification functions in memory so the rest of the boot chain loads even with UEFI Secure Boot enabled; it still has to be launched first, which an enforced Secure Boot prevents unless the attackers' self-signed certificate has been enrolled.
  • The malware relies on hardcoded byte patterns and fixed offsets to find and patch code, so it only works on the specific builds those patterns match.
  • A related unsigned kernel module, BCDropper, was found alongside it; it contains BlackCat references and file-hiding code that is never used.
  • Defenders should keep UEFI Secure Boot enabled, keep the system firmware and OS up to date, and keep the UEFI revocation list (dbx) current.


    Cybersecurity researchers from ESET have identified the first UEFI bootkit built specifically for Linux systems. Named Bootkitty by its creators, the malware disables the kernel's signature-verification feature and preloads two unknown ELF binaries into the Linux init process, so its code is loaded into PID 1 at the very start of userland.

    The sample surfaced in November 2024, when a previously unknown UEFI application named bootkit.efi was uploaded to VirusTotal. ESET's analysis confirmed that it is a UEFI bootkit built for Linux. It is signed with a self-signed certificate, so a system with UEFI Secure Boot enabled will refuse to launch it unless the attackers' certificate has already been installed in the firmware's trust store; on its own, Bootkitty does not defeat Secure Boot.

    What Bootkitty does once it is running is patch, in memory, the integrity-verification functions the boot chain relies on, so that the components it tampers with are accepted and Linux boots normally even with Secure Boot switched on. Secure Boot can stop the bootkit from starting, but it does not detect the tampering the bootkit performs after it has started.

    The researchers noted that Bootkitty locates the code it modifies with hardcoded byte patterns and patches the decompressed Linux kernel at fixed offsets. A bootloader or kernel build whose bytes do not match is simply not patched, which limits the range of systems the bootkit works on.

    Alongside Bootkitty, the researchers found an unsigned kernel module called BCDropper. It contains references to BlackCat and file-hiding functionality that is present but never invoked, which suggests the same author developed both tools.

    Bootkitty shows that Linux systems need protection against UEFI bootkits too. Keep UEFI Secure Boot enabled, and keep the system firmware, the OS and the UEFI revocation list (dbx) up to date so that known-bad boot components are refused. Because the bootkit preloads its payload into init and is paired with an unsigned kernel module, PID 1's environment and the kernel's taint flags are also worth reading on a suspect host.
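The hardening advice above translates into a few things a practitioner can read straight off a Linux host. The script below is an added example, not ESET's tooling and not code from the original article: it checks the SecureBoot and dbx EFI variables through efivarfs, the kernel's lockdown mode and module.sig_enforce setting, the kernel taint flags for out-of-tree or unsigned modules (the BCDropper pattern), and PID 1's environment for an LD_PRELOAD entry (the mechanism Bootkitty uses to preload its ELF payloads into init). The efivarfs layout (four attribute bytes, then the value), the EFI variable GUIDs and the taint bit meanings are standard Linux and UEFI facts; the paths are the usual ones, and every test input is constructed for illustration.

```shell
#!/bin/sh
# Post-Bootkitty host audit for Linux. Added example, not ESET's tooling.
# Every check takes its input file or value as an argument so the parsing
# can be exercised offline; audit_host() applies the checks to live paths.

EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID
EFI_IMGSEC=d719b2cb-3d3a-4596-a3bc-dad00e67656f   # EFI_IMAGE_SECURITY_DATABASE GUID
EFIVARS=/sys/firmware/efi/efivars

# efivarfs files begin with 4 bytes of attribute flags; the SecureBoot
# variable's payload is a single byte after that (1 = enabled, 0 = disabled).
sb_state_from_efivar() {
    [ -r "$1" ] || { echo unknown; return 0; }
    v=$(od -An -t u1 -j 4 -N 1 "$1" 2>/dev/null | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Size of the dbx (forbidden signatures) variable in bytes. Only a handful of
# bytes means the revocation list has never been populated on this machine.
dbx_bytes() {
    if [ -r "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# /sys/kernel/security/lockdown reads like "none [integrity] confidentiality";
# the bracketed word is the active mode.
lockdown_mode() {
    [ -r "$1" ] || { echo unknown; return 0; }
    m=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1")
    echo "${m:-unknown}"
}

# module.sig_enforce: "Y" means the running kernel refuses unsigned modules
# such as BCDropper outright; "N" means they load and merely taint the kernel.
sig_enforce() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(cat "$1")" in
        Y) echo Y ;;
        N) echo N ;;
        *) echo unknown ;;
    esac
}

# /proc/sys/kernel/tainted bits: bit 12 = 'O' (out-of-tree module loaded),
# bit 13 = 'E' (unsigned module loaded). Prints the letters set, or "clean".
taint_flags() {
    v=$1; out=""
    [ $(( (v >> 12) & 1 )) -eq 1 ] && out="${out}O"
    [ $(( (v >> 13) & 1 )) -eq 1 ] && out="${out}E"
    echo "${out:-clean}"
}

# /proc/<pid>/environ is NUL-separated. Bootkitty preloads its ELF payloads
# into init via LD_PRELOAD, so any LD_PRELOAD on PID 1 deserves a close look.
ld_preload_from_environ() {
    [ -r "$1" ] || { echo ""; return 0; }
    tr '\000' '\n' < "$1" | sed -n 's/^LD_PRELOAD=//p' | head -n 1
}

audit_host() {
    echo "secure boot : $(sb_state_from_efivar "$EFIVARS/SecureBoot-$EFI_GLOBAL")"
    echo "dbx bytes   : $(dbx_bytes "$EFIVARS/dbx-$EFI_IMGSEC")"
    echo "lockdown    : $(lockdown_mode /sys/kernel/security/lockdown)"
    echo "sig_enforce : $(sig_enforce /sys/module/module/parameters/sig_enforce)"
    t=$(cat /proc/sys/kernel/tainted 2>/dev/null || echo 0)
    echo "taint       : $(taint_flags "$t")"
    p=$(ld_preload_from_environ /proc/1/environ)
    echo "pid1 preload: ${p:-none}"
}

audit_host
```

Run it as root so that /proc/1/environ is readable; on a non-UEFI machine or inside a container the firmware checks report "unknown" rather than failing. The same Secure Boot answer is available from `mokutil --sb-state` where mokutil is installed; reading the EFI variable directly avoids depending on it.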

    In conclusion, the discovery of Bootkitty marks a notable step in the UEFI threat landscape. As the first UEFI bootkit aimed at Linux, it shows that attackers are now investing in the Linux boot chain, and that defenders need to keep watching for new risks below the operating system.



    Related Information:

  • https://securityaffairs.com/171479/malware/bootkitty-uefi-bootkit-linux.html


  • Published: Wed Nov 27 17:07:31 2024 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.