{"id":131100,"date":"2024-11-28T17:19:01","date_gmt":"2024-11-28T10:19:01","guid":{"rendered":"https:\/\/hotvideos24.online\/?p=131100"},"modified":"2024-11-28T17:19:01","modified_gmt":"2024-11-28T10:19:01","slug":"researchers-discover-bootkitty-first-uefi-bootkit-targeting-linux-kernels","status":"publish","type":"post","link":"https:\/\/hotvideos24.online\/?p=131100","title":{"rendered":"Researchers Discover &#8220;Bootkitty&#8221; \u2013 First UEFI Bootkit Targeting Linux Kernels"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Nov 27, 2024<\/span> <span class=\"author\">Ravie Lakshmanan<\/span><\/span><span class=\"p-tags\">Linux \/ Malware<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgRd8EW3eHnsJX_aK9I-EQd8dIMobvH58H_5thb3hgzIjfJ-dolAAIbyhgGwUuLiILyES0LJZag8oKn8HK3UVX67O1d2V40U4CnwzPyJgK3dSfA6AqgsybZoCJS1LiAEEDKJeNmcg2xgBRgx_ycjD2PRvA7kMSo-ndVQ31tqA2EhrhCF1vZ6GH-d47mL7G-\/s728-rw-e365\/linux.png\" alt=\"UEFI Linux Bootkit\" border=\"0\" data-original-height=\"380\" data-original-width=\"728\" title=\"UEFI Linux Bootkit\"\/><\/div>\n<p>Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) <a href=\"https:\/\/thehackernews.com\/2023\/06\/nsa-releases-guide-to-combat-powerful.html\" rel=\"noopener\" target=\"_blank\">bootkit<\/a> designed for Linux systems.<\/p>\n<p>Dubbed <b>Bootkitty<\/b> by its creators, who go by the name BlackCat, the <a href=\"https:\/\/www.sentinelone.com\/cybersecurity-101\/cybersecurity\/bootkit\/\" rel=\"noopener\" target=\"_blank\">bootkit<\/a> is assessed to be a proof-of-concept (PoC), and there is no evidence that it has been put to use in real-world attacks. Also tracked as <a href=\"https:\/\/humzak711.github.io\/analyzing_IranuKit\" rel=\"noopener\" target=\"_blank\">IranuKit<\/a>, it was <a href=\"https:\/\/www.virustotal.com\/gui\/file\/f1f84819bdf395d42c36adb36ded0e7de338e2036e174716b5de71abc56f5d40\" rel=\"noopener\" target=\"_blank\">uploaded<\/a> to the VirusTotal platform on November 5, 2024.<\/p>\n<p>&#8220;The bootkit&#8217;s main goal is to disable the kernel&#8217;s signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup),&#8221; ESET researchers Martin Smol\u00e1r and Peter Str\u00fd\u010dek <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/bootkitty-analyzing-first-uefi-bootkit-linux\/\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/p>\n<p>The development is significant as it heralds a shift in the cyber threat landscape where UEFI bootkits are no longer confined to <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/windows-itpro-blog\/revoking-vulnerable-windows-boot-managers\/4121735\" rel=\"noopener\" target=\"_blank\">Windows systems alone<\/a>.<\/p>\n<p>It&#8217;s worth noting that Bootkitty is signed with a self-signed certificate, and therefore cannot be executed on systems with UEFI Secure Boot enabled unless an attacker-controlled certificate has already been installed.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgrTnxztqkMC9nZq0FMm1MSuKZCj71aQcdASTgnhUm5j5X64ICdWGoosqQK-dyKaegXBv7Ab1OkEBzK9yHd6KMsyWqNjclAqMDZN2qaJtUHC2mt1OXSDk0G28h05ejZkz0zMmxkZqCJE8UStuIrt79iwrAOZj9XCQrsudMteXP9qVngTsp3Kt6jjdy4B-Kt\/s728\/attack.png\" alt=\"UEFI Linux Bootkit\" border=\"0\" data-original-height=\"3000\" data-original-width=\"1751\" title=\"UEFI Linux Bootkit\"\/><\/div>\n<p>Regardless of the UEFI Secure Boot status, the bootkit is mainly engineered to boot the Linux kernel and to patch, in memory, the response of the function responsible for integrity verification before the GNU GRand Unified Bootloader (<a href=\"https:\/\/en.wikipedia.org\/wiki\/GNU_GRUB\" rel=\"noopener\" target=\"_blank\">GRUB<\/a>) is executed.<\/p>\n<p>Specifically, if Secure Boot is enabled, it hooks two functions from the UEFI authentication protocols in such a way that UEFI integrity checks are bypassed. Subsequently, it also patches three different functions in the legitimate GRUB boot loader to sidestep other integrity verifications.<\/p>\n<p>It&#8217;s also designed to interfere with the normal functioning of the Linux kernel&#8217;s decompression process to allow the malware to load malicious modules. Last but not least, it modifies the <a href=\"https:\/\/thehackernews.com\/2022\/10\/new-cryptojacking-campaign-targeting.html\" target=\"_blank\" rel=\"noopener\">LD_PRELOAD<\/a> environment variable so that two unknown ELF shared objects (&#8220;\/opt\/injector.so&#8221; and &#8220;\/init&#8221;) are loaded when the init process starts.<\/p>\n<p>The Slovakian cybersecurity company said its investigation into the bootkit also led to the discovery of a likely related unsigned kernel module codenamed BCDropper that&#8217;s capable of deploying an ELF binary dubbed BCObserver, which loads another as-yet-unknown kernel module after system startup.<\/p>\n<p>The kernel module, which also lists BlackCat as the author&#8217;s name, implements other rootkit-related functionality such as hiding files and processes and opening ports. There is no evidence to suggest a connection to the ALPHV\/BlackCat ransomware group at this stage.<\/p>\n<p>&#8220;Whether a proof-of-concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,&#8221; the researchers said, adding &#8220;it emphasizes the necessity of being prepared for potential future threats.&#8221;<\/p>\n<\/div>\n<p><a href=\"https:\/\/thehackernews.com\/2024\/11\/researchers-discover-bootkitty-first.html\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nov 27, 2024 Ravie Lakshmanan Linux \/ Malware Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed &hellip; <a href=\"https:\/\/hotvideos24.online\/?p=131100\" class=\"more-link\">Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8630],"tags":[],"class_list":["post-131100","post","type-post","status-publish","format-standard","hentry","category-technology","entry"],"_links":{"self":[{"href":"https:\/\/hotvideos24.online\/index.php?rest_route=\/wp\/v2\/posts\/131100","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hotvideos24.online\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hotvideos24.online\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hotvideos24.online\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hotvideos24.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=131100"}],"version-history":[{"count":0,"href":"https:\/\/hotvideos24.online\/index.php?rest_route=\/wp\/v2\/posts\/131100\/revisions"}],"wp:attachment":[{"href":"https:\/\/hotvideos24.online\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=131100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hotvideos24.online\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=131100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hotvideos24.online\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=131100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}