A critical deadline for Windows and Linux security is approaching

Source: WIRED



Time is running out for Windows and Linux users to update the cryptographic keys that protect their systems from firmware-based UEFI infections, a form of malware that loads before the operating system starts and before any malware protection can run.

Starting June 24, three certificates that cryptographically verify every piece of firmware and software loaded while the system boots will expire. These Microsoft-signed certificates are the foundation of Secure Boot, a chain of trust designed by Microsoft. Secure Boot verifies the digital signatures of all firmware loaded during system startup to ensure that it comes from a trusted provider, such as the manufacturer of the motherboard on which the system runs.

Secure Boot is designed to thwart UEFI bootkits, a form of malware that alters the Unified Extensible Firmware Interface, the successor to the BIOS; both are the firmware that runs the initial boot sequence. Because these bootkits are loaded before the operating system and most other code, they can be difficult to detect. Once installed, they typically load malware into the operating system that steals credentials, opens backdoors into the system, or performs other malicious actions. Even when the operating system is disinfected, the bootkit can re-infect it, and bootkits survive OS reinstalls as well.

A brief history of bootkits

The origins of bootkits go back to the early 1980s, when several pieces of malware were created that targeted Apple II devices during the boot process. They spread in the wild through floppy disks ostensibly containing pirated games.

Windows bootkits gained attention in the early 2000s as proofs of concept developed by offensive security researchers. BootRoot, a toolkit demonstrated at the 2005 Black Hat security conference, is likely the first example of its kind. The malware infected the network driver interface, a service that simplifies communications between network protocol drivers, such as TCP/IP, and network adapter drivers. In the following years, similar proofs of concept (PoCs) included Vbootkit, Stoned Bootkit, and Mebroot. There were many others.

In 2012, a new form of bootkit was introduced. Instead of targeting hardware through the BIOS or master boot record, one of these bootkits attacked Mac OS. A second primitive bootkit targeted Windows 8 machines by infecting the firmware interface that was the predecessor to UEFI. Around 2013, a researcher demonstrated a more advanced UEFI bootkit for Windows called DreamBoot.

The first known case of an actual attack targeting UEFI came in 2018 with the discovery of malware dubbed LoJax. A repurposed version of the legitimate anti-theft software known as LoJack, it was created by a Kremlin-backed hacking group tracked under names including Sednit, Fancy Bear and APT28. The malware was installed remotely using tools that can read and overwrite portions of the UEFI firmware's flash memory.

In 2020, researchers discovered the second known example of real-world malware attacking UEFI. Every time an infected device restarts, its UEFI firmware checks for a malicious file in the Windows startup folder and installs it if it is missing. Researchers from Kaspersky, the security provider that discovered the malware, named it “MosaicRegressor.” Researchers have not yet determined how the compromised UEFI firmware was infected in the first place. Since then, a host of new UEFI bootkits have come to light. They are tracked under names including ESPecter, FinSpy and MoonBounce.

Necessity is the mother of invention

In response to the increasingly serious threat of UEFI bootkits, Microsoft worked with device makers to develop Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that every piece of firmware that loads during startup is trusted by the computer manufacturer. Secure Boot is designed to create a chain of trust that prevents attackers from replacing the intended firmware drivers with malware. If a single link in the startup chain is not recognized, Secure Boot prevents the device from starting.
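The certificates the article says are about to expire live in the Secure Boot db and KEK variables as EFI_SIGNATURE_LIST structures; the following Python, added here as an example and not taken from the article, from Microsoft or from any vendor tool, parses that format and pulls the notAfter date out of each embedded X.509 certificate so an administrator can see which signing certificates are close to expiry. The sample certificates and owner GUIDs are constructed and hypothetical; on a real Linux host the input would be the body of the db or KEK variable (an efivarfs file minus its 4-byte attribute header), which the code assumes but does not read.

```python
import struct
import uuid
from datetime import datetime, timezone

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # X.509 entry type
def parse_signature_lists(blob):  # yields (type GUID, owner GUID, data) for every entry
    off = 0
    while off + 28 <= len(blob):  # EFI_SIGNATURE_LIST header is 28 bytes
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # fixed-size EFI_SIGNATURE_DATA: owner GUID + data
            yield sig_type, uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def _tlv(buf, off):  # DER tag/length header -> (tag, value start, value end)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length: low 7 bits give the number of length bytes
        ln, off = int.from_bytes(buf[off:off + (ln & 0x7F)], "big"), off + (ln & 0x7F)
    return tag, off, off + ln

def cert_not_after(der):  # walk tbsCertificate in field order down to validity.notAfter
    _, pos, _ = _tlv(der, 0)  # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)  # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(der, pos)
    pos = nxt if tag == 0xA0 else pos  # skip the optional explicit [0] version
    for _ in range(3):  # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)  # enter validity SEQUENCE
    _, _, pos = _tlv(der, pos)  # skip notBefore
    tag, s, e = _tlv(der, pos)  # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def x509_expiries(blob):  # [(owner GUID, notAfter)] for each X.509 certificate in the blob
    return [(str(o), cert_not_after(d)) for t, o, d in parse_signature_lists(blob) if t == EFI_CERT_X509_GUID]
# Constructed sample (hypothetical): minimal certificate skeletons, not real signed certs,
# wrapped in hand-built signature lists. Real input is the body of the db or KEK variable.
def _der(tag, body):  # short-form DER encoder, for the sample only
    return bytes([tag, len(body)]) + body
def fake_cert(not_after, tag=0x17):
    validity = _der(0x30, _der(0x17, b"110101000000Z") + _der(tag, not_after))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 2 + validity
    return _der(0x30, _der(0x30, tbs))
def sig_list(cert, owner):
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 44 + len(cert), 0, 16 + len(cert)) + owner.bytes_le + cert
SAMPLE_DB = (sig_list(fake_cert(b"260624000000Z"), uuid.UUID(int=1))
             + sig_list(fake_cert(b"380101000000Z"), uuid.UUID(int=2)))
```

Running x509_expiries over the real variable body lists every trusted signing certificate with its expiry, which is the check to run before the deadline the article describes.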

Then in 2023, researchers discovered LogoFail, a series of critical vulnerabilities found in the UEFI firmware running almost every Windows and Linux system in the world. An image-parsing bug in the software that displays hardware manufacturers' logos during boot allowed attackers to bypass Secure Boot and infect the UEFI with malicious firmware.


**Posted on**: 1782116413
