CyberSecurity news

FlagThis

Pierluigi Paganini@securityaffairs.com
ESET researchers have announced the discovery of Bootkitty, the first UEFI bootkit built for Linux. It currently looks like a proof of concept, but its existence marks a shift in the UEFI threat landscape: until now, UEFI bootkits seen in the wild had targeted Windows. The sample, uploaded to VirusTotal as bootkit.efi in November 2024, shows attackers reaching for the layers below the operating system. Further research is needed to establish its full capabilities and how likely it is to be deployed widely.

Bootkitty's primary goal is to disable the kernel's module signature verification so that unsigned kernel modules can be loaded. Once the firmware hands control to it, it hooks the firmware's image-authentication routines and then GRUB's own verification functions, so that its modified images pass GRUB's checks, and it patches the decompressed Linux kernel in memory before the kernel starts running. Because the patches look for hardcoded byte patterns, they only apply to a handful of Ubuntu kernel and GRUB builds, which limits the bootkit in practice. The sample is signed with a self-signed certificate, so it will not run on a system with UEFI Secure Boot enabled unless an attacker-controlled certificate has already been enrolled. ESET also found a possibly related unsigned kernel module, BCDropper, which suggests a larger toolset behind the sample.

Although currently a proof of concept (and later reported to be a student project; see the csoonline.com entry below), Bootkitty shows that UEFI bootkits are no longer a Windows-only concern. It does not defeat Secure Boot on its own: it needs Secure Boot disabled, an attacker certificate already enrolled, or, as the later analyses cited below report, firmware still vulnerable to LogoFAIL (CVE-2023-40238), which is why keeping firmware and the operating system updated matters. Removal of this sample is simple, since restoring the original GRUB bootloader file on the EFI system partition undoes it, but the discovery means developers and system administrators should expect more capable UEFI bootkits aimed at Linux.
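The checks a Linux administrator would run for the conditions described above, as an added example that is not ESET's tooling or code from any of the sources listed below. It reads the Secure Boot state from efivarfs, the running kernel's module signature enforcement flag, the unsigned-module taint bit, any LD_PRELOAD carried by PID 1, and looks for the renamed original GRUB on the ESP. The ESP path /boot/efi/EFI/ubuntu follows Ubuntu's default layout, the file name grubx64-real.efi is the renamed original that ESET's write-up says to move back, and the ROOT prefix argument is an assumption of this script so it can be pointed at a mounted image or a constructed test tree as well as the live host.

```shell
#!/bin/sh
# Added example, not ESET's tooling: first-pass checks for the conditions
# Bootkitty depends on and the trace its install leaves on the ESP.
# Every function takes a ROOT prefix ("" on the live host) so the same code
# can be run against a mounted disk image or a constructed test tree.

# Secure Boot state. An efivarfs file is 4 attribute bytes followed by the
# variable data, so the one-byte boolean sits at offset 4.
secure_boot_state() {
    sbvar="$1/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    [ -r "$sbvar" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$sbvar" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Module signature enforcement as the running kernel reports it. Bootkitty
# patches the signature check routine itself, not this flag, so a kernel
# patched in memory can still say Y: treat Y as necessary, not sufficient.
module_sig_enforce() {
    f="$1/sys/module/module/parameters/sig_enforce"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Taint bit 13 ('E', unsigned module loaded). It is set when an unsigned
# module such as BCDropper is loaded by a kernel whose check still runs;
# a patched kernel passes every module as signed and never sets it.
unsigned_module_loaded() {
    f="$1/proc/sys/kernel/tainted"
    [ -r "$f" ] || { echo unknown; return 0; }
    t=$(cat "$f")
    if [ $(( (t >> 13) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# ESET's analysis reports that the in-memory kernel patch also sets
# LD_PRELOAD in init's environment; PID 1 has no legitimate reason to carry one.
init_ld_preload() {
    f="$1/proc/1/environ"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(tr '\000' '\n' < "$f" | sed -n 's/^LD_PRELOAD=//p')
    if [ -n "$v" ]; then echo "$v"; else echo none; fi
}

# Bootkitty keeps the real GRUB beside its own copy under a renamed file; the
# mitigation ESET gives is to move it back over grubx64.efi. The path assumes
# Ubuntu's default ESP mount point and vendor directory.
esp_renamed_grub() {
    d="$1/boot/efi/EFI/ubuntu"
    if [ -f "$d/grubx64-real.efi" ]; then
        echo "found: restore with: mv '$d/grubx64-real.efi' '$d/grubx64.efi'"
    else
        echo none
    fi
}

# One-line report; returns 1 if any check is weakened or any indicator found.
bootkitty_checks() {
    root="$1"; bad=0
    sb=$(secure_boot_state "$root");      [ "$sb" = enabled ] || bad=1
    se=$(module_sig_enforce "$root");     [ "$se" = Y ]       || bad=1
    um=$(unsigned_module_loaded "$root"); [ "$um" = no ]      || bad=1
    lp=$(init_ld_preload "$root");        [ "$lp" = none ]    || bad=1
    gr=$(esp_renamed_grub "$root");       [ "$gr" = none ]    || bad=1
    printf 'secure_boot=%s sig_enforce=%s unsigned_module_taint=%s init_ld_preload=%s renamed_grub=%s\n' \
        "$sb" "$se" "$um" "$lp" "$gr"
    return $bad
}

# On a live host: sudo sh bootkitty_checks.sh
case "${0##*/}" in bootkitty_checks.sh) bootkitty_checks "" ;; esac
```

The first four answers come from the running kernel, which is exactly what Bootkitty patches, so run this from a trusted live medium against the mounted disk where possible; the ESP check, together with a hash comparison of grubx64.efi against the distribution's package, is the part that still holds up on a live compromised system.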



References :
  • cyberinsider.com: CyberInsider's analysis of Bootkitty.
  • gbhackers.com: GBHackers' coverage of the Bootkitty UEFI bootkit.
  • WeLiveSecurity: ESET's research on Bootkitty.
  • infosec.exchange: Infosec.exchange post about Bootkitty.
  • arstechnica.com: Ars Technica's report on Bootkitty, the world's first unkillable UEFI bootkit for Linux.
  • securityaffairs.com: Security Affairs covered the discovery, detailing the bootkit's capabilities.
  • www.helpnetsecurity.com: Help Net Security article detailing the analysis of Bootkitty, the first UEFI bootkit for Linux systems, discovered by ESET researchers.
  • mastodon.scot: Found in the wild: The world’s first unkillable UEFI bootkit for Linux "Bootkitty" is likely a proof-of-concept, but may portend working UEFI malware for Linux.
  • infosec.exchange: ESET Research: In November 2024, a previously unknown UEFI application, named bootkit.efi, was uploaded to VirusTotal.
  • www.techzine.eu: First UEFI bootkit ever built for Linux discovered
  • thehackernews.com: Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems.
  • flagthis.com: Article about Bootkitty, the first UEFI bootkit for Linux systems.
  • infosec.exchange: The first UEFI bootkit specifically targeting Linux systems has been discovered, marking a shift in stealthy and hard-to-remove bootkit threats that previously focused on Windows.
  • flagthis.com: Bootkitty: First UEFI Bootkit Targeting Linux Systems
  • www.bleepingcomputer.com: News about the discovery of Bootkitty, highlighting the shift in UEFI bootkit threats from Windows to Linux systems.
  • flagthis.com: Bootkitty: First UEFI Bootkit for Linux Systems Discovered
  • mastodon.social: Found in the wild: The world’s first unkillable UEFI bootkit for Linux "Bootkitty" is likely a proof-of-concept, but may portend working UEFI malware for Linux.
  • securityonline.info: This article reports on the discovery of Bootkitty, the first UEFI bootkit for Linux, which exploits the LogoFAIL vulnerability (CVE-2023-40238) to bypass Secure Boot protections.
  • www.bleepingcomputer.com: The recently uncovered 'Bootkitty' UEFI bootkit, the first malware of its kind targeting Linux systems, exploits CVE-2023-40238, aka 'LogoFAIL,' to infect computers running on a vulnerable UEFI firmware.
  • www.csoonline.com: First-ever Linux UEFI bootkit turns out to be student project
Classification:
  • HashTags: #Bootkitty #UEFI #Linux
  • Target: Linux servers
  • Product: UEFI
  • Feature: UEFI bootkit
  • Malware: Bootkitty
  • Type: Malware
  • Severity: Medium