Source code for BlackLotus Windows UEFI malware leaked on GitHub

LogoFAIL – Critical UEFI Vulnerabilities Exposes Devices to Stealthy Malware Attack

UEFI vulnerabilities pose significant threats, enabling hackers to execute malicious code during system boot, bypass security measures, and establish persistent control. 

Exploiting these flaws allows attackers to compromise the entire system, leading to:

Unauthorized access

Data theft

The compromise system’s integrity

Cybersecurity researchers at the Binary research team recently discovered critical UEFI vulnerabilities that expose devices to stealthy malware attacks.

The security analysts have named this complete set of security flaws “LogoFAIL.”

Technical Analysis

LogoFAIL is a set of new security flaws found in image parsing libraries in system firmware during device boot. 

The impact of these flaws spans multiple vendors and ecosystems, especially affecting IBVs (Independent BIOS vendor) reference code. LogoFAIL affects both x86 and ARM devices, focusing on UEFI and IBV due to vulnerable image parsers.

Attacking Intel BIOS

LogoFAIL, initially found on Lenovo devices, with reported vulnerabilities under advisory BRLY-2023-006, started as a small research project. 

It became an industry-wide disclosure, discovering attack surfaces in image-parsing firmware components through fuzzing and static analysis with the efiXplorer plugin in IDA.

After the initial fuzzing, many crashes led to automated triaging with Binarly’s internal program analysis framework.

More vulnerabilities in the Insyde code were discovered and reported under advisory BRLY-2022-018.

Vulnerabilities in logo parsing enable attackers to store malicious images in EFI System Partition or unsigned firmware sections. 

Exploiting these during boot allows:-

Arbitrary execution

Bypassing Secure Boot

Hardware-based Verified Boot mechanisms

This vector enables a stealthy, persistent firmware bootkit, bypassing endpoint security solutions.

The LogoFAIL compromises system security, bypassing Secure Boot and Intel Boot Guard, providing deep control to attackers. 

Exploiting ESP partitions presents a new data-only exploitation approach through logo image modification, changing the perspective on ESP attack surfaces.

Unlike BlackLotus or BootHole, LogoFAIL avoids modifying bootloaders or firmware, ensuring runtime integrity. 

Exploiting with a modified boot logo triggers payload delivery after security measurements, allowing compromised signed UEFI components to break the secure boot without detection.

Hundreds of devices from Intel, Acer, Lenovo, and more are potentially vulnerable to LogoFAIL, affecting major IBVs like:-

AMI

Insyde

Phoenix

Regardless of hardware type (x86 or ARM), the impact extends to almost all devices powered by these vendors. The extensive security vulnerabilities reveal challenges in product security maturity and code quality within IBVs’ reference code, calling for a more proactive and comprehensive approach.

The post LogoFAIL – Critical UEFI Vulnerabilities Exposes Devices to Stealthy Malware Attack appeared first on Cyber Security News.

   Read More 

Cyber Security News 

New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services

A novel cloud-native cryptojacking operation has set its eyes on uncommon Amazon Web Services (AWS) offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to illicitly mine cryptocurrency.
The malicious cyber activity has been codenamed AMBERSQUID by cloud and container security firm Sysdig.
"The AMBERSQUID operation was able to exploit cloud services without triggering the AWS   Read More 

The Hacker News | #1 Trusted Cybersecurity News Site 

A tabletop cyber exercise prepares for the Super Bowl.

CISA and the NFL prepare to manage the Super Bowl’s complex and dynamic attack surface.   Read More 

The CyberWire