MoonBounce: Internals of the 3rd publicly known UEFI firmware implant | Mark Lechtik | hardwear.io

Abstract: ---------------- During spring 2021, Kaspersky researchers were made aware of a novel threat against UEFI in the wild. Through careful inspection of firmware scanning logs, it was evident that attackers have modified and deeply embedded an implant within a benign UEFI firmware image. This was done in a way that allowed them to intercept the original execution flow of the machine’s boot sequence and introduce a sophisticated infection chain to run alongside it. We dubbed this discovered implant MoonBounce. In this talk, we will describe in detail how MoonBounce works, as well as outline the story of our investigation, including details that tie it with the activity of the infamous APT41 threat group. Speaker Bio: ---------------------- Mark Lechtik is a Senior Security Researcher at Kaspersky's GReAT (Global Research & Analysis Team), based in Israel. After having worked as a researcher and manager on Check Point’s malware research team, his primary focus is analysing malware of all shapes and forms, digging up their underlying stories and profiling the actors behind them. Today, he is tasked with providing intelligence reports on APT campaigns to Kaspersky customers, often focusing on the utilization of kernel mode rootkits and UEFI bootkits. Mark has previously presented his work at well-known security conferences such as REcon, CCC, CARO Workshop, AVAR and TheSASCon. #UEFI #embedded #firmware #hardwaresecurity #hardwear_io ------------------------------------------------------------------------------------------------ Website: https://hardwear.io Twitter:   / hardwear_io   Facebook:   / hardwear.io   LinkedIn:   / hardwear.io-hardwaresecurityconferenceandt...