Bootkitty, The First UEFI Bootkit Targeting Linux Servers


Researchers have uncovered the first UEFI bootkit designed specifically for Linux systems, named Bootkitty.

This discovery marks a pivotal moment in the evolution of UEFI threats, which have traditionally targeted Windows systems exclusively.

The UEFI threat landscape has seen considerable advancement over the past decade.

Starting with Andrea Allievi’s proof of concept in 2012, the field has progressed to real-world threats like ESPecter and FinSpy in 2021, culminating in the notorious BlackLotus bootkit in 2023.

However, Bootkitty represents a new frontier by specifically targeting Linux systems.

Besides this, cybersecurity analysts at ESET observed that Bootkitty appears to be a proof of concept rather than an actively deployed threat.

Its primary objectives include:-

  1. Disabling the kernel’s signature verification feature
  2. Preloading two unknown ELF binaries via the Linux init process

The bootkit contains several artifacts suggesting its experimental nature, including unused functions that display ASCII art and a list of potential authors.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Technical Analysis

Bootkitty’s execution can be broken down into three main phases:

  1. Initialization and GRUB Hooking: The bootkit checks for UEFI Secure Boot, hooks authentication protocols, and patches the legitimate GRUB bootloader.
  2. Linux Kernel Image Decompression Hook: This phase involves patching the decompressed Linux kernel image, including modifying the kernel version and Linux banner strings.
  3. Kernel and Init Process Manipulation: Bootkitty patches the module_sig_check function to bypass module signature verification and modifies the init process to preload potentially malicious shared objects.

While Bootkitty’s current version may not pose an immediate threat to most Linux systems, its existence highlights the need for enhanced security measures.

Bootkitty, The First UEFI Bootkit Targeting Linux Servers
Bootkitty execution overview (Source – Welivesecurity)

Some indicators of Bootkitty’s presence include:-

  • Modified kernel version string (visible via uname -v)
  • Altered Linux banner in dmesg output
  • Presence of LD_PRELOAD environment variable in /proc/1/environ
  • Kernel marked as tainted
  • Ability to load unsigned kernel modules on systems with UEFI Secure Boot enabled

Researchers also discovered a potentially related unsigned kernel module named BCDropper, which deploys an ELF binary (BCObserver) responsible for loading another unknown kernel module.

While the connection to Bootkitty is not confirmed, these components share similar characteristics and naming conventions.

Bootkitty’s emergence underscores the expanding scope of UEFI threats beyond Windows systems. Although it appears to be in an early stage of development, its existence serves as a wake-up call for the cybersecurity community. To protect against such threats, it is crucial to:-

  • Enable UEFI Secure Boot
  • Keep system firmware and OS up-to-date
  • Maintain an updated UEFI revocations list

Security analysts urged for active vigilance and along with that proactive security measures will be essential in safeguarding Linux systems against sophisticated UEFI-based attacks.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar



Source link