Firmware is the bedrock of every device we rely on, managing critical hardware-software interactions and enabling systems to boot up. But here’s the thing: for all its importance, firmware security—especially UEFI BIOS—is often neglected. And hackers know this. Firmware is a prime target because it’s difficult to update, hard to detect when compromised, and has the potential to offer attackers deep, persistent control over systems.
The Importance of UEFI BIOS Firmware Security
When thinking about security, most teams focus on application-level vulnerabilities, firewalls, and antivirus tools. But securing UEFI BIOS firmware is just as critical—if not more so. Firmware operates at a foundational level, beneath the operating system (OS), which means that traditional security solutions can’t always detect breaches or malicious activity occurring there.
If your firmware is compromised, attackers can:
- Gain persistent control over your devices, even surviving OS reinstalls
- Bypass traditional security measures such as antivirus and endpoint detection & response (EDR)
- Disrupt system functions, creating hard-to-diagnose issues that can cripple devices and networks
This is why UEFI BIOS security must be a priority. Failing to secure these layers can have devastating consequences.
Let’s dive into 6 of the most significant firmware attacks to date, uncovering not just what happened, but what lessons IT and security leaders can take from them to ensure their own systems remain secure.
6 Notable UEFI BIOS Firmware Attacks
1. VectorEDK (2015)
What happened: In 2015, security researchers discovered a flaw in the UEFI firmware development kit (EDK) that could be exploited by attackers. This vulnerability allowed malware to persist even after the operating system was reinstalled, making it incredibly difficult to remove.
Who was targeted: This attack affected enterprises and organizations using compromised UEFI firmware, especially in server environments.
Impact: The vulnerability in VectorEDK highlighted how difficult it can be to detect and remove firmware-based malware. Once an attacker gains access to the firmware, they have control at a level that’s invisible to most traditional security solutions.
Learning: Firmware integrity must be verified regularly, and any vulnerabilities in UEFI need to be patched immediately. Organizations should implement Secure Boot processes and use firmware verification tools to detect unauthorized changes.
2. LoJax (2018)
What happened: LoJax became the first UEFI rootkit discovered in the wild, used by the Russian APT group Fancy Bear (APT28). It was able to infect the UEFI firmware of systems, allowing attackers to maintain control even after the operating system was wiped and reinstalled.
Who was targeted: LoJax primarily targeted government institutions and high-value enterprises across Eastern Europe.
Impact: LoJax was a game-changer. The rootkit allowed attackers to install persistent malware at the firmware level, making it nearly impossible to detect and remove. Traditional defenses, like reformatting the hard drive or reinstalling the OS, were ineffective.
Learning: LoJax underscored the need for advanced firmware security measures. Secure boot technology, which ensures that only trusted firmware and software run during the boot process, is critical. Organizations should also employ endpoint detection solutions, such as FirmGuard, capable of monitoring for firmware-based attacks.
3. TrickBoot (2020)
What happened: TrickBoot was an extension of the infamous TrickBot malware, adding the capability to manipulate UEFI firmware settings. This development allowed attackers to write malicious code directly to the firmware, enabling them to brick devices or maintain long-term access for future exploitation. Bricking a device essentially rendered it completely unusable by corrupting the firmware, so it cannot function or be repaired through normal methods.
Who was targeted: TrickBoot focused on critical infrastructure, financial institutions, and enterprises.
Impact: TrickBoot’s ability to alter firmware settings opened the door for devastating consequences, such as disabling security features or even making entire systems useless. It was a stark reminder of how dangerous firmware-based malware can be.
Learning: Firmware protection should be a critical part of any organization’s cybersecurity strategy. By implementing automated tools to monitor for unauthorized changes in UEFI BIOS firmware, companies can detect and stop attacks before they take hold.
4. MoonBounce (2022)
What happened: MoonBounce was an advanced UEFI firmware rootkit discovered in early 2022. It was capable of hiding in SPI flash memory, making it extremely difficult to detect. Once embedded, MoonBounce could control the boot process and load malicious payloads before the OS even started.
Who was targeted: This attack was likely executed by a nation-state actor, and it targeted high-profile individuals and organizations in the technology and defense sectors.
Impact: MoonBounce was unique in its ability to survive firmware updates, remaining persistent even when systems were supposedly “fixed.” Its complexity made it a significant threat to any organization it targeted.
Learning: To defend against sophisticated threats like MoonBounce, organizations must use hardware-based security mechanisms, such as hardware attestation, to verify the integrity of firmware and prevent malicious modifications.
5. CosmicStrand (2022)
What happened: CosmicStrand was another UEFI rootkit, this time targeting consumer-grade motherboards. It could intercept the operating system’s boot process and load malware before the OS was fully functional, making it particularly dangerous.
Who was targeted: While it primarily impacted devices in China, CosmicStrand demonstrated that even consumer devices are not immune from sophisticated firmware attacks.
Impact: CosmicStrand allowed attackers to take full control of infected systems, stealing data, spying on users, and planting additional malware. Because of its persistence in firmware, traditional security solutions could not remove it.
Learning: Supply chain security must include firmware. Whether you’re sourcing consumer or enterprise-grade hardware, ensuring that your devices haven’t been compromised at the firmware level is essential. Security checks should happen throughout the device’s lifecycle.
6. Black Lotus (2022)
What happened: Black Lotus was the first UEFI bootkit capable of bypassing Secure Boot, an essential security feature designed to protect the boot process. By exploiting vulnerabilities, Black Lotus could execute malicious code before the OS booted up, effectively bypassing security layers.
Who was targeted: This attack impacted organizations that relied heavily on Secure Boot, including government entities and enterprises in highly regulated industries.
Impact: The ability to bypass Secure Boot sent shockwaves through the security community. It highlighted how even advanced firmware defenses could be circumvented if attackers had the right tools and knowledge.
Learning: Secure Boot alone is not enough. Organizations need to layer their defenses by implementing additional protections, such as signed firmware updates, real-time firmware monitoring, and hardware-based security mechanisms.
How to Prevent UEFI BIOS Firmware Attacks
The 6 attacks we’ve explored highlight a clear and growing trend: attackers are increasingly targeting firmware because it’s an under protected, high-reward avenue. The good news is that by adopting the following UEFI BIOS firmware best practices, organizations can drastically reduce their risk of falling victim to such attacks.
- Regularly Update BIOS Firmware: One of the most effective ways to protect your firmware is to keep it updated. Check for updates from your hardware manufacturer frequently and apply the latest versions as they often contain critical patches for vulnerabilities. Tools like FirmGuard SecureUpdate help manage and automate firmware updates across diverse environments, reducing the risks of human error and out-of-date firmware
- Secure BIOS Configuration: Correctly configuring your BIOS settings strengthens security. Enabling features like Secure Boot helps prevent unauthorized operating systems or bootkits from loading. Limiting boot options to only authorized devices further locks down the boot process, reducing the attack surface for malicious code to exploit.
- Monitor and Verify BIOS Firmware Integrity: Regularly monitor and verify the integrity of BIOS firmware to detect any unauthorized modifications. Use cryptographic signatures and hashes to confirm that firmware remains unaltered and authentic.
- Transition from Legacy BIOS to UEFI mode: Systems running in Legacy BIOS mode lack modern security features, making them highly vulnerable to attacks. Identifying and upgrading these systems to UEFI mode, which supports features like Secure Boot and advanced security protocols, is essential. In addition, systems running in Legacy BIOS mode tend to be old and thus it may be time to replace them anyway.
Protect Your Organization with FirmGuard
Firmware attacks are growing – in both frequency and destructiveness. FirmGuard provides comprehensive solutions to help secure your UEFI BIOS firmware. Our proactive security platform provides real-time monitoring, advanced detection, and tools to ensure your firmware remains secure against the most sophisticated attacks.
Don’t wait until it’s too late—Book a Demo today and let us show you how to secure your systems against the next wave of BIOS firmware attacks.
Note: When we use the term UEFI, we mean modern platform firmware that has replaced BIOS on most computer systems.
