Without much fanfare, the US government issued a bold call to action to the entire IT industry last summer, to brace themselves for UEFI firmware-based attacks.
Specifically, the warning came in the form of an official blog post by the Cybersecurity and Infrastructure Security Agency (CISA) which is part of the United States Department of Homeland Security (DHS).
CISA is responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government’s cybersecurity protections against private and nation-state hackers.
“Adversaries have demonstrated that they already know how to exploit UEFI components for persistence, and they will only get better with practice”
CISA uses the acronym, UEFI, in this warning 42 times and is very specifically calling out this type of firmware because the IT industry has largely ignored it to date from a security perspective.
UEFI stands for Unified Extensible Firmware Interface and one can think of it as the modern standard for the BIOS firmware that is found in computing devices such as laptops, desktops, servers and more. Whenever someone powers on a Windows laptop, for example, the very first software that comes up (before the operating system) is the UEFI firmware.
And as CISA points out in the article: “Attackers have exploited UEFI implementation flaws to gain persistence – that is, the ability to maintain access to a compromised system despite system resets and defensive actions.”
Persistence is what makes UEFI malware attacks so devasting. UEFI firmware can remain infected even if the computer is reimaged or even if the hardware drive is replaced because the firmware resides on its own flash memory on the motherboard away from the hard drive or the OS.
I would advise reading this warning from CISA very carefully because without a doubt, UEFI firmware is going to be the next major vector for malware attacks.
