
Preparing for UEFI bootkits. ESET discovery shows the importance of cyber intelligence

Roman Cuprik

Some threats bypass standard security tools. In such cases, security operators capable of deep analysis are needed. 

Last year, ESET Research confirmed rumors concerning BlackLotus, the first publicly known UEFI bootkit capable of bypassing UEFI Secure Boot, being sold on underground forums. This means that malware preying upon fundamental weaknesses in the UEFI security model is in the wild, and experts expect more bootkits like BlackLotus in the near future.

“Bootkits are no longer just a threat to legacy systems, but a real threat to the majority of modern UEFI firmware systems,” said ESET Researcher Martin Smolár, who discovered this previously undocumented real-world UEFI bootkit and presented his finding at the 2024 RSA conference.

This threat creates a challenge for businesses: how can they take a prevention-first approach and secure their devices against attacks that cannot be fully prevented simply by following the standard recommendations and using default system settings, given that there are known vulnerabilities that still haven’t been fixed and might never be fixed?

Despite businesses holding the short end of the stick right now, they are not without hope. In fact, these are the situations where cyber intelligence platforms such as ESET Threat Intelligence shine.

Confirmed myth

In a nutshell, UEFI bootkits are serious threats targeting Windows that gain full control over the operating system (OS) boot process. With this level of capability, they can disable various OS security mechanisms and are able to operate very stealthily and with high privileges.

The initial attack vector is unknown, but the bootkit infection starts with the execution of an installer that deploys the bootkit’s files to the EFI System Partition (ESP). EFI stands for Extensible Firmware Interface; the ESP is the partition that stores the files needed to boot operating systems.

Using this installer, attackers can disable the first two layers of defense: Hypervisor-protected Code Integrity (HVCI) and BitLocker encryption. Then they reboot the host.

After the first reboot, the malware abuses the known vulnerability CVE-2022-21894, allowing attackers to enroll their own Machine Owner Key (MOK). A MOK allows owners of devices running non-Windows OSes to generate keys that sign non-Microsoft components used during the boot process, so that only approved OS components and drivers run. By abusing this boot security feature, attackers achieve persistence.

The computer now thinks that the system is booted using trusted software, which means that attackers have bypassed another layer of protection, UEFI Secure Boot, and the machine is then again rebooted.

In the next stages, the self-signed UEFI bootkit is executed and deploys a kernel driver, gaining access to the kernel, the program at the core of an operating system that generally has complete control over everything in the system. It also deploys a user-mode HTTP downloader responsible for communication with the C&C server. The compromised device can now receive and execute commands from the C&C and download additional user-mode or kernel-mode payloads.

Businesses are not powerless

Looking at this cascade of steps for hijacking a compromised computer, and knowing that there is no effective fix for older devices due to their outdated security mechanisms, one may feel as if their hands are tied.

But businesses can protect themselves and apply a prevention-first approach even in these cases.

  • First of all, businesses need to keep their systems and security products up to date, narrowing the options available to attackers.
  • IT staff should learn the possible risks and the procedures for reducing them. Microsoft has released a threat description and guidance for investigating UEFI attacks.
  • If needed, set up a custom Secure Boot policy. This, however, requires an experienced admin and is manageable only for a handful of devices due to its complexity.
  • Deploy reliable monitoring solutions and configure their integrity-scanning tools to monitor the composition of the EFI System Partition.
  • Block any attempt by untrusted processes to modify all or specific files on the EFI System Partition, to prevent bootkit installation.
  • Track developments in UEFI malware across threat intelligence platforms and resources.
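As an added illustration of the integrity-scanning recommendation above, the following Python script builds a SHA-256 manifest of every file on an EFI System Partition, stores it as a JSON baseline, and reports files that were added, removed or modified since. It is example code written for this article, not ESET’s or Microsoft’s tooling. The ESP directory and the file contents it creates are constructed placeholders; on a real host you would point `build_manifest` at the mounted ESP (for example the drive letter assigned with `mountvol <letter>: /S` on Windows, or `/boot/efi` on most Linux distributions) and run the diff on a schedule or after every boot.

```python
"""Baseline-and-diff integrity check for the EFI System Partition (ESP).

Added example (not ESET's or Microsoft's code): builds a SHA-256 manifest of
every file under an ESP mount point, stores it as JSON, and reports files that
were added, removed or modified since the baseline. The sample ESP tree below
is constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large boot loaders never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(esp_root) -> dict:
    """Map each file's path (relative to the ESP root, '/'-separated) to its SHA-256."""
    root = Path(esp_root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return added / removed / modified relative paths between two manifests."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_manifest(manifest: dict, out_path) -> None:
    """Persist the baseline; keep it somewhere the ESP itself cannot overwrite."""
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_path) -> dict:
    return json.loads(Path(in_path).read_text())


def _write(root: Path, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: create a file with parent directories."""
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: a known-good ESP, then the same ESP after an extra
    loader was dropped and the BCD store rewritten. Returns the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp) / "esp"
        # Placeholder contents; on a real ESP these are PE images and a BCD store.
        _write(esp, "EFI/Microsoft/Boot/bootmgfw.efi", b"placeholder bootmgfw")
        _write(esp, "EFI/Microsoft/Boot/BCD", b"placeholder BCD v1")
        _write(esp, "EFI/Boot/bootx64.efi", b"placeholder fallback loader")

        baseline_path = Path(tmp) / "esp-baseline.json"
        save_manifest(build_manifest(esp), baseline_path)

        # Simulated unauthorised changes: a new loader appears and the BCD changes.
        _write(esp, "EFI/Microsoft/Boot/unexpected.efi", b"constructed new loader")
        _write(esp, "EFI/Microsoft/Boot/BCD", b"placeholder BCD v2")

        return diff_manifests(load_manifest(baseline_path), build_manifest(esp))


if __name__ == "__main__":
    for kind, files in demo().items():
        for rel in files:
            print(f"{kind.upper():9} {rel}")
```

Two practical points: store the baseline outside the ESP (a signed file on a management server, or at least a protected directory), because anything that can write to the ESP can also rewrite a baseline kept there; and expect legitimate Windows servicing to replace files such as `bootmgfw.efi`, so a "modified" report after a patch cycle should be reconciled against the update and then re-baselined rather than ignored.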

ESET solutions such as ESET Enterprise Inspector and ESET UEFI Scanner, which is part of the ESET Host-based Intrusion Prevention System (HIPS), can detect signs that something suspicious is happening with a device and alert IT admins. While ESET UEFI Scanner checks and enforces the security of the pre-boot environment, HIPS combines advanced behavioral analysis with the detection capabilities of network filtering to monitor running processes, files, and registry keys.

For more information, check the RSA presentation by ESET Researcher Martin Smolár, via the ESET research podcast, and the NSA BlackLotus Mitigation Guide.

Be one step ahead of threat actors

Since the discovery of the in-the-wild UEFI bootkit, Microsoft has released several patches, and experts across the world provided some guidance. But how to protect a business from the start, before all of this can happen?

To identify such new threats and customize their solutions to deal with them, global leaders in cybersecurity such as ESET invest a lot in research. ESET Threat Intelligence turns this effort into a service, providing businesses with curated global knowledge about threat actors’ activities, gathered by ESET analysts and experts.

Thanks to ESET Threat Intelligence, security engineers, analysts, or incident responders can learn about new threats ASAP, anticipating them and making better, faster decisions. This allows them to deploy a proactive defense, customize their security, and fight increasingly sophisticated cyberattacks.

Moreover, ESET APT Reports give businesses access to private, in-depth technical analysis together with threat mitigation tips. Every user with the APT Reports PREMIUM package will also have access to an ESET analyst for up to four hours each month. This provides the opportunity to discuss topics in greater detail and help resolve any outstanding issues.

Facing a challenge

UEFI bootkits represent a challenge that is hard to tackle, but that is exactly why it is so important for businesses and enterprises to have reliable cyber intelligence.

With a globally distributed network of security centers, ESET research labs never sleep and have immediate access to threat intelligence like no one else, thanks to the number and distribution of devices protected around the world. Combined with more than three decades of experience in cybersecurity research and product development, ESET can provide businesses with vital intel and use this knowledge to continuously innovate threat-defense techniques.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Locked Shields 2024: ESET bolsters Slovak cyber defense during live-fire NATO exercise

BRATISLAVA — May 3, 2024 — Experts from ESET joined with the combined team of the Slovak Republic and Hungary militaries to participate in Locked Shields 2024 – the biggest and most complex cyber defense exercise in the world. The live-fire exercise, involving 40 countries, saw ESET contribute security solutions and more than 50 experts to a number of tactical teams, ensuring a top-flight position for the central European country which participates in the annual exercise run by NATO’s Cooperative Cyber Defense Centre of Excellence (NATO CCD COE). 

With collaboration being the focus of the 14th annual exercise (the slogan being “Cooperation Is Our Protection”), ESET supplied the Slovak-Hungarian team with defensive capabilities which particularly contributed to the team’s top three placings in cyber threat intelligence, client-side protection, forensics and strategic communications, taking home an overall 4th place position among the 18 participating teams made up of similar cross-country units.

The Slovak-Hungarian team successfully followed its strategic objectives and was built not only on expertise and state-of-the-art security technologies, but most importantly on communication and intensive cooperation between the participants, who worked together to defend the vital infrastructure of fictitious country Berylia in the face of massive cyber attacks designed to cripple the country and create public unrest.

“Locked Shields promotes the concept that collaboration is one of NATO’s greatest strengths – increasing the level of protection for all member states, their people, businesses and critical infrastructure,” said Juraj Malcho, CTO of ESET.  “ESET is proud to support the Slovak Ministry of Defense in this live fire exercise, by providing experts in cyber security, forensics, threat intelligence, legal and strategic communications, as well as our XDR cybersecurity platform ESET PROTECT. Together, we are stronger against any powerful adversary wishing to cause disruption.”

The Slovak team was led by the Cyber Defense Center of Slovak Military Intelligence. During the exercise, the Slovak government sector was represented by experts from the ministries of defense, finance, interior, transport, and foreign affairs. ESET’s experts and technologies contributed to the rapid detection of and response to cyberattacks. Experts from the Slovak branch of Palo Alto Networks and Orange Slovensko a.s. also helped with both securing and managing the infrastructure. The team dealing with cyberspace legal challenges was led by an expert from SIGNUM legal s.r.o. Talented students and their professors from the Slovak University of Technology in Bratislava, Comenius University in Bratislava, the Armed Forces Academy of General Milan Rastislav Štefánik, and young Slovak talents studying at foreign universities also came to support the national team.


ESET Threat Intelligence increases cybersecurity visibility through Elastic integration

  • ESET announces strategic integration with Elastic Security, enhancing cybersecurity analytics and visibility through advanced threat intelligence feeds.
  • The integration offers deduplicated, highly curated feeds based on proprietary ESET research and telemetry.
  • Elastic users will benefit from enhanced geographical visibility, reduced false positives, prevention of IoCs, and contextual investigations.

BRATISLAVA, May 3, 2024 – ESET, a global digital security company, has announced another strategic partnership and integration, thanks to its unified API gateway. This development facilitates seamless connections with various cybersecurity vendors, such as the recent integration with Elastic, a leading search AI company. This move is part of ESET’s broader strategy to support multi-vendor integrations aimed at strengthening overall cybersecurity defenses. By working with Elastic, ESET aims to provide organizations with enhanced analytics tools and greater visibility to enable more effective preventive measures against cyber threats.

Through this strategic partnership, Elastic’s users gain access to ESET’s advanced threat intelligence feeds, offering real-time data on indicators of compromise (IoCs), such as botnets, malicious domains, files, URLs, and IPs. These feeds also provide deep insights into the operations of notorious APT groups, sourced from ESET’s extensive malware and threat research. This integration enriches Elastic’s SIEM product, enabling security operators to leverage globally sourced threat data for unprecedented geographical visibility, dramatically reduced false positives – allowing for more accurate threat detection and analysis – and contextualized threat investigation.

The collaboration brings to the table ESET’s deduplicated and highly curated feeds, ensuring maximum effectiveness. Unique insights are drawn from proprietary ESET research and telemetry, not reliant on third-party sources. For optimal integration and interoperability, these feeds are delivered in the widely recognized TAXII/STIX 2.1 format.

ESET’s technological framework continuously scans for threats across various layers, from pre-boot to the resting state, providing global telemetry on emerging threats. This automation, supported by ESET’s leading cybersecurity team and 13 R&D centers worldwide, accelerates threat investigation and response. While machine learning aids in automating decisions, it’s ESET’s human expertise that underpins the evaluation and interpretation of threats, ensuring unparalleled accuracy and reliability.

“Our collaboration with Elastic not only marks a milestone in threat intelligence integration, but also represents a shared commitment to securing the digital landscape,” remarked Trent Matchett, ESET Director of Global Strategic Accounts. “By combining our unique insights and unparalleled expertise with Elastic’s analytical prowess, we’re setting a new standard in cybersecurity, empowering organizations to improve their security posture and make crucial decisions faster.”

For more information on how the ESET and Elastic integration is redefining cybersecurity threat intelligence, and to learn more about the benefits it brings to organizations, please read here.


[Important notice] Servers will undergo scheduled maintenance from 2024-05-08 (2:30 pm) to 2024-05-08 (6:30 am)

Important notice!

ESET plans to carry out maintenance work between 2:30 pm and 6:30 pm Hong Kong time on Tuesday, May 8, 2024; the maintenance is expected to last approximately 4 hours.

During this period, customers may be unable to make renewal purchases, activate licenses, or generate licenses.

We apologise for any inconvenience caused.

Technical support hotline: (852) 2893 8186, or email: support@version-2.com.hk

IMPORTANT!

ESET has planned maintenance which will take place on
Tuesday, May 8th, 2024, from 2:30 PM to 6:30 PM, Hong Kong Time, lasting 4 hours.

This means that at certain times within the maintenance window, customers may be unable to make renewal purchases, activate licenses, generate licenses, etc.

Sorry for any inconvenience caused.

Support Hotline: (852) 2893 8186
Or email to support@version-2.com.hk

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes a wide range of Internet, IT and multimedia products, including communication systems, security, network, multimedia and consumer-market products. Through its extensive network of channels, points of sale, distributors and partners, Version 2 offers products and services that are widely acclaimed in the market. Version 2’s sales network covers mainland China, Hong Kong, Macau, Taiwan, Singapore and other regions; its customers come from all industries, including Global 1000 multinational enterprises, listed companies, public utilities, government departments, countless successful SMEs, and consumer-market customers from cities across Asia.

Leveling the playing field for all with MDR

One thing that every company, from the smallest business to the largest enterprise, has in common is that all of them face a world of evolving threats that periodically come knocking on their doorsteps. 

To counter these threats early on, small and medium-sized businesses (SMBs) are looking to spice up their security postures, while enterprises find that they need to cover operations beyond what their security operations centers (SOCs) are able to address themselves. All of this can be alleviated via detection and response, which can work wonders to heighten the security status of any organization willing to utilize it comprehensively.

However, certain skills are required to realize the benefits while also keeping challenges in check. Putting budget aside for the moment, the skilled professionals needed to operate detection and response platforms successfully are hard to come by these days.

So why not employ professionals who know how to manage detection and response without having to allocate extensive resources for further hiring?

What we are talking about is Managed Detection and Response (MDR), which can address threats proactively, deliberately, and indeed very quickly. Furthermore, having these capabilities managed helps immediately address the most demanding aspects of both deploying, and deriving benefits from, what can be a complex set of tools and processes.

Detection

One of the most important parts of proactive threat hunting is to have the ability to manage the attack surface just like a general would manage a battlefield — to know all the hazards, strategic points, numbers, and logistics.

While the scope and power of standard Endpoint Detection and Response (EDR) can serve the needs of businesses of a certain size and maturity, EDR’s complexity may hamper a timely response. In some cases, even with both the AI-powered automation and human skill attributed to in-house SOCs, businesses might still lack the necessary in-depth understanding of a product or the threat landscape.

Approaching the many challenges around detection and response, even with the support of AI for capacity-intense processes like assessing entities and correlation to incident assessment, SOC teams have additional burdens. These include:

  • Achieving compliance with industry regulations
  • Meeting security needs with minimum impact on business processes while still minimizing incident response times

Due to the number and complexity of some of these burdens, opening a conversation about offloading portions of these responsibilities via MDR can bring into sharper focus which of these operations are mission-critical for your business.

And response

Shrinking the attack surface, covering all endpoints, cloud-first AI-powered operation — while these phrases might sound like a bunch of technobabble from a futuristic movie, they all represent actual possibilities within cybersecurity that can be handled, in most cases, through detection and response solutions such as Extended Detection and Response (XDR).

While detection can work based on automatically created incidents and the many rules in ESET Inspect, leveraging its power for a more intense and rewarding security experience can only be done by working with people who have a close connection with the creators and developers of such detection and response solutions — connecting the telemetry and product into a single experience for the business that is wary of the threats it might face. With the identified set of detection responsibilities offloaded to managing detection processes, the SOC can focus its capacity on response.

Alternatively, response processes can benefit equally from external management, especially when the provider is intimately familiar with the product. The benefits are clear for SMBs that cannot or do not want to manage their own containment and remediation. Larger businesses may want their IT staff to maintain its focus on daily functioning in the knowledge that there is a safety net capable of protecting their business 24/7/365. This is the promise of MDR, and it can supply this in spades.

Managing likely threats at every step and every level

The difficulty of covering all attack surfaces via D&R depends on a number of factors, including the security expertise a company possesses; its security environment; its budgetary constraints; and external factors such as a lack of potential security recruits, deliberate threat targeting, or even threats vectoring via a company’s supply chain.

These days, it is not only organizations that see a rising need for better protection but also government regulators and cyber insurance companies, who devise requirements to make businesses less complacent and more likely to invest in better security, since oftentimes an attack on one business or its tool can have a cumulative effect, impacting its partners and customers. This is especially true with supply-chain attacks like SolarWinds or MOVEit. A single weak point or an underestimation of security, and poof: you have not only a single incident but a whole slew of them impacting several different companies that use the same piece of software.

Protection needs to work on every level, for any business, be it small, midsize, or enterprise. But to do so, pre-emptive proactive threat hunting has to be employed first, which MDR can offer, serving as the first step of a multilayered security posture focused on taking care of threats before they transform into incidents.

Which MDR?

To ward off any threat, security vendors have to be able to protect against threats at every level, for any business or its verticals.

ESET PROTECT MDR

ESET PROTECT MDR provides a service that can help businesses of all sizes and maturity levels achieve a better security posture 24/7/365, powered by AI and human experts, ensuring enterprise-level protection, gaining security maturity that matches the size, scale, and scope of a business. With custom support aimed at providing comprehensive protection and a rapid response time of 20 minutes, closing cybersecurity gaps, including those created by external forces such as a lack of skilled hires, has never been easier.

As a bonus, ESET PROTECT MDR includes everything in ESET PROTECT Elite, the ESET MDR service, and ESET Premium Support Essential, creating a package that offers an elite security solution coupled with human support and expertise to complete one’s security posture.

A great addition here is also the inclusion of scheduled reports, including advanced behavioral reports provided by ESET LiveGuard Advanced (ELGA), our proactive cloud-based threat defense against targeted attacks and new, never-before-seen threat types, especially ransomware. With these reports, security admins will have a better visibility into what’s happening within their systems, providing a complete overview of how ELGA analyzed a malicious sample.

ESET PROTECT MDR Ultimate

And for the enterprises that don’t want to leave any room for error, an MDR service can augment their existing security by giving additional breathing room to their SOCs, as policing a global operation takes tremendous resources that could be spent elsewhere.

And that’s why adding MDR to the mix makes sense, as it both adds more expertise and enables an enterprise to enjoy superior cyber risk protection, with access to world-leading threat hunters whose job is to do exactly that — to know how to find and act against threats with a service tailor fit for the enterprise’s whole operation.

All of this is present within ESET PROTECT MDR Ultimate, a service that provides top-notch proactive prevention with superior cybersecurity protection, enabling granular visibility into a company’s whole environment through a tailored security service, to stay one step ahead of all emerging threats. The Ultimate tier also includes remote digital forensic incident response assistance, which helps businesses by overseeing the collection and analysis of incident logs for a better understanding of how an incident happened and how future occurrences can be prevented.

Cybersecurity – a top priority

In today’s world, data breaches and security interruptions are not just possibilities; they are inevitable. Customers want partners that can assure them of sound security, and that is where our MDR services come in. We guarantee unparalleled security that can make all the difference between being a successful and an unsuccessful business.

To conclude, cybersecurity should never be taken for granted; it must be given the utmost importance to protect your business and customers from harm. So, focus on cybersecurity, and do it proactively so that threats never breach your doorstep.

