KnowBe4 Alert: New Rootkit, LoJax, Survives Even Hard Disk Swaps

TAMPA BAY, FL | Oct 1, 2018

The only way to get rid of this infection is to overwrite the machine’s flash storage

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, issued an alert regarding a new rootkit in the wild called “LoJax.” LoJax, which was discovered by ESET, survives a reformat and operating system reinstall – and even a hard disk swap. A rootkit is software used by a hacker to gain constant administrator-level access to a computer or network, usually without the administrator’s knowledge, which makes it difficult to detect and mitigate.

This rootkit compromises a computer’s Unified Extensible Firmware Interface (UEFI), a specification for the interface between a computer's firmware and its operating system. UEFI controls booting the operating system and runs pre-boot apps. LoJax can persist inside the computer’s flash memory, which is how it can survive attempts to kill it and even hard disk swaps.

“Although LoJax is advanced malware, it infects just like any other (usually social engineering someone into running a trojan horse program or unpatched software). Most antivirus scanners and other security products also don’t look for UEFI issues, making it even harder to detect whether malicious code is there. And if it is, you’re in trouble because it's a devil to get rid of,” said Stu Sjouwerman, CEO, KnowBe4. “To prevent this kind of cyberattack from infecting an organization’s workstations, IT administrators should review the Secure Boot configuration on all their hardware and make sure they are configured properly. If they are, bad guys are left to spear phish their targets, which is why it’s a good idea to step users through new-school security awareness training to avoid a successful phishing excursion.”
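The Secure Boot review recommended above starts with knowing what state each machine is actually in. The following POSIX shell check is an added example, not code from the release, from KnowBe4 or from ESET: on a Linux host it reads the SecureBoot UEFI variable that the firmware exposes through efivarfs and reports enabled, disabled, or unsupported (legacy BIOS boot or efivarfs not mounted). The efivarfs path and the GUID are the standard ones for that variable; the helper names and the exit-code convention are this example's own, chosen so the check can be dropped into a fleet inventory job.

```shell
#!/bin/sh
# Added example (not from the KnowBe4 release): report the Secure Boot state
# on a Linux host by reading the UEFI variable exposed via efivarfs.
# efivarfs file layout: 4 bytes of variable attributes, then the variable data.
# For SecureBoot the data is one byte: 1 = enabled, 0 = disabled.
# The GUID is the standard EFI global-variable GUID used by this variable.
SECUREBOOT_VAR="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secureboot_state [FILE]
# Prints "enabled", "disabled" or "unsupported" and returns 0, 1 or 2 respectively.
# FILE defaults to the live efivarfs path; a constructed file can be passed for testing.
secureboot_state() {
    file="${1:-$SECUREBOOT_VAR}"
    if [ ! -r "$file" ]; then
        # No readable variable: legacy BIOS boot, or efivarfs not mounted.
        echo "unsupported"
        return 2
    fi
    # Skip the 4 attribute bytes and read exactly one data byte as an unsigned int.
    value=$(od -An -tu1 -j4 -N1 "$file" | tr -d ' ')
    case "$value" in
        1) echo "enabled";     return 0 ;;
        0) echo "disabled";    return 1 ;;
        *) echo "unsupported"; return 2 ;;   # short or malformed variable
    esac
}

# audit_secureboot [FILE]
# Logs the state and succeeds only when Secure Boot is enabled, so a
# compliance job can treat any other outcome as a finding to follow up.
audit_secureboot() {
    state=$(secureboot_state "$@") || true
    printf 'secure boot: %s\n' "$state"
    [ "$state" = "enabled" ]
}
```

Run as `audit_secureboot` on each host and collect the non-zero exits; "unsupported" deserves the same follow-up as "disabled", since it usually means the machine is booting in legacy mode and Secure Boot is not protecting it at all.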

This new, complex rootkit is an affirmation of just how advanced cyber criminals have become. Now that this type of infection is out in the wild, more UEFI rootkits can be expected, possibly with advanced features like signature verification bypass. If this infection were propagated with a zero-day worm like WannaCry, it could cause massive destruction by completely shutting down workstations.

For more information on this new rootkit, please visit the KnowBe4 blog.

About KnowBe4

KnowBe4, the provider of the world’s largest integrated security awareness training and simulated phishing platform, is used by more than 20,000 organizations worldwide. Founded by data and IT security expert Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness of ransomware, CEO fraud and other social engineering tactics through a new-school approach to security awareness training. Kevin Mitnick, internationally recognized computer security expert and KnowBe4’s Chief Hacking Officer, helped design KnowBe4’s training based on his well-documented social engineering tactics. Tens of thousands of organizations worldwide trust KnowBe4 to mobilize their employees as their last line of defense.

Number 96 on the 2018 Inc. 500 list, #70 on 2017 Deloitte’s Technology Fast 500 and #2 in Cybersecurity Ventures Cybersecurity 500. KnowBe4 is headquartered in Tampa Bay, Florida with European offices in England, the Netherlands, Germany and offices in South Africa and Singapore.
