Researchers announced last night the discovery of the first-ever rootkit which successfully compromises UEFI firmware. The malware, which has been dubbed LoJax, has been utilized by fancy Bear in a campaign targeting government organizations in Central and Eastern Europe, as well as the Balkans. For some time now, researchers have theorized and discussed the possibility of UEFI rootkits and many have felt that it was only a matter of time before one was discovered in the wild. The deployment of a UEFI rootkit allows Fancy Bear a level of persistence on a system that is not typically seen in most cyber-attacks. LoJax requires a high level of knowledge prior to the attack because of the intensely targeted nature of such a rootkit, which is not surprising due to the nature of the methods employed by Fancy Bear. Recovery from such an attack would be very labor and time intensive as well since the level of knowledge and work required for recovery from a firmware attack is well beyond the knowledge of most users, causing a significant amount of recovery work for security and incident response personnel.
