Linux devices are being hit by LogoFAIL vulnerability, Bootkitty installed


  • LogoFAIL, image parsing vulnerabilities on Linux and Windows, are being actively abused
  • Researchers are saying crooks are installing Bootkitty, the first-ever Linux UEFI bootkit
  • Bootkitty works on both Linux and Windows devices

LogoFAIL, a string of vulnerabilities that allow threat actors to install malware at boot level, is now actively being abused in the wild, experts have warned.

A new report from cybersecurity researchers Binarly noted how LogoFAIL, a group of vulnerabilities that allow malicious actors to replace the logo image displayed on Windows and Linux devices during the boot process, is now being exploited in the wild.

The replaced images can contain malicious code that the device will run, and since that code executes at boot, before the OS or any antivirus software has loaded, most security products cannot detect or remove it.

Purely theoretical

In fact, even reinstalling the operating system, or replacing the hard drive, will not help. Malware installed this way is generally called a UEFI bootkit, since it targets the Unified Extensible Firmware Interface (UEFI), the firmware responsible for initializing hardware and launching the operating system.

When it was first discovered, LogoFAIL was deemed purely theoretical, as no active exploits, or code, were seen in the wild. However, Binarly now says that things have changed, and that it observed LogoFAIL being used to deploy Bootkitty.

Bootkitty was first observed, and reported, late last week. It is the first malware of its kind, since it targets Linux devices. Spotted by researchers from ESET, the malware was described as an early development stage version.

Bootkitty relies on a self-signed certificate, which means it won’t run on systems with Secure Boot - therefore, it can only target some Ubuntu distributions.
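Since the bootkit described above depends on Secure Boot being off, a defender's first check is whether the firmware is actually enforcing it. The script below is an added example, not code from the article or from the researchers; it reads the standard SecureBoot EFI variable through efivarfs (Linux exposes it under /sys/firmware/efi/efivars with the EFI global variable GUID) and also runs the parser against two constructed sample files so it can be exercised on any machine.

```shell
#!/bin/sh
# Added example: report whether UEFI Secure Boot is enforced on a Linux host.
# efivarfs stores each variable as 4 attribute bytes followed by the data,
# so the single SecureBoot byte (1 = enforcing, 0 = off) sits at offset 4.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_state FILE -> prints "enabled", "disabled" or "unknown"
secure_boot_state() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    # od: skip the 4 attribute bytes, read 1 byte as unsigned decimal
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Constructed sample variables (not real firmware data): attrs=7, then value
tmp=$(mktemp -d)
printf '\007\000\000\000\001' > "$tmp/sb_on"
printf '\007\000\000\000\000' > "$tmp/sb_off"

main() {
    echo "sample on : $(secure_boot_state "$tmp/sb_on")"
    echo "sample off: $(secure_boot_state "$tmp/sb_off")"
    # On a non-UEFI host or without efivarfs the real variable is absent
    echo "this host : $(secure_boot_state "$SB_VAR")"
}

main
```

On distributions that ship shim, `mokutil --sb-state` reports the same value; a result of "disabled" or "unknown" on a production host is what to investigate, since it removes the signature check that would block a self-signed bootkit.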

Furthermore, the use of hardcoded byte patterns, and the fact that the best patterns for covering multiple kernel or GRUB versions were not used, mean that the bootkit cannot be widely distributed. Finally, Bootkitty comes with many unused functions and does not perform kernel-version checks, which often results in system crashes.

In any case, the finding marks an important moment in the development and destructive potential of UEFI bootkits.

Via Ars Technica

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
