Jump to content

Welcome to ExtremeHW

Welcome to ExtremeHW, register to take part in our community, don't worry this is a simple FREE process that requires minimal information for you to signup.

 

Registered users can: 

  • Start new topics and reply to others.
  • Show off your PC using our Rig Creator feature.
  • Subscribe to topics and forums to get updates.
  • Get your own profile page to customize.
  • Send personal messages to other members.
  • Take advantage of site exclusive features.
  • Upgrade to Premium to unlock additional sites features.
IGNORED

UEFI bootkit can defeat Secure Boot protection


Recommended Posts

Quote

 new report by ESET analyst Martin Smolár now confirms one of the most outstanding and dangerous capabilities of the malware: BlackLotus is the first "in-the-wild" UEFI bootkit to compromise a system even when the Secure Boot feature is correctly enabled. Smolár says it's a malicious kit that can run on fully updated UEFI systems.

WWW.TECHSPOT.COM

BlackLotus is a potent threat against modern firmware-based computer security. This UEFI bootkit provides...

 

 

🙁

  • Thanks 1

null

Owned

 Share

CPU: 5800x
MOTHERBOARD: ASUS TUF Gaming B550-Plus
RAM: 32GB 3600mhz CL16
GPU: 7900XT
SOUNDCARD: Sound Blaster Z 5.1 home theater
MONITOR: 4K 65 inch TV
Full Rig Info
Link to comment
Share on other sites

Premium Platinum - Lifetime
1.3k 804

Great. Jesus. They just keep finding more and more exploits since around 2017. I used to run a rootkit scanner, I think it might have been from Trend Micro. Perhaps I need to run it and check for any crap like this.

{"USD":"5179"}

Owned

 Share

CPU: Ryzen 9 9950X
MOTHERBOARD: Asus ROG Strix X670E-E Gaming Wifi
RAM: G.skill TridentZ5 7600MHz 36-45-45-45
GPU: MSI Gaming X Trio RTX 4090
MONITOR: Acer Ultrawide 3440x1440 144Hz HDR400 FreeSync Premium
SSD/NVME: Crucial T700 1TB PCIE 5 M.2
PSU: Superflower Leadex VII XG 1300w Gold
CPU COOLER: EK Nucleus AIO black edition 360mm
Full Rig Info

null

Owned

 Share

CPU: i5-7600k 4.5GHz
MOTHERBOARD: ASUS ROG Strix Z270H Gaming
RAM: G.skill Flare X DDR4 3333MHz 14-14-14
CASE: Silverstone Grandia series GD09
SSD/NVME: Samsung 850 Evo
GPU: GT 710
CPU COOLER: Thermalright AXP120-X67 Low Profile CPU Air Cooler
MONITOR: Asus V239H 1080p 60Hz IPS
Full Rig Info
Link to comment
Share on other sites

4 hours ago, neurotix said:

Great. Jesus. They just keep finding more and more exploits since around 2017. I used to run a rootkit scanner, I think it might have been from Trend Micro. Perhaps I need to run it and check for any crap like this.

If on Windows, for a starter,

SUPPORT.MICROSOFT.COM

Learn how to use Microsoft Defender Offline to help remove malicious software and other potential threats.

or Malwarebytes Free version has a Rootkit option box in the manual scan

Screenshot_816.jpg

  • Thanks 3
Link to comment
Share on other sites

Good.  I know I'm in the minority here, but TPM is not good for the industry.

 

I can understanding encrypting a drive and saving the key to a bios.  I can understand using manufacture keys to prevent unsigned bios updates.  What I can't fathom is why Microsoft has final say on what's "trusted" and should be able to run on a computer.  If they are worried about booting outside OS systems that can compromise a system, they should lock down the boot loader and bios under a user password.

 

Windows 10 passwords can be bypassed with a simple windows 10 bootable USB, the same USB you may NEED to restore a corrupt system or reinstall the OS.  A rubber ducky can grab a lot of information without even logging into a system.  If microsoft was worried about security, they could do a lot more to fix their systems than try to control the industry.  TPM was always a power grab by microsoft, once people realize it doesn't actually provide security, they might move on to something else. 

Link to comment
Share on other sites

9 hours ago, Kaz said:

Good.  I know I'm in the minority here, but TPM is not good for the industry.

 

I can understanding encrypting a drive and saving the key to a bios.  I can understand using manufacture keys to prevent unsigned bios updates.  What I can't fathom is why Microsoft has final say on what's "trusted" and should be able to run on a computer.  If they are worried about booting outside OS systems that can compromise a system, they should lock down the boot loader and bios under a user password.

 

Windows 10 passwords can be bypassed with a simple windows 10 bootable USB, the same USB you may NEED to restore a corrupt system or reinstall the OS.  A rubber ducky can grab a lot of information without even logging into a system.  If microsoft was worried about security, they could do a lot more to fix their systems than try to control the industry.  TPM was always a power grab by microsoft, once people realize it doesn't actually provide security, they might move on to something else. 

Agree,but for a different reason, if there's an issue with a bios update or other bios/Hardware issue that causes you to have to clear the CMOS you loose the tpm key and when trying to turn tpm back on you loose any info that was previously encrypted. The Encrypted data IS available with tpm turned off, so what's the point? If someone can access "secure" data simply by turning off tpm in the bios, how secure is it really?

  • Thanks 1
Link to comment
Share on other sites

On 05/03/2023 at 01:41, Kaz said:

Good.  I know I'm in the minority here, but TPM is not good for the industry.

 

I can understanding encrypting a drive and saving the key to a bios.  I can understand using manufacture keys to prevent unsigned bios updates.  What I can't fathom is why Microsoft has final say on what's "trusted" and should be able to run on a computer.  If they are worried about booting outside OS systems that can compromise a system, they should lock down the boot loader and bios under a user password.

 

Windows 10 passwords can be bypassed with a simple windows 10 bootable USB, the same USB you may NEED to restore a corrupt system or reinstall the OS.  A rubber ducky can grab a lot of information without even logging into a system.  If microsoft was worried about security, they could do a lot more to fix their systems than try to control the industry.  TPM was always a power grab by microsoft, once people realize it doesn't actually provide security, they might move on to something else. 

 

Agree, except both of those items are generally outside the control of an operating system, in the sense of getting them configured so that the user can actually enter their own password. They're up to the user to configure. If there was an implementation of something akin to bitlocker, where admins can enable a password required to boot and the user can make their own, except apply it to the bios & bootloader, that'd be sweet.

 

Can W10 passwords still be removed that way? I thought that wasn't a thing anymore.

 

23 hours ago, schuck6566 said:

Agree,but for a different reason, if there's an issue with a bios update or other bios/Hardware issue that causes you to have to clear the CMOS you loose the tpm key and when trying to turn tpm back on you loose any info that was previously encrypted. The Encrypted data IS available with tpm turned off, so what's the point? If someone can access "secure" data simply by turning off tpm in the bios, how secure is it really?

 

Is this where hardware security keys (the removeable ones) enter the chat? Or do those just apply to logging into the computer?

If one could configure a hardware key to be required for POST or bootloader access...

Owned

 Share

CPU: AMD Ryzen 9 7950x
MOTHERBOARD: MSI MEG X670E GODLIKE
RAM: 32GB G.Skill Trident Z5 Neo RGB - DDR5 6000 CL30
GPU: PowerColor RX7900 GRE Red Devil
CASE: Lian Li o11 Dynamic Evo - temp until Caselabs opens back up
SSD/NVME: Samsung 980 500GB - Linux boot
SSD/NVME 2: Samsung 980 500GB - Windows 10/11 boot
SSD/NVME 3: SK Hynic P41 2TB
Full Rig Info
Link to comment
Share on other sites

12 hours ago, maddangerous said:

Can W10 passwords still be removed that way? I thought that wasn't a thing anymore.

It's more of a workaround....  Insert bootable windows USB, press shift + F10 at Windows Setup to open cmd prompt.  Then create a backup of windows accessibility, copy cmd exe and rename it to windows accessibility.  Boot into windows normally, click accessibility which now opens cmd prompt, then enable admin account.  Note, enabling admin does not work from the bootable cmd prompt, only from the native windows cmd prompt.  After removing a user's password the admin account should be disabled and accessibility restored.  Unless they remove the ability to reach command prompt with shift +F10 I don't see that going away anytime soon. 

 

I haven't tried it on windows 11, but I suspect it would work.  Bitlocker or other drive encryption may complicate the task.  I'm not sure how bitlocker works in regards to windows restoration attempts, since the media would have to be decrypted for windows to fix corrupted files.  I've been avoiding bitlocker so I don't have experience with it.

Link to comment
Share on other sites

Premium Platinum - Lifetime
1.3k 804
5 hours ago, maddangerous said:

 

Agree, except both of those items are generally outside the control of an operating system, in the sense of getting them configured so that the user can actually enter their own password. They're up to the user to configure. If there was an implementation of something akin to bitlocker, where admins can enable a password required to boot and the user can make their own, except apply it to the bios & bootloader, that'd be sweet.

 

Can W10 passwords still be removed that way? I thought that wasn't a thing anymore.

 

 

Is this where hardware security keys (the removeable ones) enter the chat? Or do those just apply to logging into the computer?

If one could configure a hardware key to be required for POST or bootloader access...

 

Linux can do what you're talking about. I have my system set up so it requires a password to start an OS fron GRUB2. The password is additionally encrypted using AES-256 encryption, so the password to boot cannot be viewed in RAM by anyone trying to boot an OS on my system.

 

I love Linux.

{"USD":"5179"}

Owned

 Share

CPU: Ryzen 9 9950X
MOTHERBOARD: Asus ROG Strix X670E-E Gaming Wifi
RAM: G.skill TridentZ5 7600MHz 36-45-45-45
GPU: MSI Gaming X Trio RTX 4090
MONITOR: Acer Ultrawide 3440x1440 144Hz HDR400 FreeSync Premium
SSD/NVME: Crucial T700 1TB PCIE 5 M.2
PSU: Superflower Leadex VII XG 1300w Gold
CPU COOLER: EK Nucleus AIO black edition 360mm
Full Rig Info

null

Owned

 Share

CPU: i5-7600k 4.5GHz
MOTHERBOARD: ASUS ROG Strix Z270H Gaming
RAM: G.skill Flare X DDR4 3333MHz 14-14-14
CASE: Silverstone Grandia series GD09
SSD/NVME: Samsung 850 Evo
GPU: GT 710
CPU COOLER: Thermalright AXP120-X67 Low Profile CPU Air Cooler
MONITOR: Asus V239H 1080p 60Hz IPS
Full Rig Info
Link to comment
Share on other sites

15 minutes ago, Kaz said:

It's more of a workaround....  Insert bootable windows USB, press shift + F10 at Windows Setup to open cmd prompt.  Then create a backup of windows accessibility, copy cmd exe and rename it to windows accessibility.  Boot into windows normally, click accessibility which now opens cmd prompt, then enable admin account.  Note, enabling admin does not work from the bootable cmd prompt, only from the native windows cmd prompt.  After removing a user's password the admin account should be disabled and accessibility restored.  Unless they remove the ability to reach command prompt with shift +F10 I don't see that going away anytime soon. 

 

I haven't tried it on windows 11, but I suspect it would work.  Bitlocker or other drive encryption may complicate the task.  I'm not sure how bitlocker works in regards to windows restoration attempts, since the media would have to be decrypted for windows to fix corrupted files.  I've been avoiding bitlocker so I don't have experience with it.

 

I wasn't aware, thanks for sharing.

Why avoid bitlocker? I don't think it requires tpm at this time. unsure though. I'm more familiar with it on the business side of things.

 

5 minutes ago, neurotix said:

 

Linux can do what you're talking about. I have my system set up so it requires a password to start an OS fron GRUB2. The password is additionally encrypted using AES-256 encryption, so the password to boot cannot be viewed in RAM by anyone trying to boot an OS on my system.

 

I love Linux.

 

Yeah, I have seen that from GRUB2. I haven't moved to that (I daily *nix on my laptop. When I have one).

 

Linux FTW!

Owned

 Share

CPU: AMD Ryzen 9 7950x
MOTHERBOARD: MSI MEG X670E GODLIKE
RAM: 32GB G.Skill Trident Z5 Neo RGB - DDR5 6000 CL30
GPU: PowerColor RX7900 GRE Red Devil
CASE: Lian Li o11 Dynamic Evo - temp until Caselabs opens back up
SSD/NVME: Samsung 980 500GB - Linux boot
SSD/NVME 2: Samsung 980 500GB - Windows 10/11 boot
SSD/NVME 3: SK Hynic P41 2TB
Full Rig Info
Link to comment
Share on other sites

Premium Platinum - Lifetime
1.3k 804

https://help.ubuntu.com/community/Grub2/Passwords

 

That page had been around forever, but will tell you everything about configuring and encrypting GRUB2 passwords on boot. I don't on my rig (I just set an encrypted admin password that works with both Win10 and Linux to boot them) but if you want you can even have separate passwords per boot entry, so Windows requires one and Linux requires a different one.

  • Thanks 1

{"USD":"5179"}

Owned

 Share

CPU: Ryzen 9 9950X
MOTHERBOARD: Asus ROG Strix X670E-E Gaming Wifi
RAM: G.skill TridentZ5 7600MHz 36-45-45-45
GPU: MSI Gaming X Trio RTX 4090
MONITOR: Acer Ultrawide 3440x1440 144Hz HDR400 FreeSync Premium
SSD/NVME: Crucial T700 1TB PCIE 5 M.2
PSU: Superflower Leadex VII XG 1300w Gold
CPU COOLER: EK Nucleus AIO black edition 360mm
Full Rig Info

null

Owned

 Share

CPU: i5-7600k 4.5GHz
MOTHERBOARD: ASUS ROG Strix Z270H Gaming
RAM: G.skill Flare X DDR4 3333MHz 14-14-14
CASE: Silverstone Grandia series GD09
SSD/NVME: Samsung 850 Evo
GPU: GT 710
CPU COOLER: Thermalright AXP120-X67 Low Profile CPU Air Cooler
MONITOR: Asus V239H 1080p 60Hz IPS
Full Rig Info
Link to comment
Share on other sites

2 hours ago, maddangerous said:

Why avoid bitlocker? I don't think it requires tpm at this time. unsure though. I'm more familiar with it on the business side of things.

For the same reason I don't password my bios.  Physical access > all.  I used to reset bios passwords for my school when people messed with them.  They never bothered with bios passwords because they just cloned hard drives for all computer setups.  Teachers generally only have hardware issues.

 

Bitlocker makes sense if you want to use a USB key.  It also makes sense if you're worried about employees stealing hard drive data, though in reality that data shouldn't be stored on their hard drives, but on a server they don't have physical access to.

 

Personally, I'm weary of calling anything encrypted when I just handed the keys to someone else.  Bitlocker isn't going to help against online threats, because the machine is already running.  TPM unlock is an invitation to steal the entire computer instead of just the drive.  I've had candy vending machines stolen from me.  The audacity of people and the ability for stuff to walk away is not lost on me.

 

Probably the best use case for bitlocker is on a laptop with a USB key.  I'd rather trade that USB key for a password.  I know passwords are weaker against brute force, but the dictionary size for brute force attacks  > 8 characters is exponentially large.  The likely hood of me running into someone with the knowledge, skill, and resources (server) to break a good long password is fairly low.  They still need physical access to the device.   I'm just not that important.  If I did have sensitive information that I really cared about, I wouldn't want it decrypted upon boot.

 

I don't use LastPass either.  I know security guys everywhere have been touting it's great use, but ever since it's inception, I've felt it's just a single point of weakness that presents a target.  LastPass got hacked.  It's a tribute to their security team that it has taken this long for it to happen. 

  • Thanks 1
Link to comment
Share on other sites

11 hours ago, maddangerous said:

 

Agree, except both of those items are generally outside the control of an operating system, in the sense of getting them configured so that the user can actually enter their own password. They're up to the user to configure. If there was an implementation of something akin to bitlocker, where admins can enable a password required to boot and the user can make their own, except apply it to the bios & bootloader, that'd be sweet.

 

Can W10 passwords still be removed that way? I thought that wasn't a thing anymore.

 

 

Is this where hardware security keys (the removeable ones) enter the chat? Or do those just apply to logging into the computer?

If one could configure a hardware key to be required for POST or bootloader access...

I can only speak as to what actually happened to me. I was using TPM via the encryption abilities of my Ryzen 2700x (so as to make my comp Win 11 compatible even though I hadn't switched yet) Had a bios issue and while tracking it down I did the old school clearing of the CMOS as 1 of my ways to find the problem. When I finally got back up and a semi current bios installed,when I tried switching TPM back on it told me it was unable to because the key didn't match the 1 on the drive. Doing it anyway caused my boot drive to disappear. Turn TPM back off and Boot drive was back.  I wonder if I would have had to do a clean install of windows if I'd upgraded the cpu?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×
×
  • Create New...

Important Information

This Website may place and access certain Cookies on your computer. ExtremeHW uses Cookies to improve your experience of using the Website and to improve our range of products and services. ExtremeHW has carefully chosen these Cookies and has taken steps to ensure that your privacy is protected and respected at all times. All Cookies used by this Website are used in accordance with current UK and EU Cookie Law. For more information please see our Privacy Policy