Tony Anscombe, chief security evangelist at ESET, explained that the BIOS system is a particularly vulnerable target because even removing the hard drive doesn’t address the security threat.
ESET explained that hackers could use the vulnerability to implant malicious software on the SPI flash, a small memory chip located on the computer’s motherboard and normally protected by the BIOS Control Register.
“All of the real-world UEFI threats discovered in the last years – Lojax, MosaicRegressor, Moonbounce, ESPecter, Finspy – needed to bypass or disable the security mechanisms in some way in order to be deployed and executed,” Smolár wrote.
A third threat was found to be an SMM memory corruption that would allow arbitrary read/write from/into SMRAM, which can lead to the execution of malicious code, the company said.
ESET said the firmware drivers were mistakenly included in the BIOS images on the notebooks without being deactivated, which left those machines vulnerable.
He added, “Our discovery demonstrates that in some cases deployment of the UEFI threats might not be as difficult as expected and the larger amount of real-world UEFI threats discovered in the last several years suggests that adversaries are aware of this.”
ESET said the first two of the vulnerabilities affect UEFI firmware drivers originally meant for Lenovo’s manufacturing process only.
“They are executed early in the boot process before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed.”
“UEFI threats can be extremely stealthy and dangerous,” Martin Smolár, an ESET researcher who discovered the threats, said in a statement.
Lenovo did not respond to messages seeking comment by press time. Lenovo published a list of firmware updates to address the vulnerabilities on March 12.
The vulnerabilities would allow attackers to deploy and execute UEFI malware in the form of a flash implant like LoJax or a UEFI bootkit.
ESET reported all discovered vulnerabilities to Lenovo in October 2021 and Lenovo has software updates available to address the issues.
Lenovo has patched serious vulnerabilities found by ESET researchers on hundreds of its consumer laptop models that had made the laptops potential targets for malware attacks.
ESET said more than 100 different laptop models and millions of users worldwide may be affected.