Novel CosmicStrand UEFI firmware rootkit detailed

Russian, Chinese, Iranian, and Vietnamese individuals have been targeted by the new CosmicStrand Unified Extensible Firmware Interface firmware rootkit, which has been linked to a yet-to-be-identified Chinese-speaking threat actor, reports The Hacker News. Kaspersky researchers have identified CosmicStrand within Gigabyte or ASUS motherboard firmware images related to designs leveraging the H81 chipset. "This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware's image," said researchers. CosmicStrand was found to introduce modifications to the CSMCORE DXE driver for code execution redirection to an attacker-controlled segment after a compromise, indicating the attackers' goal of kernel-level implant delivery to Windows during booting, with the access leveraged for malicious payload retrieval. "The most striking aspect [...] is that this UEFI implant seems to have been used in the wild since the end of 2016 long before UEFI attacks started being publicly described. This discovery begs a final question: if this is what the attackers were using back then, what are they using today?" added researchers.