{"id":3542,"date":"2022-01-22T18:21:06","date_gmt":"2022-01-22T17:21:06","guid":{"rendered":"https:\/\/sajberinfo.com\/2022\/11\/21\/text-83\/"},"modified":"2022-12-04T13:24:16","modified_gmt":"2022-12-04T12:24:16","slug":"otkriven-novi-firmware-bootkit","status":"publish","type":"post","link":"https:\/\/sajberinfo.com\/en\/2022\/01\/22\/otkriven-novi-firmware-bootkit\/","title":{"rendered":"New firmware bootkit discovered"},"content":{"rendered":"<p class=\"MsoNormal\" style=\"text-align: left;\"><span style=\"font-size: 14pt;\">Security researchers at <a href=\"https:\/\/securelist.com\/moonbounce-the-dark-side-of-uefi-firmware\/105468\/\" target=\"_blank\" rel=\"noopener\"><em>Kaspersky<\/em> have discovered a new <em>firmware bootkit<\/em><\/a> in the wild using the <em>Kaspersky<\/em> <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/wiki-section\/products\/anti-rootkit-and-remediation-technology\" target=\"_blank\" rel=\"noopener\"><i>Firmware Scanner<\/i> tool<\/a>. This malicious code was first observed in the spring of 2021, when it was named <em>MoonBounce<\/em> and it was determined that it is most likely used by a Chinese-speaking group in the category of <a href=\"https:\/\/sajberinfo.blogspot.com\/2020\/12\/apt-sponzorisani-napadi.html\" target=\"_blank\" rel=\"noopener\">advanced persistent threats (<em>APT<\/em>)<\/a>, designated <em>APT41<\/em>.<\/span><\/p>\n<div id=\"attachment_3603\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-3603\" class=\"size-full wp-image-3603\" src=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2022\/01\/MoonBounce-copy.jpg\" alt=\"MoonBounce firmware bootkit\" width=\"1024\" height=\"835\" srcset=\"https:\/\/sajberinfo.com\/wp-content\/uploads\/2022\/01\/MoonBounce-copy.jpg 1024w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2022\/01\/MoonBounce-copy-300x245.jpg 300w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2022\/01\/MoonBounce-copy-768x626.jpg 768w, https:\/\/sajberinfo.com\/wp-content\/uploads\/2022\/01\/MoonBounce-copy-15x12.jpg 15w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><p id=\"caption-attachment-3603\" class=\"wp-caption-text\"><em>MoonBounce firmware bootkit<\/em>; Design by Sa\u0161a \u0110uri\u0107<\/p><\/div>\n<p class=\"MsoNormal\" style=\"text-align: left;\"><span style=\"font-size: 14pt;\"><em>MoonBounce<\/em> is technically far more advanced than its predecessors <em><a href=\"https:\/\/attack.mitre.org\/software\/S0397\/\" target=\"_blank\" rel=\"noopener\">LoJax<\/a><\/em> and <em><a href=\"https:\/\/securelist.com\/mosaicregressor\/98849\/\" target=\"_blank\" rel=\"noopener\">MosaicRegressor<\/a><\/em>. To hide itself it uses <em>UEFI<\/em> (<em>Unified Extensible Firmware Interface<\/em>), whose code is a key component in the process of starting the device and booting the operating system. For storage it uses the non-volatile memory of the <em>SPI flash<\/em> component located on the motherboard. Once it reaches the operating system, contact is established with the command-and-control server, after which new malicious code is downloaded.<\/span><\/p>\n<p class=\"MsoNormal\" style=\"text-align: left;\"><span style=\"font-size: 14pt;\"><span style=\"font-family: inherit;\"><em>MoonBounce<\/em> is very difficult to detect, because the code resides outside the <em>HDD\/SSD<\/em> media, in an area that many antivirus solutions do not scan. It is also difficult to remove. It cannot be removed by formatting the <em>HDD\/SSD<\/em> media or reinstalling the operating system, because the code runs before the operating system starts. Traces of its presence are hard to find and recognize, because <em>MoonBounce<\/em> runs in memory and thus leaves a minimal footprint.<\/span><\/span><\/p>\n<p class=\"MsoNormal\" style=\"text-align: left;\"><span style=\"font-size: 14pt;\"><span style=\"font-family: inherit;\">Gaining access by abusing <em>UEFI<\/em> means that the attackers want to establish a longer-term presence in the attacked organization's environment, which implies that this is espionage. The attackers' goal is to gain a foothold in the victim's computer network, which opens the way to moving through the network and exfiltrating data. Analysis of the attackers' behaviour shows that they use successful intrusions to manipulate the attacked organization's supply chain or to steal confidential intellectual property and user information. In addition, analysis of several publicly available accounts from previous years suggests that this matches the modus operandi of the <em>APT41<\/em> group or of someone close to that group, known as <em>Earth Baku<\/em> and <em>SparklingGoblin<\/em>, which are believed to be alternative names for <em>APT41<\/em>.<\/span><\/span><\/p>","protected":false},"excerpt":{"rendered":"<p>Security researchers at Kaspersky have discovered a new firmware bootkit in the wild using the Kaspersky Firmware Scanner tool. This malicious code was first observed in the spring of 2021, when it was named MoonBounce and&#46;&#46;&#46;<\/p>","protected":false},"author":1,"featured_media":3603,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[138,62,139,140,93],"class_list":["post-3542","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hronike","tag-advanced-persistent-threat","tag-apt","tag-bootkit","tag-firmware","tag-malware"],"_links":{"self":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts\/3542","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/comments?post=3542"}],"version-history":[{"count":0,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/posts\/3542\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/media\/3603"}],"wp:attachment":[{"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/media?parent=3542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/s
ajberinfo.com\/en\/wp-json\/wp\/v2\/categories?post=3542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sajberinfo.com\/en\/wp-json\/wp\/v2\/tags?post=3542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}