Researchers Discover UEFI Bootkit Designed for Linux Systems

A new type of cyber threat has emerged: cybersecurity researchers have identified what appears to be the first Unified Extensible Firmware Interface (UEFI) bootkit specifically designed for Linux systems. Dubbed “Bootkitty” by its creators, this proof-of-concept bootkit aims to disable kernel signature verification and to preload malicious binaries through the Linux init process.

Developed by the BlackCat group, Bootkitty is a significant finding in the UEFI threat landscape, as it indicates that Linux systems are no longer out of reach for UEFI-based attacks. The researchers found that Bootkitty leverages the LogoFAIL vulnerability (CVE-2023-40238) to bypass Secure Boot protections and inject rogue certificates into the MokList variable.

While Bootkitty itself is not believed to have been used in real-world attacks, its development signals a new era of UEFI threats. Cybersecurity experts emphasize that system administrators should prepare for potential future threats, since unpatched devices running vulnerable firmware remain at risk.

Further analysis by Binarly revealed that Bootkitty’s exploit targets specific hardware configurations, primarily Acer, HP, Fujitsu, and Lenovo models. Firmware security companies are urging users to apply the available patches to mitigate the vulnerability and prevent further exploitation.

Source: https://thehackernews.com/2024/11/researchers-discover-bootkitty-first.html