MoonBounce is the UEFI firmware's dark side.

MoonBounce - Malware that can withstand OS reinstallations



Malware that can withstand OS reinstallations strikes again, most likely for cyberespionage. Logs from the Kaspersky Firmware Scanner, which has been integrated into Kaspersky products since the beginning of 2019, revealed a UEFI firmware-level compromise. Further investigation by Kaspersky Lab revealed that the attackers had modified a single component within the inspected firmware image, allowing them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain.

According to the study, the attackers appear to have targeted an organisation in charge of various transportation-related businesses. This is a highly critical segment, since a compromise there could bring down an entire transport system and create chaos across the globe.

After the attackers had obtained a foothold in the network, Kaspersky Lab identified some of their commands, which involved lateral movement and data exfiltration from certain workstations. The actor's use of a UEFI implant in particular implies a desire to establish a long-term presence within the network, as would be expected in an ongoing espionage operation.

The attack can be attributed with high confidence to a group widely known as APT41, or to an actor closely associated with it. Kaspersky's findings are consistent with multiple public reports from the previous year on either APT41 or other threat actors, specifically Earth Baku and SparklingGoblin, which are thought to be alternative names for APT41 or to share significant resources and TTPs with it.

As a precaution against this and similar attacks, Kaspersky recommends updating the UEFI firmware on a regular basis and enabling Boot Guard where applicable. Enabling the Trusted Platform Module (TPM) is also recommended if the machine has the corresponding hardware. Above all, a security product with visibility into firmware images adds an extra layer of defence, alerting the user if a potential compromise occurs.
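As an added example (not code from Kaspersky's report or from the original post), the following Python script illustrates the component-level baseline check that gives a firmware scanner its "visibility into firmware images": each component's hash is recorded from a known-good image and compared against a dumped image, so a single modified component stands out even when the overall image size is unchanged. The component layout, names and image bytes are constructed for the demo; a real image would need a firmware volume parser to locate the components.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str      # hypothetical component name (e.g. a DXE driver); constructed for the demo
    offset: int    # byte offset of the component inside the flashed image
    size: int      # component length in bytes
    sha256: str    # digest taken from a trusted, known-good copy of the image


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(clean_image: bytes, layout):
    """Record the expected hash of every component from a known-good image.
    layout is a list of (name, offset, size) tuples describing where components live."""
    return [Component(n, o, s, sha256_hex(clean_image[o:o + s])) for n, o, s in layout]


def check_image(image: bytes, manifest):
    """Compare each component of a dumped image against the manifest.
    Returns the names of components whose contents no longer match (a truncated
    or shorter-than-expected component is also reported as modified)."""
    modified = []
    for c in manifest:
        chunk = image[c.offset:c.offset + c.size]
        if len(chunk) != c.size or sha256_hex(chunk) != c.sha256:
            modified.append(c.name)
    return modified


# ---- constructed demo data: three 4 KiB filler components, not real firmware ----
LAYOUT = [("DriverA", 0x0000, 0x1000), ("DriverB", 0x1000, 0x1000), ("DriverC", 0x2000, 0x1000)]


def make_clean_image() -> bytes:
    return b"".join(bytes([i]) * 0x1000 for i in range(3))


def make_tampered_image() -> bytes:
    """Clean image with 16 bytes inside DriverB overwritten; total size is unchanged,
    mimicking an in-place modification of a single component."""
    img = bytearray(make_clean_image())
    img[0x1800:0x1810] = b"\xff" * 16  # constructed patch, same length as the bytes it replaces
    return bytes(img)


if __name__ == "__main__":
    manifest = build_manifest(make_clean_image(), LAYOUT)
    print(check_image(make_tampered_image(), manifest))  # ['DriverB']
```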