Rootkits are malicious tools created by threat actors to elude discovery by burrowing deep inside the operating system and being utilised to completely take over vulnerable systems while avoiding detection. Starting with Windows 8, Microsoft introduced WPBT, a fixed firmware ACPI (Advanced Configuration and Power Interface) table that allows suppliers to run programmes every time a device starts. However, this approach can allow attackers to deploy malicious programmes, as Microsoft cautions in its own literature, in addition to allowing OEMs to force install important software that can’t be supplied with Windows installation media. All machines running Windows 8 or later are affected. “In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent).” Eclypsium researchers discovered a flaw in Windows machines that has existed since 2012, when the feature was initially introduced with Windows 8. These attacks can make use of a malicious bootloader or various approaches that allow writing to memory where ACPI tables (including WPBT) are stored. This can be accomplished by exploiting the BootHole vulnerability, which bypasses Secure Boot, or by launching DMA attacks on weak peripherals or components.
“This weakness can be potentially exploited via multiple vectors (e.g. physical access, remote, and supply chain) and by multiple techniques (e.g. malicious bootloader, DMA, etc).” WDAC policies are one type of mitigation measure. Following Eclypsium’s notification of the flaw, Microsoft advised adopting a Windows Defender Application Control policy to control which binaries can execute on a Windows device. According to Microsoft’s support article, “WDAC policy is also enforced for binaries included in the WPBT and should mitigate this issue,” WDAC policies can only be created on Windows 10 1903 and later client editions, as well as Windows 11 and Windows Server 2016 and above. You can use AppLocker policies to control which programmes are allowed to execute on a Windows client on systems running older Windows versions. In the BIOSConnect function of Dell SupportAssist, a software that comes preloaded on most Dell Windows computers, Eclypsium discovered another vector of attack that allows threat actors to take control of a targeted device’s boot process and violate OS-level security protections. “Security professionals need to identify, verify and fortify the firmware used in their Windows systems. Organizations will need to consider these vectors, and employ a layered approach to security to ensure that all available fixes are applied and identify any potential compromises to devices.” The problem “affects 129 Dell types of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs,” according to the researchers, exposing around 30 million devices to attacks.
