ESET Research discovers vulnerabilities in Lenovo laptops exposing users to risk of UEFI malware installation

  • Exploitation of these vulnerabilities would allow attackers to deploy and successfully execute UEFI malware such as LoJax and ESPecter.
  • UEFI threats can be extremely stealthy and dangerous.
  • Discovered vulnerabilities are: CVE-2021-3970, CVE-2021-3971, CVE-2021-3972.
  • ESET Research strongly advises all owners of Lenovo laptops to go through the list of affected devices and update their firmware.

BRATISLAVA — April 19, 2022 — ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo laptop models. Exploitation of these vulnerabilities would allow attackers to deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like our latest discovery ESPecter. ESET reported all discovered vulnerabilities to Lenovo in October 2021. Altogether, the list of affected devices contains more than one hundred different laptop models with millions of users worldwide.

“UEFI threats can be extremely stealthy and dangerous. They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed,” says ESET researcher Martin Smolár, who discovered the vulnerabilities. “Our discovery of these UEFI so-called ‘secure’ backdoors demonstrates that in some cases, deployment of the UEFI threats might not be as difficult as expected, and the larger amount of real-world UEFI threats discovered in the last years suggests that adversaries are aware of this,” he adds.

The first two of these vulnerabilities – CVE-2021-3970, CVE-2021-3971 – are perhaps more accurately called “secure” backdoors built into the UEFI firmware as that is literally the name given to the Lenovo UEFI drivers implementing one of them (CVE-2021-3971): SecureBackDoor and SecureBackDoorPeim. These built-in backdoors can be activated to disable SPI flash protections (BIOS Control Register bits and Protection Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during operating system runtime.

In addition, while investigating the “secure” backdoors’ binaries, we discovered a third vulnerability: SMM memory corruption inside the SW SMI handler function (CVE-2021-3972). This vulnerability allows arbitrary read/write from/into SMRAM, which can lead to the execution of malicious code with SMM privileges and potentially lead to the deployment of an SPI flash implant.

The UEFI boot and runtime services provide the basic functions and data structures necessary for the drivers and applications to do their job, such as installing protocols, locating existing protocols, memory allocation, UEFI variable manipulation, etc. UEFI boot drivers and applications use protocols extensively. UEFI variables are a special firmware storage mechanism used by UEFI modules to store various configuration data, including boot configuration.

SMM, on the other hand, is a highly privileged execution mode of x86 processors. Its code is written within the context of the system firmware and is usually used for various tasks including advanced power management, execution of OEM proprietary code, and secure firmware updates.

“All of the real-world UEFI threats discovered in the last years – LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy – needed to bypass or disable the security mechanisms in some way in order to be deployed and executed,” explains Smolár. ESET Research strongly advises all owners of Lenovo laptops to go through the list of affected devices and update their firmware by following the manufacturer’s instructions.

For those using End Of Development Support devices affected by the UEFI SecureBootBackdoor (CVE-2021-3970), without any fixes available: one way to help protect against unwanted modification of the UEFI Secure Boot state is to use a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes.
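A complementary detection-side check, added here as an example and not code from ESET or Lenovo: on a Linux host, the firmware exposes the `SecureBoot` and `SetupMode` variables through efivarfs, so a host-monitoring job can decode them and compare against a recorded baseline, flagging exactly the kind of runtime Secure Boot state change the advisory warns about. The script assumes efivarfs is mounted at `/sys/firmware/efi/efivars` and uses the standard EFI_GLOBAL_VARIABLE GUID under which those two variables live; the baseline and the sample byte strings in the test are constructed for illustration.

```python
"""Baseline check for the UEFI Secure Boot state as exposed by Linux efivarfs.

Added example (not ESET's, Lenovo's or any vendor's code). Assumes a Linux
host with efivarfs mounted at /sys/firmware/efi/efivars. The GUID below is
the standard EFI_GLOBAL_VARIABLE GUID under which SecureBoot and SetupMode
are published by the firmware.
"""
from __future__ import annotations

import struct
from pathlib import Path
from typing import Optional

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivarfs prefixes each variable's payload with a 4-byte little-endian
# attribute bitmask; the constants are the standard UEFI attribute bits.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4

MONITORED = ("SecureBoot", "SetupMode")


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file body into (attributes, payload)."""
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boolean_var(raw: bytes) -> bool:
    """Decode a one-byte UEFI boolean such as SecureBoot or SetupMode."""
    _attrs, payload = parse_efivar(raw)
    if len(payload) != 1:
        raise ValueError(f"expected a 1-byte payload, got {len(payload)} bytes")
    return payload[0] == 1


def read_var(name: str, guid: str = EFI_GLOBAL_VARIABLE, root: Path = EFIVARS) -> Optional[bytes]:
    """Return the raw efivarfs record, or None if the variable is absent
    (non-UEFI boot, or firmware that does not publish it)."""
    try:
        return (root / f"{name}-{guid}").read_bytes()
    except FileNotFoundError:
        return None


def decode_state(records: dict[str, Optional[bytes]]) -> dict[str, Optional[bool]]:
    """Turn {name: raw record or None} into {name: True/False/None}."""
    return {name: (boolean_var(raw) if raw is not None else None)
            for name, raw in records.items()}


def secure_boot_state(root: Path = EFIVARS) -> dict[str, Optional[bool]]:
    """Read the live SecureBoot/SetupMode flags from efivarfs."""
    return decode_state({name: read_var(name, root=root) for name in MONITORED})


def compare_to_baseline(current: dict, baseline: dict) -> list[str]:
    """Return findings. Any deviation from the baseline is reported, and Secure
    Boot being off or the firmware sitting in Setup Mode is always reported,
    since that is the state an unwanted runtime configuration change leaves."""
    findings = []
    for key, expected in baseline.items():
        if current.get(key) != expected:
            findings.append(f"{key} changed: baseline={expected} now={current.get(key)}")
    if current.get("SecureBoot") is False:
        findings.append("SecureBoot is disabled")
    if current.get("SetupMode") is True:
        findings.append("firmware is in Setup Mode (Secure Boot key databases are writable)")
    return findings


if __name__ == "__main__":
    # Constructed baseline: a healthy laptop has Secure Boot on, Setup Mode off.
    baseline = {"SecureBoot": True, "SetupMode": False}
    current = secure_boot_state()
    print("current state:", current)
    for finding in compare_to_baseline(current, baseline) or ["no findings"]:
        print(" -", finding)
```

Run it from a periodic job and ship the findings to whatever alerting you already have; a `SecureBoot` flip from `True` to `False` between two runs, with no planned firmware maintenance, is the signal worth investigating, and it pairs with the TPM-aware full-disk encryption advice above rather than replacing it.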

For more technical information, check out the blog post “When ‘secure’ isn’t secure at all: High-impact UEFI vulnerabilities discovered in Lenovo consumer laptops” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

CyberLink Announces the Integration of Its FaceMe® Security Facial Recognition Software with AXIS Camera Station

The end-to-end integration brings FaceMe’s industry-leading facial recognition functionalities to AXIS camera and VMS setups, fusing live stream monitoring and group tagging in a seamless solution

TAIPEI, TAIWAN — April 15, 2022 — CyberLink Corp. (5203.TW), a pioneer of AI and facial recognition technologies, today announced an important update to its facial recognition security software, FaceMe® Security. FaceMe Security now integrates with AXIS Communications’ AXIS Camera Station VMS (video management software), creating a robust, unified platform that brings facial recognition to AXIS’s security and access control applications. With this solution, users can now layer person-of-interest detection, group tagging and management, and visitor summaries on top of existing IP surveillance configurations with AXIS cameras and VMS.

AXIS is a global market leader in intelligent security solutions, integrating network cameras, video recorders, workstations, and video management systems. AXIS Camera Station is an easy-to-use, efficient VMS platform offering video surveillance and access control applications. Its intuitive interface and extensive compatibility make it an excellent fit for FaceMe® Security, a value-added smart surveillance software solution powered by CyberLink’s highly-ranked and precise FaceMe® AI facial recognition engine.

The unified platform, combining FaceMe’s real-time facial recognition with the AXIS Camera Station interface, delivers a unique, efficient and powerful monitoring solution. One operator can visualize up to 36 camera feeds on one screen. They can then rely on the facial recognition console running on a second display to receive real-time alerts. These alerts are triggered when individuals associated with a managed group (e.g., VIP, blocklists, employees) appear in front of a connected camera located in an area or at a time potentially requiring a certain action to be taken.

“Smart video management software is becoming an essential component to security and access control systems,” said Dr. Jau Huang, CEO of CyberLink. “Adding the facial recognition capabilities of FaceMe to the AXIS Camera Station enables a powerful, highly automated security monitoring environment, running on one intuitive platform.”

For an introduction to the FaceMe®-AXIS integration’s new features, visit the FaceMe® Security website or watch the introduction video.

About CyberLink
Founded in 1996, CyberLink Corp. (5203.TW) is the world leader in multimedia software and AI facial recognition technology. CyberLink addresses the demands of consumer, commercial and education markets through a wide range of solutions, covering digital content creation, multimedia playback, video conferencing, live casting, mobile applications and AI facial recognition. CyberLink has shipped several hundred million copies of its multimedia software and apps, including the award-winning PowerDirector, PhotoDirector, and PowerDVD. With years of research in the fields of artificial intelligence and facial recognition, CyberLink has developed the FaceMe® Facial Recognition Engine. Powered by deep learning algorithms, FaceMe® delivers the reliable, high-precision, and real-time facial recognition that is critical to AIoT applications such as smart retail, smart security and surveillance, smart city and smart home. For more information about CyberLink, please visit the official website at www.cyberlink.com.

ESG Study Reveals Granular and Air-gapped Backup Are Key in Data Recovery After a Ransomware Attack

Nearly 90 percent of respondents admit that not all mission-critical data is protected from cyberattacks.

Copenhagen, Denmark – April 19, 2022 – Granular and air-gapped backup are critical to data recovery, when, not if, a business falls victim to ransomware. Those are among the key takeaways from a new Enterprise Strategy Group (ESG) study, titled “The Long Road Ahead to Ransomware Preparedness”, which surveyed information technology (IT) and cybersecurity professionals working within organizations across North America and Western Europe.

According to the report’s findings, while ransomware attacks aren’t always made public, they are a common occurrence and represent both a significant and recurring source of business disruption. Among the more than 600 respondents, 79 percent experienced a ransomware attack within the last year, with 17 percent experiencing attacks weekly and 13 percent experiencing attacks daily. 

More than three-quarters (79 percent) of the survey’s respondents said they categorize ransomware preparedness as being within the top five on their list of overall business priorities,

“Organizations are building their own individual strategies and processes in response to a lack of industry reference architecture or a blueprint for ransomware protection,” said Christophe Bertrand, Practice Director at ESG. “The results of this report serve as a critical step in understanding the most important components of data recovery after a ransomware attack, and it is our hope that organizations can use this as guidance as they work towards preparedness.”

“The Long Road Ahead to Ransomware Preparedness” includes responses from 620 IT and cybersecurity professionals tasked with protecting against ransomware attacks at midmarket and enterprise organizations in North America (the United States and Canada) and Western Europe (UK, France, and Germany).

The study, sponsored by Keepit, the world’s only vendor-neutral and independent cloud dedicated to Software-as-a-Service (SaaS) data protection based on a blockchain-verified solution, sought to identify proactive and reactive strategies employed by organizations to guard against the ransomware threat, analyze ransomware mitigation best practices and identify how organizations are prioritizing and planning to mitigate the ransomware threat in the coming 12 to 18 months.

Other Key Findings Include: 

  • 56 percent of respondents admitted to having paid a ransom to regain access to their data, applications, or systems but only 14 percent got all their data back following payment. 
  • Only 1 in 7 organizations report protecting more than 90 percent of their mission-critical applications from cyberattacks.  
  • 39 percent of successful ransomware attacks impact cloud data, and 40 percent impact storage systems.   

Additionally, some trends identified in the study include:  

  • Cloud and storage systems are the most common ransomware targets across the board. 
  • Granular data restores are widely preferred as a best practice over full rollback restores. 
  • Granular and air-gapped backup have emerged as best practices among industry leaders, with hybrid methodologies favored. 
  • Backup is the clear leader for cyber recovery strategy and can empower organizations to refuse to negotiate with ransomers. 

“Public cloud infrastructure has become a destination of choice for data backup, which means that cloud data is increasingly becoming a target for cybercriminals who really want to render businesses inoperable. Organizations are concerned that their backup copies could be corrupted by ransomware attacks and protecting backup copies is a key prevention tactic,” said Jakob Østergaard, CTO at Keepit. “Our strategy is to build in security from the ground up with immutable, blockchain-verified technology, encryption, and air-gapping, and the ESG study clearly documents how.”

As an alternative to ransom paying, the ESG study revealed that air-gapped backup and the ability to granularly restore data have emerged as best practices among industry leaders, with hybrid methodologies favored. In the context of backing up cloud data, this means allowing the backup or recovery copies to be physically and logically separated from the rest of the network.

Air-gapping is a time-tested solution that allows backup or recovery data copies to be housed separately from the rest of the network. It is becoming a “must-have” technology when it comes to keeping cloud data out of reach of cybercriminals. The ESG report demonstrates that IT leaders will be looking for these capabilities in their current and future backup solutions, which must be hybrid to support on-premises, cloud-only, or a combination of deployment topologies.

Access the Report

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Drawing on more than 20 years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.