Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Thunderstrike 2 rootkit infects Mac firmware

A security researcher developed an improved version of the Thunderstrike rootkit that uses Thunderbolt accessories to infect the Mac firmware. Earlier this year, security expert Trammell Hudson presented a proof-of-concept firmware called Thunderstrike. Thunderstrike is a hacking technique to infect Apple’s Mac PCs with EFI Bootkit through the Thunderbolt port. The expert demonstrated how to compromise […]

Thunderstrike 2 rootkit infects Mac firmware

A security researcher developed an improved version of the Thunderstrike rootkit that uses Thunderbolt accessories to infect the Mac firmware.

Earlier this year, security expert Trammell Hudson presented a proof-of-concept firmware called Thunderstrike. Thunderstrike is a hacking technique to infect Apple’s Mac PCs with EFI Bootkit through the Thunderbolt port.

The expert demonstrated how to compromise accessories connected to the Thunderbolt port to infect Mac PC. The expert demonstrated that the malware inoculated through Thunderbolt port can also infect other Mac by propagating to other accessories.

All Mac computers that come with a Thunderbolt port are theoretically vulnerable to attack.

In January 2015 Apple released the version OS X 10.10.2 to patch the exploit, but a couple of researchers have developed a new malware based on the Thunderstrike code, dubbed “Thunderstrike 2.”

Xeno Kovah, a researcher from the Hudson and LegbaCore, demonstrated that Thunderstrike 2 spreads primarily through infected Thunderbolt accessories.

The Kovah’s hacking technique improved the previous one, it overwhelms the need to have a physical access to the target computer. The attacker can spread the exploit via phishing emails or through a compromised web.

“An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.” states a post published by Wired.

Thunderstrike 2

Thunderstrike 2, such as many other firmware malware, are not easy to detect by common antivirus software. Another aspect to consider is the difficulty to remove Thunderstrike 2 firmware malware, as explained in the FAQ it is not possible to use the Option ROM technique to replace the modified boot ROM with a clean and legitimate copy.

You can’t use Thunderstrike to remove Thunderstrike

Another element of concern is that the security vulnerabilities exploited by Thunderstrike 2 are common to most EFI firmware.

Security experts have already discovered six vulnerabilities that affected PCs from Dell, HP, Lenovo, Samsung, and others.

“Of those, five also applied to the Mac’s firmware, and of those, Apple has fully patched one, partially patched another, and failed to patch three more.” states Arstechnica.

The expert already reported the flaws to Apple that likely will patch them in the next release.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Thunderstrike 2, malware)

[adrotate banner=”12″]