
Post: New HybridPetya ransomware can bypass UEFI Secure Boot - Against Invaders - CyberSecurity news for humans.


<div> <div> <p>A recently discovered ransomware strain named HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application in the EFI System Partition.</p>
<p>HybridPetya appears to be inspired by the destructive Petya/NotPetya malware, which encrypted computers and prevented Windows from booting in attacks in <a href="https://www.bleepingcomputer.com/news/security/petya-ransomware-skips-the-files-and-encrypts-your-hard-drive-instead/" rel="nofollow noopener" target="_blank">2016</a> and <a href="https://www.bleepingcomputer.com/news/security/more-security-firms-confirm-notpetya-shoddy-code-is-making-recovery-impossible/" rel="nofollow noopener" target="_blank">2017</a>, but offered no recovery option.</p>
<p>Researchers at cybersecurity company ESET found a sample of HybridPetya on VirusTotal. They note that it may be a research project, a proof of concept, or an early version of a cybercrime tool still in limited testing.</p>
<p>Even so, ESET says its presence is one more example (alongside <a href="https://www.bleepingcomputer.com/news/security/blacklotus-bootkit-bypasses-uefi-secure-boot-on-patched-windows-11/" rel="nofollow noopener" target="_blank">BlackLotus</a>, <a href="https://www.bleepingcomputer.com/news/security/bootkitty-uefi-malware-exploits-logofail-to-infect-linux-systems/" rel="nofollow noopener" target="_blank">BootKitty</a> and Hyper-V Backdoor) that UEFI bootkits with Secure Boot bypass functionality are a real threat.</p>
<p>HybridPetya incorporates characteristics of Petya and NotPetya, including the visual style and the attack chain of those older malware strains.</p>
<p>However, the developer added new elements, such as installation in the EFI System Partition and the ability to bypass Secure Boot by exploiting the <a href="https://www.bleepingcomputer.com/news/security/new-uefi-secure-boot-flaw-exposes-systems-to-bootkits-patch-now/" rel="nofollow noopener" target="_blank">CVE-2024-7344</a> vulnerability.</p>
<p>ESET discovered the flaw in January of this year. The problem consists of Microsoft-signed applications that can be exploited to deploy bootkits even with Secure Boot protection active on the target.</p>
<div> <p><img decoding="async" alt="Execution logic" height="536" src="https://datalake.azaeo.com/wp-content/uploads/2025/09/execution-logic.png" width="900" /></p> </div>
<p>Upon launch, HybridPetya determines if the host uses UEFI with GPT partitioning and drops a malicious bootkit into the EFI System Partition consisting of several files.</p>
<p>These include configuration and validation files, a modified bootloader, a fallback UEFI bootloader, an exploit payload container, and a status file that tracks the encryption progress.</p>
<p>ESET lists the following files used across analyzed variants of HybridPetya:</p>
<ol><li>\EFI\Microsoft\Boot\config (encryption flag + key + nonce + victim ID)</li> <li>\EFI\Microsoft\Boot\verify (used to validate correct decryption key)</li> <li>\EFI\Microsoft\Boot\counter (progress tracker for encrypted clusters)</li> <li>\EFI\Microsoft\Boot\bootmgfw.efi.old (backup of original bootloader)</li> <li>\EFI\Microsoft\Boot\cloak.dat (contains XORed bootkit in Secure Boot bypass variant)</li> </ol>
<p>Also, the malware replaces \EFI\Microsoft\Boot\bootmgfw.efi with the vulnerable &lsquo;reloader.efi,&rsquo; and removes \EFI\Boot\bootx64.efi.</p>
<p>The original Windows bootloader is also saved so that it can be reactivated in the case of successful restoration, meaning that the victim paid the ransom.</p>
<p>Once deployed, HybridPetya triggers a BSOD displaying a bogus error, as Petya did, and forces a system reboot, allowing the malicious bootkit to execute upon system boot.</p>
<p>At this step, the ransomware encrypts all MFT clusters using a Salsa20 key and nonce extracted from the config file while displaying a fake CHKDSK message, like NotPetya.</p>
<div> <img decoding="async" alt="Fake CHKDSK message" height="256" src="https://datalake.azaeo.com/wp-content/uploads/2025/09/chdck.png" width="607" /></div>
<p>Once the encryption completes, another reboot is triggered and the victim is served a ransom note during system boot, demanding a Bitcoin payment of $1,000.</p>
<div> <img loading="lazy" decoding="async" alt="HybridPetya ransom note" height="492" src="https://datalake.azaeo.com/wp-content/uploads/2025/09/note.png" width="662" /></div>
<p>GitHub repository.</p>
<p>Microsoft fixed CVE-2024-7344 with the <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws/" rel="nofollow noopener" target="_blank">January 2025 update</a>, so Windows systems that applied that or later security updates are protected against HybridPetya.</p>
<p>Another solid practice against ransomware is to keep offline backups of your most important data, enabling easy and free system restoration.</p> </div> </div></div>
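As an added defensive example (not from the article, ESET or the malware itself), the check below walks a mounted EFI System Partition looking for the artifact paths listed above, the removed fallback loader, and a live bootmgfw.efi that no longer matches its .old backup; the ESP tree it scans is constructed in a temporary directory with placeholder bytes.

```python
from pathlib import Path
import tempfile

# Artifact paths taken from the article (relative to the ESP root; the article
# writes them with backslashes, Path accepts either separator).
ARTIFACTS = {
    "EFI/Microsoft/Boot/config": "encryption flag + key + nonce + victim ID",
    "EFI/Microsoft/Boot/verify": "decryption-key validation file",
    "EFI/Microsoft/Boot/counter": "encrypted-cluster progress tracker",
    "EFI/Microsoft/Boot/bootmgfw.efi.old": "backup of the original bootloader",
    "EFI/Microsoft/Boot/cloak.dat": "XORed bootkit (Secure Boot bypass variant)",
}
WINDOWS_LOADER = "EFI/Microsoft/Boot/bootmgfw.efi"  # swapped for reloader.efi
FALLBACK_LOADER = "EFI/Boot/bootx64.efi"             # removed by the malware


def scan_esp(esp_root):
    """Return a list of findings for a mounted ESP root; an empty list means clean."""
    root = Path(esp_root)
    findings = []
    for rel, meaning in ARTIFACTS.items():
        if (root / rel).exists():
            findings.append(f"artifact present: {rel} ({meaning})")
    live, backup = root / WINDOWS_LOADER, root / (WINDOWS_LOADER + ".old")
    if live.exists() and not (root / FALLBACK_LOADER).exists():
        findings.append(f"fallback loader {FALLBACK_LOADER} missing")
    # A backup beside a live loader of a different size is a strong hint that
    # bootmgfw.efi was replaced; confirm by hashing the live file offline.
    if live.exists() and backup.exists() and live.stat().st_size != backup.stat().st_size:
        findings.append("bootmgfw.efi differs in size from bootmgfw.efi.old (loader swapped?)")
    return findings


def build_sample_esp(infected):
    """Construct a throwaway ESP tree for the demo (placeholder bytes, no real malware)."""
    root = Path(tempfile.mkdtemp(prefix="esp-"))
    (root / "EFI/Microsoft/Boot").mkdir(parents=True)
    (root / "EFI/Boot").mkdir()
    (root / WINDOWS_LOADER).write_bytes(b"ORIGINAL-BOOTMGFW" * 100)
    (root / FALLBACK_LOADER).write_bytes(b"FALLBACK")
    if infected:  # mimic the layout the article describes
        for rel in ARTIFACTS:
            (root / rel).write_bytes(b"placeholder")
        (root / (WINDOWS_LOADER + ".old")).write_bytes(b"ORIGINAL-BOOTMGFW" * 100)
        (root / WINDOWS_LOADER).write_bytes(b"RELOADER-STAND-IN")
        (root / FALLBACK_LOADER).unlink()
    return root
```

On a live Windows host the ESP can be mounted from an elevated prompt with `mountvol S: /S` and `S:\` passed to `scan_esp`; on Linux pass the mount point of the FAT ESP.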