/*! elementor-pro - v3.26.0 - 17-12-2024 */ (()=>{"use strict";class Screenshot extends elementorModules.ViewModule{getDefaultSettings(){return{empty_content_headline:"Empty Content.",crop:{width:1200,height:1500},excluded_external_css_urls:["https://kit-pro.fontawesome.com"],external_images_urls:["https://i.ytimg.com"],timeout:15e3,render_timeout:5e3,timerLabel:null,timer_label:`${ElementorScreenshotConfig.post_id} - timer`,image_placeholder:"data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=",isDebug:elementorCommonConfig.isElementorDebug,isDebugSvg:!1,...ElementorScreenshotConfig}}getDefaultElements(){const e=jQuery(ElementorScreenshotConfig.selector),t=e.find(".elementor-section-wrap > .elementor-section, .elementor > .elementor-section");return{$elementor:e,$sections:t,$firstSection:t.first(),$notElementorElements:elementorCommon.elements.$body.find("> *:not(style, link)").not(e),$head:jQuery("head")}}onInit(){return super.onInit(),this.log("Screenshot init","time"),this.timeoutTimer=setTimeout(this.screenshotFailed.bind(this),this.getSettings("timeout")),this.captureScreenshot()}captureScreenshot(){return this.elements.$elementor.length||(elementorCommon.helpers.consoleWarn("Screenshots: The content of this page is empty, the module will create a fake conent just for this screenshot."),this.createFakeContent()),this.removeUnnecessaryElements(),this.handleIFrames(),this.removeFirstSectionMargin(),this.handleLinks(),this.loadExternalCss(),this.loadExternalImages(),Promise.resolve().then(this.createImage.bind(this)).then(this.createImageElement.bind(this)).then(this.cropCanvas.bind(this)).then(this.save.bind(this)).then(this.screenshotSucceed.bind(this)).catch(this.screenshotFailed.bind(this))}createFakeContent(){this.elements.$elementor=jQuery("
").css({height:this.getSettings("crop.height"),width:this.getSettings("crop.width"),display:"flex",alignItems:"center",justifyContent:"center"}),this.elements.$elementor.append(jQuery("

").css({fontSize:"85px"}).html(this.getSettings("empty_content_headline"))),document.body.prepend(this.elements.$elementor)}loadExternalCss(){const e=[this.getSettings("home_url"),...this.getSettings("excluded_external_css_urls")].map((e=>`[href^="${e}"]`)).join(", ");jQuery("link").not(e).each(((e,t)=>{const s=jQuery(t),n=s.clone();n.attr("href",this.getScreenshotProxyUrl(s.attr("href"))),this.elements.$head.append(n),s.remove()}))}loadExternalImages(){const e=this.getSettings("external_images_urls").map((e=>`img[src^="${e}"]`)).join(", ");jQuery(e).each(((e,t)=>{const s=jQuery(t);s.attr("src",this.getScreenshotProxyUrl(s.attr("src")))}))}handleIFrames(){this.elements.$elementor.find("iframe").each(((e,t)=>{const s=jQuery(t),n=jQuery("
",{css:{background:"gray",width:s.width(),height:s.height()}});s.before(n),s.remove()}))}removeUnnecessaryElements(){let e=0;this.elements.$sections.filter(((t,s)=>{let n=!1;return e>=this.getSettings("crop.height")&&(n=!0),e+=jQuery(s).outerHeight(),n})).each(((e,t)=>{t.remove()})),this.elements.$notElementorElements.remove()}handleLinks(){elementorCommon.elements.$body.find("a").attr("href","/")}removeFirstSectionMargin(){this.elements.$firstSection.css({marginTop:0})}createImage(){const e=new Promise((e=>{window.addEventListener("load",(()=>{e()}))})),t=new Promise((e=>{setTimeout((()=>{e()}),this.getSettings("render_timeout"))}));return Promise.race([e,t]).then((()=>{if(this.log("Start creating screenshot."),this.getSettings("isDebugSvg"))return domtoimage.toSvg(document.body,{imagePlaceholder:this.getSettings("image_placeholder")}).then((e=>this.download(e))),Promise.reject("Debug SVG.");return/^((?!chrome|android).)*safari/i.test(window.userAgent)?(this.log('Creating screenshot with "html2canvas"'),html2canvas(document.body).then((e=>e.toDataURL("image/png")))):(this.log('Creating screenshot with "dom-to-image"'),domtoimage.toPng(document.body,{imagePlaceholder:this.getSettings("image_placeholder")}))}))}download(e){const t=jQuery("",{href:e,download:"debugSvg.svg",html:"Download SVG"});elementorCommon.elements.$body.append(t),t.trigger("click")}createImageElement(e){const t=new Image;return t.src=e,new Promise((e=>{t.onload=()=>e(t)}))}cropCanvas(e){const t=this.getSettings("crop.width"),s=this.getSettings("crop.height"),n=document.createElement("canvas"),i=n.getContext("2d"),o=t/e.width;return n.width=t,n.height=s>e.height?e.height:s,i.drawImage(e,0,0,e.width,e.height,0,0,e.width*o,e.height*o),Promise.resolve(n)}save(e){return new Promise(((t,s)=>{elementorCommon.ajax.addRequest("screenshot_save",{data:{post_id:this.getSettings("post_id"),screenshot:e.toDataURL("image/png")},success:e=>{this.log(`Screenshot created: ${encodeURI(e)}`),t(e)},error:()=>{this.log("Failed to create screenshot."),s()}})}))}markAsFailed(){return new Promise(((e,t)=>{elementorCommon.ajax.addRequest("screenshot_failed",{data:{post_id:this.getSettings("post_id")},success:()=>{this.log("Marked as failed."),e()},error:()=>{this.log("Failed to mark this screenshot as failed."),t()}})}))}getScreenshotProxyUrl(e){return`${this.getSettings("home_url")}?screenshot_proxy&nonce=${this.getSettings("nonce")}&href=${e}`}screenshotSucceed(e){this.screenshotDone(!0,e)}screenshotFailed(e){this.log(e,null),this.markAsFailed().then((()=>this.screenshotDone(!1)))}screenshotDone(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:null;clearTimeout(this.timeoutTimer),this.timeoutTimer=null,window.parent.postMessage({name:"capture-screenshot-done",success:e,id:this.getSettings("post_id"),imageUrl:t},"*"),this.log(`Screenshot ${e?"Succeed":"Failed"}.`,"timeEnd")}log(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"timeLog";this.getSettings("isDebug")&&(console.log("string"==typeof e?`${this.getSettings("post_id")} - ${e}`:e),t&&console[t](this.getSettings("timer_label")))}}jQuery((()=>{new Screenshot}))})(); Bootkit Targeting Linux Servers Bootkitty: The First UEFI
Bootkit Targeting Linux Servers

Bootkitty: The First UEFI Bootkit Targeting Linux Servers

by

The cybersecurity landscape has witnessed a groundbreaking revelation with the discovery of Bootkitty, the first UEFI bootkit targeting Linux servers. This marks a significant shift, as such advanced bootkits have primarily been associated with Windows systems. The existence of this threat calls for further protection of Linux servers against new and developing attacks in cyberspace. Security analysts at ESET have given Bootkitty the panda tag of proof-of-concept (PoC) designed for attacking UEFI flaws. Because of its sophisticated design and capability to infiltrate Linux systems while it compromises them, it is an indication that cyber threats are gradually moving up the notches.

Discovery of Bootkitty and Its Development

Bootkitty was initially detected after being uploaded to VirusTotal on November 5, 2024. It is also tracked under IranuKit and credited to developers operating under the alias BlackCat. However, no connection has been established between this alias and the ALPHV/BlackCat ransomware group. The researchers, Martin Smolár and Peter Strýček have revealed that Bootkitty’s primary functionality involves disabling the Linux kernel’s signature verification process

This is achieved through preloading two unidentified ELF binaries during the Linux init process, a critical stage in the Linux boot process where the kernel initializes the system. As a bootkit targeting Linux servers, Bootkitty represents a new phase of sophisticated malware, capable of undermining previously considered secure systems against such attacks.

Exploiting UEFI Secure Boot Vulnerabilities

Bootkitty has been engineered to exploit systems with improperly configured UEFI Secure Boot. This feature, designed to ensure that only trusted software is executed during system startup, is bypassed by Bootkitty through a self-signed certificate. While this self-signed certificate prevents its execution on systems with fully enabled Secure Boot, attackers can exploit the feature by preloading malicious certificates. This allows Bootkitty to infiltrate systems, compromising the security of the Linux boot process.

For systems with Secure Boot enabled, Bootkitty manipulates UEFI authentication protocols to bypass integrity checks. It hooks two essential functions in the authentication protocols, effectively circumventing security measures. The GRUB bootloader, a key component of Linux systems, is further exploited by patching three of its functions. This enables Bootkitty to sidestep verification mechanisms, ensuring the execution of compromised code. This advanced functionality makes Bootkitty a sophisticated bootkit targeting Linux servers, showcasing the capabilities of modern cyber attackers to bypass well-established defenses.

Advanced Rootkit Functionalities

The Bootkitty investigation also uncovered a related unsigned kernel module. This module deploys an ELF binary named BCDropper, which subsequently loads another unknown kernel module after the system starts. The kernel module includes advanced rootkit capabilities, such as: Hiding files and processes to evade detection. Manipulating system ports for unauthorized access. Disabling integrity checks to ensure malicious operations.

Despite its name association, there is no evidence linking this kernel module or Bootkitty to the ALPHV/BlackCat ransomware group. However, its design reflects a growing trend in sophisticated boot kits targeting Linux servers that emphasize stealth and control.

Shifting the Perception of UEFI Bootkits

The discovery of Bootkitty has shattered the long-held perception that UEFI bootkits are exclusive to Windows systems. By targeting Linux servers, cyber attackers are expanding their arsenal to exploit vulnerabilities in environments previously considered secure. This bootkit targeting Linux servers significantly advances the cyber threat landscape.

Linux Kernel Signature Verification

It highlights the need for organizations to reconsider their Linux server security strategies and adopt proactive measures to mitigate these emerging risks. According to ESET researchers, “Whether a proof of concept or not, Bootkitty represents a significant shift in UEFI threats, breaking the assumption of modern UEFI bootkits being confined to Windows-exclusive systems.”

Technical Insights into Bootkitty’s Operations

Bootkitty operates through memory-based patches and manipulations, ensuring it avoids detection while compromising the Linux boot process. Key technical insights into its operation include:

Hooking UEFI Authentication Protocols:
Bootkitty hooks two functions in the UEFI authentication protocols, bypassing integrity verification during Secure Boot. Memory-Based Patching: The bootkit disables the kernel signature verification by altering the kernel’s memory responses. GRUB Bootloader Exploitation: Three functions in the GRUB bootloader are patched to ensure the boot process allows the execution of malicious code. Post-Exploitation Tactics: These tactics enable attackers to preload ELF binaries, manipulate system configurations, and execute arbitrary commands. Such advanced techniques make Bootkitty an unprecedented bootkit targeting Linux servers, requiring robust countermeasures to detect and prevent its exploitation.

Implications for Cybersecurity and Defense

The emergence of Bootkitty has significant implications for organizations relying on Linux systems. As attackers expand their focus to develop boot kits targeting Linux servers, businesses, and individuals must prioritize robust security measures. Recommended steps to mitigate threats include: Securing UEFI Configurations: Ensuring proper configuration of Secure Boot to prevent unauthorized certificates. Regular Firmware Updates: Keeping UEFI firmware updated to address known vulnerabilities. Multi-Layered Defenses: Implementing advanced endpoint detection tools to identify suspicious activities during the Linux boot process. Bootkitty’s presence on platforms like VirusTotal emphasizes the increasing accessibility of sophisticated malware, making preparedness a critical priority for all organizations.

Conclusion 

Bootkitty represents a pivotal development in the cybersecurity landscape, being the first UEFI bootkit targeting Linux servers. Its ability to exploit Secure Boot vulnerabilities and manipulate GRUB functions underscores the growing sophistication of modern cyber threats. This discovery serves as a wake-up call for organizations to reassess Linux server security, adopt layered defenses, and remain vigilant against evolving risks. Robust system protections and proactive measures are essential to safeguard against groundbreaking threats like Bootkitty, signaling a new era in Linux-targeted cyberattacks.

FAQs

What is Bootkitty, and why is it significant?

Bootkitty is the first UEFI bootkit targeting Linux servers, marking a significant cyber threat.

How does Bootkitty bypass UEFI Secure Boot protections?

It manipulates UEFI authentication protocols and patches GRUB bootloader functions.

Is Bootkitty currently being used in real-world attacks?

No, Bootkitty is classified as a proof-of-concept, with no evidence of deployment.

What are Bootkitty’s primary functions and capabilities?

Bootkitty disables kernel signature verification and preloads malicious ELF binaries.

How can organizations defend against Bootkitty?

Organizations must secure UEFI configurations, update firmware, and implement layered defenses.

Leave a Comment