Hackers can infect more than 100 Lenovo models with unremovable malware

More than 100 models of Lenovo laptops have critical vulnerabilities that allow hackers to install malware that is almost impossible to remove or, in some cases, detect. The list of models can be viewed at the link. Lenovo has already released security updates for them.

Three vulnerabilities that threaten nearly a million laptops allow hackers to modify UEFI, the interface that connects the operating system to firmware. Because it is the first program to run when any modern device is turned on, it is the first link in the security chain. UEFI is stored on the motherboard’s flash chip, so malware is difficult to detect and remove.

Two vulnerabilities tracked by both CVE-2021-3971 and CVE-2021-3972 are in the UEFI firmware drivers. These drivers should only be used in the production of laptops, but Lenovo engineers inadvertently left them active. So hackers can use them to disable protection.

After studying two vulnerabilities, ESET researchers found a third, CVE-2021-3970. It allows hackers to run malicious software when the computer is put into system control mode. This is the most privileged mode commonly used by manufacturers for low-level system management.

There are only two documented cases of malicious UEFI firmware. The first of these is LoJax , written by a Russian state group of hackers known by various names – Sednit, Fancy Bear, APT 28, etc. Another case is a malware for UEFI that was found on the computers of diplomats in Asia.