Cyber Security
ESET Research Discovers Vulnerabilities in Lenovo Laptops Exposing Users to Risk of UEFI Malware Installation

ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo laptop models. The exploitation of these vulnerabilities would allow attackers to deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like our latest discovery ESPecter. ESET reported all discovered vulnerabilities to Lenovo in October 2021. Altogether, the list of affected devices contains more than one hundred different laptop models with millions of users worldwide.
“UEFI threats can be extremely stealthy and dangerous. They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their operating system payloads from being executed,” says ESET researcher Martin Smolár, who discovered the vulnerabilities. “Our discovery of these UEFI so-called “secure” backdoors demonstrates that in some cases, deployment of the UEFI threats might not be as difficult as expected, and the larger amount of real-world UEFI threats discovered in the last years suggests that adversaries are aware of this,” he adds.
The first two of these vulnerabilities – CVE-2021-3970, CVE-2021-3971 – are perhaps more accurately called “secure” backdoors built into the UEFI firmware as that is literally the name given to the Lenovo UEFI drivers implementing one of them (CVE-2021-3971): SecureBackDoor and SecureBackDoorPeim. These built-in backdoors can be activated to disable SPI flash protections (BIOS Control Register bits and Protection Range registers) or the UEFI Secure Boot feature from a privileged user-mode process during operating system runtime.
In addition, while investigating the “secure” backdoors’ binaries, we discovered a third vulnerability: SMM memory corruption inside the SW SMI handler function (CVE-2021-3972). This vulnerability allows arbitrary read/write from/into SMRAM, which can lead to the execution of malicious code with SMM privileges and potentially lead to the deployment of an SPI flash implant.
The UEFI boot and runtime services provide the basic functions and data structures necessary for the drivers and applications to do their job, such as installing protocols, locating existing protocols, memory allocation, UEFI variable manipulation, etc. UEFI boot drivers and applications use protocols extensively. UEFI variables are a special firmware storage mechanism used by UEFI modules to store various configuration data, including boot configuration.
SMM, on the other hand, is a highly privileged execution mode of x86 processors. Its code is written within the context of the system firmware and is usually used for various tasks including advanced power management, execution of OEM proprietary code, and secure firmware updates.
“All of the real-world UEFI threats discovered in the last years – LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy – needed to bypass or disable the security mechanisms in some way in order to be deployed and executed,” explains Smolár. ESET Research strongly advises all owners of Lenovo laptops to go through the list of affected devices and update their firmware by following the manufacturer’s instructions.
For those using End Of Development Support devices affected by the UEFI SecureBootBackdoor (CVE-2021-3970), without any fixes available: one way to help you protect against unwanted modification of the UEFI Secure Boot state is to use a TPM-aware full-disk encryption solution capable of making disk data inaccessible if the UEFI Secure Boot configuration changes.
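As a complement to the advice above, the following added example (not code from ESET or Lenovo) shows how a defender on Linux could record the OS-visible Secure Boot state and flag an unexpected change. It assumes the standard efivarfs layout and the EFI global variable GUID; the function names and the sample blobs are constructed for illustration.

```python
import struct
from pathlib import Path

# Assumption: standard Linux efivarfs mount and the EFI global variable GUID.
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(blob):
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes the variable data with a 4-byte little-endian
    attribute mask.
    """
    if len(blob) < 4:
        raise ValueError("truncated efivarfs blob")
    (attrs,) = struct.unpack_from("<I", blob)
    return attrs, blob[4:]


def secure_boot_state(secure_boot_blob, setup_mode_blob):
    """Decode the one-byte SecureBoot and SetupMode variables."""
    state = {}
    for name, blob in (("secure_boot", secure_boot_blob),
                       ("setup_mode", setup_mode_blob)):
        _, data = parse_efivar(blob)
        if len(data) != 1:
            raise ValueError(f"{name}: expected 1 data byte, got {len(data)}")
        state[name] = data[0] == 1
    return state


def drift(baseline, current):
    """List every field whose value differs from the recorded baseline."""
    return [f"{k}: {baseline[k]} -> {current.get(k)}"
            for k in sorted(baseline) if baseline[k] != current.get(k)]


def read_live():
    """Read the current state from efivarfs (needs a UEFI-booted Linux host)."""
    read = lambda n: (EFIVARS / f"{n}-{EFI_GLOBAL_GUID}").read_bytes()
    return secure_boot_state(read("SecureBoot"), read("SetupMode"))


if __name__ == "__main__":
    # Constructed samples: attributes 0x6 (BS|RT) followed by one data byte.
    baseline = secure_boot_state(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
    current = secure_boot_state(b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")
    print(drift(baseline, current) or "no change")
```

These variables are reported by the firmware itself, so this check only catches changes the firmware is willing to show; the TPM measurement of Secure Boot policy (PCR 7), which TPM-bound disk encryption typically seals to, remains the stronger signal.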
Cyber Security
ESET Research Uncovers Iran-Aligned BladedFeline Spying on Iraqi, Kurdish Officials

The Iran-aligned threat group BladedFeline has targeted Kurdish and Iraqi government officials in a recent cyber-espionage campaign, according to ESET researchers. The group deployed a range of malicious tools discovered within the compromised systems, indicating a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdish region. The latest campaign highlights BladedFeline’s evolving capabilities, featuring two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, a custom backdoor Whisper and a malicious Internet Information Services (IIS) module PrimeCache, both identified and named by ESET.
Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache, a malicious IIS module, also serves as a backdoor and bears similarities to the RDAT backdoor used by the OilRig Advanced Persistent Threat (APT) group.
Based on these code similarities, as well as on further evidence presented in this blogpost, ESET assesses that BladedFeline is a very likely subgroup of OilRig, an Iran-aligned APT group going after governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group’s strategic focus on persistence and stealth within targeted networks.
BladedFeline has consistently worked to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.
ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.
In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but is not the only subgroup of OilRig that ESET Research is monitoring. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare.
ESET expects that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.
Cloud
SentinelOne Simplifies Secure Cloud Migrations on AWS

SentinelOne today announced its participation in the Amazon Web Services (AWS) Independent Software Vendor (ISV) Workload Migration Program. This initiative supports AWS Partner Network (APN) members with SaaS offerings on AWS to accelerate and streamline workload migrations.
Through the program, SentinelOne will provide AWS customers with accelerated, secure cloud migration support, leveraging modern AI-powered CNAPP capabilities to ensure rapid and protected transitions. With access to AWS funding, technical resources, and go-to-market support, SentinelOne will help organizations reduce migration timelines and costs while maintaining robust security.
SentinelOne’s Singularity Cloud Security delivers real-time visibility and protection throughout the migration journey—whether from on-premises or another cloud—enabling a secure, seamless transition to AWS.
“Through our participation in the AWS ISV Workload Migration Program, SentinelOne is helping customers accelerate secure cloud migrations with end-to-end protection and visibility,” said Ric Smith, President of Product, Technology, and Operations at SentinelOne. “Whether moving from on-prem or another cloud to AWS, organizations can count on us to deliver the security they need throughout their journey—realizing the performance, speed, agility, and cost benefits of the cloud.”
Singularity Cloud Security combines agentless and agent-based protection for deep visibility, continuous posture management, and real-time threat detection across hybrid and multi-cloud environments. By collaborating with AWS and ecosystem partners, SentinelOne ensures seamless integration into migration projects, helping customers move faster, reduce risk, and scale confidently in the cloud.
Availability: SentinelOne’s solutions are available globally.
Cyber Security
Beyond Blocklists: How Behavioural Intent Analysis Can Safeguard Middle East Businesses from Rising AI-Driven Bot Threats

The Middle East is facing an unprecedented surge in AI-driven bot attacks, with malicious automation now outpacing traditional defenses. Mohammad Ismail, Vice President for EMEA at Cequence Security, warns that legacy tools like IP blocklists and rate limiting are no match for today’s sophisticated threats.