BlackLotus bootkit patch may bring “false sense of security”, warns NSA

The NSA has published a guide on how to mitigate attacks involving the BlackLotus bootkit malware, amid concerns that system administrators may not be adequately protected against the threat.

The BlackLotus UEFI bootkit made a name for itself in October 2022, when it was seen being sold on underground cybercrime forums for $5,000.

The news sent shivers down the spines of many in the cybersecurity community, as BlackLotus was the first UEFI bootkit seen in the wild that was capable of bypassing UEFI Secure Boot on fully updated UEFI systems.

BlackLotus is sophisticated software that can infect a computer’s low-level firmware, bypassing the Secure Boot protections built into Windows 10 and Windows 11, allowing malicious code to be executed before the computer’s operating system and security protections have loaded.

In this way, the attackers could disable security measures such as BitLocker and Windows Defender, without triggering alarms, and deploy BlackLotus’ built-in protection against bootloader removal.

Although Microsoft released a patch for the Secure Boot defect in January 2022, exploitation remains possible because the affected, validly signed binaries have not been added to the UEFI revocation list.

Earlier this year, security researchers explained how BlackLotus exploited it, “bringing its own copies of legitimate – but vulnerable – binaries onto the system to exploit the vulnerability”.
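The revocation list referred to above is the UEFI `dbx` variable, a concatenation of `EFI_SIGNATURE_LIST` structures. The following parser is an added example (not code from the NSA guide or the article) that a defender can use to confirm whether given SHA-256 hashes have actually been revoked on a system; it assumes the raw `dbx` content has been exported to a file (for example `(Get-SecureBootUEFI dbx).Bytes` on Windows, or the Linux efivars file with its 4-byte attribute prefix stripped), and the sample hashes below are constructed placeholders, not the real BlackLotus binary hashes.

```python
import struct
import uuid

# GUID that marks SHA-256 hash entries in a UEFI signature database (EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER_LEN = 28  # SignatureType (16) + three UINT32 size fields (12)


def parse_signature_lists(data: bytes):
    """Yield (signature_type, owner, signature_data) for each entry in a
    concatenation of EFI_SIGNATURE_LIST structures (the content of db/dbx)."""
    offset = 0
    while offset + LIST_HEADER_LEN <= len(data):
        sig_type = uuid.UUID(bytes_le=data[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, offset + 16)
        if list_size < LIST_HEADER_LEN or offset + list_size > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {offset}")
        pos = offset + LIST_HEADER_LEN + header_size  # skip the optional SignatureHeader
        end = offset + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        offset = end


def revoked_sha256_hashes(data: bytes) -> set:
    """Return the hex SHA-256 hashes present in a dbx blob."""
    return {sig.hex() for t, _, sig in parse_signature_lists(data) if t == EFI_CERT_SHA256_GUID}


def check_revocations(dbx_bytes: bytes, expected_hashes) -> dict:
    """Map each expected hash to True if dbx already revokes it, else False."""
    present = revoked_sha256_hashes(dbx_bytes)
    return {h: (h in present) for h in expected_hashes}


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here to construct sample data)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", LIST_HEADER_LEN + len(body), 0, 16 + 32)
    return header + body


# Constructed sample dbx: two lists holding placeholder hashes, not real bootloader hashes.
SAMPLE_HASHES = ["11" * 32, "22" * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES[:1]) + build_sha256_list(SAMPLE_HASHES[1:])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DBX
    print(f"{len(revoked_sha256_hashes(data))} SHA-256 entries in dbx")
    print(check_revocations(data, SAMPLE_HASHES + ["33" * 32]))
```

Run it against an exported dbx and a list of the hashes you expect to be revoked: any `False` means the corresponding binary is still accepted by Secure Boot on that machine.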

According to the NSA, there is “significant confusion” about the threat posed by BlackLotus:

“Some organizations use terms like ‘unstoppable,’ ‘unkillable,’ and ‘unfixable’ to describe the threat. Other organizations believe there is no threat due to fixes that Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between the two extremes”.

Patching Windows 10 and Windows 11 against the vulnerabilities is only a “good first step,” according to the NSA’s advisory.

In its mitigation guide, the agency lists additional steps to harden systems.

However, because they involve changes to the way UEFI Secure Boot is configured, they should be carried out with care – they cannot be undone once enabled, and mistakes can leave your current Windows boot media unusable.

“Protecting systems against BlackLotus is not a simple fix,” said NSA Platform Security Analyst Zachary Bloom.

Editor’s Note: The views expressed in this author’s article are solely those of the contributor, and do not necessarily reflect those of Tripwire.