
The U.S. National Security Agency (NSA) released guidance on Thursday to help organizations detect and prevent infections by the Unified Extensible Firmware Interface (UEFI) bootkit known as BlackLotus.
To this end, the agency recommends that “infrastructure owners take action by enforcing user-executable policies and monitoring the integrity of boot partitions.”
BlackLotus is an advanced crimeware solution first spotted by Kaspersky in October 2022. Samples of the malware, a UEFI bootkit capable of bypassing Windows Secure Boot protections, have circulated since then.

The bypass works by exploiting a known Windows flaw called Baton Drop (CVE-2022-21894, CVSS score: 4.4) in a vulnerable boot loader that was never added to the Secure Boot DBX revocation list. Microsoft fixed the vulnerability in January 2022.
Because the old loader is still trusted by Secure Boot, threat actors can replace a fully patched boot loader with the vulnerable version and run BlackLotus on compromised endpoints.
UEFI bootkits like BlackLotus give threat actors complete control over the operating system boot procedure, allowing them to interfere with security mechanisms and deploy additional payloads with elevated privileges.
It is worth noting that BlackLotus does not target the firmware itself; it targets the earliest software stages of the boot process, which it uses for persistence and evasion. There is no evidence that the malware targets Linux systems.
“UEFI bootkits may be less stealthy than firmware implants […] as the bootkit is placed on an easily accessible FAT32 disk partition,” ESET researcher Martin Smolár said in a March 2023 analysis of BlackLotus.
“However, running as a bootloader gives them almost the same capabilities as firmware implants, but without having to overcome the multilevel SPI flash defenses, such as the BWE, BLE and PRx protection bits, or the protections provided by hardware (like Intel Boot Guard).”
In addition to applying Microsoft’s May 2023 Patch Tuesday update, which addresses the second Secure Boot bypass flaw (CVE-2023-24932, CVSS score: 6.7) exploited by BlackLotus, the NSA recommends that organizations take the following mitigation steps:
- Update recovery media
- Configure defensive software to probe for changes to the EFI boot partition
- Monitor device integrity measurements and boot configurations to detect abnormal changes to EFI boot partitions
- Customize UEFI Secure Boot to block outdated signed Windows boot loaders
- Remove the Microsoft Windows Production CA 2011 certificate on devices that boot Linux exclusively
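One way to carry out the "probe for changes to the EFI boot partition" and "monitor device integrity measurements" items above, as an added example that is not part of the NSA guidance or this article: an elevated PowerShell script that mounts the EFI System Partition, hashes and signature-checks every .efi loader on it, and diffs the result against a stored baseline. The S: mount point and the baseline file path are assumptions.

```powershell
# Added example (not NSA or article code). Run elevated. Assumed: S: is free
# for the ESP mount; the baseline lives at C:\ProgramData\esp-baseline.json.
param(
    [string]$Mount    = 'S:',
    [string]$Baseline = 'C:\ProgramData\esp-baseline.json',
    [switch]$Record   # write a fresh baseline instead of comparing
)

# 1. Mount the ESP (it normally has no drive letter) and hash every *.efi on it.
mountvol $Mount /S | Out-Null
$current = @{}
try {
    Get-ChildItem -Path "$Mount\EFI" -Recurse -Filter '*.efi' -File | ForEach-Object {
        $rel = $_.FullName.Substring($Mount.Length)         # e.g. \EFI\Microsoft\Boot\bootmgfw.efi
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $current[$rel] = @{
            sha256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            status = [string]$sig.Status                    # 'Valid', 'NotSigned', 'HashMismatch', ...
        }
    }
} finally {
    mountvol $Mount /D | Out-Null                            # always unmount, even on error
}

if ($Record) {
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $Baseline
    "Baseline written: $($current.Count) loaders"; return
}

# 2. Diff against the baseline. A new loader, or a changed hash on the Windows
#    Boot Manager, is the footprint a bootkit leaves on the ESP.
$old    = Get-Content -Raw -Path $Baseline | ConvertFrom-Json
$alerts = @()
foreach ($rel in $current.Keys) {
    $prev = $old.PSObject.Properties[$rel]
    if (-not $prev)                                      { $alerts += "NEW     $rel" }
    elseif ($prev.Value.sha256 -ne $current[$rel].sha256) { $alerts += "CHANGED $rel" }
    if ($current[$rel].status -ne 'Valid')               { $alerts += "BADSIG  $rel ($($current[$rel].status))" }
}
foreach ($rel in $old.PSObject.Properties.Name) {
    if (-not $current.ContainsKey($rel))                 { $alerts += "MISSING $rel" }
}

# 3. Secure Boot state: a bootkit does not need to switch it off, but a flip is still abnormal.
try   { if (-not (Confirm-SecureBootUEFI)) { $alerts += 'Secure Boot is OFF' } }
catch { $alerts += 'Secure Boot state could not be read (legacy BIOS or access denied)' }

if ($alerts) { $alerts | ForEach-Object { Write-Warning $_ } } else { 'ESP matches baseline' }
```

Run it once with `-Record` on a freshly patched machine, then schedule the comparison run; a signed-but-changed bootmgfw.efi is the case to investigate first, since a downgraded loader still carries a valid Microsoft signature.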
Microsoft is taking a phased approach to fully blocking the attack vector; the complete fix is expected to be generally available in Q1 2024.