The US National Security Agency (NSA) has released a comprehensive mitigation guide for dealing with BlackLotus malware.
According to the guide, BlackLotus exploits a Windows boot loader flaw known as “Baton Drop” (CVE-2022-21894) to take control of an endpoint during the earliest software stage of boot. The NSA notes similarities with BootHole, the 2020 boot loader vulnerability (BootHole was a flaw, not malware).
Microsoft issued a patch for the boot loader flaw, but the NSA points out that it has not revoked trust in the unpatched boot loaders through the Secure Boot deny list database (DBX). Those vulnerable boot loaders therefore still carry a valid Microsoft signature and are still accepted by Secure Boot, so an attacker with sufficient privileges can reintroduce one on a fully patched system. The threat persists after patching.
To counter this, the NSA recommends a set of mitigations for infrastructure owners.
These include hardening user-executable policies, monitoring the integrity of the boot partition, updating recovery media, and enabling the optional software mitigations that are available.
The guide also recommends customizing UEFI Secure Boot: on Windows endpoints, adding DBX records that deny the vulnerable boot loaders; on endpoints that boot only Linux, removing the Microsoft Windows Production CA certificate from the Secure Boot allow list (db). The second option prevents Windows from booting on that device at all, so it is only suitable where Windows is never expected to run.
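A practical check for the two Secure Boot customizations above is to read what db and dbx currently contain, rather than assuming the DBX update or the CA removal took effect. The following script is an added example for this page, not code from the NSA guide or Microsoft. It parses the EFI_SIGNATURE_LIST structures that Secure Boot variables hold and reports whether the "Microsoft Windows Production PCA 2011" certificate is still in db and which SHA-256 deny entries dbx carries. It assumes the efivarfs paths used by Linux; on Windows the same bytes can be exported first (an assumed command line is shown in the docstring) and passed to `parse_signature_lists` directly. The certificate detection is a byte search for the subject CN, a deliberate heuristic that avoids a full X.509 parser.

```python
"""Inspect UEFI Secure Boot db/dbx (added example; not NSA or Microsoft code).

Input is either efivarfs on Linux, or a raw dump made on Windows with, for
example (assumed command line, Windows PowerShell as Administrator):
  [IO.File]::WriteAllBytes('dbx.bin', (Get-SecureBootUEFI -Name dbx).Bytes)
A Windows dump has no efivarfs attribute prefix; feed it to
parse_signature_lists() as-is.
"""
from __future__ import annotations

import struct
import uuid
from pathlib import Path

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID under which db and dbx are stored, and the SignatureOwner GUID
# Microsoft uses for its entries (used below only to build sample input).
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
WINDOWS_PCA_2011 = b"Microsoft Windows Production PCA 2011"


def parse_signature_lists(data: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Return (SignatureType, SignatureOwner, SignatureData) for every entry.

    A variable is a sequence of EFI_SIGNATURE_LIST records:
      SignatureType GUID | ListSize u32 | HeaderSize u32 | SignatureSize u32
      | SignatureHeader[HeaderSize] | EFI_SIGNATURE_DATA[] (Owner GUID + data)
    Every entry in one list has the same SignatureSize, so each X.509
    certificate normally sits in a list of its own.
    """
    entries = []
    off = 0
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        body = off + 28 + header_size
        if list_size < 28 or end > len(data) or body > end or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        while body + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[body:body + 16])
            entries.append((sig_type, owner, data[body + 16:body + sig_size]))
            body += sig_size
        off = end
    return entries


def read_efivar(name: str, guid: str = EFI_IMAGE_SECURITY_DATABASE_GUID) -> bytes:
    """Read a variable from efivarfs; the first 4 bytes are the attribute word."""
    return Path(f"/sys/firmware/efi/efivars/{name}-{guid}").read_bytes()[4:]


def summarize(entries) -> dict:
    hashes = [d.hex() for t, _, d in entries if t == EFI_CERT_SHA256_GUID]
    certs = [d for t, _, d in entries if t == EFI_CERT_X509_GUID]
    return {
        "sha256_hashes": hashes,
        "x509_count": len(certs),
        # The subject CN is a PrintableString inside the DER blob, so a plain
        # byte search locates the certificate without a full X.509 parser.
        "windows_pca_2011_present": any(WINDOWS_PCA_2011 in c for c in certs),
    }


def is_denied(dbx_entries, authenticode_sha256_hex: str) -> bool:
    """True if dbx carries this hash.  dbx SHA-256 entries are Authenticode
    (PE image) digests, not hashes of the raw file bytes, so compare against
    the boot loader's Authenticode digest rather than a sha256sum output."""
    wanted = bytes.fromhex(authenticode_sha256_hex)
    return any(t == EFI_CERT_SHA256_GUID and d == wanted for t, _, d in dbx_entries)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, sigs: list[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST (used here to construct sample input)."""
    if len({len(s) for s in sigs}) != 1:
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + len(sigs[0])
    out = sig_type.bytes_le + struct.pack("<III", 28 + sig_size * len(sigs), 0, sig_size)
    for s in sigs:
        out += owner.bytes_le + s
    return out


if __name__ == "__main__":
    for var in ("db", "dbx"):
        try:
            report = summarize(parse_signature_lists(read_efivar(var)))
        except FileNotFoundError:
            print(f"{var}: not readable here (no efivarfs, or the variable is absent)")
            continue
        print(f"{var}: {len(report['sha256_hashes'])} SHA-256 entries, "
              f"{report['x509_count']} certificate(s), "
              f"Windows Production PCA 2011 present: {report['windows_pca_2011_present']}")
```

On a Linux-only endpoint where the CA removal was applied, `windows_pca_2011_present` should come back False for db; on a Windows endpoint it must remain True, and the DBX update should show up as additional SHA-256 entries in dbx. Because a DBX entry is an Authenticode digest, the hash to look up with `is_denied` has to be computed over the PE image the way the signing tooling does, not with a plain file hash.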
The NSA guide also stresses that BlackLotus is not a firmware threat: it does not modify the UEFI firmware itself but targets the earliest software stage of the boot process, which is why administrators need to keep a close watch on the boot partition and boot configuration.
The agency also cautions that the publicly available patches offer only partial protection, that administrators should not be lulled into a false sense of security by them, and that the recommended mitigations should be applied on top of patching.
For more information and step-by-step instructions, administrators can refer to the NSA’s BlackLotus Mitigation Guide, as well as resources provided by Microsoft and security researchers.
The agency concluded that it is critical that organizations take immediate action to protect their infrastructure from BlackLotus malware and ensure endpoint security.
The guidelines came just weeks after the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) released joint guidance on hardening baseboard management controllers (BMCs).