The U.S. National Security Agency (NSA) has released guidance to help organizations detect and prevent infections by BlackLotus, a Unified Extensible Firmware Interface (UEFI) bootkit that targets Windows systems. The guidance lists specific actions infrastructure owners should take to mitigate the risk.
BlackLotus first surfaced in October 2022, when it was advertised on underground forums and described by Kaspersky researchers; ESET later published a detailed analysis. The bootkit is able to bypass Windows Secure Boot, and samples have been observed in the wild.
The bootkit exploits a known Windows vulnerability dubbed Baton Drop (CVE-2022-21894, CVSS score: 4.4). Microsoft patched it in January 2022, but the old, vulnerable boot loaders are still validly signed and were never added to the Secure Boot DBX revocation list. An attacker with administrative access can therefore replace a fully patched boot loader on the EFI System Partition with an older vulnerable version, which Secure Boot still accepts, and use it to launch BlackLotus on the compromised endpoint.
UEFI bootkits like BlackLotus give attackers control over the operating system's boot process before the kernel and its security mechanisms are loaded, allowing them to disable protections and load additional malicious payloads with elevated privileges.
BlackLotus does not modify firmware: it lives on the EFI System Partition and attacks the earliest software stage of the boot process to gain persistence and evade detection. This also means it can be removed without reflashing firmware. At present there is no evidence that the malware targets Linux systems.
ESET researcher Martin Smolár has noted that while UEFI bootkits are less stealthy than firmware implants, they offer similar capabilities without having to defeat the multiple layers of SPI flash protection that guard firmware, which makes them a formidable threat to system security.
To combat BlackLotus and safeguard Windows systems, organizations are advised to apply the May 2023 Patch Tuesday updates from Microsoft, which address a second Secure Boot bypass flaw exploited by the bootkit (CVE-2023-24932, CVSS score: 6.7). Note that the update only ships the new protections; they are disabled by default and must be enabled manually following Microsoft's instructions. Additionally, the NSA recommends the following mitigation steps:
Update recovery media
Configure defensive software to monitor changes to the EFI boot partition
Monitor device integrity measurements and boot configuration for suspicious changes in the EFI boot partition
Customize UEFI Secure Boot settings to block older, signed Windows boot loaders
Remove the Microsoft Windows Production CA 2011 certificate on devices exclusively booting Linux
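The following PowerShell script is an added example, not part of the NSA guidance or the article, of how a Windows administrator could implement the "monitor changes to the EFI boot partition" and "check boot configuration" steps above: it mounts the EFI System Partition, hashes every file on it against a stored baseline, reports the version of the Windows boot manager (a downgrade to a pre-2022 build is the Baton Drop replacement technique described earlier), and checks that Secure Boot is on and the DBX is populated. The baseline path, the drive letter S: and the use of mountvol are assumptions for this illustration; run it elevated on a known-clean host first to record the baseline.

```powershell
# Added example (not from the NSA guidance or the article): baseline-and-compare
# integrity check for the EFI System Partition (ESP) plus Secure Boot sanity checks.
# Assumptions: run as Administrator on a UEFI Windows host; drive letter S: is free;
# $Baseline is a placeholder path chosen for this example.
#Requires -RunAsAdministrator

$Baseline = 'C:\ProgramData\esp-baseline.json'   # assumed location for stored hashes
$EspDrive = 'S:'                                  # assumed free drive letter

# 1. Secure Boot state. BlackLotus bypasses Secure Boot rather than disabling it,
#    but if it is off, the db/DBX checks below mean nothing.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    Write-Warning 'Secure Boot is not supported on this platform (legacy BIOS?)'
    $secureBoot = $false
}
Write-Host "Secure Boot enabled: $secureBoot"

# 2. Mount the ESP (it normally has no drive letter) and hash every file on it.
mountvol $EspDrive /S | Out-Null
try {
    $current = @{}
    Get-ChildItem -Path "$EspDrive\" -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($EspDrive.Length)   # strip "S:"
        $current[$relative] = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
    }

    # Report the Windows boot manager version. An unexpectedly old version is the
    # signed-but-vulnerable loader that Baton Drop abuses.
    $bootmgr = Get-Item "$EspDrive\EFI\Microsoft\Boot\bootmgfw.efi" -ErrorAction SilentlyContinue
    if ($bootmgr) {
        Write-Host "bootmgfw.efi version: $($bootmgr.VersionInfo.FileVersion)"
    } else {
        Write-Warning 'bootmgfw.efi not found at the expected location'
    }

    if (-not (Test-Path $Baseline)) {
        # First run on a known-clean host: record the baseline.
        $current | ConvertTo-Json | Set-Content -Path $Baseline
        Write-Host "Baseline written to $Baseline ($($current.Count) files)"
    } else {
        # ConvertFrom-Json yields a PSCustomObject; rebuild a hashtable for lookups.
        $saved = Get-Content -Path $Baseline -Raw | ConvertFrom-Json
        $old = @{}
        $saved.PSObject.Properties | ForEach-Object { $old[$_.Name] = $_.Value }

        foreach ($path in $current.Keys) {
            if (-not $old.ContainsKey($path))         { Write-Warning "NEW file on ESP: $path" }
            elseif ($old[$path] -ne $current[$path])  { Write-Warning "MODIFIED on ESP: $path" }
        }
        foreach ($path in $old.Keys) {
            if (-not $current.ContainsKey($path))     { Write-Warning "REMOVED from ESP: $path" }
        }
    }
} finally {
    # Always unmount so the letter is not left exposed to other software.
    mountvol $EspDrive /D | Out-Null
}

# 3. DBX sanity check. The revocations that block old boot loaders live in the DBX;
#    a very small DBX suggests the revocation updates were never applied. This only
#    reports the size; parsing the EFI_SIGNATURE_LIST entries is out of scope here.
if ($secureBoot) {
    $dbx = Get-SecureBootUEFI -Name dbx
    Write-Host ('DBX size: {0} bytes' -f $dbx.Bytes.Length)
}
```

Two caveats a practitioner should keep in mind. Legitimate Windows servicing updates also rewrite files on the ESP, so a MODIFIED warning on bootmgfw.efi right after Patch Tuesday is expected and the baseline should be refreshed afterwards. More importantly, this check runs inside the operating system that a bootkit would already control, so it is a detective control of last resort; the NSA's recommendation to monitor device integrity measurements (TPM-backed measured boot) is stronger precisely because those measurements are taken before the OS, and BlackLotus cannot rewrite them from user space.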
Microsoft plans to close this attack vector in phases, with the full set of fixes expected by the first quarter of 2024; until then, organizations should apply the steps above to protect their systems from this bootkit.