NSA Releases Guidance to Counter BlackLotus UEFI Bootkit Attacks

The U.S. National Security Agency (NSA) has issued guidance to assist organizations in detecting and preventing infections caused by the BlackLotus Unified Extensible Firmware Interface (UEFI) bootkit. The agency recommends that infrastructure owners strengthen user executable policies and monitor the integrity of the boot partition as part of their defense strategy.


BlackLotus, an advanced crimeware solution, came into the spotlight in October 2022 when it was first identified by Kaspersky. It is a UEFI bootkit that can bypass Windows Secure Boot protections. Since its discovery, samples of the malware have been detected in the wild.

The bootkit exploits a known Windows vulnerability called Baton Drop (CVE-2022-21894, CVSS score: 4.4), which affects boot loaders not included in the Secure Boot DBX revocation list. Microsoft addressed this vulnerability in January 2022. Threat actors can leverage this loophole to replace fully patched boot loaders with vulnerable versions and execute BlackLotus on compromised endpoints.


UEFI bootkits like BlackLotus provide threat actors with complete control over the operating system booting process, enabling them to interfere with security mechanisms and deploy additional payloads with elevated privileges.


It's important to note that BlackLotus is not a firmware threat but rather focuses on the early software stage of the boot process to achieve persistence and evasion. There is no evidence to suggest that the malware targets Linux systems.


ESET researcher Martin Smolár explained that while UEFI bootkits may lack the stealthiness of firmware implants, they possess similar capabilities without needing to overcome multiple SPI flash defenses or hardware protections.


In addition to applying the latest Patch Tuesday updates from Microsoft, which address another Secure Boot bypass flaw exploited by BlackLotus (CVE-2023-24932, CVSS score: 6.7), organizations are advised to take several mitigation steps. These include updating recovery media, configuring defensive software to monitor changes to the EFI boot partition, monitoring device integrity measurements and boot configuration for anomalous changes, customizing UEFI Secure Boot to block older Windows boot loaders, and removing the Microsoft Windows Production CA 2011 certificate on devices that exclusively boot Linux.
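One way to monitor the EFI boot partition for changes, as an added example that is not part of the NSA guidance or the original article: a SHA-256 baseline of the mounted partition, compared against a later snapshot. Because a boot loader swapped for an older version is still validly signed, the comparison is on file hashes rather than signatures. The function names and the constructed directory tree in `demo()` are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(esp_root):
    """Map every file under the mounted ESP to its SHA-256 digest.

    Paths are stored relative to the root and lower-cased, because the
    FAT file system used for the ESP is case-insensitive.
    """
    root = Path(esp_root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix().lower()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff(baseline, current):
    """Return (kind, path) findings, with .efi boot binaries listed first."""
    findings = []
    for path in set(baseline) | set(current):
        if path not in baseline:
            findings.append(("added", path))
        elif path not in current:
            findings.append(("removed", path))
        elif baseline[path] != current[path]:
            findings.append(("modified", path))
    return sorted(findings, key=lambda f: (not f[1].endswith(".efi"), f[1]))


def demo():
    """Run the check against a constructed ESP-like tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp, "EFI", "Microsoft", "Boot")
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"constructed patched loader")
        (boot / "BCD").write_bytes(b"constructed boot configuration")
        baseline = snapshot(tmp)
        # Constructed changes: loader replaced, an extra binary dropped in.
        (boot / "bootmgfw.efi").write_bytes(b"constructed older loader")
        (boot / "unexpected.efi").write_bytes(b"constructed extra binary")
        return diff(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

Legitimate boot loader updates also change these hashes, so the baseline has to be refreshed after each verified patch cycle.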


Microsoft is gradually closing this attack vector and expects fixes to be available by the first quarter of 2024. Callie Guenther, Cyber Threat Research Senior Manager at Critical Start, shared her perspective on the incident and what organizations can learn from it: "The incident highlights the potential vulnerabilities associated with firmware, particularly UEFI Secure Boot implementations. Organizations need to recognize the importance of validating the integrity of their servers, laptops, and workstations, including regularly updating firmware and monitoring for any indications of compromise.

"Organizations are advised to apply the necessary patches, such as the ones released by Microsoft, to address known vulnerabilities that can be exploited by bootkits like BlackLotus. Additionally, they should configure defensive software to scrutinize changes to the EFI boot partition, monitor device integrity measurements, and customize UEFI Secure Boot to block older, signed Windows boot loaders.

"Given the evolving threat landscape, organizations can benefit from collaborating and sharing threat intelligence to stay updated on emerging threats, tactics, and techniques used by threat actors. Sharing information and insights within the cybersecurity community can help organizations collectively strengthen their defenses against such threats."

