The US National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections by the Unified Extensible Firmware Interface (UEFI) bootkit known as BlackLotus.
To that end, the agency recommends that “infrastructure owners take action by strengthening user executable policies and monitoring the integrity of the boot partition.”
BlackLotus is an advanced crimeware solution first highlighted in October 2022 by Kaspersky. It is a UEFI bootkit capable of bypassing Windows Secure Boot protections, and malware samples have since emerged in the wild.
It does this by exploiting a known Windows flaw called Baton Drop (CVE-2022-21894, CVSS score: 4.4) in a vulnerable boot loader that has not been added to the Secure Boot DBX revocation list. The vulnerability was addressed by Microsoft in January 2022.
Because the vulnerable boot loader is still trusted, a threat actor can replace a fully patched boot loader with the vulnerable version and run BlackLotus on a compromised endpoint.
UEFI bootkits like BlackLotus give the threat actor full control over the operating system boot procedure, making it possible to compromise security mechanisms and deploy additional payloads with higher privileges.
It should be noted that BlackLotus is not a firmware threat; instead, it hones in on the earliest software stages of the boot process to achieve persistence and evasion. There is no evidence that the malware targets Linux systems.
“UEFI bootkits may be less stealthy than firmware implants (…) because they are located in easily accessible FAT32 disk partitions,” said ESET researcher Martin Smolár in a BlackLotus analysis in March 2023.
“However, running as a bootloader gives them nearly the same capabilities as firmware implants, but without having to overcome multilevel SPI flash defenses, such as BWE, BLE, and PRx protection bits, or hardware-provided protections (such as Intel Boot Guard).”
In addition to applying Microsoft’s May 2023 Patch Tuesday update, which addresses the second Secure Boot bypass flaw (CVE-2023-24932, CVSS score: 6.7) exploited by BlackLotus, organizations are advised to take the following mitigation steps:
- Update recovery media
- Configure defensive software to scrutinize changes to the EFI boot partition
- Monitor device integrity measurements and boot configurations for anomalous changes to EFI boot partitions
- Customize UEFI Secure Boot to block older, signed Windows boot loaders
- Remove the Microsoft Windows Production CA 2011 certificate on a device that exclusively boots Linux
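The boot-partition monitoring the list above asks for, as an added Python example that is not part of the NSA guidance or this article: it hashes every file on a mounted EFI System Partition, keeps that as a baseline, and later reports files that were added, removed or modified. The directory layout and file contents are constructed in a temporary directory for the demo; on a real host you would point `hash_tree()` at the mounted ESP and store the baseline off-box.

```python
"""Baseline-and-compare integrity check for an EFI System Partition (ESP).

Hypothetical helper, not from the NSA guidance: record a SHA-256 per file on
the ESP, then diff a later snapshot against it to flag a swapped boot loader
(for example a downgraded bootmgfw.efi) or an unexpected new EFI binary.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict[str, str]:
    """Map each file path (relative to root, POSIX form) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return digests


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return files added, removed or modified since the baseline was recorded."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed ESP layout: the boot loader gets replaced and a new file appears."""
    with tempfile.TemporaryDirectory() as esp:
        boot = Path(esp) / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"constructed: patched boot loader")
        (boot / "BCD").write_bytes(b"constructed: boot configuration")
        baseline = hash_tree(esp)  # take this while the machine is known-good
        # Simulate what a boot loader downgrade plus a dropped file look like on disk.
        (boot / "bootmgfw.efi").write_bytes(b"constructed: older vulnerable build")
        extra = Path(esp) / "EFI" / "unexpected"
        extra.mkdir()
        (extra / "extra.efi").write_bytes(b"constructed: unknown binary")
        return compare(baseline, hash_tree(esp))


if __name__ == "__main__":
    print(demo())
```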
Microsoft, for its part, is taking a phased approach to completely shutting down the attack vectors. The fix is expected to be generally available in the first quarter of 2024.