Headline
NSA: BlackLotus BootKit Patching Won't Prevent Compromise
It’s unclear why the NSA issued in-depth mitigation guidance for the software boot threat now, but orgs should take steps to harden their environments.
The US National Security Agency (NSA) is urging systems administrators to go beyond patching in order to protect Windows 10 and 11 machines from the BlackLotus bootkit malware.
BlackLotus burst on the scene last fall when it was spotted for sale on the Dark Web for $5,000. It has the dubious distinction of being the first in-the-wild malware to successfully bypass to Microsoft’s Unified Extensible Firmware Interface (UEFI) Secure Boot protections.
UEFI is the firmware that’s responsible for the booting-up routine, so it loads before the operating system kernel and any other software. BlackLotus — a software, not a firmware threat, it should be noted — takes advantage of two vulnerabilities in the UEFI Secure Boot function to insert itself into the earliest phase of the software boot process initiated by UEFI: CVE-2022-21894, aka Baton Drop, CVSS score 4.4; and CVE-2023-24932, CVSS score 6.7. These were patched by Microsoft in January 2022 and May 2023 respectively.
But the country’s top technology intelligence division warned that applying the available Windows 10 and Windows 11 patches is only a “a good first step.”
“Patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX),” according to a BlackLotus mitigation guide (PDF) released by the NSA this week. “Administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot.”
That means that bad actors can simply replace fully patched boot loaders with legitimate but vulnerable versions in order to execute BlackLotus on compromised endpoints. It’s an issue that Microsoft is addressing with a more comprehensive fix planned for release in early 2024, but until then, the NSA recommends that infrastructure owners take additional steps to harden their systems, such as tightening up user executable policies, and monitoring the integrity of the boot partition. An optional advanced mitigation is to customize the Secure Boot policy by adding DBX records to all Windows endpoints.
“Protecting systems against BlackLotus is not a simple fix,” said NSA platform security analyst Zachary Blum, in the advisory.
And indeed, the advisory offers extensive hardening advice, but fully implementing the NSA’s guidance is a process unto itself, notes John Gallagher, vice president of Viakoo Labs.
“Given the manual nature of NSA’s guidance, many organizations will find that they don’t have the resources needed to fully remediate this vulnerability. Additional measures like use of network access control and traffic analysis should also be used until Microsoft can provide a more complete fix,” he says.
BlackLotus, A First-of-its-Kind Bootkit
Executing malware like BlackLotus does offer cyberattackers several significant advantages, including ensuring persistence even after OS reinstalls and hard drive replacements. And, because the bad code executes in kernel mode ahead of security software, it’s undetectable by standard defenses like BitLocker and Windows Defender (and can indeed turn them off entirely). It also can control and subvert every other program on the machine and can load additional stealthy malware that will execute with root privileges.
“UEFI vulnerabilities, as the guidance from NSA shows, are particularly difficult to mitigate and remediate because they are in the earliest stage of software and hardware interactions,” says Gallagher. “The guidance NSA is providing is critically important as a reminder to pay attention to boot-level vulnerabilities and have a method to address them.”
It all sounds pretty dire — an assessment of which many systems administrators agree. But as the NSA noted, most security teams are confused about how to combat the danger that the bootkit poses.
“Some organizations use terms like ‘unstoppable,’ ‘unkillable,’ and ‘unpatchable’ to describe the threat,” according to the NSA guidance. “Other organizations believe there is no threat, due to patches that Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between both extremes.”
The NSA didn’t provide an explanation for why it’s issuing the guidance now — i.e., it didn’t issue information about recent mass exploitation efforts or in-the-wild incidents. But John Bambenek, principal threat hunter at Netenrich, notes that the NSA piping up at all should indicate that BlackLotus is a threat that requires attention.
“Whenever the NSA releases a tool or guidance, the most important information is what they aren’t saying,” he says. “They took the time and effort to develop this tool, declassify it, and release it. They will never say why, but the reason was worth a significant diversion from how they usually operate by saying nothing.”
Related news
Though it's still just a proof of concept, the malware is functional and can evade the Secure Boot process on devices from multiple vendors.
Microsoft patched a record number of 147 new CVEs this month, though only three are rated "Critical."
Improper Access Control in SMI handler vulnerability in Phoenix SecureCore™ Technology™ 4 allows SPI flash modification. This issue affects SecureCore™ Technology™ 4: * from 4.3.0.0 before 4.3.0.203 * from 4.3.1.0 before 4.3.1.163 * from 4.4.0.0 before 4.4.0.217 * from 4.5.0.0 before 4.5.0.138
The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. To that end, the agency is recommending that "infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition." BlackLotus is an advanced
The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. To that end, the agency is recommending that "infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition." BlackLotus is an advanced
Plus: Microsoft patches two zero-day flaws, Google’s Android and Chrome get some much-needed updates, and more.
Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2023, including vulnerabilities that were added between April and May Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. It’s been a […]
A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations and potentially putting personal information at risk.
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and
Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft Tags: CVE-2023-29336 Tags: CVE-2023-24932 Tags: bootkit Tags: CVE-2023-29325 Tags: Outlook Tags: preview Tags: CVE-2023-24941 Tags: Apple Tags: Cisco Tags: Google Tags: Android Tags: VMWare Tags: SAP Tags: Mozilla Microsoft's Patch Tuesday round up for May 2023 includes patches for three zero-day vulnerabilities and one critical remote code execution vulnerability (Read more...) The post Update now! May 2023 Patch Tuesday tackles three zero-days appeared first on Malwarebytes Labs.
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
Summary Summary Today, Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability. This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.
Summary Summary Today, Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability. This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.
**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An attacker who successfully exploited this vulnerability could bypass Secure Boot.
BlackLotus is the first in-the-wild malware to exploit a vulnerability in the Secure Boot process on Windows, and experts expect copycats and imminent increased activity.
By Deeba Ahmed Security firm ESET’s cybersecurity researchers have shared their analysis of the world’s first UEFI bootkit being used in… This is a post from HackRead.com Read the original post: BlackLotus UEFI bootkit Can Bypass Secure Boot on Windows
A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot, making it a potent threat in the cyber landscape. "This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," Slovak cybersecurity company ESET said in a report shared with The Hacker News. UEFI