BlackLotus UEFI bootkit Can Bypass Secure Boot on Windows
By Deeba Ahmed, HackRead.com
Security firm ESET’s researchers have shared their analysis of the world’s first UEFI bootkit seen in the wild that can bypass Secure Boot on fully updated UEFI systems, including fully updated Windows 10 and Windows 11 installations.
ESET’s Deep-Dive Analysis of UEFI Bootkit
According to the researchers, there is no indication of who created this bootkit or what its authors call it, but they concluded that it corresponds to the BlackLotus bootkit, which has been advertised on underground cybercrime forums since 2022 for $5,000, with updates costing an additional $200.
Understanding BlackLotus Capabilities
BlackLotus is written in assembly and C, which lets its developers pack a suite of powerful features into an 80 KB file. It disables not only Secure Boot but also other OS security mechanisms, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender.
This bootkit can run on fully updated systems running Windows 11 with UEFI Secure Boot enabled. It targets the Unified Extensible Firmware Interface (UEFI), the low-level firmware chain responsible for booting modern computers. UEFI bridges the computer’s firmware and the operating system while functioning as a small OS in its own right.
Because the UEFI firmware lives in an SPI-connected flash chip on the computer’s motherboard, it is extremely hard to inspect or patch. BlackLotus differs from firmware implants such as MoonBounce, CosmicStrand, and MosaicRegressor in where it lives: those modify the UEFI firmware stored in the flash chip, whereas BlackLotus targets the boot software stored on the EFI system partition.
How Does BlackLotus Defeat Secure Boot?
The bypass exploits CVE-2022-21894, a vulnerability that affected all supported versions of Microsoft Windows and was patched in January 2022. It is a logic flaw, dubbed “Baton Drop” by the researcher who discovered it, that lets an attacker remove Secure Boot enforcement from the boot sequence entirely when the PC starts.
Threat actors can easily exploit this flaw to obtain the keys for BitLocker, which encrypts hard drives. For BlackLotus’s creators, the flaw has proven immensely useful because, although it has been patched, the vulnerable signed binaries have not yet been added to the UEFI revocation list that tells the firmware which boot files are no longer trusted.
According to the researchers, hundreds of vulnerable bootloaders are still in use, and revoking those signed binaries would render millions of devices useless. That is why fully updated devices remain vulnerable: threat actors can simply replace the patched bootloader with an old, vulnerable, still-signed one.
Why UEFI Bootkits Are a Threat
UEFI bootkits are powerful threats because they run with complete control over the operating system’s boot process. That position lets a bootkit disable OS security mechanisms and deploy its own kernel-mode and user-mode payloads during the earliest stages of OS startup, so the attackers operate stealthily and with high privileges.
How the Bootkit Is Deployed
How this bootkit is initially delivered is unclear, but the attack chain begins with an installer component that writes files to the EFI system partition and disables HVCI and BitLocker, then reboots the host.
After the reboot, BlackLotus disables protection solutions and deploys a kernel driver, which guards the bootkit’s files against deletion, and an HTTP loader. The HTTP loader in turn establishes communication with the control server and executes the payload it receives.
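Because BlackLotus lives on the EFI system partition rather than in SPI flash, its footprint is visible to ordinary file integrity monitoring of the boot partition. The following is an added example (not code from the HackRead article or from ESET) of such a check in Python: it hashes every file under a mounted ESP and reports files that were added, replaced, or removed relative to a baseline inventory. It assumes the ESP is mounted at a directory path and that the baseline was recorded while the system was known-good; the demo runs against a constructed temporary directory rather than a real ESP.

```python
"""Baseline integrity check for an EFI system partition (ESP).
Added example, not from the article or ESET. Assumes the ESP is mounted at a
directory and that a SHA-256 inventory was recorded while the host was known-good."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large boot binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_esp(esp_root: str) -> dict[str, str]:
    """Map each file on the ESP (relative POSIX path) to its SHA-256."""
    root = Path(esp_root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def audit_esp(esp_root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff the live ESP against the baseline. A patched bootmgfw.efi swapped
    for an older signed build shows up as 'modified'; a dropped-in loader as 'added'."""
    current = inventory_esp(esp_root)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temp dir: record a baseline, then tamper with it."""
    with tempfile.TemporaryDirectory() as esp:
        boot = Path(esp, "EFI", "Microsoft", "Boot")
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"patched bootmgr (constructed)")
        baseline = inventory_esp(esp)  # taken while the system was known-good
        # Simulated tampering: bootloader replaced and an extra EFI binary dropped.
        (boot / "bootmgfw.efi").write_bytes(b"older signed bootmgr (constructed)")
        (boot / "extra.efi").write_bytes(b"unexpected loader (constructed)")
        return audit_esp(esp, baseline)


if __name__ == "__main__":
    print(demo())
```

On a real host, record the baseline with `inventory_esp` right after patching, store it off-box, and re-run `audit_esp` on a schedule; any non-empty finding is a reason to inspect the ESP.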
Related news
Improper Access Control in SMI handler vulnerability in Phoenix SecureCore™ Technology™ 4 allows SPI flash modification. This issue affects SecureCore™ Technology™ 4:
- from 4.3.0.0 before 4.3.0.203
- from 4.3.1.0 before 4.3.1.163
- from 4.4.0.0 before 4.4.0.217
- from 4.5.0.0 before 4.5.0.138
It's unclear why the NSA issued in-depth mitigation guidance for the software boot threat now, but orgs should take steps to harden their environments.
The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. To that end, the agency is recommending that "infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition." BlackLotus is an advanced
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and
Summary: Today, Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability. This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.
BlackLotus is the first in-the-wild malware to exploit a vulnerability in the Secure Boot process on Windows, and experts expect copycats and imminent increased activity.
A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot, making it a potent threat in the cyber landscape. "This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," Slovak cybersecurity company ESET said in a report shared with The Hacker News. UEFI