Headline
NSA Releases Guide to Combat Powerful BlackLotus Bootkit Targeting Windows Systems
The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. To that end, the agency is recommending that “infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition.” BlackLotus is an advanced
Threat Intel / Endpoint Security
The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.
To that end, the agency is recommending that “infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition.”
BlackLotus is an advanced crimeware solution that was first spotlighted in October 2022 by Kaspersky. A UEFI bootkit capable of bypassing Windows Secure Boot protections, samples of the malware have since emerged in the wild.
This is accomplished by taking advantage of a known Windows flaw called Baton Drop (CVE-2022-21894, CVSS score: 4.4) discovered in vulnerable boot loaders not added into the Secure Boot DBX revocation list. The vulnerability was addressed by Microsoft in January 2022.
This loophole could be exploited by threat actors to replace fully patched boot loaders with vulnerable versions and execute BlackLotus on compromised endpoints.
UEFI bootkits like BlackLotus grant a threat actor complete control over the operating system booting procedure, thereby making it possible to interfere with security mechanisms and deploy additional payloads with elevated privileges.
It’s worth noting that BlackLotus is not a firmware threat, and instead hones in on the earliest software stage of the boot process to achieve persistence and evasion. There is no evidence that the malware targets Linux systems.
“UEFI bootkits may lose on stealthiness when compared to firmware implants […] as bootkits are located on an easily accessible FAT32 disk partition,” ESET researcher Martin Smolár said in an analysis of BlackLotus in March 2023.
"However, running as a bootloader gives them almost the same capabilities as firmware implants, but without having to overcome the multilevel SPI flash defenses, such as the BWE, BLE, and PRx protection bits, or the protections provided by hardware (like Intel Boot Guard).
Besides applying the May 2023 Patch Tuesday updates from Microsoft, which addressed a second Secure Boot bypass flaw (CVE-2023-24932, CVSS score: 6.7) exploited by BlackLotus, organizations are advised to carry out the following mitigation steps -
- Update recovery media
- Configure defensive software to scrutinize changes to the EFI boot partition
- Monitor device integrity measurements and boot configuration for anomalous changes in the EFI boot partition
- Customize UEFI Secure Boot to block older, signed Windows boot loaders
- Remove the Microsoft Windows Production CA 2011 certificate on devices that exclusively boot Linux
Microsoft, for its part, is taking a phased approach to completely close the attack vector. The fixes are expected to be generally available in the first quarter of 2024.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Microsoft patched a record number of 147 new CVEs this month, though only three are rated "Critical."
Improper Access Control in SMI handler vulnerability in Phoenix SecureCore™ Technology™ 4 allows SPI flash modification. This issue affects SecureCore™ Technology™ 4: * from 4.3.0.0 before 4.3.0.203 * from 4.3.1.0 before 4.3.1.163 * from 4.4.0.0 before 4.4.0.217 * from 4.5.0.0 before 4.5.0.138
It's unclear why the NSA issued in-depth mitigation guidance for the software boot threat now, but orgs should take steps to harden their environments.
Plus: Microsoft patches two zero-day flaws, Google’s Android and Chrome get some much-needed updates, and more.
Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2023, including vulnerabilities that were added between April and May Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. It’s been a […]
A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations and potentially putting personal information at risk.
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and
Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft Tags: CVE-2023-29336 Tags: CVE-2023-24932 Tags: bootkit Tags: CVE-2023-29325 Tags: Outlook Tags: preview Tags: CVE-2023-24941 Tags: Apple Tags: Cisco Tags: Google Tags: Android Tags: VMWare Tags: SAP Tags: Mozilla Microsoft's Patch Tuesday round up for May 2023 includes patches for three zero-day vulnerabilities and one critical remote code execution vulnerability (Read more...) The post Update now! May 2023 Patch Tuesday tackles three zero-days appeared first on Malwarebytes Labs.
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An attacker who successfully exploited this vulnerability could bypass Secure Boot.
Summary Summary Today, Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability. This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.
Summary Summary Today, Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894. Customers will need to closely follow the configuration guidance to fully protect against this vulnerability. This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled.
BlackLotus is the first in-the-wild malware to exploit a vulnerability in the Secure Boot process on Windows, and experts expect copycats and imminent increased activity.
By Deeba Ahmed Security firm ESET’s cybersecurity researchers have shared their analysis of the world’s first UEFI bootkit being used in… This is a post from HackRead.com Read the original post: BlackLotus UEFI bootkit Can Bypass Secure Boot on Windows
A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot, making it a potent threat in the cyber landscape. "This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," Slovak cybersecurity company ESET said in a report shared with The Hacker News. UEFI