The NSA announced guide Amid concerns that system administrators may not be adequately protected from threats, we discuss how to mitigate attacks involving BlackLotus bootkit malware.
The BlackLotus UEFI Bootkit made a name for itself in October 2022. saw It sells for $5,000 on cyber crime underground forums.
This news sent shivers down the spines of many in the cybersecurity community, as BlackLotus was the first existing UEFI bootkit capable of bypassing UEFI Secure Boot on a fully updated UEFI system.
BlackLotus infects a computer’s low-level firmware, bypassing the Secure Boot defenses built into Windows 10 and Windows 11 and allowing malicious code to execute before the PC’s operating system and security defenses are loaded. It is advanced malware that
In this way, an attacker could disable security measures such as BitLocker and Windows Defender without triggering an alarm, and deploy BlackLotus’ built-in protection against removal of the bootkit itself.
Microsoft issued the following patch, defect Secure Boot January 2022 is still open for exploitation as the affected validly signed binaries have not been added to the UEFI revocation list.
Earlier this year, security researchers said explained Here’s how BlackLotus took advantage of this by “bringing its own copy of a legitimate (but vulnerable) binary onto the system to exploit the vulnerability.”
According to the NSA, there is “significant confusion” about the threat posed by BlackLotus.
“Some organizations use terms like ‘unstoppable’, ‘unkillable’ and ‘unpatched’ to describe this threat. We believe there is no threat from the patches we released in January 2022 and early 2023 against the current versions of Windows.The risks lie somewhere between the two extremes.โ
Patching Windows 10 and Windows 11 against vulnerabilities is just a “good first step,” according to the NSA’s advisory.
among them Mitigation guideofficials detail additional steps to harden the system.
However, these changes involve changing how UEFI Secure Boot is configured and should be done with caution. Once activated, it cannot be undone and a mistake can render your current Windows boot media unusable.
“Protecting systems from BlackLotus is not an easy fix,” said Zachary Blum, NSA Platform Security Analyst.
Editor’s Note: The opinions expressed in this guest author article are those of the contributor only and do not necessarily reflect those of Tripwire.