The National Security Agency (NSA) has published technical mitigation guidance to help organizations harden systems against BlackLotus UEFI bootkit infections.
The NSA’s recommendations provide a blueprint for defenders to protect systems from BlackLotus, a stealthy malware that emerged on underground forums in late 2022 with capabilities that include user access control (UAC) and secure boot bypass, unsigned driver loading, and prolonged persistence.
To disable secure boot, the bootkit exploits a year-old vulnerability in Windows (CVE-2022-21894) and deploys an older, vulnerable Windows boot loader to exploit the bug.
In April, Microsoft shared information on how threat hunters can identify BlackLotus infections in their environments, underlining that the bootkit can only be deployed on already compromised systems. In May, the company released optional mitigations to prevent the roll-back to vulnerable boot loaders.
The NSA mitigation document notes that BlackLotus can be executed on fully-patched systems, because the vulnerable boot loaders it targets have not been added to the Secure Boot DBX revocation list.
According to the NSA, although bootkit targets the earliest software stage of boot, “defensive software solutions can be configured to detect and prevent the installation of the BlackLotus payload or the reboot event that starts its execution and implantation.”
The agency urges system administrators within the Department of Defense and other networks to take action, as the available security patches may provide a false sense of security.
“Because BlackLotus integrates Shim and GRUB into its implantation routine, Linux administrators should also be vigilant for variants affecting popular Linux distributions,” the NSA added.
Organizations are advised to keep their Windows systems always updated, to configure security software to monitor for EFI boot partition changes and, if such changes are identified, to prevent devices from rebooting, and to update Secure Boot with DBX deny list hashes preventing the execution of older and vulnerable boot loaders.
“Adding boot loader hashes to the DBX may render many Windows install and recovery images, discs, and removable media drives unbootable. Microsoft provides updated install and recovery images for Windows 11 and 10. Only update the DBX after acquiring install and recovery media with the January 2022 or later patch assortment applied,” according to the NSA.
Linux system administrators, the agency’s guidance explains, can remove the Microsoft Windows Production CA 2011 certificate from the Secure Boot database, thus eliminating the need to add DBX hashes.
Related: Microsoft Makes Second Attempt to Patch Outlook Zero-Day
Related: Chinese APT Caught Using ‘MoonBounce’ UEFI Firmware Implant
Related: Firmware Flaws Allow Disabling Secure Boot on Lenovo Laptops
More from Ionut Arghire
- UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor
- Xenomorph Android Banking Trojan Targeting Users in US, Canada
- $200 Million in Cryptocurrency Stolen in Mixin Network Hack
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
- City of Dallas Details Ransomware Attack Impact, Costs
- In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
- Air Canada Says Employee Information Accessed in Cyberattack
Latest News
- Microsoft Adding New Security Features to Windows 11
- UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor
- Sony Investigating After Hackers Offer to Sell Stolen Data
- The CISO Carousel and its Effect on Enterprise Cybersecurity
- Xenomorph Android Banking Trojan Targeting Users in US, Canada
- $200 Million in Cryptocurrency Stolen in Mixin Network Hack
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
