
NSA Issues Guidance on Mitigating BlackLotus Bootkit Infections

The National Security Agency (NSA) has released mitigation guidance to help organizations stave off BlackLotus UEFI bootkit infections.

The National Security Agency (NSA) has published technical mitigation guidance to help organizations harden systems against BlackLotus UEFI bootkit infections.

The NSA’s recommendations provide a blueprint for defenders to protect systems from BlackLotus, a stealthy malware that emerged on underground forums in late 2022 with capabilities that include User Account Control (UAC) and Secure Boot bypass, unsigned driver loading, and prolonged persistence.

To disable secure boot, the bootkit exploits a year-old vulnerability in Windows (CVE-2022-21894) and deploys an older, vulnerable Windows boot loader to exploit the bug.

In April, Microsoft shared information on how threat hunters can identify BlackLotus infections in their environments, underlining that the bootkit can only be deployed on already compromised systems. In May, the company released optional mitigations to prevent the roll-back to vulnerable boot loaders.

The NSA mitigation document notes that BlackLotus can be executed on fully patched systems, because the vulnerable boot loaders it targets have not been added to the Secure Boot DBX revocation list.

According to the NSA, although the bootkit targets the earliest software stage of boot, “defensive software solutions can be configured to detect and prevent the installation of the BlackLotus payload or the reboot event that starts its execution and implantation.”

The agency urges system administrators within the Department of Defense and other networks to take action, as the available security patches may provide a false sense of security.

“Because BlackLotus integrates Shim and GRUB into its implantation routine, Linux administrators should also be vigilant for variants affecting popular Linux distributions,” the NSA added.

Organizations are advised to keep their Windows systems up to date, to configure security software to monitor for changes to the EFI boot partition and, if such changes are identified, to prevent devices from rebooting, and to update Secure Boot with DBX deny list hashes that prevent older, vulnerable boot loaders from executing.

“Adding boot loader hashes to the DBX may render many Windows install and recovery images, discs, and removable media drives unbootable. Microsoft provides updated install and recovery images for Windows 11 and 10. Only update the DBX after acquiring install and recovery media with the January 2022 or later patch assortment applied,” according to the NSA.

Linux system administrators, the agency’s guidance explains, can remove the Microsoft Windows Production CA 2011 certificate from the Secure Boot database, thus eliminating the need to add DBX hashes.
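A defender rolling out the DBX deny list update described above will want to confirm which hashes a machine's DBX already revokes. The following is an added example, not code from the NSA guidance or from SecurityWeek: it parses the UEFI `EFI_SIGNATURE_LIST` layout of a DBX variable and reports which required SHA-256 entries are still missing. The function names and the sample digests are constructed for illustration; real DBX entries for boot loaders are Authenticode digests of the PE image, not flat file hashes.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec) in its on-disk mixed-endian byte order.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le


def parse_dbx_sha256(blob, efivarfs=False):
    """Return the SHA-256 digests (hex) in a DBX made of EFI_SIGNATURE_LISTs.

    efivarfs=True strips the 4-byte attributes prefix that Linux adds to
    files under /sys/firmware/efi/efivars/.
    """
    data = blob[4:] if efivarfs else blob
    digests, off = set(), 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = data[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_type == EFI_CERT_SHA256:
            # Each entry: 16-byte SignatureOwner GUID + 32-byte digest.
            if sig_size != 48 or len(body) % 48:
                raise ValueError("malformed SHA-256 signature list")
            for i in range(0, len(body), 48):
                digests.add(body[i + 16:i + 48].hex())
        off += list_size
    return digests


def missing_from_dbx(blob, required, efivarfs=False):
    """Hex digests in `required` that the DBX does not yet revoke."""
    present = parse_dbx_sha256(blob, efivarfs)
    return sorted(h.lower() for h in required if h.lower() not in present)


def sample_dbx(digests):
    """Build a constructed single-list DBX blob (demo input, not real data)."""
    owner = uuid.UUID(int=0).bytes_le
    body = b"".join(owner + bytes.fromhex(d) for d in digests)
    return EFI_CERT_SHA256 + struct.pack("<III", 28 + len(body), 0, 48) + body


# Constructed digests standing in for boot loader hashes from a deny list.
REVOKED = hashlib.sha256(b"constructed-loader-A").hexdigest()
PENDING = hashlib.sha256(b"constructed-loader-B").hexdigest()
```

On Linux the live variable can be read from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and passed with `efivarfs=True`; X.509 and other non-SHA-256 lists in the DBX are skipped rather than rejected.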

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
