The NSA has published a guide about how to mitigate against attacks involving the BlackLotus bootkit malware, amid fears that system administrators may not be adequately protected against the threat.
The BlackLotus UEFI bootkit made a name for itself in October 2022, when it was seen being sold on cybercrime underground forums for $5,000.
The news sent a shiver down the spines of many in the cybersecurity community, as BlackLotus was the first in-the-wild UEFI bootkit capable of bypassing UEFI Secure Boot on fully updated UEFI systems.
BlackLotus is a sophisticated piece of malware that can infect a computer's low-level firmware, bypassing the Secure Boot defences built into Windows 10 and Windows 11, and allowing the execution of malicious code before a PC's operating system and security defences have loaded.
In this way, attackers could disable security measures such as BitLocker and Windows Defender, without triggering alarms, and deploy BlackLotus's built-in protection against the bootkit's own removal.
Although Microsoft issued a patch for the flaw in Secure Boot back in January 2022, its exploitation remains possible as the affected, validly-signed binaries have not been added to the UEFI revocation list.
Earlier this year, security researchers explained how BlackLotus was taking advantage of this, "bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability."
According to the NSA, there is "significant confusion" about the threat posed by BlackLotus:
“Some organizations use terms like 'unstoppable,' 'unkillable,' and 'unpatchable' to describe the threat. Other organizations believe there is no threat due to patches that Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between both extremes."
According to the NSA's advisory, patching Windows 10 and Windows 11 against the vulnerabilities is only "a good first step."
In its mitigation guide, the agency details additional steps for hardening systems.
However, as they involve changes to how UEFI Secure Boot is configured they should be undertaken with caution - as they cannot be reversed once activated, and could leave current Windows boot media unusable if mistakes are made.
"Protecting systems against BlackLotus is not a simple fix," said NSA platform security analyst Zachary Blum.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.