NSA Releases Guide to Combat Powerful BlackLotus Bootkit Targeting Windows Systems

The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.

To that end, the agency is recommending that “infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition.”

BlackLotus is an advanced crimeware solution that was first spotlighted in October 2022 by Kaspersky. A UEFI bootkit capable of bypassing Windows Secure Boot protections, samples of the malware have since emerged in the wild.

This is achieved by exploiting a known Windows flaw called Baton Drop (CVE-2022-21894, CVSS score: 4.4) found in vulnerable boot loaders that have not been added to the Secure Boot DBX revocation list. The vulnerability was addressed by Microsoft in January 2022.

This loophole could be exploited by threat actors to replace fully patched boot loaders with vulnerable versions and execute BlackLotus on compromised endpoints.

UEFI bootkits like BlackLotus grant a threat actor full control over the operating system boot process, thereby making it possible to interfere with security mechanisms and deploy additional payloads with elevated privileges.

It is worth noting that BlackLotus is not a firmware threat; instead, it targets the earliest software stage of the boot process to achieve persistence and evasion. There is no evidence that the malware targets Linux systems.

“UEFI bootkits may lose on stealthiness when compared to firmware implants […] as bootkits are located on an easily accessible FAT32 disk partition,” ESET researcher Martin Smolár said in an analysis of BlackLotus in March 2023.

“However, running as a bootloader gives them almost the same capabilities as firmware implants, but without having to overcome the multilevel SPI flash defenses, such as the BWE, BLE, and PRx protection bits, or the protections provided by hardware (like Intel Boot Guard).”

Besides applying the May 2023 Patch Tuesday updates from Microsoft, which addressed a second Secure Boot bypass flaw (CVE-2023-24932, CVSS score: 6.7) exploited by BlackLotus, organizations are advised to carry out the following mitigation steps:

Update recovery media
Configure defensive software to scrutinize changes to the EFI boot partition
Monitor device integrity measurements and boot configuration for anomalous changes in the EFI boot partition
Customize UEFI Secure Boot to block older, signed Windows boot loaders
Remove the Microsoft Windows Production CA 2011 certificate on devices that exclusively boot Linux

Microsoft, for its part, is taking a phased approach to close the attack vector completely. The fixes are expected to be generally available in the first quarter of 2024.
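The second and third mitigation steps above amount to watching the EFI system partition (ESP) for files that appear, disappear or change. The following PowerShell script is an added example of how a defender might do that on a Windows host; it is not from the article or from the NSA guide. It records the Secure Boot state, mounts the ESP, hashes every EFI image and BCD store on it, and compares the result against a saved baseline. The drive letter S:, the baseline path under ProgramData, and the use of Authenticode status as a secondary signal are all assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or the NSA guide): take a hash baseline of the
# EFI system partition (ESP) and report any file that has been added, changed or
# removed since, which is how a replaced boot loader or an altered BCD store shows up.
# Assumptions: drive letter S: is free, the baseline path below is writable, and
# the machine boots via UEFI.
param(
    [string]$BaselinePath = "$env:ProgramData\esp-baseline.json",  # assumed location
    [switch]$UpdateBaseline
)

$EspLetter = 'S:'

function Get-EspInventory {
    param([string]$Root)
    # Hash every EFI image and BCD store on the ESP. A bootkit has to add or replace
    # one of these to run before the kernel, so they are the files worth baselining.
    Get-ChildItem -Path $Root -Recurse -File -Include '*.efi', 'BCD' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName.Substring($Root.Length)   # relative, stable across mounts
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = if ($sig) { [string]$sig.Status } else { 'Unknown' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# 1. Secure Boot state. BlackLotus bypasses Secure Boot rather than turning it off,
#    so "enabled" is necessary but not sufficient; record it anyway.
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS boot
Write-Host "Secure Boot enabled: $secureBoot"

# 2. Expose the ESP (it normally has no drive letter) and inventory it.
mountvol $EspLetter /S
if (-not (Test-Path "$EspLetter\EFI")) { throw "ESP did not mount at $EspLetter" }

$findings = @()
try {
    $current = @(Get-EspInventory -Root "$EspLetter\")

    if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
        ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
        Write-Host "Baseline written to $BaselinePath ($($current.Count) files)."
    }
    else {
        $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
        $baselineByPath = @{}
        foreach ($b in $baseline) { $baselineByPath[$b.Path] = $b }
        $currentByPath = @{}
        foreach ($c in $current) { $currentByPath[$c.Path] = $c }

        foreach ($c in $current) {
            $b = $baselineByPath[$c.Path]
            if (-not $b)                      { $findings += "NEW      $($c.Path)  sha256=$($c.Sha256)" }
            elseif ($b.Sha256 -ne $c.Sha256)  { $findings += "CHANGED  $($c.Path)  was=$($b.Sha256) now=$($c.Sha256)" }
            # A swapped-in older loader can still carry a valid Microsoft signature (that is
            # the point of Baton Drop), so a hash change is reported even when the signature
            # verifies; the signature status is only a secondary signal.
            if ($c.Path -like '*.efi' -and $c.SigStatus -ne 'Valid') {
                $findings += "UNSIGNED $($c.Path)  status=$($c.SigStatus)"
            }
        }
        foreach ($b in $baseline) {
            if (-not $currentByPath.ContainsKey($b.Path)) { $findings += "REMOVED  $($b.Path)" }
        }
    }
}
finally {
    mountvol $EspLetter /D   # always unmount, even if the inventory fails
}

if ($findings.Count -eq 0) {
    Write-Host "No changes to the EFI boot partition since baseline."
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1   # non-zero so a scheduled task or EDR script runner can alert on it
```

Run it once with `-UpdateBaseline` right after patching and updating recovery media, then on a schedule from an elevated context; a non-zero exit code means a file on the ESP differs from the baseline and deserves a look. Because a downgraded boot loader is still Microsoft-signed, the hash comparison, not the signature check, is the control that matters here, and the baseline must be refreshed after every legitimate boot-loader update.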
