
BlackLotus UEFI Bootkit Bypasses Fully Patched Windows 11

Cybersecurity company ESET claims that the latest variant of BlackLotus has the ability to compromise a fully up-to-date Windows 11 system with UEFI Secure Boot enabled.

UEFI bootkits are a powerful class of threat: they let an attacker take control of the OS boot process and disable security mechanisms before the operating system has even loaded. Several such attempts have been seen before, among them ESpecter, MoonBounce, MosaicRegressor, FinSpy, and LoJax, but ESET's recent research describes the first publicly disclosed UEFI bootkit that bypasses Secure Boot on a fully updated system.

What is the big deal?

  • First observed in October 2022, BlackLotus is the first known malware to publicly abuse CVE-2022-21894 (aka Baton Drop), a Secure Boot security feature bypass vulnerability in Windows.
  • Although Microsoft patched this vulnerability in its January 2022 Patch Tuesday release, systems remain at risk because the vulnerable, still-signed UEFI binaries have not been added to the UEFI revocation list (DBX), so Secure Boot continues to accept them.

Modus operandi

According to the report, the attack begins with the execution of an installer component on the target machine. The installer is either offline (carrying the required Windows binaries embedded in it) or online (downloading those Windows binaries from the C2 server).
  • The goal of the installer is to write the files to the EFI system partition, disable HVCI and BitLocker, and reboot the machine.
  • During the first reboot, it abuses CVE-2022-21894 to bypass UEFI Secure Boot protections and set up persistence. It then enrolls the attackers' Machine Owner Key (MOK) and reboots again.
  • During the next reboot, the self-signed UEFI bootkit is executed, and the kernel driver and HTTP downloader payloads are deployed.
  • These allow the download and execution of further user-mode and driver components and protect the bootkit against uninstallation.
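The two sections above single out the settings BlackLotus tampers with (Secure Boot state, HVCI, BitLocker, the contents of the EFI system partition) and the DBX revocation list that has not yet caught up with the vulnerable boot managers. The following read-only PowerShell posture check is an added example, not code from the article or from ESET's report: it reports those settings on a Windows 10/11 host so they can be compared against a known-good baseline. It assumes an elevated prompt, that drive letter Z: is free for temporarily mounting the ESP, and that a DBX smaller than 1 KB is worth flagging (that threshold is an assumption, not a figure from the page).

```powershell
# Added example (not from the article or ESET's report): read-only posture check
# for the defences the BlackLotus write-up says the bootkit disables or relies on.
# Assumptions: elevated PowerShell on Windows 10/11; drive letter Z: is unused.

function Get-BootSecurityPosture {
    [CmdletBinding()]
    param([string]$EspDriveLetter = 'Z')   # assumption: Z: is free

    $result = [ordered]@{}

    # 1. Secure Boot state. Throws on legacy BIOS hosts, so catch and report.
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = "unavailable: $($_.Exception.Message)" }

    # 2. Size of the UEFI forbidden-signature database (dbx). A near-empty dbx
    #    means no revocation list has been applied to this firmware at all.
    try {
        $dbx = Get-SecureBootUEFI -Name dbx
        $result.DbxBytes    = $dbx.Bytes.Length
        $result.DbxLooksTiny = ($dbx.Bytes.Length -lt 1024)   # 1 KB threshold is an assumption
    } catch {
        $result.DbxBytes = "unavailable: $($_.Exception.Message)"
    }

    # 3. HVCI (Memory integrity). Win32_DeviceGuard lists running services as
    #    numeric codes; code 2 is hypervisor-enforced code integrity.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace root\Microsoft\Windows\DeviceGuard
    $result.HvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # 4. BitLocker protection status of the OS volume (On / Off).
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $result.BitLockerProtection = $bl.ProtectionStatus
    } catch {
        $result.BitLockerProtection = "unavailable: $($_.Exception.Message)"
    }

    # 5. Inventory of the EFI system partition (path, size, SHA-256) so the
    #    files the installer writes there can be spotted against a baseline.
    #    mountvol X: /S maps the ESP; /D unmaps it again in the finally block.
    $esp = "$EspDriveLetter`:"
    mountvol $esp /S | Out-Null
    try {
        $result.EspFiles = Get-ChildItem -Path "$esp\EFI" -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Size   = $_.Length
                    SHA256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                }
            }
    } finally {
        mountvol $esp /D | Out-Null
    }

    [pscustomobject]$result
}

# Usage: capture once on a trusted build, then diff later runs against it.
$posture = Get-BootSecurityPosture
$posture | Select-Object SecureBootEnabled, DbxBytes, DbxLooksTiny, HvciRunning, BitLockerProtection | Format-List
$posture.EspFiles | Format-Table Path, Size, SHA256 -AutoSize
```

The script changes nothing on the host; the only side effect is the temporary drive letter for the ESP, which the finally block removes even if the hash enumeration fails. Treat Secure Boot off, HVCI not running, BitLocker off, or an unexpected file under \EFI as findings to investigate rather than as proof of infection, and keep the first run as the baseline that later runs are diffed against.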

The bottom line

This bootkit represents a leap forward in terms of persistence, evasion, and full control of the targeted devices. Moreover, due to the complex UEFI ecosystem and associated supply-chain dependencies, experts indicate that full and effective patching of the vulnerability exploited by BlackLotus may take a long time. It is suggested to adopt a proactive security approach, including using standard anti-malware and firewall solutions and leveraging threat intelligence insights to minimize the possible impact of the threat.
Publisher: Cyware