The U.S. National Security Agency (NSA) recently released guidance to assist organizations in detecting and preventing infections of an advanced crimeware solution, a Unified Extensible Firmware Interface (UEFI) bootkit known as BlackLotus.
The BlackLotus Threat
BlackLotus, first spotlighted by Kaspersky in October 2022, is a UEFI bootkit that can bypass Windows Secure Boot protections. Since its discovery, multiple samples of the malware have been spotted in the wild. The malware exploits a known Windows flaw, Baton Drop (CVE-2022-21894), found in vulnerable boot loaders that haven’t been added to the Secure Boot DBX revocation list. This vulnerability was initially addressed by Microsoft in January 2022. Threat actors can exploit this loophole by replacing fully patched boot loaders with vulnerable versions to execute BlackLotus on compromised endpoints. BlackLotus grants a threat actor full control over the operating system booting procedure, enabling them to interfere with security mechanisms and deploy additional payloads with elevated privileges. Notably, BlackLotus is not a firmware threat. It targets the earliest software stage of the boot process to achieve persistence and evasion. According to ESET researcher Martin Smolár, while “UEFI bootkits may lose on stealthiness when compared to firmware implants […] as bootkits are located on an easily accessible FAT32 disk partition,” running as a bootloader provides them with almost the same capabilities as firmware implants without overcoming the multilevel SPI flash defenses.
Understanding the Confusion
The NSA has raised concerns about “significant confusion” and a “false sense of security” regarding the threat posed by BlackLotus. In an information sheet, the NSA highlighted the wide range of beliefs organizations hold about the malware. Some believe it is an unstoppable, unmatchable threat, while others consider themselves safe because they have applied the two patches Microsoft issued. “The risk exists somewhere between both extremes,” the NSA cautioned. It also pointed out that Linux administrators should be vigilant for variants affecting popular Linux distributions, because BlackLotus integrates Shim and GRUB into its implantation routine.
Targeting Flaws in Boot Loaders
BlackLotus targets Windows boot by exploiting a flaw in older boot loaders or boot managers to initiate a series of malicious actions that compromise endpoint security. This is achieved by exploiting the Baton Drop vulnerability to disable the Secure Boot policy and prevent its enforcement.
Microsoft’s Role and Future Actions
Microsoft addressed an additional Baton Drop vulnerability (CVE-2023-24932) exploited by BlackLotus in May 2023. However, system administrators need to verify that all their devices and bootable media are updated and ready for the patch before enabling the new protections. The company is taking a phased approach to completely close the attack vector, with fixes expected to be generally available in the first quarter of 2024.
Preventive Measures and Recommendations
While patching is a crucial first step, organizations should also implement hardening actions based on their system configurations and security software. As a part of the prevention strategy, the NSA recommends the following mitigation steps:
- Update recovery media
- Configure defensive software to scrutinize changes to the EFI boot partition
- Monitor device integrity measurements and boot configuration for anomalous changes in the EFI boot partition
- Customize UEFI Secure Boot to block older, signed Windows boot loaders
- Remove the Microsoft Windows Production CA 2011 certificate on devices that exclusively boot Linux
Additionally, organizations should enable new optional protections provided in Microsoft’s May patch. This includes mitigations to prevent the rollback of the boot manager and kernel to versions vulnerable to Baton Drop and BlackLotus. “The optional mitigations – including a Code Integrity Boot Policy – should be enabled after the organization has updated its Windows installation, recovery, and diagnostic software to the latest available versions,” as per the information sheet released by the NSA.
Specific Measures Against BlackLotus
BlackLotus operates by placing an older Windows boot loader Extensible Firmware Interface (EFI) binary into the boot partition and disabling Memory Integrity and BitLocker. To counter this, the NSA recommends configuring endpoint security products to block these events outside of a legitimate, scheduled update.
- Configure defensive software to scrutinize changes to the EFI boot partition in particular.
- Leverage application allow lists to permit only known and trusted executables.
In addition, the NSA urges organizations to use endpoint security products and tools to monitor the composition of the EFI boot partition. Any unexpected changes in bootmgfw.efi, bootmgr.efi, or the introduction of additional unexpected EFI binaries (e.g., shimx64.efi or grubx64.efi) should raise red flags. Given the infrequent nature of changes to the boot partition, any modification warrants additional scrutiny.
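The monitoring the NSA describes above amounts to keeping a known-good inventory of the EFI System Partition (ESP) and alerting on any deviation. The script below is an added illustration of that idea, not NSA or Microsoft code: it hashes every .efi file under a mounted ESP, stores the result as a baseline, and later reports binaries that were changed, added (for example a shimx64.efi or grubx64.efi appearing next to the Windows boot manager) or removed. It assumes the ESP is already mounted at a path you supply (for instance a drive letter assigned with `mountvol` on Windows, or /boot/efi on Linux); the sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""
Baseline-and-diff integrity check of an EFI System Partition directory tree.
Added example (not NSA or Microsoft code). Assumes the ESP is mounted at a
path passed to inventory(); the sample tree built in demo() is constructed.
"""
import hashlib
import json
import os
import sys
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(esp_root):
    """Map relative path -> sha256 for every .efi file under esp_root."""
    inv = {}
    for dirpath, _, files in os.walk(esp_root):
        for name in files:
            if name.lower().endswith(".efi"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, esp_root).replace(os.sep, "/")
                inv[rel] = hash_file(full)
    return inv


def save_baseline(inv, path):
    """Persist a baseline taken right after a legitimate, scheduled update."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(inv, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def diff_inventory(baseline, current):
    """Findings that warrant scrutiny: (kind, relative path) tuples, sorted."""
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("added", rel))      # e.g. an unexpected shim/grub binary
        elif baseline[rel] != digest:
            findings.append(("changed", rel))    # e.g. bootmgfw.efi swapped for another build
    for rel in baseline:
        if rel not in current:
            findings.append(("removed", rel))
    return sorted(findings)


def build_sample_esp(root, files):
    """Write a constructed ESP-like tree from {relative path: bytes}."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Constructed scenario: a baseline ESP, then a later snapshot in which the
    Windows boot manager differs and two extra EFI binaries have appeared."""
    good = {
        "EFI/Microsoft/Boot/bootmgfw.efi": b"placeholder-bootmgfw-current",
        "EFI/Boot/bootx64.efi": b"placeholder-fallback-loader",
    }
    later = dict(good)
    later["EFI/Microsoft/Boot/bootmgfw.efi"] = b"placeholder-bootmgfw-other-build"
    later["EFI/Microsoft/Boot/grubx64.efi"] = b"placeholder-grub"
    later["EFI/Microsoft/Boot/shimx64.efi"] = b"placeholder-shim"
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as cur:
        build_sample_esp(base, good)
        build_sample_esp(cur, later)
        baseline_path = os.path.join(base, "esp-baseline.json")
        save_baseline(inventory(base), baseline_path)
        return diff_inventory(load_baseline(baseline_path), inventory(cur))


if __name__ == "__main__":
    # Real use: python esp_check.py <mounted-esp-path> <baseline.json>
    # With no arguments the constructed demo scenario runs instead.
    if len(sys.argv) == 3:
        result = diff_inventory(load_baseline(sys.argv[2]), inventory(sys.argv[1]))
    else:
        result = demo()
    for kind, rel in result:
        print(f"{kind:8s} {rel}")
```

Take the baseline immediately after a known-good, scheduled update and store it off the endpoint; a finding of any kind is worth a ticket, since the boot partition should otherwise not change between updates.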
The BlackLotus threat underscores the persistent and evolving nature of cybersecurity risks. Organizations need to stay informed and take proactive measures to safeguard their systems. While the confusion surrounding BlackLotus presents challenges, these can be mitigated by adopting the comprehensive measures recommended by the NSA and Microsoft, tailored to the specific needs of the organization. For more detailed guidance, organizations can refer to the official NSA information sheet. By understanding the threat and implementing the advised preventative measures, businesses can significantly reduce their exposure to the BlackLotus bootkit and similar threats.
Alongside the revelation of NSA’s BlackLotus UEFI Bootkit, it’s essential to note the vulnerabilities of other digital systems, highlighted by the recent hacking of spyware provider LetMeSpy.