uTalk

thrive

Member

Registered: 2023-01-04

Posts: 2,018

NSA guide to combat powerful BlackLotus bootkit that targets Windows

The US. On Thursday, the National Security Agency (NSA) released guidelines to assist businesses in identifying and guarding against the BlackLotus UEFI bootkit infection.

The organization advises "infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition" in order to achieve this goal. ".

In October 2022, Kaspersky first raised awareness of BlackLotus, an advanced anti-crimeware solution. Samples of the malware have since circulated in the wild and are a UEFI bootkit capable of evading Windows Secure Boot safeguards.

This is done by exploiting a known Windows vulnerability known as Baton Drop (CVE-2022-21894, CVSS score: 4.4), which was found in vulnerable boot loaders not included in the Secure Boot DBX revocation list. In January 2022, Microsoft released a patch to address the vulnerability.

Threat actors may use this flaw to replace fully patched boot loaders with vulnerable versions and launch BlackLotus on infected endpoints.

A threat actor can completely control how the operating system boots up thanks to UEFI bootkits like BlackLotus, which gives them the power to tamper with security features and install additional payloads with elevated privileges.

It's important to note that BlackLotus targets the initial software phase of the boot process rather than the firmware to achieve persistence and evasion. No proof exists that the malware specifically targets Linux systems.

When compared to firmware implants, UEFI bootkits may not be as stealthy. ] as bootkits are located on an easily accessible FAT32 disk partition," ESET researcher Martin Smolár stated in an analysis of BlackLotus in March 2023.

But operating as a bootloader spares them from having to get past multilevel SPI flash defenses like the BWE, BLE, and PRx protection bits or hardware protections like Intel Boot Guard, giving them nearly the same capabilities as firmware implants. ".

GRATIS GUIDE.

The Ultimate Three-Step Guide to Zero Trust Access Implementation Today!
Simply take concrete steps to increase the security and productivity of your company instead of using empty platitudes. Do not overlook this thorough guide!

Guide, download.

Organizations are urged to take the following mitigation measures in addition to installing the Microsoft May 2023 Patch Tuesday updates, which fixed a second Secure Boot bypass vulnerability (CVE-2023-24932, CVSS score: 6.7) exploited by BlackLotus.

reinstall recovery media.

Defensive software should be set up to monitor alterations to the EFI boot partition.
Keep an eye out for strange changes in the EFI boot partition by monitoring device integrity measurements and boot configuration.
In order to prevent older, signed Windows boot loaders, modify UEFI Secure Boot.
On devices that only boot Linux, remove the Microsoft Windows Production CA 2011 certificate.
For its part, Microsoft is closing the attack vector gradually. In the first quarter of 2024, the fixes are anticipated to be generally accessible.