Researchers have discovered malware dubbed BlackLotus, which bypasses Microsoft’s Secure Boot. It is expected to spawn copycats (some already available on the Dark Web) and to draw more attackers to firmware, increasing their activity.
This month, March 2023, researchers published an analysis of the BlackLotus bootkit, which bypasses UEFI Secure Boot.
UEFI is the lowest level of firmware on a system, so a vulnerability in its code lets an attacker execute malware before the OS kernel, security software, and everything else loads. That allows the implantation of persistent malware that normal security agents will not detect. It also gives the attacker kernel-mode execution, the ability to control and subvert every other program on the machine (surviving OS reinstalls and even hard drive replacements), and the ability to load additional malware at the kernel level.
The US DHS and DoC recently warned about the persistent threat posed by firmware rootkits and bootkits in a draft report on supply chain security issues. With BlackLotus the stakes are high: Microsoft patched the flaw it targets, known as Baton Drop and tracked as CVE-2022-21894, but the patch only makes exploitation more difficult, not impossible, and the impact of the vulnerability will be hard to measure because affected users will likely see no signs of compromise. The certificate of the vulnerable version also remains valid.
Once an attacker has this foothold on the machine, they can turn off logging and essentially lie to every defensive countermeasure on the system, telling it that everything is safe. Persistence on the system is the threat actor’s goal, and as adoption of this technique grows, UEFI persistence lets them operate far more stealthily than any kind of OS-level persistence.
Microsoft maintains a list of cryptographic hashes of legitimate Secure Boot bootloaders. To prevent the vulnerable boot loader from working, the company would have to revoke the hash, but that would also prevent legitimate — although unpatched — systems from working.
Organizations are advised to update their firmware and revocation lists on a regular basis and to monitor endpoints for indications that an attacker has made modifications.
This research was documented by researchers from ESET.
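The revocation list referred to above is the UEFI `dbx` variable, a sequence of `EFI_SIGNATURE_LIST` structures whose SHA-256 entries name forbidden boot images. The script below is an added example, written for this page and not code from ESET or Microsoft, showing how a defender can parse that payload and check whether a given image hash is revoked. The `dbx` blob, owner GUID and "bootloader" bytes are constructed stand-ins; real `dbx` entries hold the Authenticode PE hash of the image rather than a flat SHA-256 of the file, so the hashing step is a placeholder for that computation.

```python
import hashlib
import struct
import uuid

# Signature-type GUID that marks SHA-256 hash entries in db/dbx (from the UEFI spec).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Owner GUID for the constructed sample list below (not Microsoft's real owner GUID).
SAMPLE_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
# Path where Linux efivarfs exposes dbx; the file carries a 4-byte attribute prefix.
LINUX_DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# EFI_SIGNATURE_LIST header: SignatureType GUID (16), SignatureListSize (4),
# SignatureHeaderSize (4), SignatureSize (4). GUIDs use the mixed-endian
# layout that uuid's bytes_le handles.
LIST_HEADER_LEN = 28


def parse_signature_lists(blob: bytes) -> list:
    """Return (signature_type, owner, data) for every entry in a concatenated
    sequence of EFI_SIGNATURE_LIST structures, validating sizes as it goes."""
    entries = []
    offset = 0
    while offset + LIST_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < LIST_HEADER_LEN or offset + list_size > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        sigs_start = offset + LIST_HEADER_LEN + header_size
        sigs_end = offset + list_size
        if sig_size < 16 or sigs_start > sigs_end or (sigs_end - sigs_start) % sig_size:
            raise ValueError("signature size does not divide the signature area")
        for pos in range(sigs_start, sigs_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        offset += list_size
    if offset != len(blob):
        raise ValueError("trailing bytes after the last signature list")
    return entries


def build_sha256_list(owner: uuid.UUID, hashes: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here to construct sample data)."""
    sig_size = 16 + 32  # owner GUID + SHA-256 digest
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", LIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body


def revoked_sha256_hashes(blob: bytes) -> set:
    """Collect every SHA-256 digest that the dbx payload forbids."""
    return {data for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}


def is_revoked(blob: bytes, image_hash: bytes) -> bool:
    """True if the given image hash appears in the revocation list."""
    return image_hash in revoked_sha256_hashes(blob)


def load_dbx_from_efivars(path: str = LINUX_DBX_PATH) -> bytes:
    """Read the live dbx on Linux; efivarfs prefixes the variable with its 4-byte attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample: one revoked "bootloader" and one that is not listed.
VULNERABLE_IMAGE = b"constructed: old, unpatched bootloader bytes"
CURRENT_IMAGE = b"constructed: patched bootloader bytes"
SAMPLE_DBX = build_sha256_list(SAMPLE_OWNER_GUID, [hashlib.sha256(VULNERABLE_IMAGE).digest()])

if __name__ == "__main__":
    for sig_type, owner, data in parse_signature_lists(SAMPLE_DBX):
        print(f"type={sig_type} owner={owner} hash={data.hex()}")
    print("vulnerable image revoked:", is_revoked(SAMPLE_DBX, hashlib.sha256(VULNERABLE_IMAGE).digest()))
    print("current image revoked:   ", is_revoked(SAMPLE_DBX, hashlib.sha256(CURRENT_IMAGE).digest()))
```

To run it against a real system, replace `SAMPLE_DBX` with `load_dbx_from_efivars()` on Linux, or on Windows with the bytes returned by `Get-SecureBootUEFI -Name dbx`; a bootloader whose Authenticode hash is absent from that list is still trusted by the firmware, which is the gap the article describes.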
Indicators of Compromise