BlackLotus Secure Boot Bypass Malware Set to Ramp Up

March 10, 2023

Cybersecurity experts have warned that BlackLotus, the first in-the-wild malware to bypass Microsoft's Secure Boot (even on fully patched systems), will spawn copycats and, being sold on the Dark Web as an easy-to-use bootkit, will inspire firmware attackers to increase their activity. This means that companies need to step up their efforts to validate the integrity of their servers, laptops, and workstations, starting now.

BlackLotus bypasses a fundamental Windows security feature known as Unified Extensible Firmware Interface (UEFI) Secure Boot, which Microsoft introduced more than a decade ago and which is now considered one of the foundations of its Zero Trust framework for Windows. Threat actors and security researchers have increasingly targeted Secure Boot implementations, because a successful attack means that an attacker is getting around all of a company's traditional security defenses. With UEFI persistence, attackers can operate far more stealthily than with any kind of OS-level persistence.

Now that BlackLotus has been commercialized, it paves the way for the development of similar wares, researchers note. "We expect to see more threat groups incorporating secure boot bypasses into their arsenal in the future," says Martin Smolár, malware researcher at ESET.

Even though Microsoft patched the vulnerability that BlackLotus targets (CVE-2022-21894) more than a year ago, the certificate of the vulnerable version remains valid. Paul Asadoorian, principal security evangelist at Eclypsium, warns that "if an attacker does manage to get a foothold, companies could be running blind, because a successful attack means that an attacker is getting around all of your traditional security defenses." To prevent the vulnerable boot loader from working, Microsoft would have to revoke the hash, but that would also prevent legitimate — although unpatched — systems from working. "To fix this you have to revoke the hashes of that software to tell Secure Boot and Microsoft's own internal process that that software is no longer valid in the boot process," says Asadoorian.
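The revocation Asadoorian describes lands in the UEFI forbidden-signature database (dbx), which is what a defender can actually audit. The following PowerShell is an added example, not code from the article or from any vendor named in it: it reads dbx through Windows' built-in SecureBoot module, walks the EFI_SIGNATURE_LIST structures, and reports whether a given boot-loader hash is revoked. It assumes an elevated session on a UEFI Windows machine; the hash passed at the end is a placeholder, since the article gives no hash values.

```powershell
# EFI_CERT_SHA256_GUID marks SHA-256 signature lists in dbx (from the UEFI specification).
$EfiCertSha256Guid = [Guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-DbxSha256Hashes {
    # Returns every revoked SHA-256 hash stored in dbx as an uppercase hex string.
    $bytes  = (Get-SecureBootUEFI -Name dbx).Bytes
    $hashes = New-Object System.Collections.Generic.List[string]
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SigSize(4)
        $type       = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        # Stop on a malformed list rather than reading past the end of the variable.
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }
        if ($type -eq $EfiCertSha256Guid -and $sigSize -eq 48) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SHA-256 digest(32)
                $digest = $bytes[($pos + 16)..($pos + 47)]
                $hashes.Add((($digest | ForEach-Object { $_.ToString('X2') }) -join ''))
                $pos += $sigSize
            }
        }
        $offset += $listSize   # other list types (x509, SHA-1, ...) are skipped whole
    }
    return $hashes
}

function Test-BootLoaderRevoked {
    param([Parameter(Mandatory)][string]$Sha256Hex)
    # True when the hash is in dbx, i.e. Secure Boot will refuse to load that binary.
    return (Get-DbxSha256Hashes) -contains $Sha256Hex.ToUpperInvariant()
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this machine.' }
$revoked = Get-DbxSha256Hashes
"dbx holds $($revoked.Count) revoked SHA-256 entries"
# PLACEHOLDER hash: replace with the Authenticode SHA-256 of the boot loader you are auditing.
Test-BootLoaderRevoked -Sha256Hex '0000000000000000000000000000000000000000000000000000000000000000'
```

Run this across a fleet to confirm that a revocation update actually reached each machine's firmware variable, rather than trusting that the OS patch alone closed the gap.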
