BlackLotus Secure Boot Bypass Malware Set to Ramp Up
March 10, 2023
Cybersecurity experts have warned that BlackLotus, the first in-the-wild malware to bypass Microsoft's Secure Boot (even on fully patched systems), will spawn copycats and, now that it is sold as an easy-to-use bootkit on the Dark Web, will inspire firmware attackers to increase their activity. This means that companies need to step up efforts to validate the integrity of their servers, laptops, and workstations, starting now.
BlackLotus bypasses a fundamental Windows security feature known as Unified Extensible Firmware Interface (UEFI) Secure Boot, which Microsoft introduced more than a decade ago and which is now considered one of the foundations of its Zero Trust framework for Windows. Threat actors and security researchers have increasingly targeted Secure Boot implementations, because a successful attack means that an attacker gets around all of a company's traditional security defenses. With UEFI persistence, attackers can operate far more stealthily than with any kind of OS-level persistence.
Now that BlackLotus has been commercialized, it paves the way for the development of similar wares, researchers note. "We expect to see more threat groups incorporating secure boot bypasses into their arsenal in the future," says Martin Smolár, malware researcher at ESET. Even though Microsoft patched the vulnerability that BlackLotus targets (CVE-2022-21894) more than a year ago, the certificate of the vulnerable version remains valid. Paul Asadoorian, principal security evangelist at Eclypsium, warns that "if an attacker does manage to get a foothold, companies could be running blind, because a successful attack means that an attacker is getting around all of your traditional security defenses." To prevent the vulnerable boot loader from working, Microsoft would have to revoke the hash, but that would also prevent legitimate — although unpatched — systems from working. "To fix this you have to revoke the hashes of that software to tell Secure Boot and Microsoft's own internal process that that software is no longer valid in the boot process," says Asadoorian.
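The revocation mechanism Asadoorian describes is the UEFI dbx (forbidden-signature database): a chain of EFI_SIGNATURE_LIST structures whose SHA-256 entries name the boot-loader images firmware must refuse to load. The following parser is an added example, not code from the article or from ESET or Eclypsium; it reads a dbx blob (on Windows, exported with `Get-SecureBootUEFI -Name dbx -OutputFilePath`; on Linux, the efivars file with its 4-byte attribute prefix stripped) and answers whether a given image hash has been revoked. The sample blob and its hashes are constructed for the demonstration; only the EFI_CERT_SHA256_GUID value is a real UEFI constant.

```python
"""Parse a UEFI Secure Boot dbx blob and check whether a given SHA-256
authenticode hash of a boot-loader image has been revoked."""
import hashlib
import struct
import uuid

# Real UEFI constant: signature type for SHA-256 hash entries (EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER = 28          # 16-byte type GUID + three UINT32 size fields
SHA256_ENTRY = 16 + 32    # 16-byte SignatureOwner GUID + 32-byte hash


def parse_dbx(blob: bytes) -> set[str]:
    """Walk every EFI_SIGNATURE_LIST in `blob`; return the SHA-256 hashes (lowercase hex)."""
    hashes: set[str] = set()
    off = 0
    while off + LIST_HEADER <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HEADER or off + list_size > len(blob):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == SHA256_ENTRY:
            data_off = off + LIST_HEADER + hdr_size
            while data_off + sig_size <= off + list_size:
                # Skip the SignatureOwner GUID; the remaining 32 bytes are the hash.
                hashes.add(blob[data_off + 16:data_off + SHA256_ENTRY].hex())
                data_off += sig_size
        off += list_size   # other signature types (x509 certs, etc.) are skipped whole
    return hashes


def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    """True if the image hash is present in the dbx, i.e. firmware must refuse to boot it."""
    return sha256_hex.lower() in parse_dbx(blob)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (only for constructing test data)."""
    entries = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = struct.pack("<III", LIST_HEADER + len(entries), 0, SHA256_ENTRY)
    return EFI_CERT_SHA256_GUID.bytes_le + header + entries


# Constructed sample data: placeholder hashes standing in for boot-loader images.
REVOKED_A = hashlib.sha256(b"constructed-sample-bootloader-A").hexdigest()
REVOKED_B = hashlib.sha256(b"constructed-sample-bootloader-B").hexdigest()
NOT_REVOKED = hashlib.sha256(b"constructed-sample-bootloader-C").hexdigest()
SAMPLE_DBX = build_sha256_list([REVOKED_A]) + build_sha256_list([REVOKED_B])

if __name__ == "__main__":
    for h in (REVOKED_A, NOT_REVOKED):
        print(h[:16], "revoked" if is_revoked(SAMPLE_DBX, h) else "still bootable")
```

Running the same check against a real exported dbx with the SHA-256 of the boot-loader images actually installed on a machine shows whether the revocation the article describes has reached that host.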