The US National Security Agency (NSA) is urging system administrators to take extra steps beyond patching to safeguard Windows 10 and 11 machines from the BlackLotus bootkit malware. BlackLotus emerged last fall when it was discovered for sale on the Dark Web for $5,000. It has the notorious distinction of being the first malware in the wild to successfully circumvent Microsoft's Unified Extensible Firmware Interface (UEFI) Secure Boot protections. UEFI is the firmware responsible for the boot-up routine, loading before the operating system kernel and any other software. Although BlackLotus is a software threat and not a firmware threat, it exploits two vulnerabilities in the UEFI Secure Boot function to insert itself into the earliest phase of the software boot process initiated by UEFI: CVE-2022-21894, also known as Baton Drop, with a CVSS score of 4.4; and CVE-2023-24932, with a CVSS score of 6.7. Microsoft patched these vulnerabilities in January 2022 and May 2023, respectively.
However, the NSA warns that applying the available Windows 10 and Windows 11 patches is just "a good first step." The NSA's BlackLotus mitigation guide (PDF) states, "Patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX)." The guide continues, "Administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot." This means that threat actors can simply replace fully patched boot loaders with legitimate but vulnerable versions to execute BlackLotus on compromised endpoints. Microsoft is working on a more comprehensive fix scheduled for release in early 2024. Until then, the NSA recommends that infrastructure owners take additional steps to harden their systems, such as tightening user executable policies and monitoring the integrity of the boot partition. An optional advanced mitigation involves customizing the Secure Boot policy by adding DBX records to all Windows endpoints.
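The DBX the guide refers to is a UEFI variable holding a series of EFI_SIGNATURE_LIST structures; a boot loader whose Authenticode image hash appears in a SHA-256 list there is refused by Secure Boot regardless of how it is signed. The parser and list builder below are an added example (not code from the NSA guide or from Microsoft) that show what a DBX record looks like and how a defender can check whether a given boot loader hash has actually been revoked on a machine. The sample DBX blob is constructed inline from placeholder hashes and carries no real revocation entries; the `Get-SecureBootUEFI` export line in the docstring is the Windows PowerShell 5.1 form.

```python
"""Parse a UEFI Secure Boot DBX (forbidden-signatures database) and test
whether a boot loader hash has been revoked.

Added example, not from the NSA guide or any Microsoft tool.  The DBX is a
concatenation of EFI_SIGNATURE_LIST structures (UEFI spec, "Signature
Database").  The sample blob below is constructed here for the demo.
On Windows the live variable can be exported (Windows PowerShell 5.1) with:
    (Get-SecureBootUEFI -Name dbx).Bytes | Set-Content dbx.bin -Encoding Byte
"""
import hashlib
import struct
import uuid
from typing import Iterable, Iterator, Set, Tuple

# EFI_CERT_SHA256_GUID: each entry is a 32-byte SHA-256 of the PE image
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_CERT_X509_GUID: each entry is a DER certificate (whole signer revoked)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian)
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # every EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def iter_signature_data(blob: bytes) -> Iterator[Tuple[uuid.UUID, bytes]]:
    """Yield (signature_type, signature_data) for every entry in every list,
    validating the size fields so a truncated or corrupt DBX is reported
    instead of silently yielding garbage."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        body = blob[off + _LIST_HDR.size + hdr_size : off + list_size]
        if sig_size <= _OWNER_LEN or len(body) % sig_size:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        for i in range(0, len(body), sig_size):
            yield sig_type, body[i + _OWNER_LEN : i + sig_size]
        off += list_size


def revoked_sha256_hashes(blob: bytes) -> Set[str]:
    """All SHA-256 image hashes that the DBX forbids, as lowercase hex."""
    return {data.hex() for t, data in iter_signature_data(blob) if t == EFI_CERT_SHA256_GUID}


def is_hash_revoked(blob: bytes, sha256_hex: str) -> bool:
    """True if the given image hash is denied by this DBX."""
    return sha256_hex.lower() in revoked_sha256_hashes(blob)


def build_sha256_list(digests: Iterable[bytes], owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries, i.e. the record shape an
    administrator appends when adding DBX entries for vulnerable boot loaders."""
    body = b"".join(owner.bytes_le + d for d in digests)
    sig_size = _OWNER_LEN + 32
    return _LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, _LIST_HDR.size + len(body), 0, sig_size) + body


def build_x509_list(der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding a single X.509 entry."""
    body = owner.bytes_le + der
    return _LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, _LIST_HDR.size + len(body), 0, len(body)) + body


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: two placeholder "vulnerable boot loader" hashes plus a
# placeholder certificate entry, so the parser is exercised on mixed lists.
REVOKED_SAMPLES = [b"constructed vulnerable bootmgfw.efi #1", b"constructed vulnerable bootmgfw.efi #2"]
SAMPLE_DBX = build_sha256_list(hashlib.sha256(s).digest() for s in REVOKED_SAMPLES) + build_x509_list(
    b"\x30\x82constructed DER placeholder"
)

if __name__ == "__main__":
    for name, sample in (("old-loader", REVOKED_SAMPLES[0]), ("patched-loader", b"constructed patched image")):
        print(name, "revoked" if is_hash_revoked(SAMPLE_DBX, sha256_hex(sample)) else "still trusted")
```

To run this against a real machine, export the `dbx` variable as in the docstring and pass the file contents as `blob`. The hash you look up must be the Authenticode image hash of the boot loader (the value Sysinternals `sigcheck -h` reports as PESHA256), not a flat SHA-256 of the file, because that is what Microsoft's DBX entries contain; the constructed sample above uses flat hashes only for the demonstration. An empty result for every boot loader hash you care about is exactly the condition the NSA guide describes: the vulnerable loaders remain trusted until DBX records for them are added.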
"Protecting systems against BlackLotus is not a simple fix," says NSA platform security analyst Zachary Blum in the advisory. The advisory provides extensive hardening advice, but fully implementing the NSA's guidance is a process in itself, according to John Gallagher, vice president of Viakoo Labs. He adds, "Given the manual nature of NSA's guidance, many organizations will find that they don't have the resources needed to fully remediate this vulnerability. Additional measures like use of network access control and traffic analysis should also be used until Microsoft can provide a more complete fix."
BlackLotus offers cyberattackers several significant advantages, including persistence even after OS reinstalls and hard drive replacements. Because the malicious code executes in kernel mode before any security software loads, it evades standard defenses like BitLocker and Windows Defender (and can even disable them entirely). It can also control and subvert every other program on the machine and load additional stealthy malware with root privileges. John Gallagher explains, "UEFI vulnerabilities, as the guidance from NSA shows, are particularly difficult to mitigate and remediate because they are in the earliest stage of software and hardware interactions." He adds, "The guidance NSA is providing is critically important as a reminder to pay attention to boot-level vulnerabilities and have a method to address them."
The NSA's guidance highlights the confusion many security teams have about how to combat the bootkit threat. The NSA document states, "Some organizations use terms like 'unstoppable,' 'unkillable,' and 'unpatchable' to describe the threat." It continues, "Other organizations believe there is no threat, due to patches that Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between both extremes." The NSA has not provided an explanation for why it is issuing the guidance now, nor has it shared information about recent mass exploitation efforts or in-the-wild incidents. However, John Bambenek, principal threat hunter at Netenrich, points out that the mere fact that the NSA is speaking up should indicate that BlackLotus is a threat that requires attention. He says, "Whenever the NSA releases a tool or guidance, the most important information is what they aren't saying." Bambenek continues, "They took the time and effort to develop this tool, declassify it, and release it. They will never say why, but the reason was worth a significant diversion from how they usually operate by saying nothing."