Microsoft Offers Guidance on Secure Boot Bypasses by BlackLotus Malware
Microsoft this week offered guidance on how organizations can investigate the possible presence of so-called "BlackLotus" bootkits, which are capable of exploiting Unified Extensible Firmware Interface (UEFI)-based Windows systems.
BlackLotus is able to affect Windows systems, including fully patched Windows 11 clients, at the boot level. It can inject kernel-mode payloads with high privileges, according to the original description of the BlackLotus malware by security solutions firm ESET, in this March 1, 2023 ESET security post.
Secure Boot Bust
UEFI firmware features a Secure Boot capability that was designed to avoid such attacks by bootkits and rootkits. However, attackers nevertheless found a way.
Secure Boot was defeated to inject boot-level payloads by exploiting a vulnerability that Microsoft patched back in Jan. 2022, namely CVE-2022-21894. This vulnerability, called "baton drop," allows the removal of blocks of memory to bypass Secure Boot, according to this GitHub description.
The object of BlackLotus is to establish an HTTP connection to command-and-control software operated by the attacker. It can do so in stealthy manner because it bypassed Secure Boot. Microsoft explained that the "bootkit is primarily a persistence and defense evasion mechanism."
BlackLotus bootkits have been available for sale on hacking forums for "$5,000 since at least October 2022," ESET explained. Even though a patch for CVE-2022-21894 was issued last year by Microsoft, UEFI systems can still be exploited by BlackLotus because the affected UEFI binaries haven't been revoked.
"One year since the vulnerability was fixed, vulnerable UEFI binaries are still not revoked, allowing threats such as BlackLotus to stealthily operate on systems with UEFI Secure Boot enabled, thus providing victims a false sense of security," ESET wrote in March.
Microsoft's BlackLotus Guidance
Microsoft's April guidance doesn't offer much that's new or reassuring on preventing BlackLotus attacks compared with the comprehensive March ESET post.
Microsoft mostly echoed ESET's research findings and noted that BlackLotus can "deactivate various operating system (OS) security mechanisms such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus."
If Microsoft Defender Antivirus is not deactivated, though, then it is capable of detecting BlackLotus threat components, which get identified as trojans for Win32 and Win64 systems. Microsoft also indicated that Microsoft Defender for Endpoint will send alerts regarding "known BlackLotus activity and/or post-exploitation activity," which will be labeled as "possible vulnerable EFI bootloader" in the alerts.
Microsoft also advised organizations to maintain "credential hygiene" by following least-privilege access permissions. Organizations should avoid enabling "domain-wide, admin-level service accounts." They should also restrict local administrative privileges. Doing so is "key to preventing threat actors looking to deploy BlackLotus, which requires either remote administrative privileges on a target machine or physical access to the device," Microsoft explained.
Antimalware products (if not disabled by BlackLotus) should be kept up to date. Microsoft added that "customers utilizing automatic updates for Microsoft Defender Antivirus do not need to take additional action."
Lastly, Microsoft recommended removing third-party UEFI certificate authority (CA) from a Windows system's Secure Boot configuration. This point seems to pertain to Linux users who use Windows. Here's Microsoft's explanation, per this document:
The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increases the attack surface of systems.
This third-party CA issue apparently doesn't apply to so-called "Secured-core PCs" as "Secured-core PCs require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible," Microsoft's document explained.
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.