The U.S. National Security Agency (NSA) has issued guidance to assist organizations in identifying and preventing infections caused by a UEFI bootkit known as BlackLotus. BlackLotus is an advanced crimeware solution, initially highlighted by Kaspersky in October 2022, capable of bypassing Windows Secure Boot protections. The malware exploits a known Windows flaw called Baton Drop (CVE-2022-21894), allowing threat actors to replace fully patched boot loaders with vulnerable versions and execute BlackLotus on compromised endpoints.
While BlackLotus targets the earliest software stage of the boot process, it is not a firmware threat and does not affect Linux systems. To mitigate the risk posed by BlackLotus, the NSA recommends infrastructure owners harden user executable policies, monitor the boot partition’s integrity, update recovery media, configure defensive software to scrutinize changes to the EFI boot partition, and customize UEFI Secure Boot to block older, signed Windows boot loaders. Additionally, organizations are advised to remove the Microsoft Windows Production CA 2011 certificate on devices exclusively booting Linux.
Microsoft is working to address the issue with phased fixes expected to be generally available in the first quarter of 2024. It’s crucial for organizations to stay vigilant and implement the recommended mitigation steps to protect against potential BlackLotus infections, which could give threat actors complete control over the operating system booting procedure, allowing interference with security mechanisms and deployment of additional payloads with elevated privileges.
Reference:
