BlackLotus UEFI bootkit can defeat Secure Boot protection

Alfonso Maruccia

Why it matters: Discovered in October 2022, BlackLotus is a powerful UEFI-compatible bootkit sold on underground marketplaces at $5,000 per license. The malware provides impressive capabilities, and a new analysis now confirms security experts' worst fears.

BlackLotus is a potent threat to modern firmware-based computer security. This UEFI bootkit puts offensive capabilities previously available only to advanced persistent threats (APTs) and state-sponsored groups into the hands of script kiddies and any paying "customer." Kaspersky researchers first spotted the malware being advertised in 2022 and described it as a very compact mixture of Assembly and C code.

A new report by ESET analyst Martin Smolár now confirms one of the malware's most notable and dangerous capabilities: BlackLotus is the first in-the-wild UEFI bootkit able to compromise a system even when UEFI Secure Boot is correctly enabled. Smolár says the malicious kit runs on fully updated UEFI systems.

BlackLotus can also do its dirty work on a fully updated Windows 11 system. The Slovak security company says the malware is the first publicly known threat designed to abuse CVE-2022-21894, a "Secure Boot Security Feature Bypass Vulnerability." Microsoft fixed the flaw in January 2022, but the fix did not revoke the vulnerable, validly signed Windows boot binaries: their hashes were never added to the UEFI revocation list (the dbx variable), so an attacker can bring their own copies of those older signed binaries and exploit the flaw on a fully patched machine.
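The practical check implied by the paragraph above is whether a given signed boot binary is actually in the firmware's forbidden-signature database. The following is an added example, not code from the article or from ESET's report: it parses the dbx variable's EFI_SIGNATURE_LIST structures as laid out in the UEFI specification and tests a binary's hash against the SHA-256 entries. The two "revoked" hashes and the synthetic dbx blob are constructed here for the demonstration and are not real revocation entries; the only assumption about real data is that dbx entries for PE images are Authenticode (PE image) hashes, not hashes of the raw file bytes, so the caller must supply that hash (for example the PESHA256 value shown by Sysinternals `sigcheck -h`).

```python
"""Parse a UEFI dbx (forbidden signatures) blob and check whether a boot
binary's SHA-256 image hash has been revoked.

EFI_SIGNATURE_LIST layout (UEFI spec, Secure Boot variables):
    EFI_GUID SignatureType;        16 bytes, identifies the entry format
    UINT32   SignatureListSize;    size of this whole list, header included
    UINT32   SignatureHeaderSize;  usually 0
    UINT32   SignatureSize;        size of each EFI_SIGNATURE_DATA entry
    UINT8    SignatureHeader[SignatureHeaderSize];
    EFI_SIGNATURE_DATA Signatures[];  each = 16-byte SignatureOwner GUID + data
A dbx blob is simply several such lists concatenated.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, signature_owner, data) for every entry in the blob.

    Bounds are checked on every list so a truncated or corrupt variable raises
    instead of silently yielding a short (and therefore incomplete) revocation set.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size out of range")
        sig_type = uuid.UUID(bytes_le=raw_type)
        body = blob[off + _HDR.size + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def revoked_sha256_hashes(blob: bytes) -> set:
    """All SHA-256 image hashes the firmware refuses to boot."""
    return {data for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, pe_image_sha256: bytes) -> bool:
    """True if the given Authenticode (PE image) SHA-256 is listed in dbx."""
    return pe_image_sha256 in revoked_sha256_hashes(blob)


def strip_efivars_attributes(raw: bytes) -> bytes:
    """Linux efivarfs prefixes variable data with a 4-byte attributes word."""
    return raw[4:]


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here to construct test data)."""
    entries = b"".join(owner.bytes_le + h for h in hashes)
    return _HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, _HDR.size + len(entries), 0, 16 + 32) + entries


# Constructed sample hashes; they stand in for real revoked bootloader image hashes.
SAMPLE_REVOKED_A = hashlib.sha256(b"constructed: revoked bootloader A").digest()
SAMPLE_REVOKED_B = hashlib.sha256(b"constructed: revoked bootloader B").digest()
SAMPLE_UNREVOKED = hashlib.sha256(b"constructed: signed but never revoked").digest()
# Two lists back to back, as a real dbx variable would be after several updates.
SAMPLE_DBX = build_sha256_list([SAMPLE_REVOKED_A]) + build_sha256_list([SAMPLE_REVOKED_B])

if __name__ == "__main__":
    for name, h in (("A", SAMPLE_REVOKED_A), ("B", SAMPLE_REVOKED_B), ("unrevoked", SAMPLE_UNREVOKED)):
        print(name, "revoked" if is_revoked(SAMPLE_DBX, h) else "NOT revoked, firmware will boot it")
```

On Windows the raw bytes come from `(Get-SecureBootUEFI -Name dbx).Bytes`; on Linux from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after dropping the 4-byte attributes prefix. A signed boot binary whose image hash is absent from this set is exactly what the article describes: still acceptable to the firmware, however old or vulnerable it is.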

The bootkit can disable OS-level security features such as BitLocker, HVCI, and Windows Defender. Smolár notes that once installed, the malware's primary goal is to deploy a kernel driver that protects the bootkit from removal, followed by an HTTP downloader that contacts the command-and-control server for further instructions or additional user-mode or kernel-mode payloads.

According to Smolár, the BlackLotus offer discovered on hacker forums is genuine: the malware is as capable as the original seller claimed. Who created it is still unknown. So far, the most telling clue about its origins is that some BlackLotus installers do not proceed with bootkit installation on systems whose locale is set to Moldova, Russia, Ukraine, Belarus, Armenia, or Kazakhstan.

Smolár points out that UEFI bootkits are "very powerful threats" because they control the OS boot process and can disable various OS security mechanisms to deploy malicious payloads invisibly during startup. BlackLotus is the first fully featured UEFI bootkit of this kind discovered in the wild. It likely won't be the last, since a proof-of-concept exploit for CVE-2022-21894 is already available on GitHub.

So, any more information about what it takes to install this? If it takes actual physical access to the PC, then it seems like it is not as much of a threat as this article makes it out to be. But what the heck, it's a nice click-bait article since it does not present complete information - unless I missed it, which seems unlikely since I read the article more than once.

And this just goes to show that it seems like no matter what the protection mechanisms are, they can always be circumvented by someone with the will to do so.
 
Imagine it will be combined with other vulnerabilities to trigger a system reboot with the payload.

Safely assume any PC taken possession of is 100% compromised, whether the latest Windows, Linux, Apple, etc. - or the famous, on TS, unhackable XP system.

Linux Secure Boot is apparently vulnerable as well.

People complained about MS implementing this - so those people won't care, as they didn't want it anyway.

Considering people find takeovers for highly controlled game consoles and iPhones with smaller attack surfaces...

So for Joe Bloggs, removing unwanted software, keeping software up to date, not opening or responding to stuff, etc., and limited accounts is probably enough.

Plus "validly signed binary files" - probably another article on this and certificates would be good, with the likes of legitimate software update servers hijacked.
 
Smells like a state actor gone into private enterprise.

The article doesn't mention some crucial info - what is the attack vector? How can a user avoid/prevent infection?
"CVE-2022-21894 "Secure Boot Security Feature Bypass Vulnerability." Microsoft fixed this flaw in January 2022. However, bad actors can still exploit it using validly signed binary files not added to the UEFI revocation list"
-----------------------------------------------------------------------------------
Bleeping Computer had a recent article describing this attack vector
Article was pulled in the past 24 hours but likely due to recent updates on the story
Check back in 24 hours
-------------------------------
How can a user avoid/prevent infection?
Keep Windows and UEFI firmware updated and wait for further information
---------------------------------------------------------------------------------------------------
I simply avoid this crap by running a 2011 Old-School BIOS and keep it password protected
The BIOS is original and has never been updated
It has a Read Only Backup and BIOS changes are never allowed while a boot disk/hard disk/thumb drive or any other malware vector is connected to the system

It works great as I run Windows XP-SP2 "ONLINE" in a full admin account while studying malware without a single Microsoft security update

It is a totally Secure OS and firmware combo!

Only untrained UEFI users need to worry about this recent malware threat
 
Infection can still occur with the KB patches as the UEFI revocation has not been updated.

In the end... same junk as always... don't click the bad things.
 
Unfortunately, there are those out there who have no clue as to what "the bad things" means and will click them - unknowingly.
 
M$ and others who promote SafeBoot openly admitted in an IEEE paper back in 2009 that the goal is a digital concentration camp, not the safety of the owners of a system with such a feature. They blamed the fact that the owners of systems without SafeBoot have full control over their computers and, oh horror, can install pirated software and break manufacturers' software! M$, like smartphone manufacturers, has long wanted to take full control over the computers of its Windows users, so that they, and not the owner of the device, can decide what he can put on it and how to use it. And this is the pure definition of a "digital concentration camp". On smartphones, 99% of the world's population is already in a digital concentration camp, since they do not even have smartphone administrator rights in the system (root) and are completely dependent on the will of the OS and smartphone manufacturer.

And let's not forget about Intel ME, a secret, deliberately poorly documented system not manageable by the x86 PC owner. All motherboards since 2006 have an integrated Intel ME coprocessor that can independently and remotely control the computer against the owner's will. Which 99% of the population, again, is not even aware of, and there are already a bunch of exploits that allow full control of your computer to be taken even if it is turned off but connected to a cable or wi-fi network.

And since in most motherboards and laptops there is no direct BIOS setup for Intel ME, owners don't even know what's going on in there...

Read wiki article about this spy system and blackhole to your PC...
 
All this once again proves that the entire consortium of hardware and software manufacturers do not care about the safety of customers. All they care about is having control over the majority of people on the planet in terms of what they can install and how they use it. They are all 100% mental totalitarians and greedy capitalists. Nothing more.

As Thomas Dunning said in the 19th century:
Capital is said … to fly turbulence and strife, and to be timid, which is very true; but this is very incompletely stating the question. Capital eschews no profit, or very small profit, just as Nature was formerly said to abhor a vacuum. With adequate profit, capital is very bold. A certain 10 per cent. will ensure its employment anywhere; 20 per cent. certain will produce eagerness; 50 per cent., positive audacity; 100 per cent. will make it ready to trample on all human laws; 300 per cent., and there is not a crime at which it will scruple, nor a risk it will not run, even to the chance of its owner being hanged. If turbulence and strife will bring a profit, it will freely encourage both. Smuggling and the slave-trade have amply proved all that is here stated.
And we are talking about a super profit of 300%+...
 