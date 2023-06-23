



Amid concerns that system administrators are not adequately protected from threats, the NSA has published a guide on how to mitigate attacks involving BlackLotus bootkit malware.

The BlackLotus UEFI bootkit made a name for itself in October 2022 when it was spotted selling for $5,000 on cybercriminal underground forums.

This news sent shivers down the spines of many in the cybersecurity community, as BlackLotus was the first known UEFI bootkit capable of bypassing UEFI Secure Boot on a fully updated UEFI system.

BlackLotus infects a computer’s low-level firmware, bypassing the Secure Boot defenses built into Windows 10 and Windows 11 and allowing malicious code to execute before the PC’s operating system and security defenses are loaded. It is advanced malware that

In this way, an attacker could disable security measures such as BitLocker and Windows Defender without triggering an alarm, and deploy BlackLotus’ built-in protection against removal of the bootkit itself.

Microsoft issued a patch for the Secure Boot flaw in January 2022, but exploitation remains possible as the affected validly signed binaries have not been added to the UEFI revocation list.

Earlier this year, security researchers explained how BlackLotus took advantage of this, “bringing its own copy of a legitimate but vulnerable binary onto systems to exploit vulnerabilities.”

According to the NSA, there is “significant confusion” about the threat posed by BlackLotus.

“Some organizations use terms like ‘unstoppable,’ ‘unkillable,’ and ‘unpatchable’ to describe this threat. Other organizations believe the threat was addressed by the patches Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between the two extremes.”

Patching Windows 10 and Windows 11 against vulnerabilities is just a “good first step,” according to the NSA’s advisory.

In its mitigation guide, the agency details additional steps to harden the system.

However, these changes involve changing how UEFI Secure Boot is configured and should be done with caution. Once activated, it cannot be undone and a mistake can render your current Windows boot media unusable.

“Protecting systems from BlackLotus is not an easy fix,” said Zachary Blum, NSA Platform Security Analyst.

Editor’s Note: The opinions expressed in this guest author article are those of the contributor only and do not necessarily reflect those of Tripwire.

