The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.
To that end, the agency is recommending that “infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition.”
This is accomplished by taking advantage of a known Windows flaw called Baton Drop (CVE-2022-21894, CVSS score: 4.4) discovered in vulnerable boot loaders not added into the Secure Boot DBX revocation list. The vulnerability was addressed by Microsoft in January 2022.
This loophole could be exploited by threat actors to replace fully patched boot loaders with vulnerable versions and execute BlackLotus on compromised endpoints.
UEFI bootkits like BlackLotus grant a threat actor complete control over the operating system booting procedure, thereby making it possible to interfere with security mechanisms and deploy additional payloads with elevated privileges.
Besides applying the May 2023 Patch Tuesday updates from Microsoft, which addressed a second Secure Boot bypass flaw (CVE-2023-24932, CVSS score: 6.7) exploited by BlackLotus, organizations are advised to carry out the following mitigation steps –
Microsoft, for its part, is taking a phased approach to completely close the attack vector. The fixes are expected to be generally available in the first quarter of 2024.
Source: https://thehackernews.com/
