Windows 11 Security at risk? BlackLotus UEFI bootkit defeats Secure Boot
ESET security researchers have discovered a UEFI bootkit that defeats Secure Boot on Windows 11 and Windows 10 devices. Named BlackLotus, it is considered the first UEFI bootkit malware that has been detected in the wild.
The UEFI bootkit runs on fully up-to-date versions of Windows 11 with UEFI Secure Boot enabled. Bootkits like BlackLotus are very dangerous, as they have full control over the operating system boot process. That control enables them to disable various security mechanisms and deploy their "own kernel-mode or user-mode payloads" during the early stages of the operating system start.
Running with such high privileges also makes them both stealthy and powerful.
Secure Boot explained
Secure Boot is a security standard that is designed to control the boot process of devices. At its core, it checks the signatures of boot software, including UEFI firmware drivers, EFI applications and the operating system, to make sure that all signatures are valid. Malware that manipulates any of these would prevent the operating system from launching, as the signature check would fail. Microsoft's Windows 11 operating system requires Secure Boot.
UEFI Secure Boot is designed to prevent UEFI bootkits. ESET notes that a number of known vulnerabilities exist, and that some of these work even on fully updated systems. BlackLotus exploits one of these issues.
ESET researchers discovered the first components of BlackLotus back in late 2022, when they noticed "the BlackLotus user-mode component" in telemetry. Assessment led to the discovery of six BlackLotus installers and the realization that BlackLotus was no ordinary malware.
The researchers made the following discoveries about the malware:
- BlackLotus was able to run on fully patched Windows 11 systems with UEFI Secure Boot enabled.
- The malware exploits a year-old vulnerability, CVE-2022-21894, which is a Secure Boot Security Feature bypass vulnerability. Microsoft did fix the issue in the January 2022 update, but exploitation is still possible, "as the affected, validly signed binaries have still not been added to the UEFI revocation list".
- The malware can disable operating system security features, including BitLocker, Windows Defender and HVCI (Hypervisor-Protected Code Integrity).
- BlackLotus deploys a kernel driver, which protects the bootkit, and an HTTP downloader, which communicates with command and control and may load additional payloads.
- The earliest mention of BlackLotus dates back to October 6, 2022. The bootkit was advertised on an underground forum.
- Some of the BlackLotus installers skip the bootkit installations if they detect certain locales on the device.
ESET's analysis of BlackLotus is detailed and very technical. Interested users should check out the blog post for the full details.
BlackLotus mitigations and remediation
ESET recommends keeping the system and security software up to date. Some security applications may be able to detect the threat before it has a chance to infect the system and achieve persistence.
The main step should be revocation of known vulnerable UEFI binaries that are used to bypass UEFI Secure Boot. ESET recommends distributing updates via Windows Update, but that is something that users have no control over. The company notes that revocation could lead to issues with systems, recovery images and backups, which could become unbootable.
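To make the revocation list concrete, the following added example (not from ESET or the original article) parses a dbx-style blob of EFI_SIGNATURE_LIST structures and checks whether a SHA-256 digest is revoked by hash. The sample blob, digests and owner GUID are constructed; in a real dbx the hash entries are Authenticode image digests, so a plain file hash would not match.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for each entry in a dbx-style blob."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        body, end = offset + 28 + header_size, offset + list_size
        if list_size < 28 + header_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if (end - body) % sig_size:
            raise ValueError("entries do not fill the list exactly")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
        offset = end

def revoked_sha256(blob):
    """Return the hex SHA-256 digests that the blob revokes by hash."""
    return {data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}

def is_revoked(image_digest_hex, blob):
    """True if the given image digest appears as a hash entry in the blob."""
    return image_digest_hex.lower() in revoked_sha256(blob)

def _build_list(sig_type, owner, entries):
    """Serialize one EFI_SIGNATURE_LIST (used only for the constructed sample)."""
    body = b"".join(owner.bytes_le + e for e in entries)
    sizes = struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0]))
    return sig_type.bytes_le + sizes + body

# Constructed sample data: placeholder owner GUID and made-up digests.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
H1 = hashlib.sha256(b"constructed vulnerable bootloader A").digest()
H2 = hashlib.sha256(b"constructed vulnerable bootloader B").digest()
SAMPLE_DBX = (_build_list(EFI_CERT_SHA256_GUID, OWNER, [H1, H2])
              + _build_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + b"\x00" * 30]))

if __name__ == "__main__":
    print("H1 revoked:", is_revoked(H1.hex(), SAMPLE_DBX))
```

When the variable is read through Linux efivarfs, drop the 4-byte attribute prefix before passing the data to the parser.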
The use of common sense, as always, may also prevent infection of systems. Use of virtual machines or sandbox environments to run executable files of questionable origin may reduce the risk of infection.
ESET published BlackLotus file signatures, certificates and domains on its website. These may be blocked preemptively.
The BlackLotus UEFI bootkit is powerful malware. It can successfully attack fully patched Windows 11 systems with Secure Boot enabled, and become a permanent threat on infected devices. The scope of attacks is unknown at this point.
All I wanted was a way to write-protect the firmware on my motherboard. And the industry had to go and create yet another layer that will need constant patching; UEFI.
The more they over think the plumbing, the easier it is to stop up the drain. -LtCdr. Montgomery Scott, UFP Starfleet, “Scotty.”
Would you please shed some more light on what these locales are?
“Some of the BlackLotus installers skip the bootkit installations if they detect certain locales on the device.”
Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine apparently. https://thehackernews.com/2023/03/blacklotus-becomes-first-uefi-bootkit.html
Interesting. I was offered a good deal for a Windows 11 Pro machine back in November last year and accepted it. But the system is still sitting on my table without ever being turned on. I decided not to boot it up yet because I wanted to get as much info as possible about the OS before taking that step.
But the more I read the less I feel confident about it especially now that BlackLotus has made its appearance. The alternative will be to remove Windows 11 altogether and install Linux on it.
If, when I do boot it up I’m forced to login with a Microsoft a/c that in itself will be a good enough reason to get rid of it.
It’s common knowledge that if you install a Russian language pack on your computer, you are reducing your risk of getting malware significantly.
Oho…more of my posts deleted. What’s up Martin? Did I upset you or something?
How about I just post the locales Tachy was enquiring about without posting the source?…. Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.
Nothing has been deleted by us. WordPress comment moderation system is sometimes weird.
Apologies Martin. I didn’t realize WordPress has a say in what appears on forums.
Proof that Windows 11’s security is a joke.
Dumb Microsoft always be dumber.
How difficult could it be to fix this problem? Using BIOS updates or something related with it?
How difficult could it be to fix this problem? Using BIOS updates or something related?
Boot sector scans with Kaspersky Rescue; I think Avast Free offers the option. BitDefender.
Or Command Line options with Microsoft Defender:
Making a huge assumption that the above instructions will work for Windows 11.
Nasty stuff is around the corner . . . .
@VioletMoon thanks for your useful information! :]
And what does someone have to do to become infected? So far everything I’ve read is about how it works once in, but nothing about catching it. Is it easy (eg visiting a compromised web page), slightly harder (stupidly downloading infected software) or incredibly hard (attacker needs access to PC). So many of these reports read like some dangerous virus like Lyssavirus, but if you’re not fondling bats the risk is low.
I guess that an XP system drives this virus nuts
Yes, Celeste. It’s always about what something does once it is in. What about PREVENTION? How exactly would this get onto your computer, in the first place?
I probably inconvenience myself far more than I need to – for example, if something requires physical access to my computer, then I don’t need to worry about it.
It would be VERY helpful if the writers of these articles would be SPECIFIC about EXACTLY HOW a particular piece of malware could gain access to a computer.
@ Anne Fennell,
In this particular case they weren’t unable to provide that information because the method of infection hasn’t yet been discovered at the time of going to print.
There’s an interesting analysis on the ESET site regarding BlackLotus which is worth a read if you’re interested in more in-depth info: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
What about second hand & refurb market though…could easily be tampered with.
It’s a great question:
“It is currently being distributed through phishing emails and malicious websites.”
“BlackLotus can easily be disguised as a legitimate update.”
Not much to go on, but watch your back. It seems the malware will be targeting enterprise systems with users who click on “just about any site or email received.”