Windows 11 Security at risk? BlackLotus UEFI bootkit defeats Secure Boot
ESET security researchers have discovered a UEFI bootkit that bypasses UEFI Secure Boot on Windows 11 and Windows 10 devices. Named BlackLotus, it is the first UEFI bootkit known to bypass Secure Boot in the wild.
The bootkit runs on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled. Bootkits like BlackLotus are very dangerous because they take control of the boot process before the operating system loads. That control lets them disable security mechanisms and deploy their own kernel-mode or user-mode payloads during the earliest stages of startup, which makes them both very stealthy and very powerful, since they run with the highest privileges on the machine.
Secure Boot explained
Secure Boot is a security standard that controls which software is allowed to run during the boot process. At its core, the firmware checks the digital signature of every boot component, including UEFI firmware drivers, EFI applications and the operating system's boot loader, against the keys in its signature database, and refuses to run anything that is unsigned, signed by an untrusted key, or listed in the UEFI revocation list (dbx). Malware that tampers with any of these components would therefore fail the signature check and prevent the operating system from launching. Microsoft's hardware requirements for Windows 11 include Secure Boot.
UEFI Secure Boot is designed to prevent exactly this kind of bootkit. ESET notes, however, that a number of known Secure Boot vulnerabilities exist, and that some of them work even on fully updated systems. BlackLotus exploits one of these issues.
ESET researchers discovered the first components of BlackLotus in late 2022, when they noticed what they describe as "the BlackLotus user-mode component" in their telemetry. Further analysis led to the discovery of six BlackLotus installers and the realization that BlackLotus was no ordinary malware.
The researchers made the following discoveries about the malware:
- BlackLotus was able to run on fully patched Windows 11 systems with UEFI Secure Boot enabled.
- The malware exploits a year-old vulnerability, CVE-2022-21894, a Secure Boot security feature bypass. Microsoft fixed the issue in the January 2022 update, but exploitation is still possible "as the affected, validly signed binaries have still not been added to the UEFI revocation list". Because the vulnerable boot loaders carry valid Microsoft signatures, Secure Boot keeps accepting them until their hashes are revoked.
- The malware can disable operating system security features, including BitLocker, Windows Defender and HVCI (Hypervisor-Protected Code Integrity).
- BlackLotus deploys a kernel driver that protects the bootkit from removal, and an HTTP downloader that communicates with the command and control server and may load additional payloads.
- The earliest mention of BlackLotus dates back to October 6, 2022, when the bootkit was advertised on an underground forum.
- Some of the BlackLotus installers skip the bootkit installation if they detect certain locales on the device.
ESET's analysis of BlackLotus is detailed and very technical. Interested users should check out the blog post for the full details.
BlackLotus mitigations and remediation
ESET recommends keeping the system and security software up to date, as some security products may detect the threat before it has a chance to infect the system and achieve persistence.
The main step should be revocation of the known vulnerable UEFI binaries that are used to bypass UEFI Secure Boot. ESET expects that revocation to be distributed via Windows Update, which is not something users can control themselves. The company also notes that revocation carries risk: systems, recovery images and backups that still rely on the revoked boot loaders could become unbootable.
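The revocation step above, and the signature check described in the Secure Boot section, both come down to one UEFI variable: dbx. The following Python is an added illustration written for this article (it is not ESET's code or any Microsoft tooling): it parses the EFI_SIGNATURE_LIST format that db and dbx use, as laid out in the UEFI specification, and shows why a validly signed loader is accepted until its hash is appended to dbx. The boot-loader bytes, the owner GUID and both dbx blobs are constructed stand-ins, and the plain SHA-256 used here stands in for the Authenticode PE hash the firmware really computes over an EFI image; to run the parser on a live system, feed it `(Get-SecureBootUEFI -Name dbx).Bytes` on Windows or the efivarfs file shown in `load_efivar_dbx` on Linux.

```python
import hashlib
import struct
import uuid

# Entry-type GUIDs defined by the UEFI specification for signature lists.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_IMAGE_SECURITY_DATABASE_GUID: vendor GUID of the db and dbx variables.
IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# EFI_SIGNATURE_LIST header: SignatureType (EFI_GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (three little-endian UINT32s).
SIGLIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every EFI_SIGNATURE_DATA entry in a
    concatenation of EFI_SIGNATURE_LIST structures, the layout of db and dbx."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        end = off + list_size
        data_off = off + SIGLIST_HDR.size + hdr_size
        if end > len(blob) or data_off > end:
            raise ValueError("SignatureListSize exceeds the variable")
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID plus the payload.
        if sig_size <= 16 or (end - data_off) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        sig_type = uuid.UUID(bytes_le=raw_type)  # EFI_GUID uses the Windows GUID byte order
        while data_off < end:
            owner = uuid.UUID(bytes_le=blob[data_off:data_off + 16])
            yield sig_type, owner, blob[data_off + 16:data_off + sig_size]
            data_off += sig_size
        off = end


def revoked_hashes(dbx: bytes) -> set:
    """All EFI_CERT_SHA256 entries in dbx: image hashes the firmware refuses to run."""
    return {data for typ, _, data in parse_signature_lists(dbx) if typ == EFI_CERT_SHA256_GUID}


def build_sha256_list(hashes, owner: uuid.UUID) -> bytes:
    """Encode SHA-256 image hashes as one EFI_SIGNATURE_LIST, which is what a dbx
    update appends to the variable."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    sig_size = 16 + 32  # owner GUID + SHA-256 digest
    hdr = SIGLIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


def image_hash(image: bytes) -> bytes:
    """Stand-in for the Authenticode PE hash the firmware computes over a real EFI
    image (which skips the checksum and certificate-table fields); a plain SHA-256
    of the bytes is used so the example runs on constructed data."""
    return hashlib.sha256(image).digest()


def secure_boot_would_block(image: bytes, dbx: bytes) -> bool:
    """True if the image's hash is revoked, i.e. it is rejected even though its
    signature chains to a certificate that is trusted in db."""
    return image_hash(image) in revoked_hashes(dbx)


def load_efivar_dbx(path=f"/sys/firmware/efi/efivars/dbx-{IMAGE_SECURITY_DATABASE_GUID}") -> bytes:
    """Read the live dbx on a Linux host; the first 4 bytes of an efivarfs file are
    the variable attributes, not part of the signature lists."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed stand-ins for the example; not real boot loaders or real dbx contents.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder owner GUID
VULNERABLE_LOADER = b"constructed stand-in for a validly signed boot loader vulnerable to CVE-2022-21894"
UNRELATED_LOADER = b"constructed stand-in for some unrelated, already revoked image"

# dbx as shipped before the vulnerable loaders are added: only the unrelated hash is listed.
DBX_BEFORE = build_sha256_list([image_hash(UNRELATED_LOADER)], SAMPLE_OWNER)
# A dbx update appends a second EFI_SIGNATURE_LIST that revokes the vulnerable loader.
DBX_AFTER = DBX_BEFORE + build_sha256_list([image_hash(VULNERABLE_LOADER)], SAMPLE_OWNER)

if __name__ == "__main__":
    print("blocked before revocation:", secure_boot_would_block(VULNERABLE_LOADER, DBX_BEFORE))
    print("blocked after revocation: ", secure_boot_would_block(VULNERABLE_LOADER, DBX_AFTER))
    print("revoked hashes after update:", len(revoked_hashes(DBX_AFTER)))
```

The example also shows why the fix is slow and risky rather than a one-line patch. The boot loaders abused by CVE-2022-21894 are signed by the Microsoft certificate that signs every legitimate Windows boot loader, so that certificate cannot be removed from db without breaking every Windows installation; instead each vulnerable binary must be revoked by hash in dbx, and any recovery medium or backup that still carries one of those binaries stops booting the moment the update lands, which is the side effect ESET warns about.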
Common sense, as always, also helps prevent infection. Running executable files of questionable origin inside a virtual machine or sandbox rather than on the host reduces the risk of infecting the system.
ESET has published indicators of compromise for BlackLotus, including file hashes, certificates and domains, on its website. These may be blocked preemptively.
The BlackLotus UEFI bootkit is a powerful piece of malware. It can successfully compromise fully patched Windows 11 systems with Secure Boot enabled and persist on infected devices. The scope of attacks is unknown at this point.