BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11

[silversurfer]

Content source

https://thehackernews.com/2023/03/blacklotus-becomes-first-uefi-bootkit.html

A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape.

"This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," Slovak cybersecurity company ESET said in a report shared with The Hacker News.

"This is the first publicly known, in-the-wild abuse of this vulnerability," ESET researcher Martin Smolár said. "Its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list."

"BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability," effectively paving the way for Bring Your Own Vulnerable Driver (BYOVD) attacks.

BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11

ESET warns of a new, powerful UEFI bootkit malware called BlackLotus that can bypass Secure Boot protection on Windows 11 systems.

thehackernews.com

BlackLotus UEFI bootkit: Myth confirmed | WeLiveSecurity

ESET researchers are the first to publish an analysis of BlackLotus, the first in-the-wild UEFI bootkit capable of bypassing UEFI Secure Boot.

www.welivesecurity.com

 

[ForgottenSeer 69673]

Oh, so spooky!!!! I see an image of a person wearing a ghost sheet.
Some degenerate thinks they can take the name of my fav flower in vain? May the supranatural forces they cannot comprehend make them poop in their pantihose.

 

[zkSnark]

• It’s capable of disabling OS security mechanisms such as BitLocker, HVCI, and Windows Defender.

Any AV or other security measures to protect from this malware?

 

[ForgottenSeer 98186]

Any AV or other security measures to protect from this malware?

This bootkit requires an installer. That means that an installer has to get onto the system and execute. Either it is put onto the system and executed by a user or there is some form of exploit that gets the installer onto a system and it runs. One of the best solutions is default-deny (block execution) such as SRP, WDAC, and similar products.

Once a bootkit is on the system it will be difficult to detect and to remove. So the best protection will prevent the execution of installer or break the exploit or post-exploit run sequence.

 

[HarborFront]

I wonder if ESET's UEFI Scanner would warn and stop the boot up process?

 

[SeriousHoax]

The vulnerability was addressed by Microsoft as part of its January 2022 Patch Tuesday update.

 

[Gandalf_The_Grey]

This bootkit exploit is a year old security boot vulnerability under CVE-2022-21894. Although this vulnerability was already patched last year in January, ESET notes that the exploitation of this is still possible as signed binaries have not yet been added to the UEFI revocation list.

BlackLotus bypasses Secure Boot, Microsoft Defender, VBS, BitLocker on updated Windows 11

BlackLotus, which is a bootkit, has been doing the rounds on the internet since last year. This bootkit is capable of bypassing Secure Boot, disabling BitLocker, Microsoft Defender, and more.

www.neowin.net

 

[ForgottenSeer 69673]

Also, even if it were able to infect your OS, it would be gone on reboot if you are in Shadow Mode.

 

[Andy Ful]

Also, even if it were able to infect your OS, it would be gone on reboot if you are in Shadow Mode.

You should be more concrete in your posts. Most users do not know what it is Shadow Mode, because Shadow Defender is not a popular program.
Anyway, it is very probable that you are right. Shadow Defender can protect EFI partitions (in theory). It is also improbable that the malware would bother to fight Shadow Defender in any way.

 

[ForgottenSeer 69673]

You should be more concrete in your posts. Most users do not know what it is Shadow Mode, because Shadow Defender is not a popular program.
Anyway, it is very probable that you are right. Shadow Defender can protect EFI partitions (in theory). It is also improbable that the malware would bother to fight Shadow Defender in any way.

Thank you, Andy. You are right. I should be a bit wordier in my posts. I used to be. Using Shadow Defender's encrypted write Casch (not writing to disk) also helps yes because Shadow Defender is not a highly popular program, maybe the hackers would not bother. That was my thought also. And as you know, I still use Appguard, configured my way.

I have tried to get someone to test this setup, but none will. Cruelsister, I know is itching to give it a go!!!
I also use Adguard and Malwarebytes extensions in Edge.
I also keep a backup copy of my BIOS
And a Full Marcrium image on a bootable stick
And Firewall Application Blocker in white list mode.

There, how's that?

 

[ForgottenSeer 98186]

Also, even if it were able to infect your OS, it would be gone on reboot if you are in Shadow Mode.

This is not necessarily true. About 10 years ago rootkits and bootkits were all the rage in security geek world. Does anybody remember GMER and ithurricane's PowerTool? There was a lot of hysteria and speculation about rootkits and protecting against them. Somebody did rootkit testing and Shadow Defender (whole-system virtualization) did not completely protect Ring 0. Tony had to make a fix back then.

Virtualization protection against rootkits is tricky stuff. At some low level (Ring 0, firmware) malware can bypass Shadow Defender. It is just a matter of it being carefully studied for its weaknesses. Although I do not know who would put in that time and effort except as a learning exercise. It certainly would not interest the average threat actor interested in money.

 

[ForgottenSeer 69673]

About 10 years ago rootkits and bootkits were all the rage in security geek world.

Yes, I was a member of Rootkit.com. MP_ART, EP_XOFF, Holy father etc. I Rember how GMER and XP_OFF used to debate back and forth and How XP_OFF and MP_ART created Rustock A and B. course then you also had the UnhackMe Program author in the mix as well. My handle at the time for both there and Wilders was controller_2000. Which means OMG 23 years ago.
XP_OFF went to work for Microsoft.

Can you please explain to me what Ring0 has to do with encrypted write Casch?

It is not just about Shadow Defender in my case. It is the overall security config I sport.

How's that?

 

[ForgottenSeer 98186]

Can you please explain to me what Ring) has to do with encrypted write Casch?

Shadow Defender, at the time I referenced, did not virtualize every sector of Ring 0 and some sectors could be modified during Shadow Mode. I cannot recall the specifics. It is over at Wilders buried deep.

This has nothing to do with rootkits, but also, Shadow Defender and other virtualization products do not virtualize firmware. So malicious firmware installers or firmware exploits run in Shadow Mode can theoretically infect a machine.

 

[ForgottenSeer 69673]

Remembering Rootkits: Oh, the memories. Back in the day when there were only 1000 of us Wilders members, If I mentioned Rootkits, all I got was Naked Belly Laughs.
Not one other member even knew what a rootkit was. how funny!!!

 

[ForgottenSeer 69673]

I wonder how many members here or at the Wilders had ever exchanged emails with

Joanna Rutkowska (remember Blue pill?) Her Blog runs from 2006 to 2021.​

Or even Kevin from Bo Clean ?

Joanna Rutkowska - Wikipedia

en.wikipedia.org

 

[ForgottenSeer 98186]

I wonder how many members here or at the Wilders had ever exchanged emails with

Joanna Rutkowska (remember Blue pill?) Her Blog runs from 2006 to 2021.​

Or even Kevin from Bo Clean ?

I remember Joanna from the Qubes project. Never interacted with her. Saw her in-person at a few conferences.

I remember Kevin from the old, early Comodo forum. I cannot recall if I ever had any communications with him.

You're digging up ancient history when it comes to Kevin.

 

[simmerskool]

Thank you, Andy. You are right. I should be a bit wordier in my posts. I used to be. Using Shadow Defender's encrypted write Casch (not writing to disk) also helps yes because Shadow Defender is not a highly popular program, maybe the hackers would not bother. That was my thought also. And as you know, I still use Appguard, configured my way.

How does SD work with AV updates and do you have pop3 email delivered? Do then exclude certain directories in SD? (& if you inadvertently download malware in email?) I used SD several years ago, and eventually it seemed like a pain in the ass. But I also think I have a SD lifetime license. Is current v1.5.0.726 (Aug 2020)?

 

[ForgottenSeer 69673]

I remember Joanna from the Qubes project. Never interacted with her. Saw her in-person at a few conferences.

I remember Kevin from the old, early Comodo forum. I cannot recall if I ever had any communications with him.

You're digging up ancient history when it comes to Kevin.

Wow then in all my travels, never saw your handle before. Which means you also must have had another, if you remember what I do. Very interesting to say the least. As far as Wilders goes. I have posted why some poor mods drove me away, Will never go back. Do you also remember Diamond CS products? They were awesome too.

Thank you for bringing back some good ol memories Oerlink and Andy.

 

[ForgottenSeer 98186]

Diamond CS products?

PortExplorer is from the 2010-ish era.

 

[ForgottenSeer 98186]

As far as Wilders goes. I have posted why some poor mods drove me away, Will never go back.

You know Peter2150 from Wilders died probably 6 or 7 years ago?