Hot Take: Bolster UEFI Cybersecurity Now


Thread author
Staff Member
Malware Hunter
Jul 27, 2015
Quote: "By Dr. Jonathan Spring, Senior Technical Advisor, and Sandra Radesky, Associate Director, Vulnerability Management

Unified Extensible Firmware Interface (UEFI) is a critical software standard in modern computing, yet most people have never heard of it. UEFI is essential to most computers; it replaces the legacy BIOS format, serving as an interface between hardware and operating systems. Attackers have exploited UEFI implementation flaws to gain persistence – that is, the ability to maintain access to a compromised system despite system resets and defensive actions. Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode. In particular, UEFI secure boot developers haven’t all implemented public key infrastructure (PKI) practices that enable patch distribution (the Linux ecosystem implements it well). The Cybersecurity and Infrastructure Security Agency (CISA) is sharing this information with the community regarding the challenges in responding to UEFI attacks to drive solutions that will provide value to system owners who will benefit from UEFI firmware that can be properly updated.

UEFI is the dominant software standard for firmware. Firmware is the software that manages the physical computing machinery that everything else depends on. When you press a power button, UEFI is what gets you from an intricate brick of lifeless silicon to your operating system. The operating system then does the business of the computer: logging you in, being a wireless router, playing a game, or managing an industrial robot. UEFI software also manages the different pieces of computing machinery (i.e., processor, hard drive, graphics card, USB ports, Wi-Fi antenna, etc.) so the operating system can make them function coherently together. Attackers have a clear value proposition for targeting UEFI software. UEFI is a compilation of several components (security and platform initializers, drivers, bootloaders, power management interface, etc.) so what attackers achieve depends on which phase and what element of UEFI they are able to subvert. But every attack involves some kind of persistence. "

Quote: "

UEFI subversion can provide malicious software the ability to persist through:

  • A system reboot, as BlackLotus does – the malware survives basic defensive actions such as turning the device off and on again.
  • An operating system reinstallation – Most incident response practices treat a reinstalled operating system as a clean device. Malware that persists through reinstallation can evade this standard incident response practice.
  • A partial physical part replacement – For example, a compromised component in the motherboard or a corrupted PCI persistent flash storage would persist through a replacement of the physical hard drive. A device infected with this level of persistent malware basically needs to be thrown away rather than repaired.
These are just some examples of the persistence that a UEFI compromise grants an attacker. More persistent malware leads to increased difficulty and costs for removing an attacker from an organization’s systems. "

Quote: "

How Can We Improve UEFI Cybersecurity?

Secure by Design and PSIRT (Product Security Incident Response Team) maturity work jointly to reinforce a holistic security engineering solution, which is more than just secure code. A holistic security engineering solution includes people and an operational mechanism for the feedback loop.

BlackLotus exploits a failure in secure update distribution – an issue at the intersection of Secure by Design and PSIRT maturity. BlackLotus can roll back a file to a vulnerable version and then exploit it, rendering the update distribution channel for UEFI updates on Windows not sufficiently resilient or secure. On May 9, 2023, Microsoft released guidance on how to manually prevent rollback to a vulnerable file version. Microsoft also released plans to automate revocation in early 2024, which is a step in the right direction. However, we continue to work with Microsoft toward a Secure by Default update distribution implementation. BlackLotus highlights the importance of standard-practice PKI usage in secure boot file signing. "

Full source:
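A worked check for the revocation point in the quoted text, added here as an example and not code from CISA, Microsoft or the original post: a small Python parser for the EFI_SIGNATURE_LIST format that UEFI's db and dbx variables use, run over a constructed dbx blob to ask whether a given bootloader build is revoked. The layout (a 16-byte type GUID, three 32-bit sizes, then fixed-size EFI_SIGNATURE_DATA entries each led by an owner GUID) and the two type GUIDs are from the UEFI specification; the owner GUID, the "bootloader builds" and the certificate bytes are placeholders. Real dbx entries for PE binaries are Authenticode (PE image) hashes rather than a flat SHA-256 of the file, so for a real boot manager compute the digest with a tool such as sbverify or pesign and pass it to is_revoked; the flat hash used here only stands in for that.

```python
"""Parse UEFI db/dbx signature databases and check a boot image against dbx.

Added example; not code from CISA, Microsoft or the original post.
The dbx blob below is constructed, and its hashes and certificate bytes
are placeholders, not real Windows boot manager or BlackLotus values.
"""
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# On Linux, efivarfs exposes the live revocation list under this name.
DBX_EFIVAR_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Placeholder owner GUID for the constructed entries (not a real vendor GUID).
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")

SIG_LIST_HEADER_LEN = 28  # EFI_GUID + SignatureListSize + SignatureHeaderSize + SignatureSize


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every
    EFI_SIGNATURE_DATA entry across all concatenated EFI_SIGNATURE_LISTs.
    Every size field is checked against the blob before it is trusted."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size inconsistent with blob length")
        if sig_size < 16:
            raise ValueError("EFI_SIGNATURE_DATA too small to hold an owner GUID")
        entries = blob[off + SIG_LIST_HEADER_LEN + hdr_size:off + list_size]
        if len(entries) % sig_size:
            raise ValueError("EFI_SIGNATURE_LIST body is not a whole number of entries")
        for i in range(0, len(entries), sig_size):
            entry = entries[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, datas: list) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST with an empty SignatureHeader.
    All entries in one list share a single SignatureSize, as the spec requires."""
    sig_size = 16 + len(datas[0])
    if any(16 + len(d) != sig_size for d in datas):
        raise ValueError("all entries in a list must have the same size")
    body = b"".join(owner.bytes_le + d for d in datas)
    header = sig_type.bytes_le + struct.pack("<III", SIG_LIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body


def image_digest(image: bytes) -> bytes:
    """Flat SHA-256 stand-in for the Authenticode hash a real dbx entry holds."""
    return hashlib.sha256(image).digest()


def is_revoked(dbx_blob: bytes, digest: bytes) -> bool:
    """True if the digest appears as an EFI_CERT_SHA256 entry in dbx.
    A rolled-back bootloader that still carries a valid db signature must be
    refused on this check alone; that is what the revocation list is for."""
    return any(t == EFI_CERT_SHA256_GUID and d == digest
               for t, _, d in parse_signature_lists(dbx_blob))


def rejects_malformed(blob: bytes) -> bool:
    """True if the parser refuses the blob instead of reading past its end."""
    try:
        list(parse_signature_lists(blob))
    except ValueError:
        return True
    return False


def load_efivar(path: str) -> bytes:
    """Read an efivarfs variable, dropping the 4-byte attributes prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed revocation list: two "vulnerable builds" plus one placeholder X.509 entry.
REVOKED_IMAGES = [b"constructed bootloader build 1 (vulnerable)",
                  b"constructed bootloader build 2 (vulnerable)"]
PLACEHOLDER_CERT = b"\x30\x82" + b"\x00" * 30  # not a real DER certificate
CONSTRUCTED_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, OWNER_GUID,
                         [image_digest(i) for i in REVOKED_IMAGES])
    + build_signature_list(EFI_CERT_X509_GUID, OWNER_GUID, [PLACEHOLDER_CERT])
)

if __name__ == "__main__":
    for sig_type, owner, data in parse_signature_lists(CONSTRUCTED_DBX):
        kind = "sha256" if sig_type == EFI_CERT_SHA256_GUID else "x509"
        print(f"{kind:6} owner={owner} data={data[:8].hex()}...")
    for candidate in REVOKED_IMAGES + [b"constructed bootloader build 3 (patched)"]:
        print(candidate.decode(), "->", "REVOKED" if is_revoked(CONSTRUCTED_DBX, image_digest(candidate)) else "allowed")
```

Against a live machine, replace CONSTRUCTED_DBX with load_efivar(DBX_EFIVAR_PATH) and feed is_revoked the Authenticode digest of the boot manager on the EFI system partition; an old but validly signed build that shows up as REVOKED is exactly the rollback case the quoted text describes.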

Sandbox Breaker

Level 9
Jan 6, 2022
Well written. I usually reflash the firmware for enterprise customers after an incident. I also check the signatures of the firmware installed to ensure validity. ESET has a scanner and Kaspersky also detects known variants. We need our industry to stay ahead of these. And they are not new!
