The US National Security Agency (NSA) has issued a publication on detecting and mitigating the BlackLotus UEFI bootkit. BlackLotus is the first malware known to bypass UEFI Secure Boot, which makes it a significant threat. It can disable security mechanisms and deploy additional payloads with elevated privileges, giving it complete control over the operating system's boot process.
Although BlackLotus is not a firmware threat, it achieves persistence and evasion by exploiting a vulnerability known as Baton Drop (CVE-2022-21894) to bypass UEFI Secure Boot. Even though Microsoft fixed this vulnerability in January last year, millions of computers remain vulnerable because not everyone keeps their software up to date.
To mitigate BlackLotus, infrastructure owners are advised to apply the latest security updates and to update their recovery media. They should also configure defenses to detect changes to the EFI boot partition, and use endpoint security products and monitoring tools to measure device integrity and the boot configuration. It is also recommended to configure UEFI Secure Boot to block older Windows boot loaders signed before January 2022.
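One way to implement the EFI boot partition change detection recommended above, as an added Python example that is not part of the NSA or Microsoft guidance: it records a SHA-256 manifest of a mounted EFI system partition and later reports files that were added, removed or modified. The directory layout and file contents in `demo()` are constructed for the demonstration; on a real system you would point `build_manifest` at the mounted ESP (for example `S:\` after `mountvol S: /S` on Windows, or `/boot/efi` on Linux) and keep the baseline off the machine.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large boot images are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map every file under the ESP root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files added to, removed from, or changed on the partition since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed example: a fake ESP tree, a known-good baseline, then a changed state."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        bootmgr = esp / "EFI" / "Microsoft" / "Boot" / "bootmgfw.efi"
        fallback = esp / "EFI" / "Boot" / "bootx64.efi"
        for f in (bootmgr, fallback):
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"MZ-constructed-placeholder-" + f.name.encode())
        baseline = build_manifest(esp)  # taken on a known-good system
        # Constructed change: boot manager contents differ and an extra loader appears.
        bootmgr.write_bytes(b"MZ-different-contents")
        (esp / "EFI" / "Boot" / "extra.efi").write_bytes(b"MZ-unexpected")
        return diff_manifest(baseline, build_manifest(esp))

if __name__ == "__main__":
    print(demo())
```

Any entry in `modified` or `added` on a partition that should only change during a patch cycle is a signal to compare against the expected boot manager version before trusting the machine.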
In April, Microsoft published guidance to help organizations determine whether corporate computers have been infected with BlackLotus through the CVE-2022-21894 vulnerability. Organizations and individuals can use Microsoft's recommendations to recover from an attack and to prevent attackers from establishing persistence and evading detection.
Infrastructure owners should be aware of the threat posed by BlackLotus and take appropriate measures to protect their systems. By applying security updates, deploying monitoring tools, and following the other recommended measures, organizations can avoid significant damage and prevent the deployment of additional payloads with elevated privileges.