The Cybersecurity and Infrastructure Security Agency (CISA) is calling for stronger protection of UEFI firmware update mechanisms in the fight against the BlackLotus bootkit.
In a blog post, CISA urged the entire computer industry to adopt a secure-by-default approach to improve the overall security of the UEFI firmware responsible for booting the system. Secure by default means that vendors take responsibility for security, including the mechanisms by which the firmware is updated.
UEFI firmware is a prime target because malicious code planted in it gains a high degree of persistence: it executes before the operating system or any antivirus software, which makes it invisible to most incident response and OS-level protection measures, and it survives system reboots.
From the firmware, attackers can disable OS-level security mechanisms and load arbitrary malicious code with elevated privileges during system startup. The recent BlackLotus attacks highlight the challenges that arise without a more robust update mechanism.
“It is crucial for every system buyer to have confidence in its default safety and its ability to be updated securely,” emphasized CISA.
CISA suggests several measures to improve the security of UEFI updates, including auditing, managing, and updating UEFI components like any other software. It also encourages the use of secure development practices and secure update media.
In April, Microsoft released a patch to help organizations detect BlackLotus infections, which exploit the CVE-2022-21894 vulnerability. Microsoft also provides recommendations for recovery and for preventing further compromise.
In June, the NSA published a guide to detecting and preventing BlackLotus infections. The agency advises infrastructure owners to harden user program execution policies and to monitor the integrity of the boot sector.
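One way to act on the advice to monitor boot integrity, as an added example that is neither CISA's nor the NSA's code: record SHA-256 hashes of every file on the boot partition from a known-good state, then re-hash on a schedule and report anything added, removed, or changed. The mount point of the EFI System Partition and the baseline location are assumptions.

```python
"""Baseline-and-compare integrity check for boot-partition files (added example)."""
import hashlib
import json
from pathlib import Path

EFI_PARTITION = Path("/boot/efi")                  # assumption: where the ESP is mounted
BASELINE_FILE = Path("/var/lib/esp-baseline.json")  # assumption: trusted baseline, kept off the ESP


def hash_tree(root: Path) -> dict:
    """Return {relative path: sha256 hex} for every regular file under root."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: files added, files removed, files whose content changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(root: Path, dest: Path) -> None:
    """Record hashes from a known-good state, e.g. right after a firmware or OS update."""
    dest.write_text(json.dumps(hash_tree(root), indent=2))


def check(root: Path, baseline_path: Path) -> dict:
    """Compare the live tree with the stored baseline; any non-empty list warrants investigation."""
    baseline = json.loads(baseline_path.read_text())
    return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    import sys
    result = check(EFI_PARTITION, BASELINE_FILE)
    print(json.dumps(result, indent=2))
    sys.exit(1 if any(result.values()) else 0)  # non-zero exit lets a scheduler raise an alert
```

A legitimate bootloader update will also show up as "changed", so the baseline must be refreshed after every authorized update.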