
BlackLotus bootkit bypasses UEFI Secure Boot on patched Windows 11
2023-03-02 23:20

The developers of the BlackLotus UEFI bootkit have improved the malware with Secure Boot bypass capabilities that allow it to infect even fully patched Windows 11 systems.

BlackLotus is the first public example of UEFI malware that can bypass the Secure Boot mechanism, which in turn lets it disable the security protections that ship with the operating system.

Arbitrary code can then be executed in the early boot phases, while the platform is still owned by the firmware and the UEFI Boot Services are still available.

Microsoft addressing the vulnerability in June 2022 was not enough to close the security gap, because the UEFI revocation database (DBX) has yet to be updated with the hashes of the signed but vulnerable boot binaries, so firmware with Secure Boot enabled still accepts them.

"As a result, attackers can bring their own copies of vulnerable binaries to their victims' machines to exploit this vulnerability and bypass Secure Boot on up-to-date UEFI systems" - ESET. Last year, researchers disclosed multiple UEFI vulnerabilities [1, 2] that could also be leveraged to disable Secure Boot.
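The revocation mechanism the article refers to is the UEFI DBX variable: a chain of EFI_SIGNATURE_LIST structures whose EFI_CERT_SHA256 entries hold the Authenticode hashes of images the firmware must refuse to load regardless of their signature. The following Python is an added example (not code from the article, ESET or Microsoft) that parses a DBX blob and checks whether a given image hash is revoked, which is exactly the check that fails for the still-unrevoked vulnerable bootloader. The DBX contents, owner GUID and image hashes below are constructed stand-ins; against a real machine you would feed it the firmware's own DBX and the PE Authenticode SHA-256 of the bootloader, not a plain file hash.

```python
"""Check whether a boot image's SHA-256 Authenticode hash is revoked by a UEFI DBX.

Added example: parses the EFI_SIGNATURE_LIST chain that makes up the DBX
variable and tests an image hash against its EFI_CERT_SHA256 entries.
All demo data below is constructed, not taken from a real DBX.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
GUID_LEN = 16
SHA256_LEN = 32
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HDR = struct.Struct("<16sIII")


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, sig_datas: list) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (used here only to construct demo data).
    The spec requires every EFI_SIGNATURE_DATA in one list to have the same size."""
    sizes = {len(d) for d in sig_datas}
    if len(sizes) != 1:
        raise ValueError("all SignatureData entries in one list must be the same size")
    sig_size = GUID_LEN + sizes.pop()            # EFI_SIGNATURE_DATA = SignatureOwner GUID + data
    body = b"".join(owner.bytes_le + d for d in sig_datas)
    list_size = SIG_LIST_HDR.size + len(body)    # SignatureHeaderSize is 0 for these types
    return SIG_LIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size) + body


def parse_dbx(blob: bytes) -> set:
    """Walk every EFI_SIGNATURE_LIST in the DBX and return the set of revoked
    SHA-256 image hashes. Other list types (x509, SHA-1, ...) are sanity-checked
    and skipped. A malformed blob raises ValueError instead of yielding a partial
    set, because a truncated DBX must never be read as 'nothing revoked'."""
    revoked = set()
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_le, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        data_off = off + SIG_LIST_HDR.size + hdr_size
        data_len = list_size - SIG_LIST_HDR.size - hdr_size
        if sig_size <= GUID_LEN or data_len % sig_size:
            raise ValueError(f"inconsistent SignatureSize {sig_size} at offset {off}")
        if uuid.UUID(bytes_le=type_le) == EFI_CERT_SHA256_GUID:
            if sig_size != GUID_LEN + SHA256_LEN:
                raise ValueError(f"SHA256 list with SignatureSize {sig_size}")
            for i in range(data_len // sig_size):
                entry = blob[data_off + i * sig_size : data_off + (i + 1) * sig_size]
                revoked.add(entry[GUID_LEN:])    # drop the SignatureOwner GUID, keep the digest
        off += list_size
    return revoked


def dbx_is_well_formed(blob: bytes) -> bool:
    try:
        parse_dbx(blob)
        return True
    except ValueError:
        return False


def is_revoked(dbx_blob: bytes, image_sha256: bytes) -> bool:
    """True if the firmware would refuse this image because its hash is in the DBX."""
    if len(image_sha256) != SHA256_LEN:
        raise ValueError("expected a raw 32-byte SHA-256 digest")
    return image_sha256 in parse_dbx(dbx_blob)


# --- constructed demo data: stand-ins, not real bootloader hashes or a real owner GUID ---
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
VULNERABLE_STAND_IN_HASH = hashlib.sha256(b"stand-in for a signed but vulnerable bootloader").digest()
OTHER_REVOKED_HASH = hashlib.sha256(b"stand-in for another revoked image").digest()
CLEAN_STAND_IN_HASH = hashlib.sha256(b"stand-in for a current, fixed bootloader").digest()

CONSTRUCTED_DBX = (
    # an x509 list first, to show that non-SHA256 lists are skipped but still validated
    build_signature_list(EFI_CERT_X509_GUID, OWNER_GUID, [b"\x30\x82\x00\x08not-a-real-DER-cert"])
    + build_signature_list(EFI_CERT_SHA256_GUID, OWNER_GUID, [VULNERABLE_STAND_IN_HASH, OTHER_REVOKED_HASH])
)

if __name__ == "__main__":
    # On a real system replace CONSTRUCTED_DBX with the firmware variable:
    #   Linux:   /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    #            (skip the first 4 bytes, which are the variable attributes)
    #   Windows: (Get-SecureBootUEFI -Name dbx).Bytes written to a file
    print(f"DBX revokes {len(parse_dbx(CONSTRUCTED_DBX))} SHA-256 image hashes")
    for name, digest in (("vulnerable stand-in", VULNERABLE_STAND_IN_HASH),
                         ("fixed stand-in", CLEAN_STAND_IN_HASH)):
        print(f"{name}: {'REVOKED' if is_revoked(CONSTRUCTED_DBX, digest) else 'still bootable'}")
```

The practical point of the check is the negative result: if the Authenticode hash of an old, signed bootloader is not in the DBX, Secure Boot will load it even on an otherwise fully patched machine, which is the gap the ESET quote describes. The parser deliberately raises on truncated or inconsistent lists rather than returning what it managed to read, since a silently short answer would look like a clean bill of health.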

BlackLotus is the first publicly disclosed UEFI bootkit that bypasses Secure Boot and is tied to the cybercriminal underground rather than to a research or proof-of-concept effort.


News URL

https://www.bleepingcomputer.com/news/security/blacklotus-bootkit-bypasses-uefi-secure-boot-on-patched-windows-11/