BlackLotus UEFI bootkit disables Windows security mechanisms
2023-03-02 09:08

ESET researchers have published the first analysis of a UEFI bootkit capable of circumventing UEFI Secure Boot, a critical platform security feature.

"Our investigation started with a few hits on what turned out to be the BlackLotus user-mode component - an HTTP downloader - in our telemetry late in 2022. After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers. This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware," says Martin Smolár, the ESET researcher who led the investigation into the bootkit.

The bootkit exploits a vulnerability that is more than a year old to bypass UEFI Secure Boot and set up persistence.

UEFI bootkits are very powerful threats, having full control over the operating system boot process and thus being capable of disabling various operating system security mechanisms and deploying their own kernel-mode or user-mode payloads in early boot stages.

UEFI bootkits may be less stealthy than firmware implants - such as LoJax, the first in-the-wild UEFI firmware implant, discovered by ESET Research in 2018 - because bootkits are located on an easily accessible FAT32 disk partition.

In order to prevent the exploitation of known vulnerable UEFI binaries to bypass UEFI Secure Boot, it is necessary to revoke them in the UEFI revocation database.
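
As an added illustration of the revocation check (not code from ESET or the original article), the sketch below parses the UEFI revocation database (dbx) format, a chain of `EFI_SIGNATURE_LIST` structures, and tests whether a SHA-256 digest is listed. The sample database, owner GUID and helper names are constructed for the example; on a real system the digest to look up is the binary's Authenticode hash, not a hash of the whole file.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID as defined in the UEFI specification
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER = 28  # SignatureType (16) + three little-endian UINT32 size fields

def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a dbx blob."""
    off = 0
    while off + LIST_HEADER <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HEADER or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + LIST_HEADER + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def revoked_sha256(blob):
    """Return the set of SHA-256 digests revoked by the dbx blob."""
    return {data for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256 and len(data) == 32}

def is_revoked(digest, blob):
    """True if the 32-byte digest appears in the revocation database."""
    return digest in revoked_sha256(blob)

def build_sample_dbx(digests, owner):
    """Build one SHA-256 signature list; used only to make constructed test data."""
    body = b"".join(owner.bytes_le + d for d in digests)
    sizes = struct.pack("<III", LIST_HEADER + len(body), 0, 16 + 32)
    return EFI_CERT_SHA256.bytes_le + sizes + body

# Constructed sample data: neither the owner GUID nor the digests are real dbx entries.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
VULNERABLE = hashlib.sha256(b"constructed-vulnerable-loader").digest()
PATCHED = hashlib.sha256(b"constructed-patched-loader").digest()
SAMPLE_DBX = build_sample_dbx([VULNERABLE], SAMPLE_OWNER)

if __name__ == "__main__":
    print("vulnerable loader revoked:", is_revoked(VULNERABLE, SAMPLE_DBX))
    print("patched loader revoked:", is_revoked(PATCHED, SAMPLE_DBX))
```

When the dbx contents are read from Linux efivarfs, strip the leading 4-byte attribute field before passing the data to the parser.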


News URL

https://www.helpnetsecurity.com/2023/03/02/blacklotus-uefi-bootkit-windows/