Security News > 2023 > April > Microsoft shares guidance to detect BlackLotus UEFI bootkit attacks
Microsoft has shared guidance to help organizations check if hackers targeted or compromised machines with the BlackLotus UEFI bootkit by exploiting the CVE-2022-21894 vulnerability.
Analyzing devices compromised with BlackLotus, the Microsoft Incident Response team identified several points in the malware installation and execution process that allow its detection.
Recently modified and locked files in the ESP location, especially if they match known BlackLotus bootloader file names "Should be considered highly suspect." It is advised to remove the devices from the network and examine them for evidence of activity related to BlackLotus.
Another tell of BlackLotus is the presence of the "/system32/" directory on the ESP, which is the storage location for the files required to install the UEFI malware.
A second safety feature that BlackLotus disables is Microsoft Defender Antivirus, the default security agent on the Windows operating system.
To fend off an infection via BlackLotus or other malware exploiting CVE-2022-21894, Microsoft recommends organizations practice the principle of least privilege and credential hygiene.
News URL
Related news
- Hidden Threats: How Microsoft 365 Backups Store Risks for Future Attacks (source)
- Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware (source)
- Microsoft Defender will isolate undiscovered endpoints to block attacks (source)
- US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-01-11 | CVE-2022-21894 | Unspecified vulnerability in Microsoft products Secure Boot Security Feature Bypass Vulnerability | 0.0 |