Microsoft shares guidance to detect BlackLotus UEFI bootkit attacks (Security News, April 2023)

Microsoft has shared guidance to help organizations check if hackers targeted or compromised machines with the BlackLotus UEFI bootkit by exploiting the CVE-2022-21894 vulnerability.
Analyzing devices compromised with BlackLotus, the Microsoft Incident Response team identified several points in the malware installation and execution process that allow its detection.
Recently modified and locked files in the ESP, especially if they match known BlackLotus bootloader file names, "should be considered highly suspect." Microsoft advises removing such devices from the network and examining them for evidence of BlackLotus-related activity.
Another tell of BlackLotus is the presence of the "/system32/" directory on the ESP, which is the storage location for the files required to install the UEFI malware.
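As an added example (not from Microsoft's guidance or the article), the following PowerShell triage script checks an ESP for the indicators described above. It assumes drive letter S: is free to mount the ESP, uses a 30-day "recently modified" window, and uses a placeholder for the known bootloader file names, which should be filled in from Microsoft's published guidance.

```powershell
# Added example: triage the EFI System Partition (ESP) for the BlackLotus
# indicators described in the article. Run from an elevated PowerShell prompt.
$EspDrive   = 'S:'   # assumption: this drive letter is unused
$RecentDays = 30     # assumption: window for "recently modified"
# PLACEHOLDER: replace with the bootloader file names from Microsoft's guidance.
$KnownBootkitNames = @('PLACEHOLDER-BOOTLOADER-NAME.efi')

# mountvol /S exposes the ESP at the given drive letter.
mountvol $EspDrive /S
if (-not (Test-Path $EspDrive)) { throw "Could not mount the ESP on $EspDrive" }

try {
    $findings = @()

    # Indicator 1: a "system32" directory on the ESP (staging area for the bootkit's files).
    $staging = Join-Path $EspDrive 'system32'
    if (Test-Path $staging) { $findings += "Unexpected directory on ESP: $staging" }

    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($f in Get-ChildItem -Path $EspDrive -Recurse -File -Force -ErrorAction SilentlyContinue) {
        # Indicator 2: recently written files, and names matching the known list.
        if ($f.LastWriteTime -gt $cutoff) {
            $findings += "Recently modified: $($f.FullName) ($($f.LastWriteTime))"
        }
        if ($KnownBootkitNames -contains $f.Name) {
            $findings += "Known bootkit file name: $($f.FullName)"
        }
        # Indicator 3: a file that cannot be opened for exclusive access is "locked";
        # locked plus recently modified is the pattern the guidance calls highly suspect.
        try {
            $h = [System.IO.File]::Open($f.FullName, 'Open', 'ReadWrite', 'None')
            $h.Dispose()
        } catch [System.IO.IOException] {
            $findings += "Locked file: $($f.FullName)"
        }
    }

    if ($findings.Count -eq 0) { 'No BlackLotus indicators found on the ESP.' }
    else { $findings | ForEach-Object { Write-Warning $_ } }
}
finally {
    mountvol $EspDrive /D   # always dismount the ESP when done
}
```

Any warning it prints is a triage lead, not a verdict: isolate the host and collect the flagged files for analysis rather than deleting them in place.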
Another security feature that BlackLotus disables is Microsoft Defender Antivirus, the default security agent on the Windows operating system.
To fend off an infection via BlackLotus or other malware exploiting CVE-2022-21894, Microsoft recommends organizations practice the principle of least privilege and credential hygiene.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-01-11 | CVE-2022-21894 | Unspecified vulnerability in Microsoft products Secure Boot Security Feature Bypass Vulnerability | 0.0 |