Security News > 2023 > April > Microsoft shares guidance to detect BlackLotus UEFI bootkit attacks
Microsoft has shared guidance to help organizations check if hackers targeted or compromised machines with the BlackLotus UEFI bootkit by exploiting the CVE-2022-21894 vulnerability.
Analyzing devices compromised with BlackLotus, the Microsoft Incident Response team identified several points in the malware installation and execution process that allow its detection.
Recently modified and locked files in the ESP location, especially if they match known BlackLotus bootloader file names "Should be considered highly suspect." It is advised to remove the devices from the network and examine them for evidence of activity related to BlackLotus.
Another tell of BlackLotus is the presence of the "/system32/" directory on the ESP, which is the storage location for the files required to install the UEFI malware.
A second safety feature that BlackLotus disables is Microsoft Defender Antivirus, the default security agent on the Windows operating system.
To fend off an infection via BlackLotus or other malware exploiting CVE-2022-21894, Microsoft recommends organizations practice the principle of least privilege and credential hygiene.
News URL
Related news
- CISA warns of Microsoft Streaming bug exploited in malware attacks (source)
- DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack (source)
- New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT (source)
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- Week in review: Palo Alto Networks firewalls under attack, Microsoft patches two exploited zero-days (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-01-11 | CVE-2022-21894 | Unspecified vulnerability in Microsoft products Secure Boot Security Feature Bypass Vulnerability | 4.4 |