
To kill BlackLotus malware, patching is a good start, but...
2023-06-22 21:48

BlackLotus, the malware capable of bypassing Secure Boot protections and compromising Windows computers, has caught the ire of the NSA, which today published a guide to help organizations detect and prevent infections of the UEFI bootkit.

In research published in March, ESET malware analyst Martin Smolár confirmed the myth of an in-the-wild bootkit bypassing Secure Boot "is now a reality," as opposed to hypothetical threats raised by some experts and the usual slew of fake bootkits criminals attempted to trick fellow miscreants into buying.

By infecting a computer's firmware (its low-level UEFI software), BlackLotus loads before anything else in the boot process, including the operating system and any security tools that could stop it.

While Redmond fixed CVE-2023-24932 in May this year, "patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database," according to the NSA guide to destroying BlackLotus [PDF].

"Administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot," the guide continues, adding that patches "could provide a false sense of security for some infrastructures."

For Windows admins following this advice: update Secure Boot's DBX deny list with the hashes of the older, still-trusted boot loaders, so the firmware refuses to execute the versions vulnerable to this exploit.
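One way to verify that a DBX update actually landed is to read the variable back and confirm a loader's hash is in it. The parser below is an added illustration, not code from The Register or the NSA guide; it walks the raw DBX body (a sequence of EFI_SIGNATURE_LIST structures) and answers whether a given Authenticode SHA-256 hash is revoked. The sample list, its two hashes and its owner GUID are constructed placeholders, not real revocation entries.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID: marks a signature list whose entries are SHA-256 hashes
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def parse_dbx(blob: bytes):
    """Walk a DBX body (EFI_SIGNATURE_LIST sequence); yield (type, owner, data)."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size < 16:  # every signature starts with a 16-byte SignatureOwner GUID
            raise ValueError("SignatureSize too small")
        body = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def revoked_sha256(blob: bytes):
    """Lower-case hex SHA-256 (Authenticode PE image) hashes the DBX denies."""
    return {d.hex() for t, _, d in parse_dbx(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    return sha256_hex.lower() in revoked_sha256(blob)


def build_sha256_list(hashes, owner: uuid.UUID) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used for sample data)."""
    sig_size = 16 + 32
    hdr = struct.pack("<III", HEADER_LEN + len(hashes) * sig_size, 0, sig_size)
    return EFI_CERT_SHA256_GUID.bytes_le + hdr + b"".join(
        owner.bytes_le + bytes.fromhex(h) for h in hashes)


# Constructed sample: placeholder hashes and a made-up owner GUID, not real entries.
# Live bytes come from (Get-SecureBootUEFI -Name dbx).Bytes on Windows, or on Linux
# from efivarfs file dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f minus its 4-byte prefix.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-0000000000aa")
SAMPLE_HASHES = ["11" * 32, "22" * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES, SAMPLE_OWNER)
```

Feed the real variable bytes to `is_revoked` with the Authenticode hash of the boot loader you expect to be blocked; a missing hash means the deny-list update was not applied.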


News URL

https://go.theregister.com/feed/www.theregister.com/2023/06/22/blacklotus_nsa_guide/

Related Vulnerability

Date:           2023-05-09
CVE:            CVE-2023-24932
Title:          Secure Boot Security Feature Bypass Vulnerability (unspecified vulnerability in Microsoft products)
Attack vector:  local
Complexity:     low
Vendor:         microsoft
Risk:           6.7