
The US National Security Agency (NSA) today released guidance on how to defend against BlackLotus UEFI bootkit malware attacks.

BlackLotus has circulated on hacking forums since October 2022, marketed as malware capable of evading detection, resisting removal efforts, and neutralizing several Windows security features such as Defender, HVCI, and BitLocker.

In May, Microsoft released security updates to address a zero-day vulnerability in Secure Boot (CVE-2023-24932) that was used to circumvent the patches released for CVE-2022-21894, the Secure Boot bug initially abused in BlackLotus attacks last year.

However, the CVE-2023-24932 patch is disabled by default and does not remove the attack vector exploited to deploy BlackLotus.

To secure Windows devices, administrators must follow a manual, multi-step procedure “to update bootable media and apply revocations before enabling this update”.

“BlackLotus may be stopped on fully updated Windows devices, Secure Boot custom devices, or Linux devices. Microsoft has released fixes and continues to strengthen mitigations against BlackLotus and Baton Drop,” the NSA said.

“The Linux community may remove the Microsoft Windows Production CA 2011 certificate on devices that exclusively boot Linux. The mitigation options available today will be enhanced by changes to vendor Secure Boot certificates in the future (some certificates expire from 2026).”

Mitigation tips

NSA Platform Security Analyst Zachary Blum today advised system administrators and network defenders to also implement hardening actions on systems patched against this vulnerability.

“NSA recommends that system administrators in DoD and other networks take action. BlackLotus is not a firmware threat, but rather targets the first software stage of booting,” the NSA said.

“Defensive software solutions can be configured to detect and prevent the installation of the BlackLotus payload or the reboot event that initiates its execution and implantation. The NSA believes that the currently released patches could give a false sense of security to some infrastructure.”

In today’s advisory, the US intelligence agency recommended the following as additional mitigations:

  • Apply the latest security updates, update recovery media, and enable the optional mitigation
  • Reinforce defensive policies by configuring endpoint security software to block attempts to install BlackLotus malware
  • Use endpoint security products and firmware monitoring tools to monitor device health metrics and boot configuration
  • Customize UEFI Secure Boot to block older (pre-Jan 2022) signed Windows bootloaders
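A read-only check of the boot-configuration items the list above refers to (Secure Boot state, DBX revocation contents, HVCI and BitLocker), as an added example that is not code from the NSA advisory or the article. It assumes Windows 10/11 on UEFI firmware and an elevated PowerShell session; the Get-EfiSignatureCount helper name is an assumption of this example.

```powershell
# Added example (not from the NSA advisory): reports the boot-configuration
# settings a defender would monitor on a machine patched against BlackLotus.
# Assumes Windows 10/11 on UEFI firmware, run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-EfiSignatureCount {
    # Counts entries in a raw UEFI signature database, which is a chain of
    # EFI_SIGNATURE_LIST structures: 16-byte type GUID, then three UINT32s
    # (list size, header size, signature size) at offsets 16, 20 and 24.
    param([byte[]]$Bytes)
    $count = 0; $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Malformed list: stop instead of looping forever on a zero-size entry.
        if ($listSize -lt 28 -or $sigSize -eq 0) { break }
        $count  += [math]::Floor(($listSize - 28 - $headerSize) / $sigSize)
        $offset += $listSize
    }
    return $count
}

$report = [ordered]@{}

# 1. Secure Boot must be enforcing, otherwise DBX revocations are never consulted.
try   { $report['SecureBootEnabled'] = Confirm-SecureBootUEFI }
catch { $report['SecureBootEnabled'] = 'Unsupported (legacy BIOS or no UEFI access)' }

# 2. DBX (forbidden signatures): a near-empty DBX means revocations were never applied.
try {
    $dbx = Get-SecureBootUEFI -Name dbx
    $report['DbxBytes']   = $dbx.Bytes.Length
    $report['DbxEntries'] = Get-EfiSignatureCount -Bytes $dbx.Bytes
} catch { $report['DbxEntries'] = 'Unavailable' }

# 3. HVCI (Memory Integrity): BlackLotus turns it off before the reboot that implants it.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$report['HvciRunning'] = [bool]($dg.SecurityServicesRunning -contains 2)  # 2 = HVCI

# 4. BitLocker on the system drive, also disabled by the bootkit during installation.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$report['BitLockerProtection'] = if ($bl) { "$($bl.ProtectionStatus)" } else { 'Not available' }

[pscustomobject]$report | Format-List
```

Run it before and after applying the optional mitigation and compare the DBX figures; Secure Boot off, an unchanged DBX, or HVCI/BitLocker unexpectedly off are the conditions worth alerting on.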

BlackLotus was used in attacks targeting Windows 10 and 11 to exploit a vulnerability (called Baton Drop and tracked as CVE-2022-21894) found in older boot loaders (or boot managers) that allows Secure Boot protection to be bypassed and triggers a series of malicious actions designed to compromise system security.

By exploiting CVE-2022-21894, attackers remove the Secure Boot policy, preventing its application (boot loaders affected by this vulnerability have not yet been included in the Secure Boot DBX revocation list).

“However, no patch has been released to revoke trust in unpatched boot loaders via the Secure Boot Deny List (DBX) database. Administrators should not consider the threat fully patched, as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot,” the NSA said.

As a result, attackers can replace fully patched bootloaders with vulnerable versions, allowing them to install and run the malware on compromised devices.

During the BlackLotus installation process, an Extensible Firmware Interface (EFI) Windows boot loader binary is deployed to the boot partition. BitLocker and Memory Integrity protections are then disabled just before the device restarts to launch and implant the malware.

“Protecting systems against BlackLotus is not a simple solution. Applying patches is a good first step, but we also recommend hardening actions, depending on your system configurations and the security software used,” Blum said.
