Friday, March 31, 2023

Meet BlackLotus, the first UEFI bootkit that bypasses Secure Boot in Windows 11


For the bootkit to work, attackers rely on an old vulnerability which, nevertheless, is still exploitable on many computers.

The stealthy bootkit known as BlackLotus has become the first widely known malware capable of bypassing UEFI Secure Boot, making it a major threat in cyberspace.

“This bootkit can run even on fully updated Windows 11 systems with UEFI Secure Boot enabled,” reads the report from ESET.

UEFI bootkits are deployed in the motherboard firmware and give full control over the operating system boot process, allowing an attacker to disable OS-level security mechanisms and deploy arbitrary payloads with high privileges during system startup.

Details about BlackLotus first surfaced in October 2022, when Kaspersky Lab researcher Sergey Lozhkin described it as “sophisticated criminal software”.

In a nutshell, BlackLotus exploits the vulnerability CVE-2022-21894 (aka Baton Drop) to bypass UEFI Secure Boot protection and establish persistence on the victim’s computer.

According to ESET, successful exploitation of the vulnerability allows arbitrary code execution at the early stages of computer boot, letting an attacker perform malicious actions on a system with UEFI Secure Boot enabled without physical access to it.

“This is the first publicly known use of this vulnerability,” said Martin Smolar, researcher at ESET.

The exact way the bootkit is deployed is not yet known, but it starts with an installer component that is responsible for writing files to the EFI system partition, disabling HVCI and BitLocker, and then rebooting the host. After the reboot, the bootkit itself is installed and is then automatically executed every time the system starts, deploying the kernel driver.
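The installer behaviour described above gives a defender three states worth checking on a suspect host: Secure Boot, HVCI and BitLocker, plus the contents of the EFI system partition. The following triage script is an added example written for this article, not code from ESET or from the BlackLotus report; it assumes an elevated PowerShell session on Windows 10/11 and that drive letter S: is free for mounting the ESP.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or ESET): report the boot-integrity states the
# BlackLotus installer is said to tamper with, and inventory .efi binaries on the ESP.

function Get-BootIntegrityState {
    $state = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems.
    try   { $state.SecureBoot = Confirm-SecureBootUEFI }
    catch { $state.SecureBoot = 'Unavailable (not UEFI?)' }

    # HVCI: SecurityServicesRunning contains 2 when Hypervisor-enforced Code Integrity is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $state.HVCIRunning = [bool]($dg.SecurityServicesRunning -contains 2)

    # BitLocker: protection status of the OS volume (requires the BitLocker feature).
    try {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $state.BitLockerProtection = $os.ProtectionStatus.ToString()
    } catch { $state.BitLockerProtection = 'Unavailable' }

    return [pscustomobject]$state
}

function Get-EspInventory {
    param([string]$Letter = 'S:')   # assumed free drive letter for the ESP
    # Mount the EFI system partition, list every .efi binary with its Authenticode
    # status and timestamp, then unmount it again even if enumeration fails.
    mountvol $Letter /S | Out-Null
    try {
        Get-ChildItem -Path "$Letter\EFI" -Recurse -Filter *.efi -File |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    Modified  = $_.LastWriteTimeUtc
                    Signature = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
    } finally {
        mountvol $Letter /D | Out-Null
    }
}

Get-BootIntegrityState | Format-List
Get-EspInventory | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Recently modified or unsigned .efi files, HVCI reported as not running, or BitLocker protection switched off on a host where policy requires them are the findings to follow up on.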

“Over the past few years, many critical vulnerabilities affecting the security of UEFI systems have been discovered. Unfortunately, due to the complexity of the entire UEFI ecosystem and problems with the update supply chain, many of these vulnerabilities remain relevant even long after the fix,” concluded the ESET specialist.
