NSA releases instructions to protect against BlackLotus UEFI bootkit

Alongside Microsoft's official updates, the agency has published the protective measures it considers necessary.

The US National Security Agency (NSA) has released guidance on detecting and preventing infection by the BlackLotus UEFI bootkit. In it, the agency recommends that infrastructure owners tighten application execution policies and monitor the integrity of the boot partition.

The stealthy BlackLotus bootkit became the first publicly known malware capable of bypassing UEFI Secure Boot protection, which makes it a serious threat. BlackLotus can run even on fully patched Windows 11 systems with UEFI Secure Boot enabled.

UEFI bootkits like BlackLotus give an attacker complete control over how the operating system boots, allowing them to tamper with security mechanisms and deploy highly privileged payloads.

It is worth noting that BlackLotus does not target the firmware itself; instead it focuses on the very early stage of the boot process to achieve persistence and evade detection.

BlackLotus exploits CVE-2022-21894 (Baton Drop) to bypass UEFI Secure Boot protection and establish persistence on the victim's computer. Microsoft fixed this vulnerability back in January last year, but because not everyone keeps their software up to date, millions of computers remain vulnerable to BlackLotus.

In addition to applying the fix for the second Secure Boot bypass vulnerability exploited by BlackLotus (CVE-2023-24932), organizations are encouraged to take the following mitigation steps:

  • Apply the latest security updates and update recovery media and tools;
  • Configure security software to check for changes to the EFI boot partition;
  • Use endpoint security products and firmware monitoring tools to monitor device integrity measurements and boot configuration;
  • Configure UEFI Secure Boot to block older (pre-January 2022) signed Windows boot loaders.
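The second step above, checking the EFI boot partition for changes, comes down to recording a hash baseline of every file on the partition and later diffing the live state against it. The following is an added example, not code from the NSA or Microsoft guidance; it assumes the EFI system partition is mounted read-only at a path you pass in (on Windows, for instance, after `mountvol S: /S` as an administrator) and uses a constructed temporary directory to demonstrate the comparison.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large loaders are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> dict:
    """Map every file under root (ESP-relative, '/'-separated) to its hash."""
    root_p = Path(root)
    return {
        str(p.relative_to(root_p)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root_p.rglob("*")) if p.is_file()
    }


def compare(old: dict, new: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    # Constructed sample ESP layout; real runs point baseline() at the mounted ESP.
    with tempfile.TemporaryDirectory() as d:
        boot = Path(d) / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"constructed boot manager image")
        known_good = baseline(d)           # store this off-host in practice
        # Simulate tampering: the boot manager is replaced and a new file appears.
        (boot / "bootmgfw.efi").write_bytes(b"constructed replaced image")
        (boot / "extra.efi").write_bytes(b"constructed unexpected file")
        return compare(known_good, baseline(d))


if __name__ == "__main__":
    print(demo())
```

Any entry under "modified" or "added" for the Boot directory warrants pulling the file for signature and timestamp review rather than just re-baselining.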

In April, Microsoft issued a guide to help organizations check whether corporate computers have been infected with BlackLotus via the CVE-2022-21894 vulnerability. Organizations and individuals can also draw on Microsoft's best practices for recovering from an attack and for preventing attacker persistence and detection evasion.

Source: www.securitylab.ru