In a recent development, cybersecurity experts have warned that malicious cyber actors might exploit a known flaw in Microsoft Windows’ secure startup process to bypass Secure Boot protection and run the BlackLotus malware. This new threat is significant as it uses a flaw called “Baton Drop” to bypass security measures put in place by the device’s Secure Boot start-up procedure.
BlackLotus has been advertised on hacker forums since October 2022. It is marketed as malware that can evade detection, survive removal attempts, and disable several Windows security mechanisms, including Defender, HVCI, and BitLocker. It attacks Secure Boot by taking advantage of vulnerable boot loaders that have not yet been added to the Secure Boot Deny List Database (DBX).
The attack vector used to install BlackLotus is still present because the mitigations delivered with the CVE-2023-24932 patch are disabled by default. Administrators must therefore perform a manual procedure, which involves updating bootable media and applying the revocations, in order to safeguard Windows devices.
Fortunately, the NSA has released guidelines to help combat the BlackLotus malware. System administrators and network security professionals are recommended to take hardening measures on systems that have been patched against this vulnerability. Defensive software solutions can help detect and stop the installation of the BlackLotus payload or any reboot event that initiates its execution and implantation.
However, the NSA also warns that some organizations may have a false sense of security from the currently available updates. The agency recommends updating recovery media, installing the most recent security updates, and turning on the optional mitigations. It further advises strengthening defensive policy by configuring endpoint security to block attempts to install the BlackLotus malware. Endpoint security products and firmware monitoring tools should be used to track device integrity and boot settings. Customizing UEFI Secure Boot to block older signed Windows boot loaders is another recommended mitigation.
The attacks exploiting the BlackLotus malware primarily target Windows 10 and 11. The vulnerability (CVE-2022-21894), also known as Baton Drop, affects older boot loaders, allowing attackers to bypass Secure Boot security and initiate malicious operations to compromise system security. These boot loaders have not yet been added to the Secure Boot DBX revocation list, allowing attackers to remove the Secure Boot policy.
To install and run the malware on compromised devices, an older version of the Windows boot loader is deployed onto the boot partition. BitLocker and Memory Integrity protections are then turned off just before the device is restarted, enabling the malware to start and implant itself. This process allows attackers to replace fully patched bootloaders with vulnerable versions, making it difficult to defend systems against BlackLotus.
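As an added example that is not from the article or the NSA guidance, the PowerShell check below verifies the state that both the mitigation list above and the infection sequence just described hinge on: Secure Boot enforcement, whether DBX already revokes the certificate that signed the older boot loaders, and whether HVCI and BitLocker are still on. It assumes a UEFI Windows 10/11 host with the SecureBoot, DeviceGuard and BitLocker modules present, and the certificate names follow Microsoft's published guidance for CVE-2023-24932.

```powershell
# Constructed defender-side check (added example, not from the article or the NSA).
# Run in an elevated PowerShell session on a UEFI Windows 10/11 host.
# Assumption: the CVE-2023-24932 revocation places "Windows Production PCA 2011"
# in DBX and "Windows UEFI CA 2023" in DB; the string searches mirror Microsoft's check.
#Requires -RunAsAdministrator

$findings = @()

# 1. Secure Boot must be enforcing at all; Baton Drop only matters when it is.
try {
    $sbOn = Confirm-SecureBootUEFI
} catch {
    $sbOn = $false   # cmdlet throws on legacy BIOS or unsupported platforms
}
if (-not $sbOn) { $findings += 'Secure Boot is not enabled (or platform is not UEFI).' }

# 2. Has the 2011 signing CA been revoked (DBX) and the 2023 CA trusted (DB)?
if ($sbOn) {
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes)
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
    if ($dbx -notmatch 'Microsoft Windows Production PCA 2011') {
        $findings += 'DBX does not revoke "Windows Production PCA 2011": older signed boot loaders still boot.'
    }
    if ($db -notmatch 'Windows UEFI CA 2023') {
        $findings += 'DB lacks "Windows UEFI CA 2023": the updated boot manager is not yet trusted.'
    }
}

# 3. HVCI (Memory Integrity) running? Win32_DeviceGuard reports 2 in SecurityServicesRunning.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -notcontains 2) {
    $findings += 'HVCI is not running; BlackLotus disables it before reboot, so confirm this was expected.'
}

# 4. BitLocker protection on the OS volume?
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $osVol -or $osVol.ProtectionStatus -ne 'On') {
    $findings += 'BitLocker protection is off on the OS volume.'
}

if ($findings.Count -eq 0) {
    Write-Output 'No BlackLotus-relevant gaps found in Secure Boot, DBX, HVCI or BitLocker state.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it periodically from an endpoint management tool and alert on any finding that appears on a host where it was previously absent, since a newly disabled HVCI or BitLocker state immediately before a reboot matches the sequence described above.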
While patching is an important initial step, cybersecurity experts emphasize the need for additional hardening activities based on the system’s setup and the security software employed. Zachary Blum, NSA’s Platform Security Analyst, states that managing and securing endpoints efficiently is crucial in mitigating the risks posed by BlackLotus.
In conclusion, the discovery of the BlackLotus malware exploiting a known flaw in Microsoft Windows’ Secure Boot start-up process highlights the importance of implementing strong security measures and regularly updating systems. By following the guidelines provided by the NSA and adopting defensive strategies, organizations can significantly reduce the risk of falling victim to this new threat.