
Preventing Compromise by Patching BlackLotus BootKit


The US National Security Agency (NSA) has issued a warning to systems administrators about the need for additional security measures to protect Windows 10 and 11 machines from the BlackLotus bootkit malware. This comes after BlackLotus, which was initially available for sale on the Dark Web for $5,000, became the first known malware to successfully bypass Microsoft’s Unified Extensible Firmware Interface (UEFI) Secure Boot protections.

UEFI handles a computer's boot-up routine, loading before the operating system kernel and any other software. BlackLotus is a software bootkit rather than a firmware threat: it exploits two vulnerabilities in UEFI Secure Boot to insert itself into the earliest phase of the boot process. These vulnerabilities, CVE-2022-21894 (Baton Drop) and CVE-2023-24932, were patched by Microsoft in January 2022 and May 2023 respectively.

While patching is a crucial step in protecting against BlackLotus, the NSA emphasizes that it is only the first step. The agency’s BlackLotus mitigation guide states that patches have not been issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX). This means that malicious actors can replace fully patched boot loaders with legitimate but vulnerable versions, allowing them to execute BlackLotus on compromised endpoints.

To address this issue, the NSA recommends additional steps to harden systems. These include tightening user executable policies, monitoring the integrity of the boot partition, and customizing the Secure Boot policy by adding DBX records to all Windows endpoints. However, implementing the NSA’s guidance may prove challenging for many organizations due to its manual nature.
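As an added illustration of the boot-partition monitoring the NSA recommends (example code written for this page, not taken from the NSA guide or the article), the PowerShell below records a SHA-256 baseline of the Windows boot manager on the EFI System Partition, flags later changes, and confirms that Secure Boot is enabled with a non-empty DBX. The S: drive letter and the baseline file path are assumptions; it must run from an elevated prompt.

```powershell
# Added example (not from the NSA guide or the article): baseline and re-check
# the Windows boot manager on the EFI System Partition (ESP), and confirm
# Secure Boot is on with a non-empty DBX. Run from an elevated PowerShell.
# Assumptions: drive letter S: is free; $BaselinePath is a hypothetical path.

$EspDrive     = 'S:'
$BaselinePath = 'C:\ProgramData\BootBaseline\bootmgfw.sha256'   # hypothetical

function Get-BootManagerState {
    # Mount the ESP (mountvol /S selects the EFI System Partition)
    mountvol $EspDrive /S | Out-Null
    try {
        $bootMgr = Join-Path $EspDrive 'EFI\Microsoft\Boot\bootmgfw.efi'
        $file    = Get-Item $bootMgr
        [pscustomobject]@{
            Path        = $bootMgr
            Sha256      = (Get-FileHash -Path $bootMgr -Algorithm SHA256).Hash
            FileVersion = $file.VersionInfo.FileVersion
            LastWrite   = $file.LastWriteTimeUtc
            SecureBoot  = Confirm-SecureBootUEFI
            DbxBytes    = (Get-SecureBootUEFI -Name dbx).Bytes.Length
        }
    }
    finally {
        mountvol $EspDrive /D | Out-Null
    }
}

$state = Get-BootManagerState

if (-not (Test-Path $BaselinePath)) {
    # First run: record the hash of the boot manager installed by the patched OS.
    New-Item -ItemType Directory -Force (Split-Path $BaselinePath) | Out-Null
    Set-Content -Path $BaselinePath -Value $state.Sha256
    Write-Output "Baseline recorded: $($state.Sha256) (version $($state.FileVersion))"
}
else {
    $baseline = (Get-Content $BaselinePath).Trim()
    if ($state.Sha256 -ne $baseline) {
        # A changed boot manager with no matching Windows update deserves a look:
        # a swap to an older, signed-but-vulnerable loader is exactly what the
        # missing DBX revocations leave possible.
        Write-Warning "bootmgfw.efi changed: now $($state.Sha256), version $($state.FileVersion)"
    }
    else { Write-Output "bootmgfw.efi matches baseline" }
}
if (-not $state.SecureBoot) { Write-Warning "Secure Boot is disabled" }
if ($state.DbxBytes -eq 0)  { Write-Warning "DBX is empty: no revocations are enforced" }
```

Re-record the baseline after each Windows update that ships a new boot manager, otherwise every legitimate update will trip the warning.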

BlackLotus is a particularly dangerous bootkit because it persists even after operating system reinstalls and hard drive replacements. It operates in kernel mode, which lets it evade standard security defenses like BitLocker and Windows Defender. It can also subvert and control other programs on the machine and load additional malware with root privileges.

While the severity of the threat is acknowledged by most systems administrators, confusion remains about how to combat it effectively. Some organizations view the threat as “unstoppable,” while others believe that the risk has been mitigated by Microsoft’s previous patches. The NSA reminds organizations that the risk lies somewhere between these extremes and emphasizes the need to pay attention to boot-level vulnerabilities.

The reason behind the NSA’s decision to issue this guidance at this time is unclear, as no recent mass exploitation efforts or in-the-wild incidents have been reported. However, the fact that the NSA has chosen to provide this guidance indicates that BlackLotus is a threat that demands attention.

John Bambenek, principal threat hunter at Netenrich, points out that the release of guidance by the NSA is significant in itself. He suggests that the agency’s decision to develop and release this tool indicates the seriousness of the threat, even if the reasons behind it are not explicitly stated.

In conclusion, the NSA’s warning about the BlackLotus bootkit malware highlights the need for additional security measures beyond patching. The agency’s guidance provides valuable recommendations, but organizations must be prepared for the manual effort required to fully remediate the vulnerabilities. Until Microsoft releases a more comprehensive fix, infrastructure owners should consider implementing advanced mitigations and utilizing additional security measures to protect against BlackLotus and similar threats.
