The US National Security Agency (NSA) shared tips on how to defend against BlackLotus UEFI bootkit malware attacks. BlackLotus has been circulating on hacking forums since October 2022. The malware can evade detection, resist removal attempts, and neutralize multiple Windows security features such as Defender, HVCI, and BitLocker.
In May, Microsoft released security updates to address a Secure Boot zero-day vulnerability (CVE-2023-24932) that was used to circumvent the patches for CVE-2022-21894, the Secure Boot bug initially exploited in BlackLotus attacks last year.
However, the CVE-2023-24932 fix is disabled by default and does not remove the attack vector exploited to deploy BlackLotus. To secure Windows devices, administrators must go through a manual process that requires multiple steps “to update bootable media and apply revocations before enabling this update.”
“BlackLotus is very stoppable on fully updated Windows endpoints, Secure Boot custom devices or Linux endpoints. Microsoft has released patches and continues to strengthen countermeasures against BlackLotus and Baton Drop,” the NSA said.
The Linux community can remove the Microsoft Windows Production CA 2011 certificate from devices that only boot Linux. NSA platform security analyst Zachary Blum advised system administrators and network defenders to take security measures on systems that have been patched against this vulnerability.
“NSA is urging system administrators within DoD and other networks to take action. BlackLotus does not pose a firmware threat, but instead targets the earliest software stage of booting,” the NSA said. “Defensive software solutions can be configured to detect and prevent the installation of the BlackLotus payload or the reboot event that initiates its execution and implantation. The NSA believes that the currently published patches for some infrastructures may create a false sense of security.”
In the latest advisory, US intelligence recommended the following additional measures:
- Apply the latest security updates, update recovery media, and activate optional mitigation
- Reinforce defensive policies by configuring endpoint security software to block attempts to install BlackLotus malware
- Use endpoint security products and firmware monitoring tools to monitor device integrity measurements and boot configuration
- Adjust UEFI Secure Boot to block older (pre-January 2022) signed Windows boot loaders
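One way to check a Windows host against the list above, as an added example that is not from the NSA advisory or this article: the PowerShell script below uses the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets and parses the `db` and `dbx` variables itself (the EFI_SIGNATURE_LIST layout and the two signature-type GUIDs come from the UEFI specification; the function names and the parser are the example's own). It reports whether Secure Boot is enabled, how many certificates and SHA-256 hashes each database holds, and whether the Microsoft Windows Production PCA 2011 certificate the article mentions is still trusted in `db` or has been added to `dbx`. What those results mean for a particular fleet still has to be read against Microsoft's published mitigation steps.

```powershell
# Added example, not from the NSA advisory or the article above.
# Reads the UEFI Secure Boot state and the db/dbx signature databases and
# reports whether the Microsoft Windows Production PCA 2011 certificate is
# still trusted (db) and whether it has been revoked (dbx).
# Assumptions: elevated PowerShell on a UEFI Windows host; EFI_SIGNATURE_LIST
# layout and the signature-type GUIDs as defined in the UEFI specification.

$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Read-EfiSignatureLists {
    # Walks a concatenation of EFI_SIGNATURE_LIST structures and yields one
    # object per signature entry: the list's type GUID plus the entry data
    # (the 16-byte SignatureOwner GUID in front of each entry is skipped).
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop parsing
        $pos = $offset + 28 + $hdrSize
        $end = [Math]::Min($offset + $listSize, $Bytes.Length)
        while ($pos + $sigSize -le $end) {
            [pscustomobject]@{
                Type = $type
                Data = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Convert-EfiEntries {
    # Turns raw entries into readable form: certificate subjects for X.509
    # entries, lowercase hex for SHA-256 hash entries; other types are ignored.
    param($Entries)
    foreach ($e in $Entries) {
        if ($e.Type -eq $EFI_CERT_X509_GUID) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($e.Data)
            [pscustomobject]@{ Kind = 'x509'; Value = $cert.Subject }
        }
        elseif ($e.Type -eq $EFI_CERT_SHA256_GUID) {
            [pscustomobject]@{ Kind = 'sha256'; Value = (($e.Data | ForEach-Object { $_.ToString('x2') }) -join '') }
        }
    }
}

try {
    $secureBootOn = Confirm-SecureBootUEFI
} catch {
    Write-Error "Secure Boot state unavailable (not a UEFI system or not elevated): $_"
    return
}
if (-not $secureBootOn) {
    Write-Warning 'Secure Boot is OFF: nothing in db/dbx is enforced at boot.'
}

$db  = @(Convert-EfiEntries (Read-EfiSignatureLists (Get-SecureBootUEFI -Name db).Bytes))
$dbx = @(Convert-EfiEntries (Read-EfiSignatureLists (Get-SecureBootUEFI -Name dbx).Bytes))

'db : {0} certificate(s), {1} hash(es)' -f @($db  | Where-Object Kind -eq 'x509').Count, @($db  | Where-Object Kind -eq 'sha256').Count
'dbx: {0} certificate(s), {1} hash(es)' -f @($dbx | Where-Object Kind -eq 'x509').Count, @($dbx | Where-Object Kind -eq 'sha256').Count

# The 2011 CA signs the boot loaders the advisory wants blocked; report whether
# it is still trusted and whether a revocation entry for it has been applied.
$pca2011 = 'Windows Production P?CA 2011'
$trusted = @($db  | Where-Object { $_.Kind -eq 'x509' -and $_.Value -match $pca2011 }).Count -gt 0
$revoked = @($dbx | Where-Object { $_.Kind -eq 'x509' -and $_.Value -match $pca2011 }).Count -gt 0
'Windows Production PCA 2011 in db : {0}' -f $trusted
'Windows Production PCA 2011 in dbx: {0}' -f $revoked
```

Run it from an elevated session; both Secure Boot cmdlets fail on legacy BIOS systems and when not running as administrator, which the `try` block surfaces as a single error. The SHA-256 entries in `dbx` are the mechanism by which individual signed binaries, including older boot managers, are refused at boot, so a `dbx` whose entry count does not change after the optional mitigation has supposedly been applied is worth a second look before treating the host as covered.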