The U.S. National Security Agency (NSA) released today guidance on how to defend against Blacklotus UEFI bootkit malware attacks.

BlackLotus has been circulating on hacking forums since October 2022, marketed as malware capable of evading detection, withstanding removal efforts, and neutralizing multiple Windows security features such as Defender, HVCI, and BitLocker.

In May, Microsoft released security updates to address a Secure Boot zero-day vulnerability (CVE-2023-24932) that was used to bypass patches released for CVE-2022-21894, the Secure Boot bug initially abused in BlackLotus attacks last year.

However, the CVE-2023-24932 fix is disabled by default and will not remove the attack vector exploited to deploy BlackLotus.

To secure Windows devices, admins must undergo a manual procedure requiring multiple steps "to update bootable media and apply revocations before enabling this update."

"BlackLotus is very stoppable on fully updated Windows endpoints, Secure Boot-customized devices, or Linux endpoints. Microsoft has released patches and continues to harden mitigations against BlackLotus and Baton Drop," the NSA said.

"The Linux community may remove the Microsoft Windows Production CA 2011 certificate on devices that exclusively boot Linux. Mitigation options available today will be reinforced by changes to vendor Secure Boot certificates in the future (some certificates are expiring starting in 2026)."

Mitigation advice

Zachary Blum, NSA’s Platform Security Analyst, advised system administrators and network defenders today to also implement hardening actions on systems patched against this vulnerability.

"NSA recommends system administrators within DoD and other networks take action. BlackLotus is not a firmware threat, but instead targets the earliest software stage of boot," the NSA said.

"Defensive software solutions can be configured to detect and prevent the installation of the BlackLotus payload or the reboot event that starts its execution and implantation. NSA believes that currently published patches could provide a false sense of security for some infrastructures."

In today's advisory, the U.S. intelligence agency recommended the following measures as additional mitigations:

Apply the latest security updates, update recovery media, and activate optional mitigation

Harden defensive policies by configuring endpoint security software to block BlackLotus malware installation attempts

Use endpoint security products and firmware monitoring tools to monitor device integrity measurements and boot configuration

Customize UEFI Secure Boot to block older (pre-January 2022), signed Windows boot loaders

BlackLotus has been used in attacks targeting Windows 10 and 11 to exploit a vulnerability (referred to as Baton Drop and tracked as CVE-2022-21894) found in older boot loaders (aka boot managers) which helps bypass Secure Boot protection and trigger a series of malicious actions designed to compromise system security.

By leveraging CVE-2022-21894, the attackers remove the Secure Boot policy, preventing its enforcement (the boot loaders affected by this vulnerability have not yet been included in the Secure Boot DBX revocation list).

"However, patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX). Administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot," the NSA said.

As a result, attackers can replace fully patched boot loaders with vulnerable versions, allowing them to install and execute the malware on compromised devices.

During the installation process of BlackLotus, an older Extensible Firmware Interface (EFI) binary of the Windows boot loader is deployed onto the boot partition. Next, BitLocker and Memory Integrity protections are disabled right before the device is restarted to start and implant the malware.

"Protecting systems against BlackLotus is not a simple fix. Patching is a good first step, but we also recommend hardening actions, dependent on your system’s configurations and security software used," Blum said.