NSA Publishes BlackLotus Mitigation Guide

The U.S. National Security Agency (NSA) has published a mitigation guide for BlackLotus malware. BlackLotus is a UEFI bootkit that is planted in the firmware of an infected device. Bootkits load at the initial stage of the boot process, before operating systems are loaded, and are not typically identified by security solutions. Further, the developer claims that security software cannot detect and kill the bootkit since it runs under the SYSTEM account within a legitimate process.

Bootloaders are commonly used by state-sponsored Advanced Persistent Threat (APT) actors; however, BlackLotus is being offered on hacking forums so it is now available to cybercriminals, giving them APT-level capabilities if they can afford the high price. Due to its capabilities and the difficulty detecting and killing the malware, it is a cause of concern amongst security professionals; however, the NSA points out that the malware is stoppable, provided systems administrators take action and are vigilant.

The malware exploits a boot loader flaw called Baton Drop – CVE-2022-21894 – which allows an attacker to take full control of an endpoint from the earliest phase of the software boot. The NSA highlights similarities with BootHole malware from 2020; however, rather than breaking the Linux boot security chain, BlackLotus targets the Windows boot to set off a chain of events that compromises endpoint security. After exploiting Baton Drop, the Secure Boot policy is stripped, and its enforcement is prevented.

Microsoft has released patches for supported Windows versions to fix the vulnerability; however, patching alone will not fully remediate the threat as the patches do not revoke trust in unpatched boot loaders via the Secure Boot Deny Database (DBX) which means boot loaders that are vulnerable to Baton Drop are still trusted by Secure Boot. Attackers can substitute fully patched boot loaders with vulnerable versions to execute BlackLotus. System administrators that simply apply the patches may have a false sense of security that they are protected against BlackLotus.

The NSA recommends first applying the latest security updates, updating recovery media, and activating its recommended optional mitigations. Defensive policies should be hardened, and security software should be configured to block BlackLotus installations. System administrators are advised to harden their executable policies and monitor the integrity of the boot partition and customize Secure Boot by adding DBX records to Windows endpoints or by removing the Windows Production CA certificate from Linus endpoints.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news