Research finds UEFI bootkit capable of bypassing security measures

Image via Pixabay

New research shows that a unified extensive firmware interface (UEFI) bootkit is capable of bypassing security features. The functionality of the bootkit and its individual features make researchers believe that it is a threat known as BlackLotus, a UEFI bootkit that has been sold on hacking forums for $5,000 since at least October 2022. This bootkit can run on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.

The bootkit exploits a more than one-year-old vulnerability to bypass security measures and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability. Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list.

UEFI bootkits are very powerful threats, having full control over the operating system boot process and thus being capable of disabling various operating system security mechanisms and deploying their own kernel-mode or user-mode payloads in early boot stages. This allows them to operate very and with high privileges. So far, only a few have been discovered in the wild and publicly described.

Additional research findings are available here.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.