Research finds UEFI bootkit capable of bypassing security measures

Image via Pixabay

New research shows that a unified extensive firmware interface (UEFI) bootkit is capable of bypassing security features. The functionality of the bootkit and its individual features make researchers believe that it is a threat known as BlackLotus, a UEFI bootkit that has been sold on hacking forums for $5,000 since at least October 2022. This bootkit can run on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.

The bootkit exploits a more than one-year-old vulnerability to bypass security measures and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability. Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list.

UEFI bootkits are very powerful threats, having full control over the operating system boot process and thus being capable of disabling various operating system security mechanisms and deploying their own kernel-mode or user-mode payloads in early boot stages. This allows them to operate very and with high privileges. So far, only a few have been discovered in the wild and publicly described.

Additional research findings are available here.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.