New research shows that a unified extensive firmware interface (UEFI) bootkit is capable of bypassing security features. The functionality of the bootkit and its individual features make researchers believe that it is a threat known as BlackLotus, a UEFI bootkit that has been sold on hacking forums for $5,000 since at least October 2022. This bootkit can run on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.
The bootkit exploits a more than one-year-old vulnerability to bypass security measures and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability. Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list.
UEFI bootkits are very powerful threats, having full control over the operating system boot process and thus being capable of disabling various operating system security mechanisms and deploying their own kernel-mode or user-mode payloads in early boot stages. This allows them to operate very and with high privileges. So far, only a few have been discovered in the wild and publicly described.
Additional research findings are available here.