New research shows that a Unified Extensible Firmware Interface (UEFI) bootkit is capable of bypassing UEFI Secure Boot, the firmware-level signature check that is supposed to stop untrusted code from running before the operating system loads. The functionality of the bootkit and its individual features lead researchers to believe that it is the threat known as BlackLotus, a UEFI bootkit that has been sold on hacking forums for $5,000 since at least October 2022. The bootkit can run on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.
The bootkit exploits a vulnerability that is more than a year old to bypass Secure Boot and to establish persistence in the boot chain. This is the first publicly known in-the-wild abuse of that vulnerability. Although Microsoft fixed the vulnerability in its January 2022 update, exploitation remains possible because the affected, validly signed binaries have still not been added to the UEFI revocation list (the dbx variable). Secure Boot trusts a binary based on its signature, not on its age, so as long as the old bootloaders are absent from dbx, an attacker can bring a copy of a vulnerable, still-trusted binary to a patched machine and the firmware will load it. Installing the patch alone is therefore not a mitigation; the old binaries must actually be revoked.
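The practical check this raises is whether a given signed bootloader has actually been revoked on a system, which means parsing the dbx variable rather than trusting that an update was installed. The following is an added example, not code from the original article or from the researchers: it parses the EFI_SIGNATURE_LIST structures that make up dbx (the layout defined in the UEFI specification), extracts the EFI_CERT_SHA256 entries, and reports whether a given Authenticode SHA-256 hash is revoked. The dbx blob, the signature-owner GUID and the hashes below are all constructed for the demonstration; no real revocation hashes are included.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_CERT_SHA256_GUID, EFI_CERT_X509_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16-byte GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (three little-endian UINT32s).
_SIGLIST_HDR = 16 + 4 + 4 + 4


def parse_signature_lists(blob: bytes):
    """Parse a concatenation of EFI_SIGNATURE_LIST structures (e.g. the raw dbx contents).

    Returns a list of (signature_type, owner_guid, signature_data) tuples.
    Raises ValueError on a malformed or truncated blob instead of silently
    returning a partial result, since a partial dbx view would under-report revocations.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < _SIGLIST_HDR or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size < 16:  # every EFI_SIGNATURE_DATA starts with a 16-byte SignatureOwner GUID
            raise ValueError("bad SignatureSize at offset %d" % off)
        body_start = off + _SIGLIST_HDR + hdr_size
        body_end = off + list_size
        if body_start > body_end or (body_end - body_start) % sig_size != 0:
            raise ValueError("signature body not a multiple of SignatureSize at offset %d" % off)
        for p in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            entries.append((sig_type, owner, blob[p + 16:p + sig_size]))
        off += list_size
    return entries


def dbx_sha256_hashes(blob: bytes) -> set:
    """Hex-encoded Authenticode SHA-256 hashes revoked by this dbx (X.509 entries are skipped)."""
    return {data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given Authenticode SHA-256 (hex) of a PE binary is listed in dbx."""
    return authenticode_sha256_hex.lower() in dbx_sha256_hashes(blob)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads) -> bytes:
    """Build one EFI_SIGNATURE_LIST; all payloads in a list must share one length."""
    payloads = list(payloads)
    sig_size = 16 + len(payloads[0])
    if any(len(p) != len(payloads[0]) for p in payloads):
        raise ValueError("all signatures in one list must have the same size")
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", _SIGLIST_HDR + len(body), 0, sig_size) + body


def read_dbx_linux(path="/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"):
    """Read dbx via efivarfs; the first 4 bytes are the variable attributes, not list data."""
    with open(path, "rb") as f:
        return f.read()[4:]


# ---- Constructed sample (not a real dbx): an arbitrary owner GUID, two fake revoked
# ---- Authenticode hashes, and one X.509 entry that must be ignored by the hash check.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
REVOKED_A = hashlib.sha256(b"constructed sample bootloader A").digest()
REVOKED_B = hashlib.sha256(b"constructed sample bootloader B").digest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [REVOKED_A, REVOKED_B])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82\x00\x04DER?"])
)

if __name__ == "__main__":
    for label, h in (("A", REVOKED_A.hex()),
                     ("unlisted", hashlib.sha256(b"not in dbx").hexdigest())):
        print(label, "revoked" if is_revoked(SAMPLE_DBX, h) else "NOT revoked")
```

To run this against a live system, dump dbx first: on Windows, `[IO.File]::WriteAllBytes('dbx.bin', (Get-SecureBootUEFI -Name dbx).Bytes)` from an elevated PowerShell, then pass the file contents to `is_revoked`; on Linux, `read_dbx_linux()` strips the 4-byte attribute prefix that efivarfs prepends. The hash you look up must be the Authenticode (PE image) SHA-256 of the bootloader, which is what dbx stores, not a plain SHA-256 of the file bytes.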