The National Security Agency (NSA) is warning of a known vulnerability in the Microsoft Windows secure startup process that malicious actors could use to bypass Secure Boot protection and execute BlackLotus malware.
 
In an effort to help enterprise security professionals mitigate this threat, the NSA recently released the “BlackLotus Mitigation Guide” Cybersecurity Information Sheet (CSI) guide which provides an overview of recommended actions to detect and prevent malicious activities associated with BlackLotus.
 
“Protecting systems against BlackLotus is not a simple fix,” NSA’s Platform Security Analyst Zachary Blum said in a release. “Patching is a good first step, but we also recommend hardening actions, dependent on your system’s configurations and security software used.”

Given the scale at which this vulnerability exists, John Gallagher, Vice President of Viakoo Labs at Viakoo, said it makes sense that NSA would ask organizations to pay attention and make plans to address it.

“Unified Extensible Firmware Interface (UEFI) vulnerabilities, as the guidance from NSA shows, are particularly difficult to mitigate and remediate because they are in the earliest stage of software and hardware interactions,” Gallagher said. “The guidance NSA is providing is critically important as a reminder to pay attention to boot-level vulnerabilities and have a method to address them.”  

Gallagher added that until Microsoft has a more comprehensive fix — planned for early 2024 — the NSA guide gives organizations that may be impacted a plan of attack so they can estimate what resources they will need.  

“Given the manual nature of NSA’s guidance, many organizations will find that they don’t have the resources needed to fully remediate this vulnerability,” Gallagher said. “Additional measures like use of network access control and traffic analysis should also be used until Microsoft can provide a more complete fix.”  

According to the NSA release, “BlackLotus exploits a known vulnerability called ‘Baton Drop,’ CVE-2022-21894, which bypasses security features during the device’s startup process, also known as Secure Boot. The malware targets Secure Boot by exploiting vulnerable boot loaders not added into the Secure Boot Deny List Database (DBX).”
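Because the mechanism described above depends on a boot loader's hash being absent from the Secure Boot Deny List Database (DBX), the practical defender check is to read the DBX on a given machine and confirm that the revocation entries you expect are actually present. The following PowerShell script is an added example, not part of the NSA guide or this article: it uses the real `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets, parses the variable's `EFI_SIGNATURE_LIST` structures as defined in the UEFI specification, and reports whether a supplied list of SHA-256 hashes is revoked. The hash values in `$HashesToCheck` are placeholders; the real values come from the revocation list Microsoft publishes, and the function name `Get-DbxSha256Entries` is this example's own.

```powershell
# Added example (not from the NSA guide or the article): list the SHA-256 revocation
# entries in this machine's Secure Boot DBX and check whether given hashes are present.
# Run from an elevated PowerShell on a UEFI system. The hashes in $HashesToCheck are
# PLACEHOLDERS; take the real values from Microsoft's published revocation list.

# EFI_CERT_SHA256_GUID: the SignatureType used for hash entries in db/dbx (UEFI spec).
$Sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-DbxSha256Entries {
    # dbx is a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
    #   | SignatureHeader[SignatureHeaderSize] | entries of SignatureSize bytes each,
    #   where every entry = SignatureOwner GUID (16) + SignatureData.
    [byte[]]$bytes = (Get-SecureBootUEFI -Name dbx).Bytes
    $hashes = New-Object System.Collections.Generic.List[string]
    $pos = 0
    while (($pos + 28) -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or ($pos + $listSize) -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $pos"
        }
        $entry = $pos + 28 + $headerSize
        $end   = $pos + $listSize
        while ($sigSize -gt 0 -and ($entry + $sigSize) -le $end) {
            # A SHA-256 entry is 16 bytes of owner GUID followed by the 32-byte hash.
            if ($type -eq $Sha256Guid -and $sigSize -eq 48) {
                $hex = ($bytes[($entry + 16)..($entry + 47)] | ForEach-Object { $_.ToString('x2') }) -join ''
                $hashes.Add($hex)
            }
            $entry += $sigSize
        }
        $pos = $end
    }
    return $hashes
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is disabled on this system; DBX revocations are not enforced at boot.'
}

$dbx = @(Get-DbxSha256Entries)
"DBX contains $($dbx.Count) SHA-256 revocation entries."

# PLACEHOLDER values: replace with the boot-manager hashes from Microsoft's revocation list.
$HashesToCheck = @(
    '<sha256-of-revoked-boot-manager-1>',
    '<sha256-of-revoked-boot-manager-2>'
)
foreach ($h in $HashesToCheck) {
    $state = if ($dbx -contains $h.ToLower()) { 'revoked (present in DBX)' } else { 'NOT in DBX' }
    "$h : $state"
}
```

A hash that reports "NOT in DBX" means that boot loader would still pass Secure Boot on this machine even though it is known to be vulnerable, which is exactly the gap the article describes; the output is a good candidate for feeding into fleet-wide inventory alongside firmware version data.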

Callie Guenther, Cyber Threat Research Senior Manager at Critical Start, said the BlackLotus bootkit, which bypasses the UEFI Secure Boot, poses a significant threat to organizations. 

“The bootkit allows threat actors to execute malware before the operating system and security measures become active, providing them with persistent control and the ability to subvert security defenses,” Guenther said. “BlackLotus's ability to evade traditional security defenses and subvert logging and countermeasures makes it challenging for organizations to detect and respond to attacks. This highlights the need for robust defensive measures and security solutions that can identify and mitigate such advanced threats.”

 
“The incident highlights the potential vulnerabilities associated with firmware, particularly UEFI Secure Boot implementations,” Guenther said. “Organizations need to recognize the importance of validating the integrity of their servers, laptops and workstations, including regularly updating firmware and monitoring for any indications of compromise.”

Guenther stressed the importance of collaboration and threat intelligence sharing.

“Given the evolving threat landscape, organizations can benefit from collaborating and sharing threat intelligence to stay updated on emerging threats, tactics and techniques used by threat actors,” Guenther said. “Sharing information and insights within the cybersecurity community can help organizations collectively strengthen their defenses against such threats.”