from the oops,-we've-done-it-again dept.
BlackLotus represents a major milestone in the continuing evolution of UEFI bootkits:
Researchers on Wednesday announced a major cybersecurity find—the world's first-known instance of real-world malware that can hijack a computer's boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.
Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC's device firmware with its operating system, the UEFI is an OS in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.
[...] The second thing standing in the way of UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer's manufacturer. Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn't recognized, Secure Boot will prevent the device from starting.
While researchers have found Secure Boot vulnerabilities in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence. Until now.
[...] To defeat Secure Boot, the bootkit exploits CVE-2022-21894, a vulnerability in all supported versions of Windows that Microsoft patched in January 2022. The logic flaw, referred to as Baton Drop by the researcher who discovered it, can be exploited to remove Secure Boot functions from the boot sequence during startup. Attackers can also abuse the flaw to obtain keys for BitLocker, a Windows feature for encrypting hard drives.
LEIPZIG, GERMANY – Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks.
The discussion of Sednit was part of the 35C3 conference, and a session given by Frédéric Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall (PDF). During his session, Vachon said that finding a rootkit targeting a system's UEFI is significant, given that rootkit malware programs can survive on the motherboard’s flash memory, giving it both persistence and stealth.
"UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level," he said.
The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software's LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system’s UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.
Each time the system restarts, the code executes on boot, before the OS loads and before the system's antivirus software is launched. That means that even if the device's hard drive is replaced, the LoJack software will still operate.
Custom-made UEFI bootkit found lurking in the wild:
For only the second time in the annals of cybersecurity, researchers have found real-world malware lurking in the UEFI, the low-level and highly opaque firmware required to boot up nearly every modern computer.
As software that bridges a PC's device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an operating system in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. And it's the first thing to be run when a computer is turned on, allowing it to influence or even control the OS, security apps, and all other software that follows.
Those characteristics make the UEFI the perfect place to stash malware, and that's just what an unknown attack group has done, according to new research presented on Monday by security firm Kaspersky Lab.
Last year, after the Moscow-based company integrated a new firmware scanner in its antivirus products, researchers recovered a suspicious UEFI image from one of its users. After further research, Kaspersky Lab discovered that a separate user had been infected by the same UEFI image in 2018. Both infected users were diplomatic figures located in Asia.
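The summary describes Secure Boot as a chain of trust in which each boot stage must be recognized before the next one runs, and then notes that the flaw BlackLotus exploits was patched in January 2022. The toy model below, an added example that is not code from the articles quoted above or from any firmware vendor, shows both halves of that picture: an unrecognized or tampered stage halts the boot, but an older, still-validly-signed build of a boot component keeps passing the check until its hash is revoked in the firmware's own policy. It is a deliberate simplification: real Secure Boot keeps X.509 certificates and Authenticode signatures in the `db` and revocations in the `dbx` variable, while this model stands in a keyed hash (HMAC) for the signature so that it runs on the standard library alone; all key names, image names and contents are constructed for the example.

```python
"""Constructed model of a Secure Boot style chain-of-trust check (not vendor code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class BootImage:
    """One stage of the boot chain: a firmware driver, boot manager or OS loader."""
    name: str
    code: bytes
    signer: Optional[str] = None   # id of the signing key, None if unsigned
    signature: bytes = b""


@dataclass
class SecureBootPolicy:
    """Stand-in for the db / dbx variables held in the board's firmware storage."""
    db_keys: Dict[str, bytes]                          # trusted signing keys (like db certificates)
    db_hashes: Set[str] = field(default_factory=set)   # explicitly allowed image hashes
    dbx_hashes: Set[str] = field(default_factory=set)  # revoked image hashes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_image(img: BootImage, key_id: str, key: bytes) -> BootImage:
    """HMAC stands in for the real Authenticode signature in this constructed model."""
    img.signer = key_id
    img.signature = hmac.new(key, img.code, hashlib.sha256).digest()
    return img


def verify_stage(policy: SecureBootPolicy, img: BootImage) -> Tuple[bool, str]:
    """Decide whether one stage may execute; revocation is checked before trust."""
    digest = sha256_hex(img.code)
    if digest in policy.dbx_hashes:
        return False, "revoked"
    if digest in policy.db_hashes:
        return True, "allowed by hash"
    if img.signer in policy.db_keys:
        expected = hmac.new(policy.db_keys[img.signer], img.code, hashlib.sha256).digest()
        if hmac.compare_digest(expected, img.signature):
            return True, f"signed by {img.signer}"
        return False, "bad signature"
    return False, "unrecognized"


def boot_chain(policy: SecureBootPolicy, stages: List[BootImage]) -> List[Tuple[str, bool, str]]:
    """Walk the chain in order and stop at the first stage that fails, as Secure Boot does."""
    results = []
    for img in stages:
        ok, why = verify_stage(policy, img)
        results.append((img.name, ok, why))
        if not ok:
            break
    return results


def demo() -> Dict[str, List[Tuple[str, bool, str]]]:
    vendor_key = b"constructed-vendor-signing-key"          # constructed, not a real key
    policy = SecureBootPolicy(db_keys={"vendor": vendor_key})

    bootmgr_old = sign_image(BootImage("bootmgr-prefix", b"boot manager, pre-fix build"), "vendor", vendor_key)
    bootmgr_new = sign_image(BootImage("bootmgr-fixed", b"boot manager, fixed build"), "vendor", vendor_key)
    os_loader = sign_image(BootImage("os-loader", b"os loader"), "vendor", vendor_key)
    rogue = BootImage("rogue-loader", b"unsigned loader")
    # Signed loader whose bytes were altered after signing: the signature no longer matches.
    tampered = BootImage("os-loader-tampered", b"os loader, altered", "vendor", os_loader.signature)

    results = {}
    results["patched"] = boot_chain(policy, [bootmgr_new, os_loader])
    results["unsigned"] = boot_chain(policy, [rogue, os_loader])
    results["tampered"] = boot_chain(policy, [bootmgr_new, tampered])
    # The pre-fix build is still validly signed by a trusted key, so it passes as-is.
    results["downgrade"] = boot_chain(policy, [bootmgr_old, os_loader])
    # Only a revocation entry in the firmware-held policy stops it.
    policy.dbx_hashes.add(sha256_hex(bootmgr_old.code))
    results["downgrade_revoked"] = boot_chain(policy, [bootmgr_old, os_loader])
    return results


if __name__ == "__main__":
    for scenario, chain in demo().items():
        print(scenario, chain)
```

The "downgrade" and "downgrade_revoked" scenarios are the part worth dwelling on: shipping a fixed binary does not by itself stop the older signed one from booting, and the revocation list that would stop it lives in firmware variables on the board rather than in the operating system.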
(Score: 5, Insightful) by Runaway1956 on Friday March 10, @05:15AM (4 children)
Secure boot is a Microsoft thing, from start to finish. They dreamed of it, they coded it, they implemented it, and they blackmailed manufacturers into building it into computers.
Secure boot is a Microsoft flaw. Apple's version of the same thing seems to be better, but maybe that's not even true. However, Apple hasn't forced their TPM onto every other distro in the world like Microsoft has. People pay the Apple tax by choice - the rest of us pay the Microsoft tax by way of extortion.
Abortion is the number one killer of children in the United States.
(Score: 3, Interesting) by Username on Friday March 10, @10:14AM (3 children)
First thing I do on any new motherboard is disable secureboot, and enable "legacy mode."
(Score: 5, Interesting) by sjames on Friday March 10, @05:46PM
I do use UEFI mode but I disable secure boot. Note that some EFI boards obfuscate that process. You have to delete the root keys to cause disabled secure boot as a side effect.
If EFI grew a useful key management menu that let me easily create my own key on a USB key and sign a bootloader I approve of, I might start to believe secure boot has something to do with MY security as opposed to MS's and various "media corporations".
I'll just be standing over here holding my breath. /s
(Score: 2) by Gaaark on Friday March 10, @09:18PM (1 child)
First thing I do is wipe Windows and install Linux.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by dltaylor on Sunday March 12, @06:45AM
Linux is another guest.
For security, OpenBSD.
(Score: 2, Insightful) by Nofsck Ingcloo on Saturday March 11, @03:36PM (2 children)
The title says "unpatchable flaw". The last paragraph of the summary says Microsoft patched it in 2022. What's the real story?
1984 was not written as an instruction manual.
(Score: 2) by janrinok on Sunday March 12, @09:19AM
As I understand it: The fix has to be applied to the flash memory on the motherboard, hence:
It seems to me that it has to be applied by the motherboard manufacturer or whoever is programming the flash storage chip. It does not appear to be something that can be done locally. The earlier patch was made available to manufacturers.
(Score: 2) by janrinok on Sunday March 12, @09:20AM
By the way - it is nice to see your account active again!