BlackLotus represents a major milestone in the continuing evolution of UEFI bootkits:
Researchers on Wednesday announced a major cybersecurity find—the world's first-known instance of real-world malware that can hijack a computer's boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.
Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC's device firmware with its operating system, the UEFI is an OS in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.
[...] The second thing standing in the way of UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer's manufacturer. Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn't recognized, Secure Boot will prevent the device from starting.
While researchers have found Secure Boot vulnerabilities in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence. Until now.
[...] To defeat Secure Boot, the bootkit exploits CVE-2022-21894, a vulnerability in all supported versions of Windows that Microsoft patched in January 2022. The logic flaw, referred to as Baton Drop by the researcher who discovered it, can be exploited to remove Secure Boot functions from the boot sequence during startup. Attackers can also abuse the flaw to obtain keys for BitLocker, a Windows feature for encrypting hard drives.
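The chain-of-trust behaviour the article describes (every stage must carry a signature the firmware recognizes, and one unrecognized link halts the boot) is easier to reason about with a small model in front of you. The following is an added illustration, not code from the article, from Microsoft, or from the BlackLotus analysis. It stands in for the real mechanism in two labelled ways: stages are plain byte strings rather than PE/COFF binaries, and "signatures" are HMAC-SHA256 tags under constructed per-signer secrets rather than the RSA/X.509 signatures real firmware checks against its `db`. It goes one step beyond the article by also modelling the UEFI forbidden-signature database (`dbx`): a stage whose signature verifies is accepted whether or not it contains a known flaw, until its hash is placed on that deny-list, which is why revocation and not just patching matters for boot components.

```python
"""Toy Secure Boot style chain of trust (added example, not page code)."""
import hashlib
import hmac

# Constructed signer secrets; stand-ins for the private keys behind the
# certificates a real firmware's db would hold.
SIGNER_KEYS = {
    "oem-platform-key": b"constructed-oem-secret",
    "os-vendor-key": b"constructed-os-vendor-secret",
}


def sign(image: bytes, key: bytes) -> bytes:
    """Toy 'signature': HMAC-SHA256 over the stage image (not a real PKI signature)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def verify_boot_chain(stages, db, dbx):
    """Walk the chain in boot order and stop at the first untrusted stage.

    stages: list of (name, image_bytes, signer_id, signature)
    db:     allow-list {signer_id: verification key}
    dbx:    deny-list of sha256 hex digests of forbidden images
    Returns (booted: bool, log: list[str]).
    """
    log = []
    for name, image, signer, sig in stages:
        if image_hash(image) in dbx:
            log.append(f"{name}: REJECT, image hash is in dbx (revoked)")
            return False, log
        key = db.get(signer)
        if key is None:
            log.append(f"{name}: REJECT, signer '{signer}' not in db")
            return False, log
        if not hmac.compare_digest(sign(image, key), sig):
            log.append(f"{name}: REJECT, signature does not match image")
            return False, log
        log.append(f"{name}: trusted")
    return True, log


def build_stage(name, image, signer):
    """Produce a correctly signed stage tuple for the given signer."""
    return (name, image, signer, sign(image, SIGNER_KEYS[signer]))


# Constructed boot images; a real chain carries signed PE/COFF binaries.
FIRMWARE_DRIVER = b"oem option rom v3"
BOOT_MANAGER_OLD = b"os boot manager build 2021"  # validly signed, has a known flaw
BOOT_MANAGER_NEW = b"os boot manager build 2022"  # the fixed build
OS_LOADER = b"os kernel loader"


def scenarios():
    """Run the chain under several conditions; returns {scenario: booted?}."""
    db = SIGNER_KEYS  # with an HMAC stand-in the verification key is the same secret
    fw = build_stage("firmware driver", FIRMWARE_DRIVER, "oem-platform-key")
    old = build_stage("boot manager", BOOT_MANAGER_OLD, "os-vendor-key")
    new = build_stage("boot manager", BOOT_MANAGER_NEW, "os-vendor-key")
    ldr = build_stage("os loader", OS_LOADER, "os-vendor-key")

    # Image altered after signing: the original signature no longer matches.
    name, image, signer, sig = new
    tampered = (name, image + b" +modification", signer, sig)
    # Image signed with a key the firmware has never enrolled.
    rogue = ("boot manager", BOOT_MANAGER_NEW, "unknown-key",
             sign(BOOT_MANAGER_NEW, b"constructed-unenrolled-secret"))

    results = {}
    results["clean"] = verify_boot_chain([fw, new, ldr], db, set())[0]
    results["tampered"] = verify_boot_chain([fw, tampered, ldr], db, set())[0]
    results["unknown_signer"] = verify_boot_chain([fw, rogue, ldr], db, set())[0]
    # A validly signed but flawed build still boots while dbx is empty...
    results["old_no_dbx"] = verify_boot_chain([fw, old, ldr], db, set())[0]
    # ...and is refused once its hash has been added to the deny-list.
    results["old_with_dbx"] = verify_boot_chain(
        [fw, old, ldr], db, {image_hash(BOOT_MANAGER_OLD)})[0]
    return results


if __name__ == "__main__":
    for scenario, booted in scenarios().items():
        print(f"{scenario}: {'boots' if booted else 'halted'}")
```

The `old_no_dbx` and `old_with_dbx` cases are the ones worth dwelling on: a signature check only answers "did a trusted party sign this?", not "is this build still safe to run?", so the allow-list alone cannot retire a signed component; only a deny-list entry (or a new signing key) does that.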
(Score: 3, Interesting) by Username on Friday March 10 2023, @10:14AM (3 children)
First thing I do on any new motherboard is disable secureboot, and enable "legacy mode."
(Score: 5, Interesting) by sjames on Friday March 10 2023, @05:46PM
I do use UEFI mode but I disable secure boot. Note that some EFI boards obfuscate that process. You have to delete the root keys to cause disabled secure boot as a side effect.
If EFI grew a useful key management menu that let me easily create my own key on a USB key and sign a bootloader I approve of, I might start to believe secure boot has something to do with MY security as opposed to MS's and various "media corporations".
I'll just be standing over here holding my breath. /s
(Score: 2) by Gaaark on Friday March 10 2023, @09:18PM (1 child)
First thing i do is wipe Windows and install linux.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by dltaylor on Sunday March 12 2023, @06:45AM
Linux is another guest.
For security, OpenBSD.