
SoylentNews is people

posted by janrinok on Friday March 10 2023, @02:48AM
from the oops,-we've-done-it-again dept.

BlackLotus represents a major milestone in the continuing evolution of UEFI bootkits:

Researchers on Wednesday announced a major cybersecurity find—the world's first-known instance of real-world malware that can hijack a computer's boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.

Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC's device firmware with its operating system, the UEFI is an OS in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.

[...] The second thing standing in the way of UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer's manufacturer. Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn't recognized, Secure Boot will prevent the device from starting.

While researchers have found Secure Boot vulnerabilities in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence. Until now.

[...] To defeat Secure Boot, the bootkit exploits CVE-2022-21894, a vulnerability in all supported versions of Windows that Microsoft patched in January 2022. The logic flaw, referred to as Baton Drop by the researcher who discovered it, can be exploited to remove Secure Boot functions from the boot sequence during startup. Attackers can also abuse the flaw to obtain keys for BitLocker, a Windows feature for encrypting hard drives.
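As an added illustration (not code from the article or from the researchers), here is a small Python model of the Secure Boot rule described above: every stage in the chain must verify against a signer enrolled in the firmware's db variable and must not be listed in the dbx revocation list. The last scenario shows why a patch alone is not enough: an older, still validly signed boot component keeps passing the check until its hash is revoked. The authority name, shared secret and image bytes are constructed stand-ins, and an HMAC replaces the real RSA Authenticode signature.

```python
import hashlib
import hmac

# Constructed signing authorities enrolled in the Secure Boot 'db' variable.
# An HMAC with a shared secret stands in for the RSA Authenticode signature a
# real firmware would check; the control flow, not the crypto, is the point.
DB = {"Vendor-UEFI-CA": b"constructed-vendor-secret"}

def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def sign(image: bytes, authority: str) -> str:
    """Toy signature a trusted authority would attach to an image."""
    return hmac.new(DB[authority], image, "sha256").hexdigest()

def verify_boot_chain(stages, db=DB, dbx=frozenset()):
    """Apply the Secure Boot rule to each stage in boot order.
    stages: list of (name, image_bytes, authority, signature).
    A stage is trusted only if its signer is in db AND its hash is not in dbx.
    Returns (trusted, reason), stopping at the first untrusted stage."""
    for name, image, authority, sig in stages:
        if authority not in db:
            return False, f"{name}: signer {authority!r} is not enrolled in db"
        expected = hmac.new(db[authority], image, "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, f"{name}: signature does not verify"
        if image_hash(image) in dbx:
            return False, f"{name}: image hash is revoked in dbx"
    return True, "every stage trusted"

# Constructed stand-in images. Both boot managers carry valid vendor
# signatures; the old one models a binary whose flaw was later patched.
OLD_BOOTMGR = b"bootmgfw.efi build 2021 (flawed, but validly signed)"
NEW_BOOTMGR = b"bootmgfw.efi build 2022 (patched)"
LOADER = b"winload.efi"

def signed(name, image):
    return (name, image, "Vendor-UEFI-CA", sign(image, "Vendor-UEFI-CA"))

def scenario(variant: str, dbx=frozenset()):
    """Build one of three constructed boot chains and verify it."""
    if variant == "patched":
        chain = [signed("bootmgr", NEW_BOOTMGR), signed("winload", LOADER)]
    elif variant == "unsigned":  # a stage nobody in db actually signed
        chain = [signed("bootmgr", NEW_BOOTMGR),
                 ("stage2", b"unsigned payload", "Vendor-UEFI-CA", "00" * 32)]
    else:  # "downgraded": the older, still-signed boot manager is used instead
        chain = [signed("bootmgr", OLD_BOOTMGR), signed("winload", LOADER)]
    return verify_boot_chain(chain, dbx=dbx)
```

With an empty dbx, `scenario("downgraded")` reports the chain as trusted; adding `image_hash(OLD_BOOTMGR)` to dbx is what makes the same chain fail, which is the revocation step a patch by itself does not perform.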

  • (Score: 5, Interesting) by sjames (2882) on Friday March 10 2023, @05:46PM (#1295544)

    I do use UEFI mode but I disable secure boot. Note that some EFI boards obfuscate that process. You have to delete the root keys, which disables secure boot as a side effect.

    If EFI grew a useful key management menu that let me easily create my own key on a USB key and sign a bootloader I approve of, I might start to believe secure boot has something to do with MY security as opposed to MS's and various "media corporations".

    I'll just be standing over here holding my breath. /s
