Stories
Slash Boxes
Comments

SoylentNews is people

Stealthy UEFI Malware Bypassing Secure Boot Enabled by Unpatchable Windows Flaw

posted by janrinok on Friday March 10 2023, @02:48AM   Printer-friendly
from the oops,-we've-done-it-again dept.

fliptop writes:

BlackLotus represents a major milestone in the continuing evolution of UEFI bootkits:

Researchers on Wednesday announced a major cybersecurity find—the world's first-known instance of real-world malware that can hijack a computer's boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.

Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI— short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC's device firmware with its operating system, the UEFI is an OS in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.

[...] The second thing standing in the way of UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer's manufacturer. Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn't recognized, Secure Boot will prevent the device from starting.

While researchers have found Secure Boot vulnerabilities in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence. Until now.

[...] To defeat Secure Boot, the bootkit exploits CVE-2022-21894, a vulnerability in all supported versions of Windows that Microsoft patched in January 2022. The logic flaw, referred to as Baton Drop by the researcher who discovered it, can be exploited to remove Secure Boot functions from the boot sequence during startup. Attackers can also abuse the flaw to obtain keys for BitLocker, a Windows feature for encrypting hard drives.

Previously:

Original Submission

 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Stealthy UEFI Malware Bypassing Secure Boot Enabled by Unpatchable Windows Flaw | Log In/Create an Account | Top | 8 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by janrinok on Sunday March 12 2023, @09:19AM

    by janrinok (52) Subscriber Badge on Sunday March 12 2023, @09:19AM (#1295753) Journal

    As I understand it: The fix has to be applied to the flash memory on the motherboard, hence:

    It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.

    It seems to me that it has to be applied by the motherboard manufacturer or whomever is programming the flash storage chip. It is not something that appears can be done locally. The earlier patch was made available to manufacturers.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2