SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Stealthy UEFI Malware Bypassing Secure Boot Enabled by Unpatchable Windows Flaw
Date    Friday March 10 2023, @02:48AM
Author    janrinok
from the oops,-we've-done-it-again dept.
https://soylentnews.org/article.pl?sid=23/03/08/1459251

fliptop writes:

BlackLotus represents a major milestone in the continuing evolution of UEFI bootkits:

Researchers on Wednesday announced a major cybersecurity find—the world's first-known instance of real-world malware that can hijack a computer's boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.

Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC's device firmware with its operating system, the UEFI is an OS in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.

[...] The second thing standing in the way of UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer's manufacturer. Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn't recognized, Secure Boot will prevent the device from starting.

While researchers have found Secure Boot vulnerabilities in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence. Until now.

[...] To defeat Secure Boot, the bootkit exploits CVE-2022-21894, a vulnerability in all supported versions of Windows that Microsoft patched in January 2022. The logic flaw, referred to as Baton Drop by the researcher who discovered it, can be exploited to remove Secure Boot functions from the boot sequence during startup. Attackers can also abuse the flaw to obtain keys for BitLocker, a Windows feature for encrypting hard drives.
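The chain of trust the quoted article describes can be modelled in a few dozen lines. The following is an added example, not code from the submission, from Ars Technica, or from any real firmware: each boot stage carries a signature, the previous stage checks that signature against a database of trusted signing keys before handing off, and a single unrecognised link halts the boot. Real Secure Boot uses X.509 certificates and RSA signatures over Authenticode hashes of PE images; here an HMAC over the image bytes stands in for the signature so the example runs with the Python standard library only. The key names, image contents and the `dbx` revocation list are constructed for the example. The third scenario shows why a logic flaw in a signed boot component cannot be fixed by a patch alone: the old, correctly signed image keeps verifying until its hash is explicitly revoked.

```python
"""Toy model of the UEFI Secure Boot chain of trust (added example, not from the page)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed signing keys. On a real platform these are OEM / Microsoft
# certificates stored in the firmware's "db" variable.
TRUSTED_KEYS = {
    "OEM-key": b"constructed-oem-secret",
    "MS-UEFI-CA": b"constructed-ms-secret",
}


@dataclass
class BootImage:
    name: str        # stage name, e.g. firmware / boot manager / OS loader
    payload: bytes   # the image bytes that get executed
    key_id: str      # which key the signer claims to have used
    signature: bytes # HMAC-SHA256 standing in for a real RSA signature


def sign_image(name, payload, key_id, keys=TRUSTED_KEYS):
    """Produce a signed boot image (models the vendor's signing step)."""
    sig = hmac.new(keys[key_id], payload, hashlib.sha256).digest()
    return BootImage(name, payload, key_id, sig)


def image_hash(image):
    """Hash used for revocation lookups (models the dbx entry)."""
    return hashlib.sha256(image.payload).hexdigest()


def verify_chain(chain, db=TRUSTED_KEYS, dbx=frozenset()):
    """Walk the boot chain in order and return (booted, log).

    Halts at the first stage whose signer is not in db, whose bytes do not
    match the signature, or whose hash appears in the revocation list dbx.
    """
    log = []
    for image in chain:
        key = db.get(image.key_id)
        if key is None:
            log.append(f"{image.name}: signer {image.key_id!r} not in db -> halt")
            return False, log
        expected = hmac.new(key, image.payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, image.signature):
            log.append(f"{image.name}: signature mismatch -> halt")
            return False, log
        if image_hash(image) in dbx:
            log.append(f"{image.name}: hash is revoked in dbx -> halt")
            return False, log
        log.append(f"{image.name}: verified, handing off")
    return True, log


def build_chain():
    """Constructed three-stage chain: platform firmware -> boot manager -> OS loader."""
    return [
        sign_image("firmware", b"constructed platform firmware v1", "OEM-key"),
        sign_image("bootmgr", b"constructed boot manager", "MS-UEFI-CA"),
        sign_image("osloader", b"constructed OS loader", "MS-UEFI-CA"),
    ]


def scenario_clean():
    """Every link is signed by a trusted key: the machine boots."""
    return verify_chain(build_chain())


def scenario_tampered_bootmgr():
    """Boot manager bytes replaced but old signature kept: halts at bootmgr."""
    chain = build_chain()
    original = chain[1]
    chain[1] = BootImage(original.name, b"constructed modified boot manager",
                         original.key_id, original.signature)
    return verify_chain(chain)


def scenario_revoked_bootmgr():
    """A validly signed but known-bad boot manager only stops booting once its
    hash is added to dbx; without that entry it would still verify."""
    chain = build_chain()
    return verify_chain(chain, dbx={image_hash(chain[1])})


if __name__ == "__main__":
    for scenario in (scenario_clean, scenario_tampered_bootmgr, scenario_revoked_bootmgr):
        booted, log = scenario()
        print(scenario.__name__, "->", "BOOTED" if booted else "HALTED")
        for line in log:
            print("   ", line)
```

Running the script prints one verification log per scenario. The revocation scenario is the practical caveat: a signature check alone cannot distinguish a trustworthy signed image from an old signed image with a known logic flaw, so the defender's lever is revocation of the vulnerable image's hash, not just shipping a patched one.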

Previously:

  Custom-Made UEFI Bootkit Found Lurking in the Wild
  First-Ever UEFI Rootkit Tied To Sednit APT

Original Submission

Links

  1. "fliptop" - https://soylentnews.org/~fliptop/
  2. "continuing evolution of UEFI bootkits" - https://arstechnica.com/information-technology/2023/03/unkillable-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw/
  3. "short for Unified Extensible Firmware Interface" - https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
  4. "UEFI Secure Boot" - https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
  5. "CVE-2022-21894" - https://nvd.nist.gov/vuln/detail/CVE-2022-21894
  6. "Microsoft patched" - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21894
  7. "Baton Drop" - https://github.com/Wack0/CVE-2022-21894
  8. "Custom-Made UEFI Bootkit Found Lurking in the Wild" - https://soylentnews.org/article.pl?sid=20/10/06/0027258
  9. "First-Ever UEFI Rootkit Tied To Sednit APT" - https://soylentnews.org/article.pl?sid=18/12/29/2226234
  10. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=58837

© Copyright 2024 - SoylentNews, All Rights Reserved

printed from SoylentNews, Stealthy UEFI Malware Bypassing Secure Boot Enabled by Unpatchable Windows Flaw on 2024-04-25 13:57:36