Researchers found BlackLotus uses an old vulnerability and can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled. Credit: Solarseven / Getty Images A Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus is found to be capable of bypassing an essential platform security feature, UEFI Secure Boot, according to researchers from Slovakia-based cybersecurity firm ESET.BlackLotus uses an old vulnerability and can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled, the researchers found.UEFI Secure Boot is a feature of the UEFI firmware, which is a successor to the traditional BIOS (Basic Input/Output System) firmware found on older computers. Secure Boot is designed to ensure that the system boots only with trusted software and firmware. Bootkit on the other hand is a malware that infects the boot process of a computer. BlackLotus has been advertised and sold on underground forums for $5,000 since at least early October 2022, ESET said in a press statement. “We can now present evidence that the bootkit is real, and the advertisement is not merely a scam,” Martin Smolár, the ESET researcher who led the investigation into the bootkit, said in the press statement.BlackLotus uses old vulnerabilityBlackLotus takes advantage of a vulnerability that has been present for over a year (known as CVE-2022-21894) to bypass UEFI Secure Boot and establish persistence for the bootkit. This represents the initial instance of this vulnerability being publicly exploited in a real-world situation. Despite Microsoft releasing a fix for the vulnerability in January 2022, BlackLotus is capable of exploiting it and enabling attackers to disable security measures of the operating system, including BitLocker, HVCI, and Windows Defender.The bootkit has been able to still exploit the vulnerability post January fix because the validly signed binaries have still not been added to the UEFI revocation list, the mechanism to revoke the digital certificates of UEFI drivers.Due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of the UEFI vulnerabilities have left systems vulnerable even a long time after the vulnerabilities have been fixed, according to ESET.Bootkit deploys payload with kernel hackThe primary objective of BlackLotus, after it has been installed, is to initiate the deployment of a kernel driver, which serves to safeguard the bootkit against any attempts to eliminate it. It also deploys an HTTP downloader that enables communication with the Command and Control server and has the ability to load further user-mode or kernel-mode payloads.“Our investigation started with a few hits on what turned out to be (with a high level of confidence) the BlackLotus user-mode component — an HTTP downloader — in our telemetry late in 2022,” Smolár said. “After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers. This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware.”Certain BlackLotus installation packages, as analyzed by ESET, refrain from carrying out the installation of the bootkit in case the affected host employs regional settings associated with Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine. “The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet,” Smolar said. “We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”The ESET research team recommends keeping systems and its security products up to date to raise the chance that a threat will be stopped right at the beginning, before it’s able to achieve pre-OS persistence. Related content news UnitedHealth hackers exploited Citrix vulnerabilities, CEO to testify In the written testimony before the House Energy and Commerce Committee, CEO Andrew Witty said after gaining access, the threat actor moved laterally within the systems using sophisticated methods and exfiltrated data. By Prasanth Aby Thomas Apr 30, 2024 3 mins Hacker Groups Cyberattacks Vulnerabilities news Most attacks affecting SMBs target five older vulnerabilities Attackers target flaws for a reason: Even years after they are discovered, they still work. By John Dunn Apr 30, 2024 4 mins Threat and Vulnerability Management Network Security Vulnerabilities opinion Close the barn door now! Avoid the risk of not monitoring retained access before it’s a problem There’s usually a strict protocol for granting access to systems or data to a new employee or contractor. But there are perils in not keeping tabs on that access as that person moves around or leaves. By Christopher Burgess Apr 30, 2024 6 mins CSO and CISO Access Control Human Resources feature Cyber breach misinformation creates a haze of uncertainty A string of recent false or misleading cyber breach reports, fueled by rampant online dissemination, is fostering an atmosphere of growing misinformation that makes it difficult to separate fact from fiction. By Cynthia Brumfield Apr 30, 2024 9 mins CSO and CISO Data Breach Security Practices PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe