Windows 10: Windows 11 Security at risk? BlackLotus UEFI bootkit defeats Secure Boot

Discussion in 'Windows 10 News' started by GHacks, Mar 2, 2023.

  1. GHacks
    GHacks New Member

    Windows 11 Security at risk? BlackLotus UEFI bootkit defeats Secure Boot


    ESET security researchers have discovered a UEFI bootkit that defeats Secure Boot on Windows 11 and Windows 10 devices. Named BlackLotus, it is considered the first UEFI bootkit to have been detected in the wild.

    [Image: blacklotus-uefi-bootkit.png]

    The UEFI bootkit runs on fully up-to-date versions of Windows 11 with UEFI Secure Boot enabled. Bootkits like BlackLotus are very dangerous, as they have full control over the operating system boot process. That control enables them to disable various security mechanisms and deploy their "own kernel-mode or user-mode payloads" during the early stages of operating system start-up.

    This also makes them very stealthy and, thanks to their high privileges, very powerful.

    Secure Boot explained


    Secure Boot is a security standard designed to control the boot process of devices. At its core, it checks the signatures of boot software, including UEFI firmware drivers, EFI applications and the operating system, to make sure that all signatures are valid. Malware that manipulates any of these components would prevent the operating system from launching, as the signature check would fail. Microsoft's Windows 11 operating system requires Secure Boot.

    UEFI Secure Boot is designed to prevent UEFI bootkits. ESET notes that a number of known vulnerabilities exist, and that some of these work even on fully updated systems. BlackLotus exploits one of these issues.

    BlackLotus malware


    ESET researchers discovered the first components of BlackLotus back in late 2022, when they noticed "the BlackLotus user-mode component" in telemetry. Assessment led to the discovery of six BlackLotus installers and the realization that BlackLotus was no ordinary malware.

    The researchers made the following discoveries about the malware:

    • BlackLotus was able to run on fully patched Windows 11 systems with UEFI Secure Boot enabled.
    • The malware exploits a year-old vulnerability, CVE-2022-21894, a Secure Boot security feature bypass. Microsoft fixed the issue in the January 2022 update, but exploitation is still possible, "as the affected, validly signed binaries have still not been added to the UEFI revocation list".
    • The malware can disable operating system security features, including BitLocker, Windows Defender and HVCI (Hypervisor-Protected Code Integrity).
    • BlackLotus deploys a kernel driver, which protects the bootkit, and an HTTP downloader, which communicates with the command-and-control server and may load additional payloads.
    • The earliest mention of BlackLotus dates back to October 6, 2022. The bootkit was advertised on an underground forum.
    • Some of the BlackLotus installers skip the bootkit installations if they detect certain locales on the device.

    ESET's analysis of BlackLotus is detailed and very technical. Interested users should check out the blog post for the full details.

    BlackLotus mitigations and remediation


    ESET recommends keeping the system and security software up to date. Some security applications may be able to detect the threat before it has a chance to infect the system and achieve persistence.

    The main step should be the revocation of the known vulnerable UEFI binaries that are used to bypass UEFI Secure Boot. ESET recommends distributing the revocations via Windows Update, but that is something users have no control over. The company notes that revocation could lead to issues with systems, recovery images and backups, which could become unbootable.

    The use of common sense, as always, may also prevent infection of systems. Use of virtual machines or sandbox environments to run executable files of questionable origin may reduce the risk of infection.

    ESET published BlackLotus file signatures, certificates and domains on its website. These may be blocked preemptively.

    Closing Words


    The BlackLotus UEFI bootkit is a powerful piece of malware. It can successfully attack fully patched Windows 11 systems with Secure Boot enabled and become a persistent threat on infected devices. The scope of attacks is unknown at this point.

    Thank you for being a Ghacks reader. The post Windows 11 Security at risk? BlackLotus UEFI bootkit defeats Secure Boot appeared first on gHacks Technology News.

     
    GHacks, Mar 2, 2023
    #1
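The revocation step the post describes ("the affected, validly signed binaries have still not been added to the UEFI revocation list") comes down to whether a given boot manager's hash is present in the firmware's DBX variable. The following Python is an added example, not code from ESET or gHacks: it parses the EFI_SIGNATURE_LIST format that db and dbx share and checks whether a hash is on the forbidden list. The GUIDs are the ones defined in the UEFI specification; the two "revoked" hashes and the certificate blob are constructed test data, not real Microsoft or BlackLotus hashes, and the `dbx-...` efivars path is the Linux location of the variable.

```python
"""Parse UEFI Secure Boot signature databases (db / dbx) and test whether a
boot binary's hash is on the revocation list.

Added example; not from ESET or gHacks. The DBX contents built at the bottom
are constructed for illustration and are not real Microsoft or BlackLotus hashes.
"""
import hashlib
import struct
import uuid
from typing import List, Set, Tuple

# SignatureType GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID under which the db and dbx variables live (EFI_IMAGE_SECURITY_DATABASE_GUID).
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

SIG_LIST_HEADER = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HEADER_LEN = 16 + SIG_LIST_HEADER.size  # type GUID + three u32 fields = 28 bytes

SignatureList = Tuple[uuid.UUID, List[Tuple[uuid.UUID, bytes]]]


def parse_signature_lists(blob: bytes) -> List[SignatureList]:
    """Walk the concatenated EFI_SIGNATURE_LIST structures in a db/dbx blob.

    Each list: SignatureType GUID (16 bytes, EFI mixed-endian layout), then
    SignatureListSize / SignatureHeaderSize / SignatureSize (u32 LE), an optional
    header, then entries of SignatureSize bytes = SignatureOwner GUID (16) + data.
    Inconsistent sizes raise ValueError instead of being skipped silently.
    """
    lists: List[SignatureList] = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < SIG_LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % offset)
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HEADER.unpack_from(blob, offset + 16)
        entries_start = offset + SIG_LIST_HEADER_LEN + hdr_size
        entries_end = offset + list_size
        if sig_size <= 16 or entries_start > entries_end or entries_end > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % offset)
        if (entries_end - entries_start) % sig_size:
            raise ValueError("entries do not fill EFI_SIGNATURE_LIST at offset %d" % offset)
        entries = []
        for pos in range(entries_start, entries_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((owner, blob[pos + 16:pos + sig_size]))
        lists.append((sig_type, entries))
        offset = entries_end
    return lists


def revoked_sha256_hashes(dbx_blob: bytes) -> Set[bytes]:
    """Collect the SHA-256 image hashes from a dbx blob; certificate lists are ignored."""
    hashes: Set[bytes] = set()
    for sig_type, entries in parse_signature_lists(dbx_blob):
        if sig_type == EFI_CERT_SHA256_GUID:
            hashes.update(data for _, data in entries if len(data) == 32)
    return hashes


def is_revoked(authenticode_sha256: bytes, dbx_blob: bytes) -> bool:
    """True if the hash is forbidden. Firmware compares the PE Authenticode hash
    (checksum field and certificate table excluded), not a plain hash of the file."""
    return authenticode_sha256 in revoked_sha256_hashes(dbx_blob)


def build_sha256_list(hashes: List[bytes], owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Encode one EFI_SIGNATURE_LIST of SHA-256 entries (used here to build test data)."""
    sig_size = 16 + 32
    header = EFI_CERT_SHA256_GUID.bytes_le + SIG_LIST_HEADER.pack(
        SIG_LIST_HEADER_LEN + sig_size * len(hashes), 0, sig_size)
    return header + b"".join(owner.bytes_le + h for h in hashes)


def build_x509_list(cert_der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Encode one EFI_SIGNATURE_LIST holding a single certificate blob."""
    sig_size = 16 + len(cert_der)
    header = EFI_CERT_X509_GUID.bytes_le + SIG_LIST_HEADER.pack(
        SIG_LIST_HEADER_LEN + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def load_dbx_from_efivars(
        path: str = "/sys/firmware/efi/efivars/dbx-" + EFI_IMAGE_SECURITY_DATABASE_GUID) -> bytes:
    """Linux: efivarfs prepends a 4-byte attribute word that is not part of the variable data."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample dbx: two made-up "revoked boot manager" hashes plus a fake
# certificate list, so the parser has to step over a non-hash list. Not real revocations.
SAMPLE_REVOKED = [hashlib.sha256(b"constructed-bootmgr-A").digest(),
                  hashlib.sha256(b"constructed-bootmgr-B").digest()]
SAMPLE_UNKNOWN = hashlib.sha256(b"constructed-unrelated-binary").digest()
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED) + build_x509_list(b"not-a-real-der-cert")

if __name__ == "__main__":
    for label, h in (("bootmgr-A", SAMPLE_REVOKED[0]), ("unrelated", SAMPLE_UNKNOWN)):
        print(label, "revoked" if is_revoked(h, SAMPLE_DBX) else "not revoked")
```

On Windows the same blob comes from an elevated PowerShell session: `Confirm-SecureBootUEFI` reports whether Secure Boot is enforced at all, and `(Get-SecureBootUEFI -Name DBX).Bytes` returns the dbx data that `revoked_sha256_hashes` expects. Two caveats matter for the BlackLotus case: the hash to look up is the Authenticode hash the firmware computes over the PE image, not a `sha256sum` of the file, and a hash being absent from DBX means only that the binary is still allowed to run, which is exactly the gap the post describes for the CVE-2022-21894 boot managers.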
  2. newtekie1 Win User

    Windows 8 Secure Boot Feature: Not So Secure?

    • Linux
    • Linux
    • Linux
    • Linux
    • Oh and OSX
    Here is a statement from a Kernel Developer at Red Hat:

    I'm not sure this exploits the legacy BIOS but rather it exploits the legacy boot method on MBR drives, injecting a signed key before the OS boots, which you are correct in that it has nothing to do with Windows 8. And the simplest fix would just be to require boot drives use GPT when Secure Boot is enabled in UEFI.
     
    newtekie1, Mar 2, 2023
    #2
  3. Windows 8 Secure Boot Feature: Not So Secure?

    So Linux is switching to secure boot also? Or they have to because of UEFI?
     
    Damn_Smooth, Mar 2, 2023
    #3
  4. qubit Win User


    Windows 8 Secure Boot Feature: Not So Secure?

    I had a feeling you wouldn't be convinced... lol

    Re your Windows example, I have the actual OEM DVD box of the 64-bit version of XP in my paw as we speak and you know what it's called? "Microsoft Windows XP Professional x64 Edition". Yup, industry standard feature of '64-bit processing' is embedded right there in the product name. You surely must have seen these in your shop? qubit 1, NT 0 ;)

    Here, look at this snippet from InfoWorld:

    Exactly the same way I've said it. So they surely must be wrong as well? I guess you're gonna say that the quotes make a difference?
     
    qubit, Mar 2, 2023
    #4