BlackLotus Secure Boot Bypass Malware Set to Ramp Up

BlackLotus, the first in-the-wild malware to bypass Microsoft’s Secure Boot (even on fully patched systems), will spawn copycats and, available in an easy-to-use bootkit on the Dark Web, inspire firmware attackers to increase their activity, security experts said this week.

That means that companies need to increase efforts to validate the integrity of their servers, laptops, and workstations, starting now.

On March 1, cybersecurity firm ESET published an analysis of the BlackLotus bootkit, which bypasses a fundamental Windows security feature known as Unified Extensible Firmware Interface (UEFI) Secure Boot. Microsoft introduced Secure Boot more than a decade ago, and it’s now considered one of the foundations of its Zero Trust framework for Windows because of the difficulty in subverting it.

Yet threat actors and security researchers have targeted Secure Boot implementations more and more, and for good reason: Because UEFI is the lowest level of firmware on a system (responsible for the booting-up process), finding a vulnerability in the interface code allows an attacker to execute malware before the operating system kernel, security apps, and any other software can swing into action. This ensures the implantation of persistent malware that normal security agents will not detect. It also offers the ability to execute in kernel mode, to control and subvert every other program on the machine — even after OS reinstalls and hard drive replacements — and load additional malware at the kernel level.

There have been some previous vulnerabilities in boot technology, such as the BootHole flaw disclosed in 2020 that affected the Linux bootloader GRUB2, and a firmware flaw in five Acer laptop models that could be used to disable Secure Boot. The US Department of Homeland Security and Department of Commerce even recently warned about the persistent threat posed by firmware rootkits and bootkits in a draft report on supply chain security issues. But BlackLotus ups the stakes on firmware issues significantly.

That’s because while Microsoft patched the flaw that BlackLotus targets (a vulnerability known as Baton Drop or CVE-2022-21894), the patch only makes exploitation more difficult — not…