Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    [mc4wp_form id=3515]
    What's Hot

    Name That Toon: Last Line of Defense

    April 16, 2024

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Facebook Twitter Instagram
    • Privacy Policy
    • Contact Us
    Facebook Twitter Instagram Pinterest Vimeo
    AI Home SecurityAI Home Security
    • Home
    • Home Security
    • Cyber Security
    • Biometric Technology
    Contact
    AI Home SecurityAI Home Security
    Home»Cyber Security»BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11
    Cyber Security

    BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11

    justmattgBy justmattgMarch 1, 2023No Comments4 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email

    [ad_1]

    Mar 01, 2023Ravie LakshmananEndpoint Security / Cyber Threat

    UEFI Bootkit Malware

    A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape.

    “This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled,” Slovak cybersecurity company ESET said in a report shared with The Hacker News.

    UEFI bootkits are deployed in the system firmware and allow full control over the operating system (OS) boot process, thereby making it possible to disable OS-level security mechanisms and deploy arbitrary payloads during startup with high privileges.

    Offered for sale at $5,000 (and $200 per new subsequent version), the powerful and persistent toolkit is programmed in Assembly and C and is 80 kilobytes in size. It also features geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.

    Details about BlackLotus first emerged in October 2022, with Kaspersky security researcher Sergey Lozhkin describing it as a sophisticated crimeware solution.

    “This represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility, and most importantly, the potential for much more impact in the forms of persistence, evasion, and/or destruction,” Eclypsium’s Scott Scheferman noted.

    BlackLotus, in a nutshell, exploits a security flaw tracked as CVE-2022-21894 (aka Baton Drop) to get around UEFI Secure Boot protections and set up persistence. The vulnerability was addressed by Microsoft as part of its January 2022 Patch Tuesday update.

    A successful exploitation of the flaw allows arbitrary code execution during early boot phases, permitting a threat actor to carry out malicious actions on a system with UEFI Secure Boot enabled without having physical access to it, ESET said.

    UEFI Bootkit Malware

    “This is the first publicly known, in-the-wild abuse of this vulnerability,” ESET researcher Martin Smolár said. “Its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list.”

    “BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability,” effectively paving the way for Bring Your Own Vulnerable Driver (BYOVD) attacks.

    Besides being equipped to turn off security mechanisms like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender, it’s also engineered to drop a kernel driver and an HTTP downloader that communicates with a command-and-control (C2) server to retrieve additional user-mode or kernel-mode malware.

    The exact modus operandi used to deploy the bootkit is unknown as yet, but it starts with an installer component that’s responsible for writing the files to the EFI system partition, disabling HVCI and BitLocker, and then rebooting the host.

    The restart is followed by the weaponization of CVE-2022-21894 to achieve persistence and install the bootkit, after which it is automatically executed on every system start to deploy the kernel driver.

    While the driver is tasked with launching the user-mode HTTP downloader and running next-stage kernel-mode payloads, the latter is capable of executing commands received from the C2 server over HTTPS.

    This includes downloading and executing a kernel driver, DLL, or a regular executable; fetching bootkit updates, and even uninstalling the bootkit from the infected system.

    “Many critical vulnerabilities affecting security of UEFI systems have been discovered in the last few years,” Smolár said. “Unfortunately, due the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left many systems vulnerable even a long time after the vulnerabilities have been fixed – or at least after we were told they were fixed.”

    “It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled.”

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.



    [ad_2]

    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleBitdefender Releases Free Decryptor for MortalKombat Ransomware Strain
    Next Article Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware
    justmattg
    • Website

    Related Posts

    Cyber Security

    Name That Toon: Last Line of Defense

    April 16, 2024
    Cyber Security

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024
    Cyber Security

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Add A Comment

    Leave A Reply Cancel Reply

    Demo
    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Don't Miss
    Cyber Security

    Name That Toon: Last Line of Defense

    justmattgApril 16, 2024

    [ad_1] The enemies are always getting closer, using the same advanced technologies as security pros…

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024

    Muddled Libra Shifts Focus to SaaS and Cloud for Extortion and Data Theft Attacks

    April 16, 2024

    Subscribe to Updates

    Get the latest creative news from SmartMag about art & design.

    [mc4wp_form id=3515]
    Demo
    Top Posts

    Name That Toon: Last Line of Defense

    April 16, 2024

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Latest Reviews
    Cyber Security

    Name That Toon: Last Line of Defense

    justmattgApril 16, 2024

    [ad_1] The enemies are always getting closer, using the same advanced technologies as security pros…

    Cyber Security

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    justmattgApril 16, 2024

    [ad_1] Apr 16, 2024NewsroomSupply Chain / Software Security Security researchers have uncovered a “credible” takeover…

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    [mc4wp_form id=3515]
    Demo
    MOST POPULAR

    Name That Toon: Last Line of Defense

    April 16, 2024

    California mountain lion P-22 left mark on wildlife conservation

    January 1, 2023

    Congress Again Writes To Home Minister Amit Shah Over Rahul Gandhi’s Security

    January 1, 2023
    OUR PICKS

    Name That Toon: Last Line of Defense

    April 16, 2024

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    [mc4wp_form id=3515]
    Facebook Twitter Instagram Pinterest
    • Privacy Policy
    • Contact Us
    AI Home Security © 2025 All rights reserved | Designed By ESmartsSolution

    Type above and press Enter to search. Press Esc to cancel.

    ↑