BlackLotus Malware Hijacks Windows Secure Boot Process

Researchers have discovered malware that “can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.”

Dubbed BlackLotus, the malware is what’s known as a UEFI bootkit. These sophisticated pieces of malware target the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC’s device firmware with its operating system, the UEFI is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch. Previously discovered bootkits such as CosmicStrand, MosaicRegressor, and MoonBounce work by targeting the UEFI firmware stored in the flash storage chip. Others, including BlackLotus, target the software stored in the EFI system partition.

Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to launch malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.

ESET has an analysis:

The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn’t gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature—UEFI Secure Boot—is now a reality. In this blogpost we present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022.

[…]

  • It’s capable of running on the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled.
  • It exploits a more than one year old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability.
  • Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate—but vulnerable—binaries to the system in order to exploit the vulnerability.
  • It’s capable of disabling OS security mechanisms such as BitLocker, HVCI, and Windows Defender.
  • Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit from removal), and an HTTP downloader responsible for communication with the C&C and capable of loading additional user-mode or kernel-mode payloads.

This is impressive stuff.

Tags: , , ,

Posted on March 8, 2023 at 6:11 AM20 Comments

Comments

iAPX March 8, 2023 6:53 AM

And the fairytale of trust chain is broken…

Unsupported and thus non-updated drivers are in use in a huge number of computers, also unsupported by their builders, thus Microsoft could not really take the step to block them with the risk of bricking these computers.

And we end-up with this nightmare, were there is a well-known threat and a well-known means to stop it, but it could not be done…

Leon Theremin March 8, 2023 8:38 AM

That, UEFI backdoors, sounds impressive until you have your fully air-gapped computer messed up with BadBIOS by the criminals behind Havana Syndrome to prevent your scientific research from progressing.

No computer is safe, period.

Read or watch “The Three Body Problem” series to understand why humanity is under electromagnetic surveillance and sabotage and our science and tech is hindered so we can’t defend ourselves.

Religion is organized fraud to prevent scientific progress, but attacks with radiation are done to scientist also.

https://www.youtube.com/watch?v=YrLompD6e_k

Matthias U March 8, 2023 9:23 AM

Meanwhile, the UEFI CRL page has no public signature on these revocation list files, no release date of the latest version, and no RSS feed to watch for updates. What should I do, download the file weekly and alert my operators whenever it has been changed?

They also state that “Distribution of the data in these files to running systems could cause instability”. Does anybody even know why?

I’ll ignore the content-free legalese nonsense, this form is too short to contain the rant I’d otherwise add here.

The answer to the question “How brain-dead can you be?” has always been “Deader”.

John Tillotson March 8, 2023 10:39 AM

It’s interesting that the response of the vendors to security problems is “make something big and fancy and complicated to solve the problem”, where often the security problems would probably be better mitigated by simplifying systems. Somehow in the commercial software space we wind up with many layers of crappy security, although we may be much better served by a simplified and thoroughly sorted and audited system.

Besides, was UEFI really meant to be a genuine security solution, or was “security” just an excuse to help implement this complicated system to get closer to universal lock-in with a vendor?

As with all discussions on “trust” in security, it’s very important to consider the 1984 essay “Reflections on trusting trust” by Ken Thompson: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

@IAPX “And the fairytale of trust chain is broken…” is the best quote I’ve heard on this issue: Thanks!

MSB March 8, 2023 1:51 PM

I do miss the old days where many computers had a jumper or DIP switch that had to be physically moved to enable writing to the BIOS.

Until we see legislation that enforces liability for these failures, companies have no motivation to fix bad practices. It’s not like it’s possible for meaningful competition to even exist in this market-place, as the incumbent players have so much power they can just buy up or outright squash any competition.

Pretty much every other industry has regulations and standards that must be applied to prevent harm and damage to the individuals. We have regulated bodies that manage those standards in a constantly evolving manner; We have and government inspectors that ensure those standards are being met; and we have enforcement with judiciary oversight. This applies to everything from building to food to packaging and labelling. It’s time to get software organized and start holding corporations responsible for the TRILLIONS of dollars in damages they cause every year!

Clive Robinson March 8, 2023 3:45 PM

@ Bruce, ALL,

Re : Where it all started.

“This is impressive stuff.”

In some ways yes, in others definitely not.

First a bit of history,

As I’ve mentioned in the past over several years the problem originated back in the 1970’s with Apple and the Apple ][ computer. There is a logical problem with “drivers” for storage and communications systems.

When you boot a computer it has to get drivers for non-native hardware from somewhere. Apple decided that the interface cards would store the basics to become functional in an on card “Boot-ROM”. So as the Basic I/O System (BIOS) came up after the Power On Sytstem Test(POST) it would copy the Boot-ROM code into RAM and make “I/O hooks” to link it into the “I/O Handler” jump table. Once done it was available as the OS came up, and in the case of the Apple][ design stayed available. The “skunk-works” design of the IBM-PC copied this I/O model and it stayed with us so that Lenovo could install malware on all it’s consumer level laptops and for a very serious security hole to exist which gained renued public knowledge with the idea of BadBIOS.

This security hole still exists even though those behind UEFI said it would not… As,I’ve repeatedly pointed out “signed code is a joke” for longer than this blog has existed and you will find discussions between @Nick P, myself and later @Wael about the failings of it and UEFI so this is not “new news”.

As, @iAPX observes above,

“And the fairytale of trust chain is broken…”

Thus the real questions are,

1, Can it be fixed?
2, Can we mitigate it?

To which the short answers are “No” and “Yes” respectively.

The long answer is the same for both, you have to accept the fact you loose so much functionality and incure so many other issues you won’t want to start the journey or reach the destination.

So time for yet another of my predictions,

“This is another present that will keep giving effectively indefinately”

Why because trying to fix it is actually impossible without loss of what is seen as critical functionality, thus will not be tolerated (even though some “Smart Device” designs have tried, they can not remove both communications and storage upgrades that necessitate this issue).

So some “infinate regression” in action will happen to fix this curent CVE, but… That does not solve the underlying problem, so this issue will reapear again using some other vulnerability in software, firmware, or hardware (oh and don’t forget the wetware either). Each fix will be,

“A sticking plaster on a broken bone”

Solution, that fixes the visable surface synptoms, but not the true underlying problem.

This security failure has been with us getting in to it’s sixth decade or 30 technology generations, and nobody has come up with an acceptable fix, nore will they any time soon if at all (give up being able to augment communications and storage and you have a mitigation, but not a fix).

Keith Douglas March 8, 2023 4:28 PM

John Tillotson – failure to learn from the developers (which admittedly devs have yet to learn completely either). I attended a workshop a few years ago which I later read the paper about: “Deliver Less Software and Delight Your Clients”. Too many features, too many corner cases and “they might need it”.

the more you eat the more you... March 8, 2023 10:23 PM

If only people would:

Stop:

  • collaborating with M$
  • working for M$
  • contributing in any way to M$
  • refusing to allow modifications to hardware/mobo by M$
  • developers shift to open source and flee M$
  • hardware manufacturers working with/for M$
  • talking about M$, on blogs, news sites, reddit, etc.
  • M$ from having so much power/influence around the world
  • hiring former M$ people
  • talking to M$ people
  • accepting the EULA and instead demanding a refund on OEM h/w
  • using M$ software, hardware, and services
  • M$ from buying or partnering with gaming companies
  • playing games on M$

and so on…

Clive Robinson March 9, 2023 9:13 AM

@ bobthebuilder

Re : The importance of knowing the past.

You say,

“Ahhh no, not while maintaining the expected functionality”

The question arises,

“Do you understand the issue?”

Your use of “expected” rather than “necessary” strongly suggests that like most in ICT and ICTsec in particular you do not.

The thing is I’ve worked in many engineering disciplines from designing boats through designing medical equipment, safety critical equipment, space payloads and their bus systems as well as “Fast Moving Consumer Electronics”(FMCE) and Mil Spec etc. As well as software at all levels from the actual design of “Register Transfer Language”(RTL) for ALU/CPU using discreet and bitslice logic throuch microcode and through the ISA out into assembler across the divide into Algol like languages and up the stack.

A marked difference between hardware engineering and software is,

“Learning from history”

It hardly happens in software design and as for ICTsec the fact that almost identical attacks happen every few years suggest there are “no lessons learned in ICTsec”.

Which brings us to your,

“… the talking heads continue to ask such irrelevant questions as Who knew what, when and for how long?”

The reason it’s important is it’s not just those who you dismiss as “talking heads” asking. It now includes angry legislators as well, on both sides of the puddle[1]. Trust me when I say they could easily make your life a living hell, and with what has recently come out of the Whitehouse, and the proposed EU CRA it looks like they are sharpening the toasting forks.

But there are also the “silent questioners” to frightened to put their hands up and ask. Why? Because of “Managment” and very very poor “industry practice” where now shipping product that fails any reasonable merchantability test is the norm not the exception of flyby night crooks grabing a quick buck and running in just about any other commodity market you can name.

So yes the history is important especially the “Why?” and “how long” as these give an indicator as to the difficulty of resolving the problem.

As I noted above,

“This security failure has been with us getting in to it’s sixth decade or 30 technology generations, and nobody has come up with an acceptable fix, nore will they any time soon if at all (give[ing] up being able to augment communications and storage and you have a mitigation, but not a fix).”

So now nowing that,

“What constructive thing are you going to do to change it?”

Over to you, for a reply.

[1] It was the Biden administration a few days ago ratteling the Software Development cage with the “National Cybersecurity Strategy”(NCS). Rather than read the press blurb a more to the point industry focused view,

https://www.axios.com/2023/03/02/national-cybersecurity-strategy-biden

Now it’s the EU turn with their CRA proposal and this will blow many if not all pieces of software appart. From what I remember and orhers appear to realise effectively all products will be covered for a €15million fine or higher,

https://berthub.eu/articles/posts/eu-cra-secure-coding-solution/

Ismar March 9, 2023 5:38 PM

Why not ask ChatGTP for a solution;-) ?
BTW the way I read this, to perform initial infection you either need physical access to the computer or have admin rights on the same so it is not all bad news

Bobthebuilder March 10, 2023 4:27 PM

Looks like Bob is unwelcome in these parts. Not sure what was wrong with my last post but like whatever. Enjoy!

Winter March 10, 2023 5:21 PM

@Bobthebuilder

Not sure what was wrong with my last post but like whatever. Enjoy!

It has happened to every one of us. No one knows why one post is blocked and another is not. That’s life.

Clive Robinson March 10, 2023 6:01 PM

@ Bobthebuilder,

“Not sure what was wrong with my last post”

Having read and replied to your post, I can tell you it was clearly in breach of this blogs posting rules.

You can find a link to the rules given on every Friday Squid thread.

Read them and you will see what it is you did wrong.

Bobthebuilder March 10, 2023 6:49 PM

@Clive
Profanity??
maybe in some circles it was excessive, but I can assure you in my world it would be considered civil and displaying remarkable self restraint given my disgust for the self-serving nature of our information security industry.

If you want real solutions then don’t ask for the opinion of anyone that profits from today’s silliness. They’ll never find a solution because the intended purpose for most products, in the information security domain, is to leak said information as opposed to securing it.
Information Security is a magic trick…you’re never suppose to ask what’s behind the curtain.

iAPX March 10, 2023 7:33 PM

Some of my comments have not been accepted, not censored, just not accepted.
There are rules and also there is a clear owner of this space.

This reminds me of a rule for a 80’s online service in France:
“Est maître des lieux celui qui les créé et les organise”
(Is the master the one that create this space and organize it)

And I respect that.

Clive Robinson March 10, 2023 7:38 PM

@ Bobthebuilder,

“Profanity??”

That won’t have Helped.

But it was probably “partisan politics” where you crossed the line.

In general politics is problematic and has in the past caused significant friction and wasted “column inches”.

It causes most issues when political party or persons are invoked, as they almost always raise strong feelings.

Even non partisan “social or economic” politics are best avoided unless they are strongly supporting an actual security issue related to ICTsec or related areas. Even then stick to “method” and “outcomes” and keep it as neutral as possible.

MarkH March 10, 2023 8:41 PM

@Bob, whose comment included the phrase “given my disgust.” That might be a clue right there.

Emotions are natural and human, and motivate us to do things that are good or bad or indifferent.

Emotional states don’t convey useful information about the external world, or offer solutions to difficult problems.

If the correct result of a problem is 42, nobody except my nearest or dearest cares how I felt about the problem, or the process of solving it. Venting is not solution-finding.

Suggestion: write with the respect and decorum you’d use when meeting for the first time the mother of a professional colleague.

Bobthebuilder March 10, 2023 9:59 PM

@MarkH with all due respect some of us aren’t interested in hiding our feelings.
The Information security industry has earned my distain, they deserve every ounce of vitriol that I can splash on them.
To be honest if you don’t have a passion for a topic then why waste your time on it.
I guess that’s that then….

MarkH March 10, 2023 10:16 PM

@Bob:

There’s nothing wrong with emotions, as I carefully note in my previous comment (please read attentively).

No matter how enthused / excited / frustrated / angry / resentful / etc. etc. etc. I may feel about any particular matter, venting my emotions in this forum is a complete waste of my time.

If readers cast their eye over such useless venting, it’s a complete waste of their time.

An excellent recipe for security mistakes is to prize emotion over fact and logic.

Constructive presentations of facts, analysis and sound reasoning from you or any other contributor are usually received with intelligent interest.

Untitled March 13, 2023 5:36 AM

@Ismar

the way I read this, to perform initial infection you either need physical access to the computer or have admin rights on the same so it is not all bad news

It is bad news, seeing that outside controlled environments, most average (l)user Windows PCs run in admin mode anyway, or if by chance they’re in standard mode, every software update demands, and gets, admin privileges. Who cares about M$ (l)users? We should, because apart from the theft and fraud, millions of pwned PCs make great botnets.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.