To secure this very powerful component of modern computing, the idea of secure boot, firmware signing keys, and other operating system controls were developed to prevent an attacker from inserting malware and avoiding operating system level protections. Sadly, as with all things threat groups were not onboard with this (perhaps they missed the meeting) and very sophisticated groups began targeting UEFI firmware. This led to the creation of a new industry, UEFI firmware vulnerability scanning and reporting. As the number of confirmed attacks and vulnerabilities identified grew is became clear that what was once thought of as very secure, was open to people with the right skill set. Of course, this should have been the case when you consider that some of the first POCs for UEFI based malware and agents were shown at Def Con in 2014. Now that we have some history on the subject, we can dive into today’s news about UEFI and one of the more dangerous UEFI bootkits, BlackLotus.
When BlackLotus first popped up on the scene it was found to exploit a UEFI vulnerability CVE-2022-21894 (Baton Drop) and was able to turn off OS-Level security protections in Windows as well as bypass Secure Boot (which is was not supposed to be able to). Microsoft quickly patched the attack vector in the same year, but the BlackLotus team was able to get around the fix and continue exploiting Windows based systems via the UEFI. This is even after a number of fixes and revocations and one “patch” that is not even enabled by default because it has the potential to brick a system and make it non-recoverable.
Although BlackLotus and its updates have always been for sale on the darker sides of the internet, it was not until recently that the source code has been available. Attackers of all skill levels could buy BlackLotus for about $5,000 and updates for around $200 meaning this was not a tool specific to any particular group as long as they had the money. Now that the source code is out, things have changed. While it does not mean that just anyone can create a UEFI hack, it does lower the R&D cost for groups that already possess a certain level of skill. Available to anyone via GitHub thanks to the work “Yukari” the flavor of BlackLotus does not contain the Baton Drop vulnerability pivot but has the “bootlicker” UEFI rootkit instead.
Researchers at Binarly have reviewed the code and say that it is not complete but does have enough information to allow other groups to develop their own UEFI based malware. Remember, Microsoft did not push out the fix for the type of exploitation due to the inherent risks involved. That means that while there is a patch, and it may show as “installed” the patch is actually disabled due to the massive changes to Secure Boot. Both Microsoft and the NSA have provided guidance on detection and mitigation for BlackLotus in the past, but it is a great idea to read these if you have not already and re-read them even if you have and then put them into practice.
It might also be a good idea to start testing the fixes Microsoft put in place for CVE-2022-21894 and CVE-2023-24932 in your environment. This may take time and involve some minor risk in ensuring you do not end up with a bricked system but given the expansion of this new threat it would be worth it to start now before the threat groups start developing and testing their new toys. Once a UEFI system is infected it can be exceptionally hard to detect and wreak havoc while it is in an environment.
Stay Safe out there