BlackLotus - This is going to be fun to fight...

Sky-Knight

After reading the referenced article, why is this news now? From the article:

"BlackLotus, in a nutshell, exploits a security flaw tracked as CVE-2022-21894 (aka Baton Drop) to get around UEFI Secure Boot protections and set up persistence. The vulnerability was addressed by Microsoft as part of its January 2022 Patch Tuesday update."

The proverbial horse was out of the barn quite a while back, and corralled over a year ago. I don't get why this is a "big deal" over a year after the vulnerability was patched (which isn't to say the vulnerability was not a big deal, but if anyone has an unpatched system by now, they had to go to great lengths to keep it that way).

There doesn't seem to be any "new news" here, upon further reading.
 
After reading the referenced article, why is this news now? From the article:


There doesn't seem to be any "new news" here, upon further reading.

Because it's getting worse and worse, and as some of the malware kits do...they play the "cat and mouse game" faster than the software vendors' patches.
BL can/does/will run on fully updated systems, even the latest patched Windows 11...disabling BitLocker, kicking user access control out the door,


ESET's article...dated March 01, 2023.
 
Because it's getting worse and worse, and as some of the malware kits do...they play the "cat and mouse game" faster than the software vendors' patches.

And the articles you cite point that out. The original does not, which is why I found it rather strange.

Announcing a horror that's been successfully patched (but - let's be clear - it really hasn't or at least variants haven't) over a year ago is nothing more than clickbait. If it's active in the wild and can infect, which apparently it still is and has been confirmed, then that's a story.
 
@YeOldeStonecat Hooking this topic in with your other one regarding the stolen M365 auth cookies...

This malware subverts the device trust entirely, so now AAD Joined machines cannot be trusted either. These two problems combined are not solvable.
 