Navigating the BlackLotus Threat: Unraveling the UEFI BootKit Attack

Threat Overview – BlackLotus

Every so often, a unique and significant cyber threat emerges in the wild. The BlackLotus UEFI BootKit is one such threat. Written in assembly and C, this malware targets Windows systems, including fully patched Windows 11 installations. Unlike other BootKits that implant themselves in the UEFI firmware stored in the flash storage chip, BlackLotus is distinguished by its ability to disable Secure Boot and other Windows security features such as Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender.

Campaign Overview

BlackLotus is a cunningly sophisticated UEFI bootkit that targets the Unified Extensible Firmware Interface (UEFI), a specification for a software program connecting a computer’s firmware to its operating system. In doing so, it holds the power to manipulate the booting sequence in modern computers, making it a formidable foe in the realm of cyber threats.

The BlackLotus campaign exploits a vulnerability known as “Baton Drop” (CVE-2022-21894). This flaw enables the threat actors to bypass various Windows security features, including obtaining the keys for BitLocker, Microsoft’s hard drive encryption feature. Although Microsoft patched this vulnerability in January 2022, the fix is not enabled by default and must be applied manually.

Technical Details

Once Secure Boot is bypassed, BlackLotus can disable other Windows security features, deploying its own kernel-mode and user-mode payloads in the early stages of the OS startup. This affords the attackers high-level privileges and stealthy operations, making it a significant threat even to fully patched Windows 11 systems with UEFI Secure Boot enabled.

The National Security Agency (NSA) has recommended measures to protect systems against this threat. These include applying the latest security patches, updating recovery media, and enabling optional mitigations such as a Code Integrity Boot Policy. The NSA also advises hardening defensive policies, monitoring device integrity measurements and boot configuration, and customizing UEFI Secure Boot to deny older and vulnerable boot loaders.
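The monitoring items above (Secure Boot state, device integrity, boot configuration and the revocation of old boot loaders) can be turned into a repeatable posture check. The following PowerShell script is an added example, not code from Cyborg Security, the NSA advisory, or any Hunt Package. It assumes it runs elevated on a UEFI Windows host with the SecureBoot, BitLocker and DeviceGuard components available; the function names `Get-BootIntegrityPosture` and `Test-BootIntegrityPosture` are the example's own. It reports whether Secure Boot is on, how large the UEFI forbidden-signature database (DBX) is, whether HVCI is running, whether BitLocker protects the OS volume, and whether the BCD carries settings that weaken boot-time code integrity.

```powershell
#Requires -RunAsAdministrator
# Boot-integrity posture check (added example; assumes an elevated session on a UEFI Windows host).

function Get-BootIntegrityPosture {
    $result = [ordered]@{}

    # 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS systems,
    #    so a $null here means "not a UEFI system or query unsupported".
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $null }

    # 2. Size of the DBX revocation database. Compare this against the size recorded
    #    after the last revocation update you applied: a DBX that never grows means
    #    revocations for vulnerable signed boot loaders are not in place.
    try   { $result.DbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length }
    catch { $result.DbxBytes = $null }

    # 3. HVCI status from the DeviceGuard WMI class. SecurityServicesRunning
    #    contains 2 when HVCI is running (1 is Credential Guard).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.HvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # 4. BitLocker protection on the OS volume (On / Off / Unknown).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.BitLockerProtection = if ($os) { $os.ProtectionStatus.ToString() } else { 'Unavailable' }

    # 5. BCD settings that disable boot-time code integrity for the current OS entry.
    $bcd = bcdedit /enum '{current}' 2>$null
    $result.TestSigningOn      = [bool]($bcd -match '^\s*testsigning\s+Yes')
    $result.IntegrityChecksOff = [bool]($bcd -match '^\s*nointegritychecks\s+Yes')

    [pscustomobject]$result
}

function Test-BootIntegrityPosture {
    param([Parameter(Mandatory)]$Posture)
    # Turn the raw posture into a list of findings worth a hunt or a ticket.
    $findings = @()
    if ($Posture.SecureBootEnabled -ne $true)  { $findings += 'Secure Boot is not enabled' }
    if ($Posture.HvciRunning -ne $true)        { $findings += 'HVCI is not running' }
    if ($Posture.BitLockerProtection -ne 'On') { $findings += "BitLocker protection is $($Posture.BitLockerProtection)" }
    if ($Posture.TestSigningOn)                { $findings += 'testsigning is enabled in the BCD' }
    if ($Posture.IntegrityChecksOff)           { $findings += 'nointegritychecks is enabled in the BCD' }
    return $findings
}

$posture = Get-BootIntegrityPosture
$posture | Format-List
$findings = Test-BootIntegrityPosture -Posture $posture
if ($findings.Count -eq 0) { 'No boot-integrity findings' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from a scheduled task or your endpoint management tool and keep the output per host; the useful signal is change over time, such as Secure Boot flipping off, HVCI stopping, or a DBX size that does not move after a revocation update is rolled out. The DBX check deliberately reports only a size, because which boot loaders should be revoked depends on the guidance you follow and the recovery media you have already rebuilt.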

At Cyborg Security, our commitment to navigating such threats remains unswerving. We constantly update our Hunt Packages and Hunt Package Collections to keep up with threats, including BlackLotus. As more detection opportunities are identified, new Hunt Packages will be released. For more in-depth analysis and mitigation recommendations, we encourage you to consult the NSA’s advisory.

Taking Action Against BlackLotus

Staying one step ahead of cyber threats requires a proactive approach, and leveraging the right resources is paramount. In the face of threats like BlackLotus, Cyborg Security’s Hunt Packages can be a game-changer.

Our Hunt Packages, which include threat hunting content and a hunt management module, are designed to equip you with the tools to combat emerging threats like BlackLotus. The free access to these Hunt Packages can enhance your detection engineering capabilities and put you on the front foot against potential cyber threats.

If you don’t have a HUNTER Community account yet, we encourage you to sign up for one. It’s completely free and will grant you access to our continually updated library of Hunt Packages. Now is the time to act, build your defense, and ensure you’re prepared for whatever the cyber threat landscape throws your way.

Don’t just trust your security controls; verify them with Cyborg Security’s HUNTER Platform.
