NSA Issues Remediation Guidance for BlackLotus Malware

Organizations must ensure they’re taking all required steps to block the powerful BlackLotus UEFI bootkit that can seize control of fully patched Windows 11 systems, the U.S. National Security Agency warns.

See Also: OnDemand Webinar | Learn Why CISOs Are Embracing These Top ASM Use Cases Now

Because even fully patched Windows systems may remain vulnerable to the BlackLotus bootkit, the NSA is warning administrators of government and private networks to beware of having “a false sense of security.”

A bootkit “is a malicious program that is designed to load as early as possible in a device’s sequence, in order to control the operating system start,” according to Microsoft.

BlackLotus targets the “Baton Drop” boot loader flaw – designated CVE-2022-21894 – in Windows that an attacker can exploit to bypass Secure Boot, which includes security controls that protect a Windows system during startup. The risk is that a hacker “could successfully exploit the Baton Drop vulnerability, bypass Secure Boot and compromise the device,” the NSA said.

Microsoft released Windows updates to patch CVE-2022-21894 in January 2022 and again early this year, followed by additional protections in May. “All Windows devices with Secure Boot protections enabled are affected by this issue, both on-premises physical devices and some virtual machines or cloud-based devices,” Microsoft said. “Linux is also affected by this issue,” and Linux distribution providers are issuing their own guidance and mitigations.

Citing “significant confusion” among organizations that use Windows about how to best protect themselves against BlackLotus, the NSA has released a BlackLotus mitigation guide. The guide says that while “no Linux-targeting variant has been observed,” the malware could be updated to exploit Linux systems.

Blocking BlackLotus infections requires more than just ensuring patches are in place, said Zachary Blum, NSA’s platform security analyst.

“Protecting systems against BlackLotus is not a simple fix,” he said. “Patching is a good first step, but we also recommend hardening actions, dependent on your system’s configurations and security software used.”

Security experts say vulnerability alerts issued by Western intelligence agencies are often a sign that a flaw is being actively exploited in the wild, potentially by nation-state-level adversaries.

Why BlackLotus Still Works

Security firm Eset discovered the BlackLotus bootkit malware – the first of its kind ever found – earlier this year and reported that it appeared to have been retailing for $5,000 on hacking forums since at least October 2022.

The malware targets the Unified Extensible Firmware Interface, which connects a device’s firmware to its operating system.

“UEFI bootkits are very powerful threats, having full control over the OS boot process and thus capable of disabling various OS security mechanisms and deploying their own kernel-mode or user-mode payloads in early OS startup stages,” said Martin Smolár, a malware analyst at Eset, in a March 1 report. “This allows them to operate very stealthily and with high privileges.”

The NSA sys the trouble with BlackLotus is that the malware includes the ability to substitute unpatched versions for patched versions of the Windows boot loader. These unpatched versions contain the Baton Drop vulnerability, allowing attackers to exploit it.

Attackers have this capability because while Microsoft patched the boot loader, it failed to blacklist older versions by adding them to the Secure Boot Deny List Database in Windows. “Secure Boot DBX prevents execution of unauthorized boot loaders,” according to the NSA’s guidance. As a result, “administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot.”

Mitigations recommended by the NSA include:

• Fully update and patch all Windows systems.




• Avoid using Windows versions prior to Windows 10.




• Enable optional security controls added to Windows by Microsoft in May, including a Code Integrity Boot Policy.




• Use endpoint security tools to block unscheduled attempts to add code into the boot partition, disable memory integrity, disable BitLocker or reboot a device.




• Use endpoint security tools to monitor each device’s Extensible Firmware Interface – EFI – integrity.

While BlackLotus is designed to target Windows 10 and 11, the NSA says “variants may exist to target older, UEFI-booting versions of Windows.” Microsoft has only released security fixes for Windows 8.1, 10 and 11.

Despite the risk posed by BlackLotus, “no one should disable Secure Boot on an endpoint built within the past 5 years,” the NSA said.

Microsoft said in its detailed deployment guidelines that before activating the optional protections released in its May 9 security updates, “you must verify your devices and all bootable media are updated and ready for this security hardening change.” Failing to do so may leave those devices unrecoverable.

Expect additional Windows updates to address the threat. On July 11, Microsoft plans to release further capabilities, including providing an easier, automated way to deploy revocation files for Code Integrity Boot policy and the Secure Boot DBX disallow list. By April 1, 2024 – and earlier, if possible – Microsoft plans to ship updates to Windows that will make it impossible to disable such revocations.