To kill BlackLotus malware, patching is a good start, but...

...that alone 'could provide a false sense of security,' NSA warns in this handy free guide for orgs


BlackLotus, the malware capable of bypassing Secure Boot protections and compromising Windows computers, has caught the ire of the NSA, which today published a guide to help organizations detect and prevent infections of the UEFI bootkit.

Kaspersky's lead security researcher Sergey Lozhkin clocked BlackLotus being sold on cybercrime marketplaces for about $5,000 a pop back in October. 

Then, in research published in March, ESET malware analyst Martin Smolár confirmed the myth of an in-the-wild bootkit bypassing Secure Boot "is now a reality," as opposed to hypothetical threats raised by some experts and the usual slew of fake bootkits criminals attempted to trick fellow miscreants into buying.

No Linux-targeting variant of the malware has been observed; BlackLotus strictly nobbles Microsoft Windows machines.

Secure Boot is supposed to prevent devices from running unauthorized software. But by infecting a computer's firmware – its low-level UEFI software – BlackLotus loads before anything else in the booting process, including the operating system and any security tools that could stop it.

It does this by exploiting a Windows boot loader security flaw: CVE-2022-21894, also known as Baton Drop. Microsoft issued a patch to fix this blunder in January last year, but then BlackLotus abused another hole, CVE-2023-24932, to defeat the earlier patch. 

While Redmond fixed CVE-2023-24932 in May this year, "patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX)," according to the NSA guide to destroying BlackLotus [PDF]. 

"Administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot," the guide continues, adding that patches "could provide a false sense of security for some infrastructures."

To be clear: no one is saying don't patch, and organizations absolutely should implement the 2022 and March 2023 fixes.

But don't assume the threat is gone just because you've plugged the holes. While "patching is a good first step," according to NSA's Platform Security Analyst Zachary Blum — literally, it's the first "mitigation recommendation" in the BlackLotus report — the US government spy agency also recommends organizations take additional steps to protect themselves.

Also, it's important to note that while Windows 10 and 11 have applicable security updates and ongoing mitigation deployments for BlackLotus, these aren't available for older versions. So if you are using one of those, it's a good idea to migrate to a supported Windows release. Or another operating system.

After installing both security patches and enabling the optional mitigations, which include a Code Integrity Boot Policy, organizations should harden their defensive policies. Specifically, the NSA suggests organizations use endpoint and firmware monitoring tools to look for changes to the EFI boot partition, which, so long as they are legitimate, should be infrequent, and then block any changes outside of a scheduled update.

"If unexpected changes are detected within the EFI boot partition, prevent the device from rebooting," the guide says. 
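As a worked illustration of the baseline-and-compare approach the guide describes, here is an added example (not code from the NSA guide, its GitHub repository, or this article). It assumes the EFI System Partition is mounted at a path you pass in (for example /boot/efi on Linux, or a drive letter assigned with `mountvol` on Windows) and that a baseline JSON file is written right after a known-good scheduled update; the `demo()` function builds a constructed fake ESP in a temporary directory rather than touching a real one.

```python
"""Baseline-and-diff monitor for an EFI System Partition (ESP).

Added example, not from the NSA guide or The Register article.
Record a baseline after a legitimate update, then compare on a schedule
(or before allowing a reboot): anything added, modified or removed in the
ESP outside a planned update is the "unexpected change" the guide warns about.
"""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large boot images are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(esp_root: str) -> dict:
    """Map every file under the ESP (relative POSIX path) to its SHA-256."""
    root = Path(esp_root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def save_baseline(esp_root: str, baseline_path: str) -> None:
    """Record the current ESP contents; call this right after a legitimate update."""
    with open(baseline_path, "w", encoding="utf-8") as f:
        json.dump(snapshot(esp_root), f, indent=2, sort_keys=True)


def diff_against_baseline(esp_root: str, baseline_path: str) -> dict:
    """Return added/modified/removed files relative to the saved baseline."""
    with open(baseline_path, encoding="utf-8") as f:
        baseline = json.load(f)
    current = snapshot(esp_root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in current.keys() & baseline.keys()
                      if current[k] != baseline[k])
    return {"added": added, "modified": modified, "removed": removed}


def unexpected_changes(esp_root: str, baseline_path: str) -> bool:
    """True when anything differs from the baseline (the guide: don't let such a device reboot)."""
    return any(diff_against_baseline(esp_root, baseline_path).values())


def demo() -> dict:
    """Constructed scenario: a fake ESP in a temp dir is baselined, then tampered with."""
    work = Path(tempfile.mkdtemp())
    esp = work / "esp"
    loader = esp / "EFI" / "Microsoft" / "Boot" / "bootmgfw.efi"
    loader.parent.mkdir(parents=True)
    loader.write_bytes(b"constructed: known-good boot manager image")
    base = work / "baseline.json"
    save_baseline(str(esp), str(base))
    clean_before = unexpected_changes(str(esp), str(base))
    # Simulate what a firmware/endpoint monitor should catch: a rewritten
    # loader plus an extra, unplanned file appearing in the boot directory.
    loader.write_bytes(b"constructed: tampered boot manager image")
    (loader.parent / "extra.efi").write_bytes(b"constructed: unplanned extra file")
    return {"clean_before": clean_before,
            "diff_after": diff_against_baseline(str(esp), str(base))}


if __name__ == "__main__":
    if len(sys.argv) != 4 or sys.argv[1] not in ("baseline", "check"):
        sys.exit("usage: esp_monitor.py baseline|check <esp_mount> <baseline.json>")
    mode, esp_mount, baseline_file = sys.argv[1:]
    if mode == "baseline":
        save_baseline(esp_mount, baseline_file)
    else:
        changes = diff_against_baseline(esp_mount, baseline_file)
        print(json.dumps(changes, indent=2))
        sys.exit(1 if any(changes.values()) else 0)
```

The non-zero exit code from `check` is the hook for the policy the guide asks for: wire it into whatever gates reboots or raises an alert, and re-run `baseline` only as the last step of a scheduled update.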

And finally, the NSA suggests admins customize UEFI Secure Boot — but this is only recommended for "expertly administered and exposed infrastructures" because of its limited long-term effectiveness. 

Also, this step has different instructions for Windows and Linux infrastructures.

For Windows admins following this advice: update Secure Boot with DBX deny-list hashes, which will prevent executing older boot loaders that are vulnerable to exploits. The guide provides a list of DBX hashes — although it's a safe bet that the BlackLotus developers will alter the malware accordingly to avoid detection. So this list may be obsolete very soon.

Also, there's a GitHub repository that includes helpful scripts and guides for customization.
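To check that a DBX deny-list update has actually taken effect on a machine, you need to read the dbx variable and look for the published hashes in it. The following is an added example (not code from the NSA guide, its GitHub repository, or this article) that parses the EFI_SIGNATURE_LIST chain the db and dbx variables are made of, following the layout in the UEFI specification: a 16-byte SignatureType GUID, then SignatureListSize, SignatureHeaderSize and SignatureSize as little-endian UINT32s, then an optional header and fixed-size EFI_SIGNATURE_DATA entries (16-byte owner GUID followed by the signature bytes). The dbx blob built in `demo()` is constructed; the hashes in it are not real BlackLotus or Baton Drop hashes, and the owner GUID is a placeholder rather than Microsoft's. One caveat: DBX entries for PE boot loaders are Authenticode PE image digests, not a plain SHA-256 of the file on disk, so the hash you look up must be computed the Authenticode way (or taken from the guide's published list).

```python
"""Parse UEFI db/dbx contents (a chain of EFI_SIGNATURE_LIST structures)
and check whether a given SHA-256 is present on the deny list.

Added example, not from the NSA guide or its repository.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGLIST_HDR = 28  # 16-byte GUID + three UINT32 fields


def parse_signature_lists(blob: bytes) -> list:
    """Return [(signature_type_guid, [(owner_guid, data), ...]), ...] for every list in blob."""
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HDR + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:  # must at least hold the owner GUID
            raise ValueError("bad SignatureSize")
        entries = []
        pos = off + SIGLIST_HDR + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        if pos != end:
            raise ValueError("list body is not a whole number of entries")
        lists.append((sig_type, entries))
        off = end
    return lists


def denied_hashes(dbx_blob: bytes) -> set:
    """All EFI_CERT_SHA256 entries in a dbx blob, as lowercase hex strings."""
    out = set()
    for sig_type, entries in parse_signature_lists(dbx_blob):
        if sig_type == EFI_CERT_SHA256_GUID:
            out.update(data.hex() for _owner, data in entries)
    return out


def is_hash_denied(hex_hash: str, dbx_blob: bytes) -> bool:
    """True if the given (Authenticode) SHA-256 digest is on the deny list."""
    return hex_hash.lower() in denied_hashes(dbx_blob)


def load_efivars_variable(path: str) -> bytes:
    """Read a variable from Linux efivarfs; the first 4 bytes there are the
    variable attributes, not part of the signature list data."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type: uuid.UUID, datas: list, owner: uuid.UUID) -> bytes:
    """Encode equal-length signature blobs as one EFI_SIGNATURE_LIST (no header)."""
    sizes = {len(d) for d in datas}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR + len(body), 0, sig_size) + body


def demo() -> dict:
    """Constructed dbx: one X.509 list followed by a SHA-256 list with two denied digests."""
    owner = uuid.UUID(int=0x1234)  # constructed placeholder owner GUID
    denied_a = hashlib.sha256(b"constructed: old vulnerable loader A").digest()
    denied_b = hashlib.sha256(b"constructed: old vulnerable loader B").digest()
    not_listed = hashlib.sha256(b"constructed: patched loader").digest()
    fake_cert = b"constructed: not a real DER certificate"
    dbx = (build_signature_list(EFI_CERT_X509_GUID, [fake_cert], owner)
           + build_signature_list(EFI_CERT_SHA256_GUID, [denied_a, denied_b], owner))
    types = [t for t, _ in parse_signature_lists(dbx)]
    return {
        "list_types": ["x509" if t == EFI_CERT_X509_GUID else "sha256" for t in types],
        "entries": len(denied_hashes(dbx)),
        "a_denied": is_hash_denied(denied_a.hex(), dbx),
        "patched_denied": is_hash_denied(not_listed.hex(), dbx),
    }
```

On Linux the dbx contents come from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` via `load_efivars_variable`; on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes` yields the same signature-list bytes without the 4-byte prefix. Feed each hash from the guide's list to `is_hash_denied` and treat any `False` as a machine where the revocation has not landed.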

Meanwhile, Linux admins "may forego adding DBX hashes in favor of removing the Microsoft Windows Production CA 2011 certificate from Secure Boot's DB."

This, according to the NSA, negates the need to add BlackLotus- and Baton Drop-related DBX entries. 

However, Linux distributions do still need the Microsoft UEFI Third Party Marketplace CA 2011 certificate to utilize Secure Boot.

We reckon the above advice is worth checking out, not only to stop BlackLotus infections but also to prevent similar bootkit malware from invading your IT estate in future. ®
