Microsoft FAIL: ‘BlackLotus’ Bootkit Breaks Secure Boot

BlackLotus malware targets UEFI Secure Boot. For a mere $5000, you too can own it.

Microsoft patched the vulnerability exploited by the bootkit in January last year, but “forgot” a crucial step: It failed to update the revocation list. That means the vulnerable code will still run if it’s dropped by scrotes.

Naïvely negligent or perfectly pragmatic? In today’s SB Blogwatch, we dig in and find out.

AWS Builder Community Hub

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Tikiyaki Orchestra.

UEFI DBX Ignored for 13 Months

What’s the craic? Jessica Lyons Hardcastle reports—“BlackLotus malware can bypass Secure Boot”:

BlackLotus can disable several OS security tools
Secure Boot is supposed to prevent devices from running unauthorized software on Microsoft machines. … BlackLotus [is] the first known malware to run on Windows systems even with the firmware security feature enabled.

By targeting UEFI the BlackLotus malware loads before anything else in the booting process, including the operating system. … BlackLotus exploits a more than one-year-old vulnerability … to bypass the secure boot process and establish persistence. Microsoft fixed [it] in January 2022, but miscreants can still exploit it because the affected signed binaries have not been added to the UEFI revocation list.

BlackLotus can disable several OS security tools including BitLocker, Hypervisor-protected Code Integrity (HVCI) and Windows Defender. … Expect to see more cybercriminals using [it] soon.

UEFI? ELI5? Ionut Ilascu obliges—“BlackLotus bootkit bypasses UEFI Secure Boot on patched Windows 11”:

Virtually invisible to antivirus agents
The Unified Extensible Firmware Interface (UEFI) is the software that connects the operating system with the hardware that runs it. It is low-level code that executes when the computer powers up and dictates the booting sequence before the operating system starts any of its routines.

UEFI bootkits are at the opposite end of run-of-the-mill malware. They are rare findings seen in attacks attributed to advanced threat actors working on behalf of a nation-state.

The BlackLotus UEFI malware emerged last year … with a feature set that makes it virtually invisible to antivirus agents installed on the compromised host. … Microsoft addressing the vulnerability … was not enough to close the security gap because the UEFI DBX … revocation list has yet to be updated with the untrusted keys and binary hashes.

Horse’s mouth? Martin Smolár—“Myth confirmed”:

BlackLotus has been advertised and sold on underground forums since at least October. [Here’s] evidence that the bootkit is real, and the advertisement is not merely a scam.

Not many threat actors have started using it yet. But until the revocation of the vulnerable bootloaders … happens, we are concerned that things will change rapidly should this bootkit get into the hands of the well-known crimeware groups.

Microsoft FAIL? Why did it not revoke the vulnerable code? SCHiM explains a possible reason:

It’s quite a painful [dilemma] Microsoft is in, given their commitment to backwards compatibility. The exploit can still be deployed by malicious actors on patched devices because they can bring old vulnerable signed bootloaders.

These old signed bootloaders could technically by revoked, but if Microsoft does that then all old backups, possibly going back years, will no longer boot when restored. I can imagine there’s many hundreds of thousands of backups that would then be silently broken. Imagine you find that out when you restore after a disaster.

Oh come on. Surely we can blame Microsoft? OhForF’ stops swearing:

It’s quite possible that the decision not to add those … vulnerable binaries to the revocation list was taken because doing so has a potential to make a lot of devices that are not yet patched unusable. If that hits a big company they might even decide to have their lawyers check if the small print … really allows providers to force updates on you that make your device unusable for its primary purpose.

Now that this is actively exploited the decision may change.

Come again? u/Relevant-Ad1624 describes another nasty corner-case:

Because if the UEFI dbx gets updated before Windows updates, you get a situation where Windows will not boot. I assume Microsoft does not want to push down updates that could brick boxes.

You would have to revoke literally hundreds of builds of the bootmanager. This is why revocation lists are … not a scalable solution.

Attestation is the solution. Let the machine boot, however since the attestation measurements indicate a rollbacked EFI component, you can then deny access to network resources. It doesn’t necessarily protect the machine, but in corporate environment is safe from a bootkitted machine. Remote attestation is the future.

It is? It’s certainly not the present, notes a slightly snarky mjg59:

It’s … detectable using Remote Attestation … which is nice for all 3 of the people who’ve rolled that out.

Where can one get BlackLotus from? Here’s some information from from [You’re fired—Ed.]:

It looks Anyone can buy a membership for ~$100. … It’s basically just a marketplace for software to steal money from people in first world countries … and a bunch of supporting services like residential proxies, hacked RDPs, SSN lookups, and “drop” bank/crypto exchange accounts.

I think the most “elite” forum is called Mazafaka and requires a substantial deposit and a recommendation from existing members.

Meanwhile, a suitably sweary flayman ragequits thuswise:

The reality is that nothing ****ing works, so what’s the ****ing point? I quit.

And Finally:

A South Pacific Sojourn

Hat tip: MC Chicken Sandwich

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: LoboStudio Hamburg (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 492 posts and counting.See all posts by richi