Unkillable UEFI malware bypassing Secure Boot enabled by unpatched Windows bug

Aurich Lawson | Getty Images

Researchers announced Wednesday a major cybersecurity find—the first known example of real-world malware that can hijack a computer’s boot process even if Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.

Called BlackLotus, the malware is a known UEFI bootkit. These sophisticated pieces of malware hijack UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting almost all modern computers. As the mechanism that connects a PC device’s firmware to its operating system, UEFI is an OS in its own right. It resides on an SPI-connected flash storage chip soldered to the computer motherboard, making it difficult to test or patch.

Because UEFI is the first thing that runs when a computer is turned on, it influences the OS, security applications, and all other software that follows. These characteristics make UEFI the perfect place to run malware. If successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with hidden malware running in kernel mode or user mode, even after reinstallation. the operating system or replaced a hard drive.

As enticing as it is for threat actors to install nearly invisible and unremovable malware at the kernel level, there are some formidable obstacles standing in their way. One is the requirement that they first hack the device and gain system administrator rights, by exploiting one or more vulnerabilities in the OS or apps or by tricking a user into installing of trojanized software. Only after removing this long bar will the threat actor attempt to install the bootkit.

The second thing that prevents UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that every piece of software used at startup is trusted by the manufacturer of a computer. Secure Boot is designed to create a chain of trust that prevents attackers from replacing the intended bootup firmware with malicious firmware. If a firmware link in that chain is not recognized, Secure Boot will prevent the device from booting.

While researchers have found vulnerabilities in Secure Boot in the past, there is no indication that threat actors have been able to bypass the protection in the 12 years it has been in existence. Until now.

On Wednesday, researchers at the security company ESET presented an in-depth analysis of the world’s first in-the-wild UEFI bootkit that bypasses Secure Boot in fully updated versions. UEFI system running fully updated versions of Windows 10 and 11. While there are no strings or other clues that directly indicate the name of the creators or the bootkit, researchers at ESET concluded that it is almost identical to a bootkit, known as BlackLotus, which has been advertised on underground cybercrime forums since last year. The price: $5,000, and $200 after that for updates.

A brief history of BlackLotus.
raising / A brief history of BlackLotus.


To defeat Secure Boot, the bootkit exploits CVE-2022-21894, a vulnerability in all supported versions of Windows that Microsoft patched in January 2022. The logic flaw, called Baton Drop by the researcher who discovered it, could be exploited to get. Secure Boot function from the boot sequence during startup. Attackers could also abuse the flaw to obtain keys for BitLocker, a Windows feature for encrypting hard drives.

CVE-2022-21894 proved to be extremely valuable to the creators of BlackLotus. Despite Microsoft releasing new patched software, the vulnerable signed binaries have not yet been added to the UEFI recovery list that flags boot files that should no longer be trusted. Microsoft did not explain the reason, but it probably has something to do with the hundreds of vulnerable bootloaders that remain in use today. If the signed binaries are revoked, millions of devices will no longer work. As a result, fully updated devices remain vulnerable because attackers can simply replace the patched software with older, vulnerable software.

Leave a Comment