The BlackLotus Bootkit
Mark Richards
Staff Electrical Engineer - DISA JCIP - Cybersecurity Engineering - MS, PhD Candidate
First...
Before I dive into the details of BlackLotus, I need to make two things clear:
Okay, on to the article: The tech world has been buzzing lately about a new malware menace named BlackLotus. This bootkit is not your run-of-the-mill malicious software but a potent threat that exploits a boot loader flaw, CVE-2022-21894, known as "Baton Drop". Like its predecessor, BootHole, BlackLotus hijacks the boot process, compromising a computer's security at the earliest stage of the software boot chain, which means it can bypass the OS-level security mechanisms that load later, such as BitLocker and Defender. This post aims to unpack the confusion surrounding BlackLotus, delve into its mechanism, and offer concrete steps to mitigate its risks.
Understanding BlackLotus: Not Unstoppable, but Not to Be Underestimated
Hyperbolic descriptions like "unstoppable", "unkillable", and "unpatchable" have swirled around BlackLotus, painting an unnerving picture. Others think that Microsoft's 2022 and 2023 patch releases have neutralized the threat. The truth, as it often is, lies somewhere in between.
Exploiting Baton Drop, BlackLotus targets the Windows boot chain by replacing the patched boot loader with an older, vulnerable version and then disabling Secure Boot's protective policy. Alarmingly, these vulnerable boot loaders haven't been added to the Secure Boot Deny List Database (DBX), so the firmware still accepts them, leaving room for BlackLotus to enter the system.
Mitigating BlackLotus: A Multi-pronged Strategy
Let's delve into the recommended steps to protect your systems from BlackLotus, ranging from updating recovery media and hardening defensive policies to customizing Secure Boot.
Action 1: Update Recovery Media and Activate Optional Mitigations
Windows admins should promptly install the latest security patches, including Microsoft's optional mitigations from May 2023 that prevent rollback to the boot manager and kernel versions vulnerable to Baton Drop and BlackLotus. Critical to note here is the importance of migrating to supported versions of Windows, particularly Windows 10 and 11, which have ongoing mitigation deployments for BlackLotus.
Action 2: Harden Defensive Policies
Here, our focus is on the malware's install process, which places an older Windows boot loader Extensible Firmware Interface (EFI) binary into the boot partition, disables Memory Integrity, turns off BitLocker, and reboots the device. Many endpoint security products can block these events if configured correctly. In particular, changes to the EFI boot partition should be scrutinized, and only trusted executables should be allowed to write there.
Action 3: Monitor Device Integrity Measurements and Boot Configuration
Endpoint security products often come equipped with integrity-scanning features. Configuring these tools to monitor the composition of the EFI boot partition and detect unexpected changes to bootmgr.efi or bootmgfw.efi can help catch BlackLotus before it takes hold. It's crucial to prevent the device from rebooting if unexpected changes are detected, since the swapped boot loader only takes effect on the next boot.
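One way to implement the baseline-and-compare check described above, as an added PowerShell example that is not from the article or from the NSA/Microsoft guidance. It assumes an elevated prompt, a free S: drive letter for the EFI System Partition, and a baseline stored under C:\ProgramData\EspBaseline (an assumed path).

```powershell
# Added example: inventory the EFI System Partition (ESP), store a baseline after patching,
# and later report any added, removed or changed files. Assumptions: run elevated, S: is free,
# and the baseline location below is one we chose for this example.
$EspLetter    = 'S:'
$BaselineDir  = 'C:\ProgramData\EspBaseline'
$BaselineFile = Join-Path $BaselineDir 'esp-baseline.json'

function Get-EspInventory {
    # Mount the ESP, hash every file under EFI\ (bootmgfw.efi and bootmgr.efi live in
    # EFI\Microsoft\Boot), record the Authenticode signer, then unmount again.
    mountvol $EspLetter /S | Out-Null
    try {
        Get-ChildItem -Path (Join-Path $EspLetter 'EFI') -Recurse -File | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName.Substring($EspLetter.Length)   # relative, stable across mounts
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SigOk  = ($sig.Status -eq 'Valid')
            }
        }
    } finally {
        mountvol $EspLetter /D | Out-Null
    }
}

function Save-EspBaseline {
    # Capture the known-good state right after applying the current boot manager updates.
    New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
    Get-EspInventory | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselineFile
}

function Test-EspAgainstBaseline {
    # Compare the live ESP with the baseline; any output line is a finding to act on.
    $baseline = Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json
    $current  = Get-EspInventory
    $findings = @()
    foreach ($b in $baseline) {
        $c = $current | Where-Object Path -eq $b.Path
        if (-not $c)                 { $findings += "REMOVED  $($b.Path)"; continue }
        if ($c.Sha256 -ne $b.Sha256) { $findings += "CHANGED  $($b.Path) (signer now: $($c.Signer), valid: $($c.SigOk))" }
    }
    foreach ($c in $current) {
        if (-not ($baseline | Where-Object Path -eq $c.Path)) { $findings += "ADDED    $($c.Path)" }
    }
    $findings
}
```

Run Save-EspBaseline once after patching and Test-EspAgainstBaseline from a scheduled task or your EDR's script runner, treating any CHANGED or ADDED line under \EFI\Microsoft\Boot as a reason to hold the pending reboot and investigate. Note that a downgraded bootmgfw.efi still carries a valid Microsoft signature, so the hash drift, not the signature status, is the signal here.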
Action 4: Customize UEFI Secure Boot
This is a rather advanced step and is only recommended for expertly administered infrastructures. For Windows, one could update Secure Boot with DBX deny list hashes, which prevent executing older and vulnerable boot loaders. But remember, BlackLotus can rapidly switch to alternate vulnerable boot loaders to evade this, so this method's effectiveness may be limited. For Linux, admins may opt to remove the Microsoft Windows Production CA 2011 certificate from Secure Boot's DB, eliminating the need to add DBX entries related to Baton Drop and BlackLotus.
A Final Word
While Microsoft's patches offer some level of protection, system administrators should not be lulled into complacency. The threat posed by BlackLotus still lurks, and thus a thorough understanding of the bootkit and the weaknesses it exploits is critical to mitigating risks and ensuring robust cybersecurity. Finally, this article is not a comprehensive manual. For all the relevant details, read the full press release by the NSA and the Microsoft guidance.