NSA Shares Tips to Defend BlackLotus UEFI Malware Attacks

The U.S. National Security Agency (NSA) shared tips on how to defend against BlackLotus UEFI bootkit malware attacks. BlackLotus has been circulating on hacking forums since October 2022. The malware is capable of evading detection, withstanding removal efforts, and neutralizing multiple Windows security features such as Defender, HVCI, and BitLocker.

In May, Microsoft released security updates to address a Secure Boot zero-day vulnerability (CVE-2023-24932). The update fixes a bypass of the patches released for CVE-2022-21894, the Secure Boot bug initially abused in BlackLotus attacks last year.


However, the CVE-2023-24932 fix is disabled by default and does not by itself remove the attack vector used to deploy BlackLotus. To secure Windows devices, admins must follow a manual, multi-step procedure “to update bootable media and apply revocations before enabling this update.”

“BlackLotus is very stoppable on fully updated Windows endpoints, Secure Boot-customized devices, or Linux endpoints. Microsoft has released patches and continues to harden mitigations against BlackLotus and Baton Drop,” the NSA said.

Linux users may remove the Microsoft Windows Production CA 2011 certificate on devices that boot only Linux. Zachary Blum, NSA’s Platform Security Analyst, advised system administrators and network defenders to implement hardening actions on systems already patched against this vulnerability.

“NSA recommends system administrators within DoD and other networks take action. BlackLotus is not a firmware threat, but instead targets the earliest software stage of the boot,” the NSA said. “Defensive software solutions can be configured to detect and prevent the installation of the BlackLotus payload or the reboot event that starts its execution and implantation. NSA believes that currently published patches could provide a false sense of security for some infrastructures.”

In the latest advisory, the U.S. intelligence agency recommended the following measures as additional mitigations:

  • Apply the latest security updates, update recovery media, and activate the optional mitigation
  • Harden defensive policies by configuring endpoint security software to block BlackLotus installation attempts
  • Use endpoint security products and firmware monitoring tools to monitor device integrity measurements and boot configuration
  • Customize UEFI Secure Boot to block older (pre-January 2022) signed Windows boot loaders
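As an added example (not from the article or the NSA advisory), the following PowerShell script lets a defender check the last two items above on a Windows host: whether Secure Boot is enabled, which CAs the firmware db trusts (including the Windows Production CA the article mentions), and how many boot-loader hashes and certificates the dbx revocation list currently carries. It assumes an elevated session on a UEFI system and the standard UEFI EFI_CERT_X509 / EFI_CERT_SHA256 signature-type GUIDs.

```powershell
# Added example: inspect UEFI Secure Boot state on Windows. Run elevated.
# Assumption: standard UEFI signature-type GUIDs from the UEFI specification.
$CertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$CertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-EfiSignatureEntries {
    # Walk the EFI_SIGNATURE_LIST structures inside a db/dbx variable blob.
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list, stop
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID followed by the payload.
            $data = $Bytes[($pos + 16)..($pos + $sigSize - 1)]
            [pscustomobject]@{ Type = $type; Data = [byte[]]$data }
            $pos += $sigSize
        }
        $offset = $end
    }
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is DISABLED'; return }
Write-Host 'Secure Boot is enabled'

# db: the CAs allowed to sign boot loaders. The Windows Production CA entry is
# the one the article says Linux-only hosts may remove.
$db = Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name db).Bytes
foreach ($e in $db | Where-Object Type -eq $CertX509Guid) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($e.Data)
    Write-Host ("db trusts: {0}  (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)
}

# dbx: the revocation list. Applying the May update's revocations adds entries;
# an unexpectedly small count suggests the revocations were never applied.
$dbx = Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name dbx).Bytes
$hashCount = @($dbx | Where-Object Type -eq $CertSha256Guid).Count
$certCount = @($dbx | Where-Object Type -eq $CertX509Guid).Count
Write-Host ("dbx revokes {0} SHA-256 hashes and {1} certificates" -f $hashCount, $certCount)
```

Record the db subjects and dbx counts as a baseline so later runs show whether revocations were applied or the trusted CA set changed.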


Onsa Mustafa

Onsa is a Software Engineer and a tech blogger who focuses on providing the latest information regarding the innovations happening in the IT world. She likes reading, photography, travelling and exploring nature.
