NSA Shares Tips to Defend BlackLotus UEFI Malware Attacks
The U.S. National Security Agency (NSA) shared tips on how to defend against BlackLotus UEFI bootkit malware attacks. BlackLotus has been circulating on hacking forums since October 2022. The malware is capable of evading detection, withstanding removal efforts, and neutralizing multiple Windows security features such as Defender, HVCI, and BitLocker.
In May, Microsoft released security updates to address a Secure Boot zero-day vulnerability (CVE-2023-24932). The flaw was used to bypass the patches released for CVE-2022-21894, the Secure Boot bug initially abused in BlackLotus attacks last year.
However, the CVE-2023-24932 fix is disabled by default and does not remove the attack vector exploited to deploy BlackLotus. To secure Windows devices, admins must follow a manual, multi-step procedure “to update bootable media and apply revocations before enabling this update.”
“BlackLotus is very stoppable on fully updated Windows endpoints, Secure Boot-customized devices, or Linux endpoints. Microsoft has released patches and continues to harden mitigations against BlackLotus and Baton Drop,” the NSA said.
The Linux community may remove the Microsoft Windows Production CA 2011 certificate on devices that exclusively boot Linux. Zachary Blum, NSA’s Platform Security Analyst, advised system administrators and network defenders to implement hardening actions on systems patched against this vulnerability.
“NSA recommends system administrators within DoD and other networks take action. BlackLotus is not a firmware threat, but instead targets the earliest software stage of the boot,” the NSA said. “Defensive software solutions can be configured to detect and prevent the installation of the BlackLotus payload or the reboot event that starts its execution and implantation. NSA believes that currently published patches could provide a false sense of security for some infrastructures.”
In the latest advisory, the U.S. intelligence agency recommended the following measures as additional mitigations:
- Apply the latest security updates, update recovery media, and activate the optional mitigation
- Harden defensive policies by configuring endpoint security software to block BlackLotus malware installation attempts
- Use endpoint security products and firmware monitoring tools to monitor device integrity measurements and boot configuration
- Customize UEFI Secure Boot to block older (pre-January 2022), signed Windows boot loaders
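The third and fourth mitigations amount to knowing what your firmware currently trusts and revokes. The following PowerShell is an added example, not code from the NSA advisory or from Microsoft; it assumes an elevated session on a Windows UEFI host with the built-in `SecureBoot` module, and it parses the `db` and `dbx` variables (EFI_SIGNATURE_LIST format) to report whether Secure Boot is on, which CA certificates are trusted, whether the Windows Production CA 2011 certificate is still present, and how many SHA-256 revocation hashes the DBX holds.

```powershell
# Added example: inventory the Secure Boot db/dbx on a Windows UEFI host.
# Assumes an elevated PowerShell session; the SecureBoot module ships with Windows.
$EFI_CERT_X509   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
$EFI_CERT_SHA256 = [Guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID

function Get-SignatureListEntries {
    # Walk a concatenation of EFI_SIGNATURE_LIST structures and emit each entry.
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list, stop
        $listEnd  = [Math]::Min($offset + $listSize, $Bytes.Length)
        $sigStart = $offset + 28 + $hdrSize
        while ($sigStart + $sigSize -le $listEnd) {
            # EFI_SIGNATURE_DATA: 16-byte owner GUID followed by the hash or DER certificate.
            [pscustomobject]@{
                Type = $type
                Data = [byte[]]$Bytes[($sigStart + 16)..($sigStart + $sigSize - 1)]
            }
            $sigStart += $sigSize
        }
        $offset = $listEnd
    }
}

function Get-SecureBootPosture {
    $enabled = Confirm-SecureBootUEFI          # throws on legacy BIOS systems
    $db  = Get-SignatureListEntries -Bytes (Get-SecureBootUEFI -Name db).Bytes
    $dbx = Get-SignatureListEntries -Bytes (Get-SecureBootUEFI -Name dbx).Bytes
    $certs = $db | Where-Object Type -eq $EFI_CERT_X509 | ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Data)
    }
    [pscustomobject]@{
        SecureBootEnabled  = $enabled
        DbCertificates     = @($certs.Subject)
        WindowsProdCA2011  = [bool]($certs | Where-Object Subject -like '*Windows Production*CA 2011*')
        DbxSha256Entries   = @($dbx | Where-Object Type -eq $EFI_CERT_SHA256).Count
        DbxX509Entries     = @($dbx | Where-Object Type -eq $EFI_CERT_X509).Count
    }
}

Get-SecureBootPosture | Format-List
```

Record the output before and after applying Microsoft's revocation procedure so the change in DBX contents is visible; a populated DBX by itself does not prove that the specific boot loaders abused by BlackLotus are revoked, so treat the numbers as a baseline to diff, not a pass/fail verdict.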