Computer security became a little more challenging, with the BlackLotus malware becoming the first to bypass Secure Boot.
Secure Boot is a method of signing the kernel and various boot components, ensuring that no malicious software can be inserted into the boot process and compromise a machine. While there have been many claims of malware that can bypass secure boot, BlackLotus is the first.
According to ESET malware analyst Martin Smolár, “the first publicly known UEFI bootkit bypassing the essential platform security feature – UEFI Secure Boot – is now a reality.”
Smolár goes on to discuss ESET’s findings, including the fact that BlackLotus can compromise even “the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled.”
The malware uses a vulnerability that was patched more than a year ago because “the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability.”
In many ways, a bootkit like BlackLotus is the Holy Grail of exploits because the bootkit has “full control over the OS boot process and thus capable of disabling various OS security mechanisms and deploying their own kernel-mode or user-mode payloads in early OS startup stages.”
Because the bootkit hijacks the process early on, attackers can even enroll their own keys in the system so that the malware can have unfettered access without tripping any security measures.
ESET’s research is disturbing on many levels, not the least of which is the fact that BlackLotus can be delivered both off and online. This means an attacker does not need physical access to a device in order to compromise it.
To make matters worse, it appears the vulnerability BlackLotus exploits is not the only one.
“UEFI Secure Boot stands in the way of UEFI bootkits, but there are a non-negligible number of known vulnerabilities that allow bypassing this essential security mechanism,” writes Smolár. “And the worst of this is that some of them are still easily exploitable on up-to-date systems even at the time of this writing – including the one exploited by BlackLotus.”
At this point, there are not absolute mitigation measures, only a combination of things that can reduce the likelihood of a compromise. Once a computer is compromised, the safest thing to do is to reinstall it and use the mokutil utility to delete the signed key BlackLotus deposits that enables it to bypass Secure Boot.
