Sunday, April 28, 2024

NSA Releases Guide to Mitigate BlackLotus Threat

BlackLotus exploits a known vulnerability called “Baton Drop,” CVE-2022-21894, which bypasses security features during the device’s startup process, also known as Secure Boot.

Malicious cyber actors could take advantage of a known vulnerability in the Microsoft Windows secure startup process to bypass Secure Boot protection and execute BlackLotus malware.

To guide system administrators and network defenders on how to mitigate this threat, the National Security Agency (NSA) is publicly releasing the “BlackLotus Mitigation Guide” Cybersecurity Information Sheet (CSI). The guide provides an overview of recommended actions to detect and prevent malicious activities associated with BlackLotus.

“Protecting systems against BlackLotus is not a simple fix,” said Zachary Blum, NSA’s Platform Security Analyst. “Patching is a good first step, but we also recommend hardening actions, dependent on your system’s configurations and security software used.”

BlackLotus exploits a known vulnerability called “Baton Drop,” CVE-2022-21894, which bypasses security features during the device’s startup process, also known as Secure Boot. The malware targets Secure Boot by exploiting vulnerable boot loaders that have not been added to the Secure Boot Deny List Database (DBX).

The Secure Boot DBX prevents execution of unauthorized boot loaders. According to the CSI, boot loaders vulnerable to Baton Drop have not been added to the Secure Boot DBX revocation list and are still trusted during the Secure Boot process. A malicious cyber actor, therefore, could successfully exploit the Baton Drop vulnerability, bypass Secure Boot, and compromise the device.
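To make the DBX check concrete, the following added example (not from NSA's guide or this article) parses a DBX blob in the UEFI `EFI_SIGNATURE_LIST` layout and reports whether a given SHA-256 digest is revoked. The sample DBX and both digests are constructed for illustration; it assumes the digest you test is the boot loader's Authenticode (PE image) hash, which is what DBX hash entries record, and that any 4-byte attribute prefix on a Linux efivars dump has already been stripped.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID as defined in the UEFI specification
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def parse_dbx_sha256(blob):
    """Return the SHA-256 digests (hex) found in a chain of EFI_SIGNATURE_LISTs."""
    hashes, off = set(), 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_type == EFI_CERT_SHA256:
            if sig_size != 48 or len(body) % sig_size:
                raise ValueError("malformed SHA-256 signature list")
            for i in range(0, len(body), sig_size):
                # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID + 32-byte digest.
                hashes.add(body[i + 16:i + 48].hex())
        # Other list types (e.g. X.509 certificates) are skipped, not parsed.
        off += list_size
    return hashes

def is_revoked(digest_hex, blob):
    """True if the digest appears in the DBX, i.e. Secure Boot would refuse it."""
    return digest_hex.lower() in parse_dbx_sha256(blob)

def build_sample_dbx(digests):
    """Build a constructed single-list DBX blob for demonstration."""
    owner = uuid.UUID(int=0).bytes_le  # constructed owner GUID
    body = b"".join(owner + bytes.fromhex(d) for d in digests)
    header = EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return header + body

# Constructed digests standing in for two boot loader image hashes.
REVOKED = hashlib.sha256(b"constructed revoked loader").hexdigest()
STILL_TRUSTED = hashlib.sha256(b"constructed unrevoked loader").hexdigest()
SAMPLE_DBX = build_sample_dbx([REVOKED, hashlib.sha256(b"other").hexdigest()])

if __name__ == "__main__":
    for name, digest in (("revoked", REVOKED), ("still trusted", STILL_TRUSTED)):
        print(name, digest[:16], "in DBX:", is_revoked(digest, SAMPLE_DBX))
```

A loader whose digest is absent from the parsed set is in the position the CSI describes: not revoked, and therefore still accepted by Secure Boot.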

NSA recommends system administrators and network defenders take action by implementing the mitigations listed in this report.

Read more at NSA

Homeland Security Today
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.