• Unpatchable UEFI bootkit bypasses Secure Boot

    From August Abolins@618:500/23.10 to All on Mon Mar 6 13:36:00 2023

    ==================================================================<
    ** Original area : "/grc/securitynow"
    ** Original message from : PHolder+NNTP@gmail.com (Paul Holder)
    ** Original message to :
    ** Original date/time : 06 Mar 23, 12:48
    >==================================================================<

    https://arstechnica.com/information-technology/2023/03/unkillable-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw/

    Researchers on Wednesday announced a major cybersecurity find: the
    world's first-known instance of real-world malware that can hijack a
    computer's boot process even when Secure Boot and other advanced
    protections are enabled and running on fully updated versions of
    Windows.

    Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These
    sophisticated pieces of malware infect the UEFI, short for Unified
    Extensible Firmware Interface, the low-level and complex chain of
    firmware responsible for booting up virtually every modern computer. As
    the mechanism that bridges a PC's device firmware with its operating
    system, the UEFI is an OS in its own right. It's located in an
    SPI-connected flash storage chip soldered onto the computer
    motherboard, making it difficult to inspect or patch.

    ...

    While researchers have found Secure Boot vulnerabilities in the past,
    there has been no indication that threat actors have ever been able to
    bypass the protection in the 12 years it has been in existence. Until
    now.

    ...


    --- OpenXP 5.0.57
    * Origin: (618:500/23.10)
  • From digimaus@618:618/1 to August Abolins on Mon Mar 6 16:58:08 2023
    August Abolins wrote to All <=-

    While researchers have found Secure Boot vulnerabilities in the past,
    there has been no indication that threat actors have ever been able to
    bypass the protection in the 12 years it has been in existence. Until
    now.

    Yet Microsoft patched the issue but, as Microsoft is known to do, half-assed its response:

    "BlackLotus exploits a more than one-year-old vulnerability, CVE-2022-21894,
    to bypass the secure boot process and establish persistence. Microsoft
    fixed this CVE in January 2022, but miscreants can still exploit it because
    the affected signed binaries have not been added to the UEFI revocation
    list, Smolar noted."

    "Making it even more difficult to detect: BlackLotus can disable several
    OS security tools including BitLocker, Hypervisor-protected Code Integrity
    (HVCI) and Windows Defender, and bypass User Account Control (UAC),
    according to the security shop."

    (From: https://www.theregister.com/2023/03/01/blacklotus_malware_eset)

    Glad I don't run Windows anymore.

    -- Sean


    ... "Software is like sex, it's better when it's free" - Linus Torvalds
    --- MMail/FreeBSD
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
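The Register excerpt quoted in the reply above explains why the January 2022 fix did not stop BlackLotus: the vulnerable boot binaries still carry valid Microsoft signatures and were never added to the UEFI revocation list (the `dbx` variable), so Secure Boot keeps accepting them, and once the bootkit is in, it switches off HVCI, BitLocker and Defender. The PowerShell below is an added example, not code from either poster, from ESET or from Microsoft. It reads `dbx` on a Windows host, parses the EFI_SIGNATURE_LIST structures it contains, and reports the Secure Boot and HVCI state, so a defender can see whether a revocation update has reached the firmware at all. The function names and the constructed sample blob in `New-ConstructedDbx` are mine; the cmdlets (`Get-SecureBootUEFI`, `Confirm-SecureBootUEFI`, `Get-CimInstance`) and the `Win32_DeviceGuard` class are standard Windows components. Run it from an elevated session on a UEFI-booted machine.

```powershell
# Added example (not from the thread): inspect the UEFI revocation list (dbx)
# and the HVCI state that the quoted Register paragraphs refer to.

function Get-DbxEntries {
    # Parse a raw dbx blob: a sequence of EFI_SIGNATURE_LIST structures.
    # Layout of each list:
    #   SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4)
    #   | SignatureSize (4) | header bytes | N signatures of SignatureSize bytes,
    #   each = SignatureOwner GUID (16) + SignatureData
    param([byte[]]$Bytes = (Get-SecureBootUEFI -Name dbx).Bytes)

    $sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID
    $x509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Guard against a zero-length or truncated list, which would otherwise loop forever
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # Skip the 16-byte SignatureOwner GUID; the rest is the signature data
            $data = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
            if ($type -eq $sha256Guid) {
                # Authenticode (PE image) hash of a revoked binary, not a flat file hash
                [pscustomobject]@{ Kind = 'SHA256'; Value = ([BitConverter]::ToString($data) -replace '-', '').ToLower() }
            } elseif ($type -eq $x509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Value = $cert.Subject }
            } else {
                [pscustomobject]@{ Kind = $type.Guid; Value = "$($data.Length) bytes" }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Get-SecureBootPosture {
    # Summarise what the firmware will refuse (dbx) and whether HVCI is actually running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $entries = @(Get-DbxEntries)
    [pscustomobject]@{
        SecureBootEnabled = Confirm-SecureBootUEFI              # throws on legacy-BIOS boot
        DbxSha256Hashes   = @($entries | Where-Object Kind -eq 'SHA256').Count
        DbxCertificates   = @($entries | Where-Object Kind -eq 'X509').Count
        HvciRunning       = 2 -in $dg.SecurityServicesRunning   # 2 = HVCI in Win32_DeviceGuard
    }
}

function New-ConstructedDbx {
    # Constructed sample for offline testing of the parser; not a real dbx.
    # One SHA256 list holding two made-up hashes.
    $type    = [guid]'c1c41626-504c-4092-aca9-41f936934328'
    $sigSize = 16 + 32
    $hashes  = @( [byte[]](1..32), [byte[]](@(0xAA) * 32) )
    $listSize = 28 + ($hashes.Count * $sigSize)
    $buf = [System.Collections.Generic.List[byte]]::new()
    $buf.AddRange($type.ToByteArray())
    $buf.AddRange([BitConverter]::GetBytes([uint32]$listSize))
    $buf.AddRange([BitConverter]::GetBytes([uint32]0))          # no signature header
    $buf.AddRange([BitConverter]::GetBytes([uint32]$sigSize))
    foreach ($h in $hashes) {
        $buf.AddRange([guid]::Empty.ToByteArray())              # SignatureOwner
        $buf.AddRange($h)
    }
    ,$buf.ToArray()
}

# Offline demonstration on the constructed blob (works on any PowerShell host):
Get-DbxEntries -Bytes (New-ConstructedDbx) | Format-Table -AutoSize

# On a real UEFI Windows machine, from an elevated session:
# Get-SecureBootPosture
```

The SHA-256 entries in `dbx` are Authenticode hashes of the PE image, so checking whether a specific boot manager is revoked means computing that hash rather than hashing the file bytes; the counts reported here only show whether any revocation update has been applied, which, per the quoted excerpt, is exactly the step that had not happened for the CVE-2022-21894 binaries.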