Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw

By | March 6, 2023
Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw
Aurich Lawson | Getty Images

Researchers on Wednesday announced a major cybersecurity find—the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.

Dubbed BlackLotus, the malware is what’s known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC’s device firmware with its operating system, the UEFI is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.

Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to launch malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.

As appealing as it is to threat actors to install nearly invisible malware that has kernel-level access, there are a few formidable hurdles standing in their way. One is the requirement that they first hack the device and gain administrator system rights, either by exploiting one or more vulnerabilities in the OS or apps or by tricking a user into installing trojanized software. Only after this high bar is cleared can the threat actor attempt an installation of the bootkit.

The second thing standing in the way of UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer’s manufacturer. Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn’t recognized, Secure Boot will prevent the device from starting.

While researchers have found Secure Boot vulnerabilities in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence. Until now.

On Wednesday, researchers at security firm ESET presented a deep-dive analysis of the world’s first in-the-wild UEFI bootkit that bypasses Secure Boot on fully updated UEFI systems running fully updated versions of Windows 10 and 11. While there are no strings or other indicators directly showing the name of the creators or the bootkit, ESET researchers have concluded that it almost certainly corresponds to a bootkit, known as BlackLotus, that has been advertised in underground cybercrime forums since last year. The price: $5,000, and $200 thereafter for updates.

A brief history of BlackLotus.
Enlarge / A brief history of BlackLotus.

To defeat Secure Boot, the bootkit exploits CVE-2022-21894, a vulnerability in all supported versions of Windows that Microsoft patched in January 2022. The logic flaw, referred to as Baton Drop by the researcher who discovered it, can be exploited to remove Secure Boot functions from the boot sequence during startup. Attackers can also abuse the flaw to obtain keys for BitLocker, a Windows feature for encrypting hard drives.

CVE-2022-21894 has proven to be especially valuable to the BlackLotus creators. Despite Microsoft releasing new patched software, the vulnerable signed binaries have yet to be added to the UEFI revocation list that flags boot files that should no longer be trusted. Microsoft has not explained the reason, but it likely has to do with hundreds of vulnerable bootloaders that remain in use today. If those signed binaries are revoked, millions of devices will no longer work. As a result, fully updated devices remain vulnerable because attackers can simply replace patched software with the older, vulnerable software.