The NSA has published a guide to help organizations detect and prevent BlackLotus infections, which includes configuring defensive software solutions and monitoring boot events. The guide also provides indicators of compromise and recommended actions for recovery.
BlackLotus is a sophisticated malware that can bypass Secure Boot and compromise Windows systems. Secure Boot is a firmware security feature that prevents devices from running unauthorized software. BlackLotus can infect device firmware and load before the operating system and any security tools. It is sold on the dark web for $5,000 and has geofencing capabilities to avoid infecting computers in certain countries, such as Russia and Ukraine. It exploits a vulnerability in the Windows boot loader (CVE-2022-21894) that allows it to load an unsigned driver and gain persistence.
The driver can execute malicious code in kernel mode and evade detection by antivirus software. Microsoft has released patches and mitigations for this vulnerability, but they are not enough to fully protect systems, because the vulnerable boot loaders are still trusted by Secure Boot. This means that BlackLotus can still be executed on fully patched systems. Microsoft shared guidance on how threat hunters can identify BlackLotus infections in April 2023, and in May it provided optional mitigations to prevent rollback to the vulnerable boot loaders.
The NSA warned that Linux systems are also at risk from BlackLotus, which uses Shim and GRUB to compromise the boot process. Linux administrators should monitor their systems for signs of infection and update their Secure Boot settings.
The agency recommended that Windows users apply the latest patches, enable security software to detect changes in the EFI boot partition, and prevent infected devices from rebooting. They should also update the DBX deny list with hashes of vulnerable boot loaders to block their execution.
“Updating the DBX may make some Windows install and recovery media unusable. Windows 11 and 10 users can get updated media from Microsoft. Do not update the DBX until you have install and recovery media with the January 2022 or later patches,” the NSA said.
For Linux users, the agency suggested removing the Microsoft Windows Production CA 2011 certificate from the Secure Boot database, which would prevent BlackLotus from using it to bypass Secure Boot checks.
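One way to act on the recommendation above to detect changes in the EFI boot partition is a hash baseline of the files on the EFI System Partition (ESP), compared again at every boot or on a schedule. This is an added example, not code from the NSA guide or Microsoft; it runs against a constructed directory tree that stands in for a mounted ESP.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# The ESP is FAT32, which is case-insensitive, so relative paths are normalised
# to lowercase POSIX form before they are used as dictionary keys.
def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under the ESP root (relative path) to its SHA-256 digest."""
    digests: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix().lower()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed or modified since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Run the check against a constructed ESP-like tree (not a real partition)."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        boot = esp / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"constructed: known-good boot manager")
        (boot / "BCD").write_bytes(b"constructed: boot configuration store")
        baseline = hash_tree(esp)  # in practice, record this right after a trusted install
        # Simulated tampering: the boot manager is replaced and an unexpected binary appears.
        (boot / "bootmgfw.efi").write_bytes(b"constructed: replaced boot manager")
        (boot / "extra.efi").write_bytes(b"constructed: unexpected binary")
        return compare(baseline, hash_tree(esp))


if __name__ == "__main__":
    # On a live Windows host (elevated): mountvol S: /S, then hash_tree(Path("S:/"))
    print(demo())
```

Any non-empty "added" or "modified" list for the boot manager directory is a reason to compare the file against known-good media before the machine is allowed to reboot.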