March 10 – Cyber security experts are sounding the alarm over a potent new form of malware that can circumvent an essential security check which normally runs when Microsoft Windows users power on their computers.
This “bootkit” malware, called BlackLotus, enables hackers to bypass UEFI Secure Boot – the security measure that verifies the code the firmware loads during startup, before Windows takes over the hardware.
One cyber security firm recently highlighted the fact that the malware in question is not your typical malware. Subsequently, another hardware and firmware security firm corroborated that claim, stating that BlackLotus is the first-ever bootkit to break through Secure Boot.
Although Microsoft addressed the vulnerability with a patch a year ago, researchers have now discovered that BlackLotus can evade this update. Hackers can manipulate the attack chain by installing an older, still-vulnerable version of the boot manager.
Once BlackLotus secures persistence in the boot process, it disables multiple Operating System (OS) security features, such as BitLocker, HVCI, and Windows Defender, giving attackers ample opportunity to infiltrate networks with additional malware.
For BlackLotus to succeed on a patched computer, an attacker would first require administrative access to the system; from there, “…the attacker elevates to higher privileges to bypass even more security measures,” opening the door to a plethora of surveillance and disruption options.
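The protections named above (Secure Boot, HVCI, BitLocker and Defender) are exactly the ones a defender should confirm are still switched on. The following PowerShell script is an added example written for this article, not code from the article or from any vendor cited in it; it only uses standard Windows cmdlets (`Confirm-SecureBootUEFI`, `Get-BitLockerVolume`, `Get-MpComputerStatus`, and the `Win32_DeviceGuard` CIM class) to report each protection's state from an elevated prompt, so that a host where several of them are unexpectedly off can be flagged for closer inspection. The function name and the warning wording are our own.

```powershell
# Added example (not from the article): report the state of the protections
# BlackLotus is described as tampering with, so a defender can spot a host
# where they are unexpectedly off. Run from an elevated PowerShell on Windows 10/11.
function Get-BootProtectionStatus {
    $report = [ordered]@{}

    # UEFI Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS machines,
    # so treat that as "not applicable" rather than as a failure.
    try   { $report.SecureBoot = Confirm-SecureBootUEFI }
    catch { $report.SecureBoot = 'unsupported/legacy BIOS' }

    # HVCI (memory integrity): SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $report.HVCI = ($dg.SecurityServicesRunning -contains 2)

    # BitLocker protection on the OS volume ('On' or 'Off').
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $report.BitLocker = $osVolume.ProtectionStatus

    # Microsoft Defender real-time protection.
    $mp = Get-MpComputerStatus
    $report.DefenderRealTime = $mp.RealTimeProtectionEnabled

    [pscustomobject]$report
}

$status = Get-BootProtectionStatus
$status | Format-List

# On a managed fleet all of these should be enabled; list whichever are not.
$off = @()
if ($status.SecureBoot -ne $true)     { $off += 'SecureBoot' }
if (-not $status.HVCI)                { $off += 'HVCI' }
if ($status.BitLocker -ne 'On')       { $off += 'BitLocker' }
if (-not $status.DefenderRealTime)    { $off += 'DefenderRealTime' }
if ($off) { Write-Warning ('Protections disabled: ' + ($off -join ', ')) }
```

A single host with one of these off is usually a configuration choice; the combination described in the article (Secure Boot still reporting enabled while BitLocker, HVCI and Defender have all gone quiet) is what merits pulling the machine for firmware and boot-manager inspection.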
Researchers initially identified BlackLotus in October of 2022, when the malware was offered for $5,000 on an underground web forum, with additional updates available for $200 each. While instances of the malware have been relatively rare, it is possible that we’ll see an uptick in threat actor use of this malware in the future.
For more malware insights, please see CyberTalk.org’s past coverage. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.