top of page

CVE-2022-21894: Windows 11's Secure Boot Defeated by BlackLotus Malware

Updated: Mar 31, 2023

Hackers are like chefs who cook up exploits instead of meals - they're always looking for new vulnerabilities to spice things up!

Introduction

Microsoft recently released its latest operating system, Windows 11, designed with enhanced security features to protect users from various threats. One of the critical security features is Secure Boot, which helps ensure that the system only boots trusted operating system loaders and firmware. However, a new malware called BlackLotus has managed to bypass this security feature, leading to concerns about the safety of Windows 11.


In this blog, we will explore the nitty-gritty of the BlackLotus malware and its ability to bypass Windows 11's Secure Boot feature. We will also discuss the implications of this breach and what users can do to protect themselves.


Backstory of BlackLotus

A new bootkit, "BlackLotus", has recently surfaced, which can evade Secure Boot defences, making it a dangerous threat in the cyber world. This stealthy Unified Extensible Firmware Interface (UEFI) bootkit allows complete control over the OS boot process, disabling OS-level security mechanisms and deploying payloads during startup with high privileges. This powerful toolkit is 80 kilobytes in size, programming in Assembly and C, and is available for purchase at $5,000 (with subsequent versions priced at $200 each).


The BlackLotus malware is designed to bypass Secure Boot, a security feature introduced in Windows 8 and improved in Windows 11. Secure Boot ensures that the system only boots trusted operating system loaders and firmware. It is a critical security feature that helps protect against rootkits and other malware that try to infect the system at boot time.



It has geofencing features that prevent it from infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine. Even the latest Windows 11 systems with UEFI Secure Boot enabled are susceptible to this malware.

BlackLotus exploits a security flaw known as Baton Drop (CVE-2022-21894) to bypass UEFI Secure Boot protections and establish persistence. Microsoft patched this vulnerability in its January 2022 Patch Tuesday update.


In October 2022, details about BlackLotus emerged, and Kaspersky security researcher Sergey Lozhkin described it as a sophisticated crimeware solution. According to Eclypsium's Scott Scheferman, this represents a significant advancement in terms of ease of use, scalability, accessibility, and potential impact in terms of persistence, evasion, and destruction.

If the vulnerability is successfully exploited, it allows for arbitrary code execution during the early boot phases, allowing threat actors to carry out malicious activities on a system with UEFI Secure Boot enabled without physical access, as per ESET.



In addition to disabling security mechanisms such as BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender, BlackLotus also drops a kernel driver and an HTTP downloader that communicates with a command-and-control (C2) server to obtain additional user-mode or kernel-mode malware. While the exact method of deploying the bootkit is unknown, it begins with an installer component that writes the files to the EFI system partition, disables HVCI and BitLocker, and reboots the host.


Implications and Protection:

The ability of BlackLotus to bypass Secure Boot on Windows 11 has severe implications for system security. It means that malware authors can create sophisticated and persistent attacks that are difficult to detect and remove. It also shows that even the most advanced security features can be vulnerable to attack.


To protect against this attack, users should ensure that their system's firmware is up-to-date with the latest security patches. They should also keep antivirus software up-to-date, which can help detect and remove malware infections.

That's it for the day; we hope you enjoyed reading this blog.


References:


 

Register for instructor-led online courses today!


Check out our free programs!

Reach out to us with your custom pen testing needs at: info@darkrelay.com


2,664 views
bottom of page