Project Hyphae

Year-old UEFI vulnerability meditates in the BlackLotus position.


ESET announced it has identified and analyzed 6 installers for the BlackLotus bootkit malware. The malware leverages the year-old Windows vulnerability CVE-2022-21894 to bypass Secure Boot, which allows it to infect even a fully patched Windows 11 device. Microsoft published updates to fix the issue in its January 2022 patch release, but because that update did not add the affected validly signed binaries to the UEFI revocation list, an attacker can drop its own vulnerable copies of those binaries and compromise the system. In August 2022, a proof of concept for the exploitation of CVE-2022-21894 was published to GitHub, and the UEFI bootkit has been for sale on hacking forums since October 2022. Until the UEFI revocation list is updated to include those validly signed binaries, all versions of Windows listed in Microsoft’s advisory remain vulnerable.

BlackLotus takes this further: it deploys a kernel driver to prevent removal, installs an HTTP downloader for Command and Control communication and payload delivery, and protects handles to the bootkit’s files by triggering a Blue Screen of Death if those handles are closed.
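Because the exposure described above hinges on whether the firmware's forbidden-signatures database (the UEFI "dbx" revocation list) has been updated, a defender's first check is to read that variable and see which binary hashes it actually revokes. The following parser is an added example, not ESET's or Microsoft's code; it walks the EFI_SIGNATURE_LIST records that make up a dbx blob, and the sample blob, the owner GUID and the two digests in it are constructed placeholders rather than real revoked boot-manager hashes.

```python
"""Parse a UEFI dbx variable and check whether a given PE hash is revoked.
Added example; the sample dbx below is constructed, not captured from a device."""
import struct
import uuid

# From the UEFI spec: lists of this type hold SHA-256 digests of revoked binaries.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # SignatureType GUID (16) + SignatureListSize/HeaderSize/SignatureSize (3 x uint32)


def parse_dbx(blob: bytes) -> list[bytes]:
    """Return every SHA-256 digest in the concatenated EFI_SIGNATURE_LIST records.
    Other signature types (e.g. X.509 lists) are skipped, not rejected."""
    hashes, off = [], 0
    while off + HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Guard against truncated or self-inconsistent records before trusting the sizes.
        if list_size < HEADER_LEN or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_SHA256_GUID:
            pos, end = off + HEADER_LEN + hdr_size, off + list_size
            while pos + sig_size <= end:
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the digest.
                hashes.append(blob[pos + 16:pos + sig_size])
                pos += sig_size
        off += list_size
    return hashes


def is_revoked(blob: bytes, pe_hash_hex: str) -> bool:
    """True if the Authenticode SHA-256 hash (hex) of a binary appears in dbx."""
    return bytes.fromhex(pe_hash_hex) in parse_dbx(blob)


def build_sha256_list(digests: list[bytes]) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used to construct test data)."""
    owner = uuid.UUID(int=0).bytes_le  # placeholder SignatureOwner GUID, not a real vendor GUID
    body = b"".join(owner + d for d in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, 48)
    return header + body


# Constructed sample dbx with two placeholder digests standing in for revoked boot managers.
SAMPLE_DBX = build_sha256_list([bytes([0x11]) * 32, bytes([0x22]) * 32])

if __name__ == "__main__":
    print(len(parse_dbx(SAMPLE_DBX)), "revoked SHA-256 hashes")
    print(is_revoked(SAMPLE_DBX, "11" * 32))
```

On a real system the blob comes from `Get-SecureBootUEFI -Name dbx` on Windows, or from the `dbx-*` file under `/sys/firmware/efi/efivars/` on Linux after stripping its 4-byte attributes prefix.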

Link to Microsoft’s Advisory:

Link to ESET’s News Release:

Reach out to our incident response team for help
