NSA Guidance for Mitigating BlackLotus Bootkit Infections


The National Security Agency (NSA) has issued mitigation guidance to help organizations protect their systems against BlackLotus UEFI bootkit infections.

This guidance provides technical recommendations for hardening systems and preventing the deployment of stealthy malware.

Key Takeaways

  • The NSA has released technical guidance to help organizations mitigate BlackLotus UEFI bootkit infections.
  • BlackLotus is a stealthy malware with capabilities such as UAC bypass, secure boot bypass, and prolonged persistence.
  • Mitigation measures include patching Windows systems, monitoring EFI boot partition changes, and updating Secure Boot with deny list hashes, while Linux administrators can remove the Microsoft Windows Production CA 2011 certificate.

The National Security Agency (NSA) has released technical mitigation guidance aimed at assisting organizations in fortifying their systems against BlackLotus UEFI bootkit infections.

BlackLotus is a sophisticated malware that surfaced in underground forums in late 2022. It possesses various capabilities, including User Account Control (UAC) and Secure Boot bypass, unsigned driver loading, and prolonged persistence.

Understanding the Exploitation and Vulnerabilities

The bootkit exploits a one-year-old Windows vulnerability (CVE-2022-21894) to disable secure boot and deploys an older, vulnerable Windows boot loader to take advantage of the bug.

It is important to note that BlackLotus can only be deployed on systems that have already been compromised.

Previous Actions Taken by Microsoft

In April, Microsoft shared information to help threat hunters identify BlackLotus infections in their environments. Microsoft emphasized that the bootkit can only be deployed on compromised systems.

In May, the company released optional mitigations to prevent the rollback to vulnerable boot loaders.

NSA Mitigation Recommendations

The NSA’s mitigation guidance acknowledges that BlackLotus can execute on fully patched systems because the targeted vulnerable boot loaders have not been added to the Secure Boot DBX revocation list.

The agency advises system administrators, especially those within the Department of Defense and other networks, to remain vigilant and take proactive measures as relying solely on available security patches may create a false sense of security.

Mitigation Measures for Windows and Linux Systems

For Windows systems, organizations are advised to maintain up-to-date patching, configure security software to monitor the EFI boot partition for changes, and prevent devices from rebooting if such changes are detected.
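The EFI-partition monitoring the NSA recommends comes down to keeping a hash manifest of the mounted EFI System Partition and diffing later snapshots against it, so a swapped or newly dropped boot loader is reported before the next reboot. The following is an added example written for this article, not code from the NSA guidance or from Microsoft. It assumes the ESP is mounted as an ordinary directory (for example `/boot/efi` on Linux); the demo builds a constructed ESP in a temporary directory whose file names mirror the usual layout but whose contents are placeholders.

```python
"""Baseline and diff the contents of an EFI System Partition (ESP).

Added example for the mitigation text; not the NSA's or Microsoft's code.
build_manifest() records a SHA-256 per file, diff_manifests() reports what
changed, and should_block_reboot() is the policy the article describes:
any change to the ESP means hold the reboot until someone has looked.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (ESP-relative, '/'-separated) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths as added, removed or modified relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def should_block_reboot(diff: Dict[str, List[str]]) -> bool:
    """Any change at all to the boot partition is grounds to hold the reboot."""
    return any(diff[key] for key in ("added", "removed", "modified"))


def demo() -> Dict[str, List[str]]:
    """Build a constructed ESP, take a baseline, alter it, and return the diff."""
    with tempfile.TemporaryDirectory() as esp:

        def write(rel: str, data: bytes) -> None:
            full = os.path.join(esp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Constructed ESP contents: real layout, placeholder bytes.
        write("EFI/Microsoft/Boot/bootmgfw.efi", b"constructed placeholder for the current boot manager")
        write("EFI/Microsoft/Boot/BCD", b"constructed placeholder BCD store")
        write("EFI/Boot/bootx64.efi", b"constructed placeholder fallback loader")
        baseline = build_manifest(esp)

        # What a monitor should catch: the boot manager replaced and a new file dropped.
        write("EFI/Microsoft/Boot/bootmgfw.efi", b"constructed placeholder for a different loader")
        write("EFI/Microsoft/Boot/winload.efi", b"constructed placeholder for a newly added file")
        return diff_manifests(baseline, build_manifest(esp))


if __name__ == "__main__":
    changes = demo()
    print(changes)
    print("block reboot:", should_block_reboot(changes))
```

In production the baseline would be taken once after a known-good patch cycle and stored off the host, and the diff run from a scheduled task or the endpoint agent before any reboot is allowed to proceed.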

Additionally, updating Secure Boot with DBX deny list hashes can prevent the execution of older and vulnerable boot loaders. However, it is important to note that adding boot loader hashes to the DBX may render certain Windows install and recovery images, discs, and removable media drives unbootable. Microsoft provides updated install and recovery images for Windows 11 and 10.

Linux system administrators can follow the NSA’s guidance to remove the Microsoft Windows Production CA 2011 certificate from the Secure Boot database. This eliminates the need to add DBX hashes for Linux systems.
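Both the DBX deny-list step above and the Linux certificate-removal step come down to inspecting the Secure Boot variables, which are stored as EFI_SIGNATURE_LIST structures. The following is an added example written for this article, not code from the NSA guidance or from any vendor. It parses that structure from the UEFI specification and answers the two questions the text raises: whether a boot loader's hash is present in DBX, and which X.509 certificates the db currently carries. Everything in the demo blobs is constructed: the hashed "images" are placeholders rather than real boot-loader or BlackLotus hashes, the owner GUID is a placeholder rather than a vendor GUID, and the "certificate" is a stand-in byte string. Note that real DBX entries for PE boot loaders hold the Authenticode image hash, not a flat file hash; the demo hashes raw bytes only to keep the example self-contained.

```python
"""Parse UEFI Secure Boot signature databases (db / dbx) and check revocations.

Added example, not from the article or the NSA guidance. One EFI_SIGNATURE_LIST
(all integers little-endian):

    EFI_GUID SignatureType          16 bytes
    UINT32   SignatureListSize      size of the whole list, header included
    UINT32   SignatureHeaderSize    normally 0
    UINT32   SignatureSize          size of each EFI_SIGNATURE_DATA entry
    UINT8    SignatureHeader[SignatureHeaderSize]
    EFI_SIGNATURE_DATA Signatures[] each = SignatureOwner GUID (16) + SignatureData
"""
import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import List

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PLACEHOLDER_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # constructed, not a vendor GUID
HEADER_LEN = 28  # 16-byte GUID + three UINT32 fields


@dataclass
class Signature:
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes  # 32-byte digest for SHA256 lists, DER certificate for X509 lists


def parse_signature_lists(blob: bytes) -> List[Signature]:
    """Walk consecutive EFI_SIGNATURE_LIST structures and flatten their entries.

    Every size field is checked against the buffer before it is trusted, so a
    truncated or tampered variable raises instead of yielding garbage entries.
    """
    entries: List[Signature] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError(f"truncated signature list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body_len = list_size - HEADER_LEN - hdr_size
        if sig_size <= 16 or body_len < 0 or body_len % sig_size:
            raise ValueError(f"inconsistent sizes in list at offset {off}")
        body = off + HEADER_LEN + hdr_size
        for p in range(body, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            entries.append(Signature(sig_type, owner, blob[p + 16:p + sig_size]))
        off += list_size
    return entries


def strip_efivarfs_attributes(raw: bytes) -> bytes:
    """Linux efivarfs (/sys/firmware/efi/efivars/dbx-<guid>) prefixes each variable
    with a 4-byte attribute word; drop it before parsing the lists."""
    return raw[4:]


def is_image_revoked(dbx_entries: List[Signature], image: bytes) -> bool:
    """True if the SHA-256 of the given bytes is listed in DBX.
    Demo only: real entries for PE loaders carry the Authenticode hash, not a flat hash."""
    digest = hashlib.sha256(image).digest()
    return any(e.sig_type == EFI_CERT_SHA256_GUID and e.data == digest for e in dbx_entries)


def trusted_cert_entries(db_entries: List[Signature], subject_fragment: bytes) -> List[Signature]:
    """Heuristic inventory: X.509 entries whose DER contains the given subject text.
    Fine for a quick look at what db trusts; use a real X.509 parser for anything decisive."""
    return [e for e in db_entries if e.sig_type == EFI_CERT_X509_GUID and subject_fragment in e.data]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, datas: List[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; used here only to construct the demo blobs."""
    if any(len(d) != len(datas[0]) for d in datas):
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + len(datas[0])
    out = sig_type.bytes_le + struct.pack("<III", HEADER_LEN + sig_size * len(datas), 0, sig_size)
    for d in datas:
        out += owner.bytes_le + d
    return out


# Constructed demo inputs: placeholders, not real boot-loader images or certificates.
OLD_LOADER = b"constructed placeholder: stand-in for an old, vulnerable boot loader"
CURRENT_LOADER = b"constructed placeholder: stand-in for the current patched boot loader"
FAKE_CERT_DER = b"\x30\x82\x00\x00constructed placeholder DER with CN=Constructed Test CA 2011"

SAMPLE_DBX = build_signature_list(
    EFI_CERT_SHA256_GUID, PLACEHOLDER_OWNER,
    [hashlib.sha256(OLD_LOADER).digest(), hashlib.sha256(b"another constructed revoked image").digest()],
)
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, PLACEHOLDER_OWNER, [FAKE_CERT_DER])
SAMPLE_DBX_EFIVAR = b"\x27\x00\x00\x00" + SAMPLE_DBX  # constructed attribute word + lists


def demo() -> dict:
    dbx = parse_signature_lists(strip_efivarfs_attributes(SAMPLE_DBX_EFIVAR))
    db = parse_signature_lists(SAMPLE_DB)
    return {
        "dbx_entries": len(dbx),
        "old_loader_revoked": is_image_revoked(dbx, OLD_LOADER),
        "current_loader_revoked": is_image_revoked(dbx, CURRENT_LOADER),
        "test_ca_in_db": len(trusted_cert_entries(db, b"Constructed Test CA 2011")),
    }


if __name__ == "__main__":
    print(demo())
```

Run against a real host, the same parser applied to the `db` variable shows whether the Microsoft certificate the NSA suggests removing on Linux is still trusted, and applied to `dbx` shows whether the deny list has actually been updated, which is the check the text says a patched system alone does not give you.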

Conclusion

The NSA’s mitigation guidance serves as a valuable resource for organizations seeking to protect their systems from BlackLotus UEFI bootkit infections. By following the recommended mitigation measures and remaining vigilant, organizations can enhance their security posture and defend against this sophisticated malware.

It is crucial to implement these measures promptly and maintain an ongoing focus on system hardening to mitigate the risks posed by BlackLotus.
