Published: April 17, 2023
Microsoft has shared information and guidance to check if hackers targeted or compromised users by exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. This Secure Boot Security Feature Bypass Vulnerability has a CVSS score of 4.4 at the time of the discovery of this vulnerability.
UEFI bootkits run at computer startup, prior to the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus. The malware uses CVE-2022-21894 to bypass Windows Secure Boot and subsequently deploy malicious files to the EFI System Partition (ESP) that are launched by the UEFI firmware. This allows the bootkit to:
- Achieve persistence by enrolling the threat actor’s Machine Owner Key (MOK)
- Turn off HVCI to allow deployment of a malicious kernel driver
- Leverage the kernel driver to deploy the user-mode HTTP downloader for command and control (C2)
- Turn off Bitlocker to avoid tamper protection strategies on Windows
- Turn off Microsoft Defender Antivirus to avoid further detection
Microsoft Incident Response has identified multiple opportunities for detection along several steps in its installation and execution processes. The artifacts analyzed include:
- Recently created and locked bootloader files – BlackLotus locks malicious bootloader files to protect them from deletion or tampering.
- Staging directory artifacts created – During the installation process, BlackLotus creates a custom directory under ESP:/system32/
- Registry key modified – To turn off HVCI, the installer modifies the registry key
HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity by setting the value Enabled to "0"
- Windows Event logs entries generated – BlackLotus disables Microsoft Defender Antivirus as a defense evasion method by patching its drivers leading to the generation of Windows Event ID 7023 in Windows logs.
- Network behavior – Outbound network connections from winlogon.exe, particularly to port 80, should be considered highly suspicious.
- Boot Configuration log entries generated – The BlackLotus bootkit has boot drivers that are loaded in the boot cycle. MeasuredBoot logs (Windows Boot Configuration Logs) list the BlackLotus components as EV_EFI_Boot_Services_Application.
Please refer to https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21894 for impacted versions.
Since, launching the bootkit requires privileged access to the target machine (remotely or locally), it is highly recommended to follow the principle of least privilege and strong credential policy and practices to prevent such infection in the environment.
Further to detect the vulnerability, it is advisable to run vulnerability scanning like that available with Netsurion Vulnerability Management and perform automated OS, application, and firmware patch management.
Netsurion Detection and Response
Our security analysts have added the IOCs (Indicators of Compromise – the hashes of malicious files and the IP addresses of C2 communications) to Netsurion Threat Center, our Threat Intelligence Platform. This will help detect malicious files and suspicious Command and Control communications to malicious IP addresses. Netsurion’s vulnerability management system will also detect the vulnerability (CVE-2022-21894) for customers who have subscribed to Netsurion Vulnerability Management.
- https://www.bleepingcomputer.com/ news/security/microsoft-shares -guidance-to-detect-blacklotus-uefi-bootkit-attacks/
- https://www.welivesecurity.com/ 2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/#exploiting-cve-2022-21894