Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
NSA Issues Guidance on BlackLotus
The National Security Agency has issued a mitigation guide for the BlackLotus bootkit. We reported on BlackLotus back in March, following an initial report from ESET, although the malware had been available since at least October 2022. It works by exploiting CVE-2022-21894, a vulnerability which was fixed by Microsoft in their January 2022 updates. However, the affected binaries were not added to the UEFI Secure Boot Deny List Database (DBX), and BlackLotus works by carrying its own copies of those older binaries - a technique referred to as "Baton Drop"
The NSA guide recommends a number of actions:
- Update recovery media and activate optional mitigations
- Harden defensive policies
- Monitor device integrity measurements and boot configuration
- Customize UEFI Secure Boot
It is important to bear in mind that BlackLotus is not a firmware implant, but a bypass of the secure boot process, and it can be removed or quarantined. Currently, it is only known to affect Windows 10 and 11;, but fixes are also available for Windows 8.1. Although BlackLotus does contain some Linux boot binaries, Linux is not one of its targets. Linux admins can defend their systems by removing the Microsoft Windows Production CA 2011 certificate from Secure Boot's DB.
National Security Agency, BlackLotus Mitigation Guide, cybersecurity information, ver 1.0, June 2023. Available online at https://media.defense.gov/2023/Jun/22/2003245723/-1/-1/0/CSI_BlackLotus_Mitigation_Guide.PDF.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.