Harden Systems Against BlackLotus Bootkit Malware - 20230630-002

Overview

BlackLotus is a recently publicized malware product garnering significant attention within tech media. Similar to 2020's BootHole CVE-2023-24932, BlackLotus takes advantage of a boot loader flaw---specifically CVE-2022-21894 Secure Boot bypass known as "Baton Drop"---to take control of an endpoint from the earliest phase of software boot.

Microsoft® issued patches for supported versions of Windows to correct boot loader logic. However, patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX). Administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot.

What is the vulnerability?

CVE-2020-10713 - CVSS v3 Base Score: 8.2 HIGH

CVE-2022-21894 - CVSS v3 Base Score: 4.4 MEDIUM

What is vulnerable?

The vulnerability exists in the following products:

• Windows 10 and Windows 11

What has been observed?

An update to BlackLotus BootKit Patching Won't Prevent Compromise.

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC encourages users and administrators to review the BlackLotus Bootkit Malware advisories page for more information, and go beyond patching in order to protect Windows 10 and 11 machines from the BlackLotus bootkit malware.

https://media.defense.gov/2023/Jun/22/2003245723/-1/-1/0/CSI_BlackLotus_Mitigation_Guide.PDF