Great, BlackLotus Windows UEFI Source Code Revealed To All
Examining The Way BlackLotus Wreaks Havoc On Windows Secure Boot
While source code leaks are often a bad thing, in this case it can only be considered wonderful. BlackLotus, which we have covered before, has been horrifying security professionals and IT workers since it was first revealed. It is capable of bypassing Secure Boot and TPM protections to infect your drive’s EFI System Partition irrevocably, enabling it to launch malware at boot that is completely invisible to your operating system and antivirus software. The only fix found so far is quite complex to apply and needs to be done manually on every single machine you want to secure. Even better, getting it even slightly wrong will not only brick your local drive but also ensure you can’t use any tools to recover the lost data.
The release of BlackLotus’ source code on GitHub, or at least most of it, will let bad actors design new flavours of bootloaders to invisibly infect machines without having to fork over the several thousand dollars the designers charged for access. There isn’t really any good news to accompany this, as what was leaked had already been discovered by security researchers and doesn’t add to their knowledge. What it does do is make it much easier to combine this code with other bootloader malware to create new versions of BlackLotus-type attacks, which we have no way to detect, let alone protect against.
At least it’s the weekend soon?
The source code for the BlackLotus UEFI bootkit has leaked online, allowing greater insight into a malware that has caused great concern among the enterprise, governments, and the cybersecurity community.
More Tech News From Around The Web
- TPU Interviews AMD Vice President: Ryzen AI, X3D, Zen 4 Future Strategy and More @ TechPowerUp
- Time Cards with Atomic Clocks at OCP Regional Summit 2023 Prague @ ServeTheHome
- How Duck Tape Became Famous @ Hackaday
- Microsoft whips up unrest after revealing Azure AD name change @ The Register
- Telly Starts Shipping Free, Ad-Supported 4K TVs @ Slashdot
- WordPress AIOS plugin used by 1M sites logged plaintext passwords @ Bleeping Computer
- Three signs that Wayland is becoming the favored way to get a GUI on Linux @ The Register
- Li-Fi, Light-Based Networking Standard Released @ Slashdot
- USB drive malware attacks spiking again in first half of 2023 @ Bleeping Computer
- Funnily enough, AI models must follow privacy law – including right to be forgotten @ The Register
From what I understand (and from what the Bleeping Computer article says), BlackLotus infects the bootloader/Windows EFI partition (which is on the DRIVE). It doesn’t infect the UEFI firmware, meaning it doesn’t infect the storage device (flash or whatever) where the UEFI firmware is. You state “motherboards EFI System Partition”, but that’s nonsensical. The EFI system partition is on the drive. The problem here is detection; since it bypasses Secure Boot/TPM, it is what they refer to as a “bootkit”. It’s going to be difficult to detect it if you’re booting from the drive, but not impossible. The article lists suggestions from the NSA and MS on how to detect it, and in most scenarios not involving critical data recovery, deleting all partitions and starting over is going to be the default response, just like any other infection.
The truly terrifying scenarios would involve actually infecting the storage where the UEFI firmware is (which I think has been confirmed to have happened in the wild, and has been demonstrated by researchers). A less scary, but still worse, scenario would be infecting the firmware of the drive (probably possible/has happened as well). I’m sure states and high-level actors have been doing this more frequently than we know for a long time, but in the future, these types of techniques will filter down to the more common actors (either through leaks of proof-of-concepts, or just organically), and then things will get very interesting (i.e. when you’re owned, your motherboard and drive will be bricks). The good news is, security is so bad that the common actors have little incentive to spend their precious criminal time on researching that, when there’s so much low-hanging fruit ($) to be had.
Thanks for catching my brainfart, replaced “motherboard’s” with “drive’s”.