bytesjas.blogg.se

Download the last version for iphoneCyber Hunter









The US National Security Agency (NSA) is urging system administrators to take extra steps beyond patching to safeguard Windows 10 and 11 machines from the BlackLotus bootkit malware.

BlackLotus emerged last fall when it was discovered for sale on the Dark Web for $5,000. It has the notorious distinction of being the first malware in the wild to successfully circumvent Microsoft's Unified Extensible Firmware Interface (UEFI) Secure Boot protections.

UEFI is the firmware responsible for the boot-up routine, loading before the operating system kernel and any other software. Although BlackLotus is a software threat and not a firmware threat, it exploits two vulnerabilities in the UEFI Secure Boot function to insert itself into the earliest phase of the software boot process initiated by UEFI: CVE-2022-21894, also known as Baton Drop, with a CVSS score of 4.4 and CVE-2023-24932, with a CVSS score of 6.7. Microsoft patched these vulnerabilities in January 2022 and May 2023, respectively.

However, the NSA warns that applying the available Windows 10 and Windows 11 patches is just "a good first step." The NSA's BlackLotus mitigation guide (PDF) states, "Patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX)." The guide continues, "Administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot." This means that threat actors can simply replace fully patched boot loaders with legitimate but vulnerable versions to execute BlackLotus on compromised endpoints.

Microsoft is working on a more comprehensive fix scheduled for release in early 2024. Until then, the NSA recommends that infrastructure owners take additional steps to harden their systems, such as tightening user executable policies and monitoring the integrity of the boot partition. An optional advanced mitigation involves customizing the Secure Boot policy by adding DBX records to all Windows endpoints.
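The guide's point that an unpatched boot loader stays trusted until a DBX record revokes it can be checked mechanically. The following is an added example, not code from the NSA guide or the original article: it parses the UEFI `EFI_SIGNATURE_LIST` layout used by the DBX and tests whether an image digest has a deny record. It assumes the input is the raw variable content (no attribute or authentication header) and that the digest is the image's Authenticode SHA-256; the helper names and all sample values are constructed.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec): each entry is an owner GUID plus a SHA-256 digest.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, ListSize, HeaderSize, SignatureSize.
LIST_HEADER = struct.Struct("<16sIII")
ENTRY_SIZE = 16 + 32


def build_sha256_list(digests, owner):
    """Serialize digests as one EFI_SIGNATURE_LIST (only used to make sample data)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    return LIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                            LIST_HEADER.size + len(body), 0, ENTRY_SIZE) + body


def parse_dbx_sha256(blob):
    """Return every SHA-256 digest in a run of concatenated EFI_SIGNATURE_LISTs."""
    denied, offset = set(), 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, offset)
        end = offset + list_size
        if list_size < LIST_HEADER.size + hdr_size or end > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size field out of bounds")
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_SHA256_GUID:
            if sig_size != ENTRY_SIZE:
                raise ValueError("unexpected SHA-256 entry size")
            pos = offset + LIST_HEADER.size + hdr_size
            while pos + sig_size <= end:
                denied.add(blob[pos + 16:pos + sig_size])  # skip SignatureOwner
                pos += sig_size
        offset = end  # other list types (for example X.509) are skipped
    return denied


def is_revoked(image_digest, dbx_blob):
    """True if the image digest has a deny record, so firmware would refuse to load it."""
    return image_digest in parse_dbx_sha256(dbx_blob)


# Constructed sample data: none of these values come from a real DBX or boot loader.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
VULNERABLE = hashlib.sha256(b"constructed: old, still-signed boot loader").digest()
OTHER = hashlib.sha256(b"constructed: unrelated revoked image").digest()
DBX_PATCH_ONLY = build_sha256_list([OTHER], OWNER)
DBX_WITH_RECORD = DBX_PATCH_ONLY + build_sha256_list([VULNERABLE], OWNER)
```

With `DBX_PATCH_ONLY` the older loader has no deny record and would still be accepted, which is the gap the guide describes; `DBX_WITH_RECORD` models the endpoint after the optional DBX customization.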









