UEFI Cyber Security Vulnerability
On Wednesday, March 1st, 2023, researchers announced the discovery of the first real-world malware that can hijack a computer’s boot process even when advanced protections, such as Secure Boot, are enabled and running on fully updated versions of Windows. Dubbed BlackLotus, this malware is a UEFI bootkit that targets the low-level and complex firmware responsible for booting up modern computers, known as the Unified Extensible Firmware Interface (UEFI). Because the UEFI is the first thing to run when a computer is turned on, it influences all other software that follows and is, therefore, the perfect place to launch malware. UEFI bootkits, including BlackLotus, disable OS security mechanisms and ensure that a computer remains infected with stealthy malware even after the operating system is reinstalled or a hard drive is replaced.
However, there are two significant hurdles that stand in the way of UEFI attacks. First, threat actors must gain administrator system rights by exploiting vulnerabilities in the OS or apps or tricking a user into installing trojanised software. Second, UEFI Secure Boot, an industry-wide standard that creates a chain of trust to prevent attackers from replacing the intended bootup firmware with malicious firmware, uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer’s manufacturer. While Secure Boot vulnerabilities have been found in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence, until now.
To bypass Secure Boot, BlackLotus exploits CVE-2022-21894, a vulnerability in all supported versions of Windows that Microsoft patched in January 2022. The logic flaw can be exploited to remove Secure Boot functions from the boot sequence during startup, and attackers can also use the flaw to obtain keys for BitLocker, a Windows feature for encrypting hard drives. Despite Microsoft releasing new patched software, the vulnerable signed binaries have yet to be added to the UEFI revocation list that flags boot files that should no longer be trusted. If those signed binaries are revoked, millions of devices will no longer work, so fully updated devices remain vulnerable because attackers can simply replace patched software with the older, vulnerable software.
As BlackLotus first requires that threat actors gain administrator rights through existing vulnerabilities or attack methods, this latest vulnerability can already be stopped by using One2Call’s Endpoint Detection and Response Cyber Security Service to monitor for vulnerabilities, unusual activities and more. Stopping attacks before they can happen.
Latest News Stories
What is “Cyber Secure By Design”?
Artificial Intelligence (AI) and Large Language Models (LLM’s) have seen a huge leap in both technology and use over the past 12 months, and as such we're also seeing drastic a rise in complex cyber attacks. Recent events, like the leak of LLM software, a data breach...
Cyber Threats to Mac Computers on the Rise
For Mac users, a new cyber security threat is on the horizon. A tool called 'Geacon', used by hackers to gain unauthorised access to computers, is becoming more popular. This tool is a version of 'Cobalt Strike', another tool hackers have used for a long time to...
Tackling the $8 Trillion Cyber Crime Crisis
As the Cyber Threat landscape grows increasingly complex and fast-paced, experts predict that the total cost of Cyber Crime will surpass $8 trillion by the end of 2023. This staggering figure includes money stolen by cyber criminals, investments in security tools and...
Our Customers
Testimonials
Yolande Quickfall, Saxton Mee
One2Call are certainly liked by us as they are always keen to help and resolve any problems that we may have and with a quick response.
Cliff College
It’s clear that Jordon prioritized our needs as a College. He took on a task that wasn’t easy and sorted it quickly.
Lesa, ISB Ltd
Excellent and very prompt Service from Jordan, and as always extremely polite.