BlackLotus bootkit patch may bring "false sense of security", warns NSA
Read more in my article on the Tripwire blog:
Tomorrow, I start as Director of Product Marketing at Eclypsium, Inc. I am excited to work alongside an extremely smart and thoughtful team.
Increasingly, attackers are targeting firmware to evade OS-level protections and maintain persistence. It's an "out of sight, out of mind" attack vector, but extremely critical. Watch this space because it could get real messy, real fast. Think of what an APT can do with root access to enterprise network appliances, or what malware syndicates could do with an easy-to-use bootkit.
What controls do you currently have in place to assess and mitigate the risk of firmware attacks, especially those delivered through your supply chain? Eclypsium makes this easy for IT and security teams. Delivered as SaaS, the platform helps you to establish trust in your software, firmware, and hardware supply chain. Eclypsium has the largest library of firmware profiles and can verify the observed firmware matches the firmware profile that should be on the device, as well as report on firmware configurations.
This blog post from @paulasadoorian chronicles recent real-world firmware attacks and explains why attackers focus on firmware: https://eclypsium.com/blog/endpoint-firmware-attack-timeline-introduction/
This Week in Security: .zip Domains, Zip scanning - The world may not be ready, but the .zip Top Level Domain (TLD) is here. It’s a pa... - https://hackaday.com/2023/05/19/this-week-in-security-zip-domains-zip-scanning/ #thisweekinsecurity #hackadaycolumns #securityhacks #blacklotus #secureboot #news #zip
#Microsoft does it again on #PatchTuesday with a flawless victory against the forces of...bootable media?
That includes any emergency boot disks, recovery partitions created by the OEM that makes your computer, recovery partitions you made prior to today, bootable media from third parties including emergency recovery tools.
On the one hand, the CVE-2023-24932 bug seems really bad. UEFI malware that inserts itself at a lower level than Secure Boot? It's incredibly dangerous. [Edit: changed "but" to "bug"]
On the other hand, it's also extremely rare and unlikely to affect most users. Meanwhile, the thing that does affect many Windows users are crashes that cause the computer not to be able to boot.
And now, the #KB5025885 patch removes the one safety net under the high wire. Now you get to go wild and free and maybe...your computer falls to its death.
Ai yi yi, I am normally the guy who tells you to apply these important patches right away, and this has me questioning that advice.
If you decide that you need to do this, you probably need to find another method of creating a bootable backup of your system drive, just in case something goes wrong. I use a NVMe drive and have an external backup device that lets me clone from my main drive to a second NVMe drive, but that's a highly specialized set of tools and it's not cheap or easy.
This whole situation seems like something that could have been handled a lot better by our friends in the MSRC.
#CVE202324932 #24932 #UEFI #SecureBoot #BlackLotus #patch #Windowsupdate
Researchers on Wednesday announced a major #cybersecurity find—the world’s first-known instance of real-world #malware that can hijack a computer’s boot process even when #Secure #Boot and other advanced protections are enabled and running on fully updated versions of #Windows.
Dubbed #BlackLotus, the malware is what’s known as a UEFI bootkit. These sophisticated pieces of malware target the #UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer.
As the mechanism that bridges a PC’s device firmware with its operating system, the UEFI is an OS in its own right.
It’s located in an SPI-connected #flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.
Previously discovered bootkits such as #CosmicStrand, #MosaicRegressor, and #MoonBounce work by targeting the UEFI firmware stored in the flash storage chip. Others, including BlackLotus, target the software stored in the EFI system partition.
While researchers have found Secure Boot vulnerabilities in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence.
Until now.