TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
Summary: On April 11, 2023, Microsoft reported (weblink below) on a malicious campaign using a Unified Extensible Firmware Interface (UEFI) bootkit, tracked as “BlackLotus”, to exploit a Windows Secure Boot security feature bypass vulnerability (CVE-2022-21894, also known as Baton Drop) and deploy malicious payloads to the EFI system partition (ESP), where they are executed by the UEFI firmware. BlackLotus has various persistence and defense evasion capabilities, including disabling security features such as BitLocker, hypervisor-protected code integrity (HVCI), and Windows Defender.
According to ESET’s previous report (weblink below), BlackLotus has three main parts in its infection chain. The first part is the execution of the BlackLotus installer, which deploys its components to the ESP and disables HVCI and BitLocker. The targeted system reboots before proceeding with the next part. The second part involves the exploitation of CVE-2022-21894 and enrollment of the adversary’s Machine Owner Key (MOK) to gain persistence before rebooting the targeted system again. Following the reboot, BlackLotus executes the kernel driver and deploys the user-mode HTTP downloader, which communicates with the command and control (C2) server, executes additional commands, and deploys additional payloads.
Microsoft Advisory: hxxps://www.microsoft[.]com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
ESET Report: hxxps://www.welivesecurity[.]com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
NYSIC CAU Analyst Note: Microsoft Incident Response analyzed the artifacts BlackLotus leaves during its installation and execution process, which can be used to detect infections. The artifacts include recently written and locked bootloader files in the EFI system partition (ESP), staging directory artifacts, modified registry keys, related Windows Event Log entries, boot configuration log entries, and suspicious network log entries.
Microsoft Security Response Center Blog: hxxps://msrc.microsoft[.]com/update-guide/en-US/vulnerability/CVE-2022-21894
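The following triage script is an added example, not part of this advisory or of Microsoft’s guidance; it checks a host for three of the artifact classes named in the analyst note (recently written or locked bootloader files in the ESP, an HVCI registry setting of disabled, and BitLocker protection turned off). The ESP drive letter S:, the 30-day window, and the standard \EFI path and DeviceGuard registry key are assumptions for this example; run it from an elevated PowerShell session.

```powershell
# Added triage example (not from the advisory or Microsoft's guidance). Assumptions:
# the ESP is mounted at S: via mountvol, and "recent" means written within 30 days.
$EspLetter  = 'S:'
$RecentDays = 30
$findings   = [System.Collections.Generic.List[string]]::new()

# Mount the EFI system partition if it is not already mounted (mountvol /S maps the ESP).
if (-not (Test-Path $EspLetter)) { mountvol $EspLetter /S | Out-Null }

# 1. Bootloader files in the ESP that were written recently or cannot be opened.
#    Locked bootloader files are one of the artifacts listed in the analyst note.
Get-ChildItem -Path "$EspLetter\EFI" -Recurse -Filter *.efi -ErrorAction SilentlyContinue |
  ForEach-Object {
    $recent = $_.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays)
    $locked = $false
    try {
      # Request exclusive read access; a held handle on the file raises IOException.
      $fs = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'None')
      $fs.Close()
    } catch [System.IO.IOException] {
      $locked = $true
    }
    if ($recent -or $locked) {
      $findings.Add("ESP file $($_.FullName): recent=$recent locked=$locked")
    }
  }

# 2. HVCI disabled through the DeviceGuard registry key (Enabled = 0).
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue
if ($hvci -and $hvci.Enabled -eq 0) {
  $findings.Add("HVCI registry value Enabled=0 at $hvciKey")
}

# 3. BitLocker protection no longer active on the OS volume.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($bl -and $bl.ProtectionStatus -ne 'On') {
  $findings.Add("BitLocker protection on $env:SystemDrive is $($bl.ProtectionStatus)")
}

# Report results; any hit warrants review against the Microsoft guidance linked above.
if ($findings.Count -gt 0) { $findings } else { 'No artifacts found by these checks.' }
```

A recently written or locked bootloader file is not proof of compromise on its own (Windows updates also rewrite the ESP), so correlate hits with the registry, event log, and boot configuration artifacts described in Microsoft’s guidance.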
This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.