Microsoft Secure Boot Zero-Day

Microsoft issues optional fix for Secure Boot zero-day used by malware

Date: 11 May 2023

Threat Actor

BlackLotus

Description

Microsoft has released security updates to address a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware to infect fully patched Windows systems.

Secure Boot is a UEFI firmware feature that refuses to run any bootloader or driver not signed by a certificate enrolled in the firmware's allowed-signature database (db), or whose hash or signer appears in the forbidden database (dbx); this keeps bootkits and rootkits from loading before the operating system starts. It does not depend on a Trusted Platform Module (TPM): the TPM is used by measured boot, a separate mechanism that records what was loaded rather than blocking it.

According to a Microsoft Security Response Center blog post, the security flaw (tracked as CVE-2023-24932) was used to bypass patches released for CVE-2022-21894, another Secure Boot bug abused in BlackLotus attacks last year.

This vulnerability allows an attacker to execute self-signed code at the UEFI level while Secure Boot is enabled, that is, code not signed by any certificate in the firmware's trusted database. BlackLotus uses it primarily as a persistence and defense-evasion mechanism: code that runs before the kernel can disable or evade OS-level protections. Successful exploitation requires that the attacker already has physical access or local administrator privileges on the targeted device.

All Windows systems where Secure Boot protections are enabled are affected by this flaw, including on-premises, virtual machines, and cloud-based devices.

To determine whether Secure Boot is enabled on your system, run msinfo32 from a Windows command prompt to open the System Information app. With "System Summary" selected in the left pane, Secure Boot is enabled if the "Secure Boot State" item in the right pane reads "On".
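The same check can be scripted. The following PowerShell is an added example, not code from the page or from Microsoft; it goes slightly beyond the msinfo32 check by also reading the firmware's db and dbx variables, which is how the Secure Boot mitigations Microsoft published for CVE-2023-24932 can be verified: the "Windows UEFI CA 2023" certificate must be trusted in db, and the "Microsoft Windows Production PCA 2011" certificate that signs the vulnerable boot managers must be revoked in dbx. Confirm-SecureBootUEFI and Get-SecureBootUEFI are built-in Windows cmdlets; the function name Get-SecureBootStatus is this example's own.

```powershell
# Added example: report Secure Boot state and CVE-2023-24932 mitigation status.
# Run from an elevated PowerShell prompt; Get-SecureBootUEFI requires administrator rights.

function Get-SecureBootStatus {
    # Function name is this example's own; the cmdlets it calls ship with Windows.
    $result = [ordered]@{
        SecureBootEnabled      = $null
        Windows2023CAInDb      = $null   # new boot manager signing CA is trusted
        Production2011PCAInDbx = $null   # CA of the vulnerable boot managers is revoked
    }

    try {
        # Confirm-SecureBootUEFI throws on legacy BIOS / CSM systems, where the
        # firmware variables do not exist; treat that as "not applicable", not "off".
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        Write-Warning "Secure Boot is not available on this platform: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # db holds trusted certificates, dbx holds revoked certificates and hashes.
    # Both are EFI_SIGNATURE_LIST blobs containing DER-encoded certificates whose
    # subject names are plain ASCII, so a substring match on the raw bytes is enough
    # to tell whether a given CA is present.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    $result.Windows2023CAInDb      = [bool]($db  -match 'Windows UEFI CA 2023')
    $result.Production2011PCAInDbx = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')

    return [pscustomobject]$result
}

Get-SecureBootStatus | Format-List
```

A device is only protected against the bypass once the 2011 PCA is revoked in dbx, not merely when the 2023 CA is present in db. Before applying that revocation, make sure the boot manager on disk (and on any recovery or installation media you rely on) is signed by the 2023 CA, because after the revocation the firmware will refuse to boot anything signed only by the 2011 PCA.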

Reference

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932

https://www.bleepingcomputer.com/news/microsoft/microsoft-issues-optional-fix-for-secure-boot-zero-day-used-by-malware/