The Blacklotus malware is a UEFI bootkit that targets systems at one of their earliest points of availability. During the boot process. ESET malware researcher Martin Smolár noted that this begins with executing an installer that deploys the bootkit files to the EFI system partition, disables the HVCI and BitLocker protections, and reboots the host. Legitimate binaries vulnerable to CVE-2022-21894 (Windows Hypervisor Loader, Windows Boot Manager, PE binaries) and their custom Boot Configuration Data (BCD) are then exploited and persistence on machines with UEFI Secure Boot enabled is achieved after the initial reboot by exploiting CVE-2022-21894 and installing the attacker’s Machine Owner Key (MOK). A self-signed UEFI bootkit is launched after reboot and the malicious kernel driver and an HTTP downloader are deployed. This will allow the attacker to complete the installation of the attack.
This is particularly devastating because most users are unfamiliar with the boot process, UEFI, and most of the underlying software and firmware that the system uses to support operations. This means that attackers are going to target the computer in places where the average user is neither going to know how to fix nor even identify the vulnerability. Most users are unaware of how much computing power exists below Ring 0 and lives tucked away from the user space, and this is exploited by more technically savvy attackers.
However, individuals enrolled in our cyber security program at UAT are exposed to UEFI, boot loaders, and even systems like Minix which are used at the heart of many computers today. By being exposed to these tools early on in their development as cyber security students, they are able to identify or defend against some of these attacks. The most important aspect being the identification of and ability to respond to these types of issues.
__________________________________________________
Professor Jones is the lead Cyber Instructor at the University of Advancing Technology and is a software developer who currently creates applications for law enforcement. He is also an AZ Peace Officer Standards and Training certified General Instructor as well as a public speaker. He earned a BS, in Computer Information Systems from Park University in 2013 and an MA, in Intelligence Analysis with a focus in Cyber Security in 2014. Professor Jones has been the recipient of recognition from the El Paso Police Department, State Of Texas, Texas Military Forces, Chandler Police Department, and others.
Professor Jones is also active in the community as the founder of the Phoenix Linux Users Group Cyber Security Meetup and regularly teaches members of the public a myriad of topics related to Cyber Security. His audience includes students, teachers, law enforcement, military, government officials, and concerned members of the public with a strong desire to learn what is going on in the world of technology.
Professor Jones is also active in the community as the founder of the Phoenix Linux Users Group Cyber Security Meetup and regularly teaches members of the public a myriad of topics related to Cyber Security. His audience includes students, teachers, law enforcement, military, government officials, and concerned members of the public with a strong desire to learn what is going on in the world of technology.
/UAT-Logo-new.jpg?width=151&name=UAT-Logo-new.jpg "UAT-Logo-new"){kind=logo}
Comment