NSA warns over “false sense of security” on Black Lotus UEFI bootkit risk
The bootkit has been sold on underground forums since at least October 6, 2022. It has a tiny on-disk size of around 80 KB, can disable HVCI, Windows Defender and BitLocker, and can bypass UAC.
The NSA has urged infrastructure owners to “take action” to harden their estates against the use of Black Lotus UEFI bootkit malware – warning that patches from Microsoft for Windows vulnerabilities exploited in the wild in recent attacks “could provide a false sense of security” and would not root out the persistent malware from bootkit-infected systems.
The bootkit has been sold on underground forums since at least October 6, 2022, for around $5,000. It has a tiny on-disk size of around 80 KB, can disable HVCI, Windows Defender and BitLocker, can bypass UAC, and features an HTTP downloader that runs under the SYSTEM account inside a legitimate process, winlogon.exe, security researchers at ESET confirmed.