NSA Releases Guide to Mitigate BlackLotus Bootkit Infections


The US National Security Agency (NSA) has released a comprehensive mitigation guide to address the BlackLotus malware.

According to the document, BlackLotus exploits a boot loader flaw known as “Baton Drop” (CVE-2022-21894) to take control of endpoints during the earliest software phase of boot. It shares similarities with the BootHole boot loader vulnerability from 2020.

While Microsoft issued patches to correct the boot loader flaw, the NSA said the tech giant had not yet revoked trust in the unpatched boot loaders via the Secure Boot Deny List Database (DBX). This means that boot loaders vulnerable to Baton Drop are still trusted by Secure Boot: an attacker with administrative access can replace a patched boot loader with an older, still-signed vulnerable copy, so the threat persists even on patched systems.

To mitigate these issues, the agency recommended several actions for infrastructure owners.

These include hardening user executable policies, monitoring the integrity of the boot partition, updating recovery media and enabling optional software mitigations.

They should also customize UEFI Secure Boot by adding DBX records to Windows endpoints, or by removing the Windows Production CA certificate from the Secure Boot Database (DB) on Linux endpoints.
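Both the DBX and DB customizations above operate on the same on-disk format, the UEFI EFI_SIGNATURE_LIST. The following Python is an added example, not code from the NSA guide or from Microsoft: it parses a DBX blob (on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes`; on Linux, the efivarfs file, which carries a 4-byte attribute prefix that the loader strips) and reports whether a given boot loader hash has been revoked. The sample blob, the placeholder hashes and the owner GUID are constructed for the example. One caveat a practitioner must keep in mind: SHA-256 entries in DBX for PE boot loaders are Authenticode image hashes, not plain file hashes, so the value you check must come from a tool that computes the Authenticode hash (for instance `pesign --hash` on Linux), not from `sha256sum` or `Get-FileHash`.

```python
"""Parse a UEFI Secure Boot DBX blob (concatenated EFI_SIGNATURE_LIST structures)
and check whether a boot loader's SHA-256 Authenticode hash is revoked.
Added example; not part of the NSA guide."""
import struct
import uuid

# Signature-type GUIDs defined in the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# SignatureOwner GUID used only for the constructed sample below (assumption:
# any GUID works here; real DBX entries carry the issuing owner's GUID).
SAMPLE_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

HEADER_LEN = 28  # SignatureType (16) + ListSize, HeaderSize, SignatureSize (3 x uint32)


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, signature_data) for every entry in the blob.

    Each EFI_SIGNATURE_LIST is: header, optional SignatureHeader, then
    SignatureSize-byte entries of SignatureOwner GUID + SignatureData."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # UEFI GUIDs are little-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        entries_start = off + HEADER_LEN + hdr_size
        entries_len = list_size - HEADER_LEN - hdr_size
        if entries_len < 0 or entries_len % sig_size != 0:
            raise ValueError(f"signature entries do not tile the list at offset {off}")
        for eoff in range(entries_start, entries_start + entries_len, sig_size):
            owner = uuid.UUID(bytes_le=blob[eoff:eoff + 16])
            yield sig_type, owner, blob[eoff + 16:eoff + sig_size]
        off += list_size


def revoked_sha256_hashes(blob: bytes) -> set:
    """All SHA-256 image hashes present in the blob, as lowercase hex."""
    return {data.hex() for t, _, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the boot loader's Authenticode SHA-256 hash appears in DBX."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(blob)


def build_sha256_list(hashes_hex, owner=SAMPLE_OWNER_GUID) -> bytes:
    """Build one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries. This is the
    same structure appended to DBX when revoking loaders by hash."""
    entries = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    sig_size = 16 + 32
    list_size = HEADER_LEN + len(entries)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + entries


def load_efivars_dbx(path="/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f") -> bytes:
    """Linux: efivarfs prefixes each variable's data with 4 bytes of attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample: two placeholder hashes standing in for revoked loaders.
SAMPLE_REVOKED = ["11" * 32, "22" * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED)

if __name__ == "__main__":
    print(f"{len(revoked_sha256_hashes(SAMPLE_DBX))} SHA-256 entries in sample DBX")
    print("placeholder loader 1 revoked:", is_revoked(SAMPLE_DBX, "11" * 32))
    print("unknown loader revoked:", is_revoked(SAMPLE_DBX, "33" * 32))
```

On a live system, feed `load_efivars_dbx()` (Linux) or the bytes exported from `Get-SecureBootUEFI -Name dbx` (Windows) to `is_revoked` with the boot loader's Authenticode hash; if a boot loader that is known to be vulnerable is not revoked, that is the gap the NSA guide describes, and `build_sha256_list` produces the record you would sign and append to DBX to close it.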


The NSA guidelines also stated that it is essential for system administrators to be vigilant: BlackLotus is not a firmware threat, but instead targets the earliest software stage of the boot process, the boot loader that the firmware hands control to.

Additionally, the agency said that, while the published patches may provide some level of security, system admins should not be lulled into a false sense of security, and advised them to implement the recommended mitigation measures.

For more information and detailed instructions, administrators can refer to the NSA’s BlackLotus Mitigation Guide and consult the resources provided by Microsoft and security researchers.

The agency concluded that it is crucial for organizations to take immediate action to protect their infrastructure from the BlackLotus malware and ensure the security of their endpoints.

The guidelines come weeks after the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) released joint guidance on hardening Baseboard Management Controllers (BMCs).
