Preparing for UEFI bootkits. ESET discovery shows the importance of cyber intelligence

Next story
Roman Cuprik

Some threats bypass standard security tools. In such cases, security operators capable of deep analysis are needed. 

Last year, ESET Research confirmed rumors concerning BlackLotus, the first publicly known UEFI bootkit capable of bypassing a UEFI Secure Boot, being sold on underground forums. This means that malware preying upon fundamental weaknesses in the UEFI security model is in-the-wild and experts are expecting more bootkits like BlackLotus in the near future.

“Bootkits are no longer just a threat to legacy systems, but a real threat to the majority of modern UEFI firmware systems,” said ESET Researcher Martin Smolár, who discovered this previously undocumented real-world UEFI bootkit and presented his finding at the 2024 RSA conference.  

This threat creates a challenge for businesses: How to take a prevention-first approach and secure their devices against attacks that cannot be fully prevented simply by following the standard recommendations and using default system settings because there are known vulnerabilities that still haven’t been fixed and might never be fixed? 

Despite businesses holding the short end of the stick right now, they are not without hope. In fact, these are the situations where cyber intelligence platforms such as ESET Threat Intelligence shine.

Confirmed myth

In a nutshell, UEFI bootkits are serious threats targeting Windows that gain full control over the operating system (OS) boot process. With this level of capability, they can disable various OS security mechanisms and are able to operate very stealthily and with high privileges.

The initial attack vector is unknown, but UEFI bootkit starts with the execution of an installer deploying the bootkit’s files to the EFI  System Partition. This abbreviation stands for Extensible Firmware Interface System Partition, which stores files needed for booting operating systems. 

Using this installer, attackers can disable the first two layers of defense: Hypervisor-protected Code Integrity (HVCI) and BitLocker encryption. Then they reboot the host.

After the first reboot, the malware abuses the known vulnerability CVE-2022-21894, allowing attackers to enroll their own Machine Owner Key (MOK). An MOK allows owners of devices running non-Windows OSes to generate keys that sign non-Microsoft components during the boot process, thus allowing only approved OS components and drivers to run. By abusing this boot security feature, attackers achieve persistence.

The computer now thinks that the system is booted using trusted software, which means that attackers have bypassed another layer of protection, UEFI Secure Boot, and the machine is then again rebooted.

In the next stages, the self-signed UEFI bootkit is executed and deploys the kernel driver, having access to the Kernel, a computer program at the core of a computer’s operating system, which generally has complete control over everything in the system. It also deploys a user-mode HTTP downloader responsible for communication with the C&C. The abused device can now receive and execute commands from C&C and download additional user-mode or kernel-mode payloads.

Businesses are not powerless

Looking at this cascade for the hijacking of a compromised computer, and knowing that there is no effective fix for older devices due to their outdated security mechanisms, one may feel as if their hands are tied. 

But businesses can protect themselves and apply a prevention-first approach even in these cases. 

  • First of all, businesses need to keep their system and security products up to date, decreasing options for attackers. 
  • IT staff should learn possible risks and procedures concerning how to decrease them. Microsoft released a threat description and a guidance for investigating UEFI attacks. 
  • If needed, set up a custom secure boot policy. This, however, requires an experienced admin and is manageable only with a handful of devices due to its complexity. 
  • Deploy reliable monitoring solutions and configure their integrity-scanning tools to monitor the composition of the EFI boot partition. 
  • Block any attempts of modifying all or specific files on EFI System partition by untrusted processes to prevent bootkits installation.
  • Track developments with UEFI malware across Threat Intelligence platforms and resources.

ESET solutions such as ESET Enterprise Inspector and ESET UEFI Scanner, which is part of the ESET Host-based Intrusion Prevention System (HIPS), can detect signs that something suspicious is happening with a device and alert IT admins. While ESET UEFI Scanner checks and enforces the security of the pre-boot environment, HIPS combines advanced behavioral analysis with the detection capabilities of network filtering to monitor running processes, files, and registry keys. 

For more information, check the RSA presentation by ESET Researcher Martin Smolár, via the ESET research podcast, and the NSA BlackLotus Mitigation Guide

Be one step ahead of threat actors

Since the discovery of the in-the-wild UEFI bootkit, Microsoft has released several patches, and experts across the world provided some guidance. But how to protect a business from the start, before all of this can happen?

To identify such new threats and customize their solutions to deal with them, global leaders in cybersecurity such as ESET invest a lot in research. ESET Threat Intelligence turns this effort into a service, providing businesses with curated global knowledge about threat actors’ activities, gathered by ESET analysts and experts.

Thanks to ESET Threat Intelligence, security engineers, analysts, or incident responders can learn about new threats ASAP, anticipating them and making better, faster decisions. This allows them to deploy a proactive defense, customize their security, and fight increasingly sophisticated cyberattacks. 

Moreover, ESET APT Reports give businesses access to private, in-depth technical analysis together with threat mitigation tips. Every user with the APT Reports PREMIUM package will also have access to an ESET analyst for up to four hours each month. This provides the opportunity to discuss topics in greater detail and help resolve any outstanding issues.   

Facing a challenge

UEFI Bootkits represent a challenge that is hard to tackle, however that is why it is so important for businesses and enterprises to have reliable cyber intelligence.  

With a globally distributed network of security centers, ESET research labs never sleep and have immediate access to threat intelligence like no one else, thanks to the number and distribution of devices protected around the world. Combined with more than three decades of experience in cybersecurity research and product development, ESET can provide businesses with vital intel and use this knowledge to continuously innovate threat-defense techniques.