WebProNews

Tag: ESET

  • BlackLotus Malware Is the First to Bypass Secure Boot

    BlackLotus Malware Is the First to Bypass Secure Boot

    Computer security became a little more challenging, with the BlackLotus malware becoming the first to bypass Secure Boot.

    Secure Boot is a method of signing the kernel and various boot components, ensuring that no malicious software can be inserted into the boot process and compromise a machine. While there have been many claims of malware that can bypass secure boot, BlackLotus is the first.

    According to ESET malware analyst Martin Smolár, “the first publicly known UEFI bootkit bypassing the essential platform security feature – UEFI Secure Boot – is now a reality.”

    Smolár goes on to discuss ESET’s findings, including the fact that BlackLotus can compromise even “the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled.”

    The malware uses a vulnerability that was patched more than a year ago because “the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability.”

    In many ways, a bootkit like BlackLotus is the Holy Grail of exploits because the bootkit has “full control over the OS boot process and thus capable of disabling various OS security mechanisms and deploying their own kernel-mode or user-mode payloads in early OS startup stages.”

    Because the bootkit hijacks the process early on, attackers can even enroll their own keys in the system so that the malware can have unfettered access without tripping any security measures.

    ESET’s research is disturbing on many levels, not the least of which is the fact that BlackLotus can be delivered both off and online. This means an attacker does not need physical access to a device in order to compromise it.

    To make matters worse, it appears the vulnerability BlackLotus exploits is not the only one.

    “UEFI Secure Boot stands in the way of UEFI bootkits, but there are a non-negligible number of known vulnerabilities that allow bypassing this essential security mechanism,” writes Smolár. “And the worst of this is that some of them are still easily exploitable on up-to-date systems even at the time of this writing – including the one exploited by BlackLotus.”

    At this point, there are not absolute mitigation measures, only a combination of things that can reduce the likelihood of a compromise. Once a computer is compromised, the safest thing to do is to reinstall it and use the mokutil utility to delete the signed key BlackLotus deposits that enables it to bypass Secure Boot.

  • Hive Ransomware Now Targets Linux and FreeBSD

    Hive Ransomware Now Targets Linux and FreeBSD

    Linux and FreeBSD are being targeted by the latest version of Hive ransomware.

    Hive ransomware was first observed in June 2021, with the FBI warning about it in late August. Initially the ransomware targeted Windows only, but the creators are looking to expand that.

    According to security firm ESET, the hackers behind Hive have been working on a Linux and FreeBSD version.

    For the time being, the Linux and FreeBSD versions are not very effective. The ransomware tries to run as root but, unless it has root privileges, it fails to trigger encryption.

    While it’s good news that the Linux and FreeBSD versions of Hive don’t effectively work yet, “yet” is the operative word. It’s likely only a matter of time until the bugs are worked out, opening the Linux and FreeBSD communities to attack.