A few days ago, via its July Patch Tuesday, Microsoft rolled out the second-phase hardening for the BlackLotus secure boot vulnerability. Safe OS dynamic updates for both Windows 11 and Windows 10 were released to address the issue. The first phase happened around four months ago in March 2023.
For those unaware, BlackLotus was infamous for its ability to bypass various Windows security measures like Secure Boot (which is obvious as it is a secure boot flaw), as well as Microsoft Defender, Virtualization-based Security (VBS) or HVCI (Hypervisor-Protected Code Integrity), BitLocker, and UAC (user account control), even on patched Windows systems of that time.
Meanwhile, the source code for BlackLotus also leaked almost at the very same time. It was uploaded to GitHub by a user Yukari who removed the Baton Drop vulnerability (CVE-2022-21894) that was initially used by the malware devs.
Alex Matrosov, the CEO and Co-founder of security research firm Binarly expressed concern over its leak and provided the following statement to Neowin explaining the potential implications:
The leaked source code isn’t complete and contains mainly the rootkit part and bootkit code to bypass Secure Boot. Most of these tricks and techniques are previously known for years and don’t present significant impact. However, the fact that it’s possible to combine them with new exploits like the BlackLotus campaign did was something unexpected to the industry and shows the real limitations of the current mitigations below the operating system.
The BlackLotus leak shows how old rootkit and bootkit tricks, combined with new Secure Boot bypass vulnerabilities, can still be very effective in blinding a lot of modern endpoint security solutions. In general, it shows the complexity of the supply chain on the Microsoft end, where the fix has been more syntactic and not mitigating the entire class of related problems below the operating system. And to be clear BlackLotus was adopting an already publicly known BatonDrop exploit.
Even after the vendor fixes the secure boot bypass vulnerabilities related to BatonDrop, the vulnerabilities can present long-term, industry-wide supply chain impact. Using CVE-2022-21894 as an example shows how such vulnerabilities can be exploited in the wild after one year, even with a vendor fix available.
Enterprise defenders and CISOs need to understand that threats below the operating system are clear and present dangers to their environments. Since this attack vector has significant benefits for the attacker, it is only going to get more sophisticated and complex. Vendor claims about security features can be completely opposite to the reality.
The concerns are certainly justified as malware developers are getting better at their jobs. Recently, security firm Cisco Talos praised the ability of RedDriver devs noting that the driver stability was almost impeccable as it never once BSOD'd (Blue screen of death).