NSA warns of ‘false sense of security’ against BlackLotus malware

The National Security Agency said Thursday that organizations should think twice about whether they’re protected against the BlackLotus “bootkit” malware that cybersecurity experts first warned about in March.

BlackLotus is designed to dodge UEFI Secure Boot, which watches for malicious software as a Microsoft Windows machine starts up the firmware that controls basic hardware functions. The NSA said it’s possible that some network administrators could have “a false sense of security” about their protection against the malware.

“NSA recognizes significant confusion regarding the threat posed by BlackLotus. Some organizations use terms like ‘unstoppable,’ ‘unkillable,’ and ‘unpatchable’ to describe the threat,” the agency said. “Other organizations believe there is no threat due to patches that Microsoft released in January 2022 and early 2023 for supported versions of Windows. The risk exists somewhere between both extremes.”

Microsoft patched one flaw — tracked as CVE-2022-21894 — that allows attackers to take control of a computer from the earliest phase of booting up. Researchers labeled the bug as Baton Drop.

“However, patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX),” the NSA said. “Administrators should not consider the threat fully remediated as boot loaders vulnerable to Baton Drop are still trusted by Secure Boot.”

The agency released the guidance Thursday “as part of our mission to secure the Department of Defense, the Defense Industrial Base, and National Security Systems,” a spokesperson said Thursday.

The document lists specific actions that administrators can take beyond regular updates to Microsoft Windows, including some customizations for UEFI Secure Boot.

“Protecting systems against BlackLotus is not a simple fix,” said Zachary Blum, the NSA’s platform security analyst. “Patching is a good first step, but we also recommend hardening actions, dependent on your system’s configurations and security software used.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Joe Warminsky

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.