{"id":160166,"date":"2023-03-13T12:28:32","date_gmt":"2023-03-13T17:28:32","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2023\/03\/stealthy-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw"},"modified":"2023-03-13T12:28:32","modified_gmt":"2023-03-13T17:28:32","slug":"stealthy-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2023\/03\/stealthy-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw","title":{"rendered":"Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/stealthy-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw.jpg\"><\/a><\/p>\n<p>Researchers on Wednesday announced a major cybersecurity find\u2014the world\u2019s first-known instance of real-world malware that can hijack a computer\u2019s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.<\/p>\n<p>Dubbed BlackLotus, the malware is what\u2019s known as a UEFI bootkit. These sophisticated pieces of malware target the UEFI\u2014short for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Unified_Extensible_Firmware_Interface\">Unified Extensible Firmware Interface <\/a>\u2014the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC\u2019s device firmware with its operating system, the UEFI is an OS in its own right. It\u2019s located in an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Serial_Peripheral_Interface\">SPI<\/a>-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch. 
Previously discovered bootkits such as <a href=\"https:\/\/arstechnica.com\/information-technology\/2022\/07\/researchers-unpack-unkillable-uefi-rootkit-that-survives-os-reinstalls\/\">CosmicStrand<\/a>, <a href=\"https:\/\/arstechnica.com\/information-technology\/2020\/10\/custom-made-uefi-bootkit-found-lurking-in-the-wild\/\">MosaicRegressor<\/a>, and <a href=\"https:\/\/securelist.com\/moonbounce-the-dark-side-of-uefi-firmware\/105468\/\">MoonBounce<\/a> work by targeting the UEFI firmware stored in the flash storage chip. Others, including BlackLotus, target the software stored in the <a href=\"https:\/\/en.wikipedia.org\/wiki\/EFI_system_partition\">EFI system partition<\/a>.<\/p>\n<p>Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to launch malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs in kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers on Wednesday announced a major cybersecurity find\u2014the world\u2019s first-known instance of real-world malware that can hijack a computer\u2019s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows. Dubbed BlackLotus, the malware is what\u2019s known as a UEFI bootkit. 
These sophisticated pieces of malware [\u2026]<\/p>\n","protected":false},"author":396,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-160166","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/160166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/396"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=160166"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/160166\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=160166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=160166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=160166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}