Security researchers at ESET have published what they claim to be the first analysis of BlackLotus, a UEFI bootkit capable of running on fully patched Windows 11 PCs.
Online advertisements for BlackLotus were first noticed in October 2022, priced at around $5,000 (£4,167). The latest version is the first known toolkit of its kind with the capability to bypass UEFI Secure Boot.
BlackLotus works by exploiting a vulnerability that is more than a year old (CVE-2022-21894). Microsoft originally fixed it in January 2022, but it remains exploitable because the vulnerable binaries, which still carry valid signatures, have not been added to the UEFI revocation list.
This list holds the signatures of software that was previously approved to run during boot but has since been revoked, so the firmware refuses to load it.
Usually, such bootkits are stymied by UEFI Secure Boot, a firmware security feature that aims to ensure that only software carrying a trusted signature can be loaded during the boot process.
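The revocation list the article refers to is the UEFI `dbx` variable (the forbidden signature database), a sequence of `EFI_SIGNATURE_LIST` structures as laid out in the UEFI specification. The script below, an added example that is not part of ESET's report or Microsoft's tooling, parses a `dbx` dump and checks whether given SHA-256 Authenticode hashes are revoked, which is the check a defender wants when asking whether the signed-but-vulnerable bootloaders named in the article would still be accepted by a given machine. It reads either a dump made on Windows with `Get-SecureBootUEFI -Name dbx -OutputFilePath dbx.bin` or the Linux sysfs file `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` (which carries a 4-byte attribute prefix that must be skipped). The hashes and the owner GUID in the embedded sample are constructed placeholders, not real revocation entries; run it against a real dump by passing the file path as the first argument.

```python
"""Parse a UEFI dbx (forbidden signature database) blob and test hashes against it.

Layout of each EFI_SIGNATURE_LIST (UEFI spec, signature databases):
    EFI_GUID SignatureType;        16 bytes, e.g. EFI_CERT_SHA256_GUID
    UINT32   SignatureListSize;    size of the whole list including this header
    UINT32   SignatureHeaderSize;  usually 0
    UINT32   SignatureSize;        size of each entry (16-byte owner GUID + data)
    UINT8    SignatureHeader[SignatureHeaderSize];
    EFI_SIGNATURE_DATA Signatures[];   owner GUID followed by hash or certificate
"""
import struct
import sys
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
KNOWN_TYPES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

SIG_LIST_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize
EFIVARS_ATTR_LEN = 4                     # Linux efivars prepends 4 attribute bytes


def strip_efivars_prefix(raw: bytes) -> bytes:
    """Return the bare variable payload, skipping the Linux efivars attribute prefix if present."""
    def starts_with_known_type(b: bytes) -> bool:
        return len(b) >= 16 and uuid.UUID(bytes_le=b[:16]) in KNOWN_TYPES
    if starts_with_known_type(raw):
        return raw
    if starts_with_known_type(raw[EFIVARS_ATTR_LEN:]):
        return raw[EFIVARS_ATTR_LEN:]
    raise ValueError("blob does not start with a recognised EFI_SIGNATURE_LIST")


def parse_signature_lists(blob: bytes):
    """Yield (type_guid, [(owner_guid, signature_data), ...]) for every list in the blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        # A zero or oversized list length would loop forever or read past the end.
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = blob[off + SIG_LIST_HDR.size + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        entries = [(uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size])
                   for i in range(0, len(body), sig_size)]
        yield sig_type, entries
        off += list_size


def revoked_sha256_hashes(blob: bytes) -> set:
    """Collect every SHA-256 entry (Authenticode hash of a revoked binary) in the dbx."""
    hashes = set()
    for sig_type, entries in parse_signature_lists(blob):
        if sig_type != EFI_CERT_SHA256_GUID:
            continue
        for _owner, data in entries:
            if len(data) != 32:
                raise ValueError("SHA-256 entry with wrong length")
            hashes.add(data)
    return hashes


def summarize(blob: bytes) -> dict:
    """Count entries per signature type, a quick sanity check that the dbx is populated."""
    counts = {"sha256": 0, "x509": 0, "other": 0}
    for sig_type, entries in parse_signature_lists(blob):
        counts[KNOWN_TYPES.get(sig_type, "other")] += len(entries)
    return counts


def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    """True if the given Authenticode SHA-256 (hex) is present in the dbx."""
    return bytes.fromhex(sha256_hex) in revoked_sha256_hashes(blob)


def build_sha256_list(hashes, owner: uuid.UUID) -> bytes:
    """Encode an EFI_SIGNATURE_LIST of SHA-256 entries; used here only to construct sample data."""
    entries = b"".join(owner.bytes_le + h for h in hashes)
    return SIG_LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                             SIG_LIST_HDR.size + len(entries), 0, 16 + 32) + entries


# Constructed sample data: placeholder hashes and owner GUID, not real revocation entries.
OWNER_PLACEHOLDER = uuid.UUID("00000000-0000-0000-0000-000000000001")
REVOKED_PLACEHOLDER = "11" * 32
CLEAN_PLACEHOLDER = "22" * 32
SAMPLE_DBX = build_sha256_list(
    [bytes.fromhex(REVOKED_PLACEHOLDER), bytes.fromhex("33" * 32)], OWNER_PLACEHOLDER)
SAMPLE_EFIVARS = b"\x07\x00\x00\x00" + SAMPLE_DBX  # same data as Linux sysfs presents it

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EFIVARS
    dbx = strip_efivars_prefix(raw)
    print("dbx entries:", summarize(dbx))
    for h in (REVOKED_PLACEHOLDER, CLEAN_PLACEHOLDER):
        print(h[:16] + "...", "revoked" if is_revoked(dbx, h) else "not revoked")
```

A dbx that parses but reports few SHA-256 entries is the situation the article describes: Secure Boot is on, yet nothing stops the firmware from loading a validly signed bootloader whose hash was never revoked. Hash lookups cover SHA-256 entries only; certificate-level revocations (x509 lists) are counted but require a separate match on the signing chain.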