NSA Issues Guidance on Mitigating BlackLotus Bootkit Infections

The National Security Agency (NSA) has published technical mitigation guidance to help organizations harden systems against BlackLotus UEFI bootkit infections.

The NSA’s recommendations provide a blueprint for defenders to protect systems from BlackLotus, a stealthy malware that emerged on underground forums in late 2022 with capabilities that include user access control (UAC) and secure boot bypass, unsigned driver loading, and prolonged persistence.

To disable secure boot, the bootkit exploits a year-old vulnerability in Windows (CVE-2022-21894) and deploys an older, vulnerable Windows boot loader to exploit the bug.

In April, Microsoft shared information on how threat hunters can identify BlackLotus infections in their environments, underlining that the bootkit can only be deployed on already compromised systems. In May, the company released optional mitigations to prevent the roll-back to vulnerable boot loaders.

The NSA mitigation document notes that BlackLotus can be executed on fully-patched systems, because the vulnerable boot loaders it targets have not been added to the Secure Boot DBX revocation list.

According to the NSA, although bootkit targets the earliest software stage of boot, “defensive software solutions can be configured to detect and prevent the installation of the BlackLotus payload or the reboot event that starts its execution and implantation.”

The agency urges system administrators within the Department of Defense and other networks to take action, as the available security patches may provide a false sense of security.


“Because BlackLotus integrates Shim and GRUB into its implantation routine, Linux administrators should also be vigilant for variants affecting popular Linux distributions,” the NSA added.

Organizations are advised to keep their Windows systems always updated, to configure security software to monitor for EFI boot partition changes and, if such changes are identified, to prevent devices from rebooting, and to update Secure Boot with DBX deny list hashes preventing the execution of older and vulnerable boot loaders.

“Adding boot loader hashes to the DBX may render many Windows install and recovery images, discs, and removable media drives unbootable. Microsoft provides updated install and recovery images for Windows 11 and 10. Only update the DBX after acquiring install and recovery media with the January 2022 or later patch assortment applied,” according to the NSA.

Linux system administrators, the agency’s guidance explains, can remove the Microsoft Windows Production CA 2011 certificate from the Secure Boot database, thus eliminating the need to add DBX hashes.

Leave a Reply

Your email address will not be published. Required fields are marked *