NSA Issues a Black Lotus Mitigation Guide
Posted by: Corporal Punishment on 06/24/2023 09:51 AM

According to the NSA, BlackLotus is not a firmware threat but a software threat that targets the boot partition. It uses Shim and GRUB, two components commonly used in Linux boot, to integrate its payload and implant itself into the endpoint. Once implanted, BlackLotus can strip the Secure Boot policy and prevent its enforcement. This means that attackers can replace fully patched boot loaders with vulnerable versions to execute BlackLotus.
Here are some of the steps suggested by the NSA:

- Create updated recovery media for each endpoint and enable optional mitigations such as Credential Guard, Device Guard, and Secure Launch.
- Harden user executable policies: configure user executable policies such as AppLocker or Windows Defender Application Control to prevent unauthorized executables from running on the endpoint.
- Monitor boot partition integrity: use tools such as BitLocker or VeraCrypt to encrypt the boot partition and monitor its integrity using tools such as Windows Defender System Guard or Linux Integrity Measurement Architecture.
- Customize Secure Boot policy: as an advanced mitigation, customize the Secure Boot policy by adding DBX records to revoke trust in vulnerable boot loaders on Windows endpoints or remove the Windows Production CA certificate from Linux endpoints.
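Before or after adding DBX records it helps to see what the forbidden-signature database actually holds, since dbx is a chain of EFI_SIGNATURE_LIST structures rather than a plain list of hashes. The parser and builder below are an added example, not code from the NSA guide; the signature-type GUIDs, the 28-byte list header, and the efivarfs path come from the UEFI specification and Linux, while the owner GUID and hashes in the sample are constructed placeholders.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification and the efivarfs path of dbx on Linux.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
DBX_EFIVARS_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def build_signature_list(sig_type, owner, entries):
    """Serialise one EFI_SIGNATURE_LIST of equal-sized entries (e.g. SHA-256 hashes)."""
    sig_size = 16 + len(entries[0])
    if any(len(e) != sig_size - 16 for e in entries):
        raise ValueError("all entries in one list must be the same size")
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

def parse_signature_lists(blob):
    """Yield (sig_type, owner, data) for every entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            yield sig_type, uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size]
        off += list_size

def revoked_sha256_hashes(blob):
    """Hex digests of the SHA-256 entries in a dbx payload (the revoked image hashes)."""
    return {d.hex() for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}

def read_linux_dbx(path=DBX_EFIVARS_PATH):
    """Read the live dbx from efivarfs; the first 4 bytes are variable attributes, not payload."""
    with open(path, "rb") as f:
        return f.read()[4:]

# Constructed sample, not a real revocation list: two placeholder hashes and a placeholder
# certificate list, so the parser has to step over a list of a different type and size.
OWNER = uuid.UUID("00000000-0000-0000-0000-0000deadbeef")  # placeholder SignatureOwner
SAMPLE_DBX = (build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\xaa" * 32, b"\xbb" * 32])
              + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + b"\x00" * 14]))
```

On a Linux endpoint, `revoked_sha256_hashes(read_linux_dbx())` lists the hashes the firmware currently refuses to boot, which is the set to compare against the boot loader hashes you expect to have revoked.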
For more details on these mitigation steps, please refer to the BlackLotus Mitigation Guide. The guide also provides some indicators of compromise and detection methods for BlackLotus.