Microsoft Secure Boot Security Feature Bypass Vulnerability (CVE-2022-21894) Exploited by Threat Actors Using the BlackLotus Bootkit

Dark Lab on Apr 13 2023
On 11 April 2023, Microsoft released guidance for investigating attacks that leverage the Microsoft Secure Boot Security Feature Bypass Vulnerability (CVE-2022-21894) via a Unified Extensible Firmware Interface (UEFI) bootkit, BlackLotus. The bootkit, which is sold on dark web forums, can enable an attacker to achieve remote code execution (RCE) on vulnerable systems.

Threat actors can deploy the BlackLotus bootkit after initial compromise to establish persistence and evade detection. The malware uses CVE-2022-21894 to bypass Windows Secure Boot and then writes malicious files to the EFI System Partition (ESP), which the UEFI firmware subsequently executes.

We recommend that organisations running vulnerable Windows versions conduct a threat-hunting exercise to identify any potential indicators of compromise. Because the BlackLotus bootkit interferes with several OS security mechanisms (e.g. BitLocker, HVCI and Microsoft Defender Antivirus), Microsoft has provided guidance on alternative detection opportunities that can be used to identify indicators of compromise.
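As an added, illustrative starting point for such a hunt (written for this post, not Microsoft's tooling or guidance), the script below mounts the ESP, records every file with its hashes and timestamps for baseline comparison, and flags EFI binaries that were written recently or sit outside the usual boot directories. The drive letter, the 90-day window and the allow-listed directories are assumptions to tune for your environment.

```powershell
# Added example (not Microsoft's tooling): inventory the EFI System Partition (ESP)
# to support a hunt for bootkit artifacts such as the files BlackLotus writes there.
# Assumptions: run elevated on Windows; drive letter S: is unused; the 90-day window
# and the allow-listed boot directories are assumed values, not vendor guidance.
$DriveLetter = 'S:'
$DaysBack    = 90
$OutCsv      = "$env:TEMP\esp-inventory.csv"
# mountvol /S mounts the EFI System Partition on the given drive letter.
mountvol $DriveLetter /S
try {
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$DaysBack)
    $files  = Get-ChildItem -Path "$DriveLetter\" -Recurse -File -Force -ErrorAction SilentlyContinue
    $inventory = foreach ($f in $files) {
        [pscustomobject]@{
            Path     = $f.FullName
            Bytes    = $f.Length
            Created  = $f.CreationTimeUtc
            Modified = $f.LastWriteTimeUtc
            SHA256   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
    # Persist the full inventory so it can be diffed against a known-good baseline.
    $inventory | Export-Csv -Path $OutCsv -NoTypeInformation
    # Signal 1: EFI binaries created or modified inside the look-back window.
    # Boot files change rarely (OS servicing), so recent writes deserve a closer look.
    $recent = $inventory | Where-Object {
        $_.Path -like '*.efi' -and ($_.Created -gt $cutoff -or $_.Modified -gt $cutoff)
    }
    # Signal 2: EFI binaries outside the directories where the firmware fallback loader
    # and the Windows boot manager are expected to live (assumed allow-list).
    $expectedDirs = @("$DriveLetter\EFI\Microsoft\Boot\", "$DriveLetter\EFI\Boot\")
    $unexpected = foreach ($i in $inventory) {
        if ($i.Path -notlike '*.efi') { continue }
        $known = $false
        foreach ($d in $expectedDirs) {
            if ($i.Path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $known = $true }
        }
        if (-not $known) { $i }
    }
    "Inventory written to $OutCsv ($($inventory.Count) files)"
    if ($recent)     { "Recently written EFI binaries:"; $recent | Format-Table Path, Modified, SHA256 -AutoSize }
    if ($unexpected) { "EFI binaries outside expected boot directories:"; $unexpected | Format-Table Path, Bytes, SHA256 -AutoSize }
}
finally {
    # Always release the drive letter, even if enumeration fails.
    mountvol $DriveLetter /D
}
```

Flagged files are leads, not verdicts: confirm them against the detection guidance Microsoft links below and against a trusted baseline from a known-clean machine of the same build.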

https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/