{"id":21701,"date":"2023-04-11T09:01:03","date_gmt":"2023-04-11T17:01:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/04\/11\/news-15432\/"},"modified":"2023-04-11T09:01:03","modified_gmt":"2023-04-11T17:01:03","slug":"news-15432","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/04\/11\/news-15432\/","title":{"rendered":"Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft Security Threat Intelligence &#8211; Editor| Date: Tue, 11 Apr 2023 17:00:00 +0000<\/strong><\/p>\n<p>This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2022-21894\">CVE-2022-21894<\/a> via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus. Though this could impede investigations and threat hunting efforts, several artifacts can still be leveraged to identify affected devices. This document covers:<\/p>\n<ul>\n<li>Techniques to determine if devices in an organization are infected<\/li>\n<li>Recovery and prevention strategies to protect your environment<\/li>\n<\/ul>\n<p>It is critical to note that a threat actor\u2019s use of this bootkit is primarily a persistence and defense evasion mechanism. It is not a first-stage payload or an initial access vector and can only be deployed to a device to which a threat actor has already gained either privileged access or physical access. 
The malware uses CVE-2022-21894 (also known as <a href=\"https:\/\/github.com\/Wack0\/CVE-2022-21894\">Baton Drop<\/a>) to bypass Windows Secure Boot and subsequently deploy malicious files to the EFI System Partition (ESP) that are launched by the UEFI firmware. This allows the bootkit to:<\/p>\n<ul>\n<li>Achieve persistence by enrolling the threat actor\u2019s Machine Owner Key (MOK)<\/li>\n<li>Turn off HVCI to allow deployment of a malicious kernel driver<\/li>\n<li>Leverage the kernel driver to deploy the user-mode HTTP downloader for command and control (C2)<\/li>\n<li>Turn off BitLocker to avoid tamper protection strategies on Windows<\/li>\n<li>Turn off Microsoft Defender Antivirus to avoid further detection<\/li>\n<\/ul>\n<p>For a comprehensive analysis of the BlackLotus installation process and follow-on actions, read <a href=\"https:\/\/www.welivesecurity.com\/2023\/03\/01\/blacklotus-uefi-bootkit-myth-confirmed\/\">this blog by ESET<\/a>.<\/p>\n<h2>Detection opportunities<\/h2>\n<p>Microsoft Incident Response (previously known as Microsoft Detection and Response Team \u2013 DART), through forensic analysis of devices infected with BlackLotus, has identified multiple opportunities for detection along several steps in its installation and execution processes. The artifacts analyzed include:<\/p>\n<ul>\n<li>Recently written bootloader files<\/li>\n<li>Staging directory artifacts created<\/li>\n<li>Registry key modified<\/li>\n<li>Windows Event Log entries generated<\/li>\n<li>Network behavior<\/li>\n<li>Boot Configuration log entries generated<\/li>\n<\/ul>\n<p>As threat hunters begin examining environments, it is crucial to adopt a comprehensive hunting strategy across these artifacts to filter out false positives and surface true positives. Many of these artifacts, when observed in isolation, are low fidelity. 
Observing them in tandem with others, however, increases their significance in determining if a device has been infected.<\/p>\n<h3>Recently created and locked bootloader files<\/h3>\n<p>BlackLotus writes malicious bootloader files to the EFI system partition (ESP) and subsequently locks them to protect them from deletion or tampering. If recently modified and locked files are identified in the ESP on a device, especially those matching known BlackLotus bootloader filenames, these should be considered highly suspect and the devices should be removed from the network to be examined for further evidence of BlackLotus or follow-on activity.<\/p>\n<p>To determine if such files exist in the ESP, threat hunters can mount the boot partition (with the <em>mountvol<\/em> command-line utility, for example) to examine the creation dates of the files within. Files with mismatched creation times, as well as those with names matching those protected by the BlackLotus kernel driver, should be considered suspicious (Figure 1). 
The <em>LastModified<\/em> timestamps of the files in the ESP should be compared to each other; the timestamps and filenames can also be compared against those in the OS partition under <em>C:\\Windows\\Boot\\EFI<\/em>.<\/p>\n<p>The files protected by the driver include, as originally listed by ESET:<\/p>\n<ul>\n<li><em>ESP:\\EFI\\Microsoft\\Boot\\winload.efi<\/em><\/li>\n<li><em>ESP:\\EFI\\Microsoft\\Boot\\bootmgfw.efi<\/em><\/li>\n<li><em>ESP:\\EFI\\Microsoft\\Boot\\grubx64.efi<\/em><\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"211\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig1-1.png\" alt=\"text\" class=\"wp-image-127155\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig1-1.png 624w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig1-1-300x101.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\">Figure 1: Evidence of recent modification dates and matching filenames of BlackLotus associated files on a BlackLotus infected device.<\/figcaption><\/figure>\n<p>To further confirm if any files with matching filenames or mismatched modification times are suspect, threat hunters can leverage the local <em>CertUtil<\/em> command-line utility to attempt to calculate the hash of a suspected bootloader file in the ESP. In Figure 1, winload.efi does NOT have a mismatched modified time, yet matches the filename protected by the BlackLotus kernel driver.<\/p>\n<p>Since these protected bootloader files are locked by BlackLotus, any attempt to access these files generates an <em>ERROR_SHARING_VIOLATION<\/em> error with the message \u201c<em>The process cannot access the file because it is being used by another process\u201d<\/em>. 
Figure 2 depicts this error being generated when attempting to hash winload.efi on the infected device from Figure 1, further confirming that it is BlackLotus-related in this scenario.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"624\" height=\"44\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig2.png\" alt=\"\" class=\"wp-image-127156\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig2.png 624w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig2-300x21.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\">Figure 2: CertUtil reporting an ERROR_SHARING_VIOLATION message upon attempting to hash winload.efi in the ESP of a BlackLotus infected device.<\/figcaption><\/figure>\n<p>If the malware is active, <em>CertUtil<\/em> reports the sharing violation error as in Figure 2; if not, <em>CertUtil<\/em> reports the hash of the file. Files in the ESP that return this error should be considered highly suspicious, especially those matching the protected filenames listed above.<\/p>\n<h3>BlackLotus staging directory presence<\/h3>\n<p>During the installation process, BlackLotus creates a custom directory under <em>ESP:\\system32\\<\/em>. Though the files within are deleted following successful installation, the directory itself is not deleted. 
Additionally, forensic analysis of the ESP may reveal the historical presence of the files previously contained in this directory (Figure 3).<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"711\" height=\"123\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig3.png\" alt=\"graphical user interface, text, application, table, Excel\" class=\"wp-image-127157\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig3.png 711w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig3-300x52.png 300w\" sizes=\"auto, (max-width: 711px) 100vw, 711px\" \/><figcaption class=\"wp-element-caption\">Figure 3: Evidence of deleted files in ESP:\\system32 associated with BlackLotus, in a custom staging directory still present post-installation.<\/figcaption><\/figure>\n<h3>Registry modification<\/h3>\n<p>To turn off HVCI, the installer sets the <em>Enabled<\/em> value under the registry key <em>HKLM:\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity<\/em> to \u201c0\u201d \u2013 but only if the key already exists. 
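<\/p>\n<p>The host checks above (bootloader timestamps in the ESP, the sharing violation on a hash attempt, the leftover <em>ESP:\\system32<\/em> staging directory and the HVCI registry value) can be run together from an elevated PowerShell session. The script below is an added example, not code from the Microsoft post; the <em>S:<\/em> drive letter, the one-day timestamp tolerance and the output format are assumptions. Each finding it reports is still low fidelity on its own, so the combination is the signal.<\/p>
```powershell
# Added triage script (not from the Microsoft post): collects the ESP, staging directory and
# HVCI registry artifacts described above from one device. Run from an elevated PowerShell
# session. The S: drive letter and the one-day timestamp tolerance are assumptions.

$EspDrive = 'S:'
$ProtectedNames = @('winload.efi', 'bootmgfw.efi', 'grubx64.efi')   # filenames the BlackLotus driver locks (ESET list)
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Mount the EFI System Partition of the boot disk at S: (mountvol /S)
if (-not (Test-Path ($EspDrive + '\'))) {
    & mountvol.exe $EspDrive /S
    if ($LASTEXITCODE -ne 0) { throw ('mountvol could not mount the ESP at ' + $EspDrive) }
}

$EspBoot = Join-Path $EspDrive 'EFI\Microsoft\Boot'
$OsBoot  = Join-Path $env:SystemRoot 'Boot\EFI'

# 2. Timestamp review: every .efi under ESP:\EFI\Microsoft\Boot, compared with its neighbours
#    (median LastWriteTime of the directory) and with the copy Windows keeps under C:\Windows\Boot\EFI
$EspFiles = @(Get-ChildItem -Path $EspBoot -Filter '*.efi' -File -ErrorAction Stop | Sort-Object LastWriteTime)
if ($EspFiles.Count -eq 0) { throw ('no .efi files found under ' + $EspBoot) }
$MedianWrite = $EspFiles[[int][math]::Floor($EspFiles.Count / 2)].LastWriteTime

foreach ($f in $EspFiles) {
    $reasons = @()
    if ($ProtectedNames -contains $f.Name) { $reasons += 'name matches a BlackLotus-protected file' }
    if ([math]::Abs(($f.LastWriteTime - $MedianWrite).TotalDays) -gt 1) {
        $reasons += 'LastWriteTime differs from the other ESP files'
    }
    $osCopy = Join-Path $OsBoot $f.Name
    if ((Test-Path $osCopy) -and ((Get-Item $osCopy).LastWriteTime -ne $f.LastWriteTime)) {
        $reasons += 'LastWriteTime differs from the C:\Windows\Boot\EFI copy'
    }

    # 3. Hash attempt: with the bootkit driver active, certutil cannot open the locked file and
    #    reports ERROR_SHARING_VIOLATION; on a clean file it prints the SHA-256 and exits 0
    $out = (& certutil.exe -hashfile $f.FullName SHA256 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0 -and $out -match 'ERROR_SHARING_VIOLATION|being used by another process') {
        $reasons += 'locked: sharing violation on hash attempt'
    }

    if ($reasons.Count -gt 0) { $Findings.Add(('{0}: {1}' -f $f.FullName, ($reasons -join '; '))) }
}

# 4. Installer staging directory that survives a completed installation
$Staging = Join-Path $EspDrive 'system32'
if (Test-Path $Staging) { $Findings.Add('staging directory present: ' + $Staging) }

# 5. HVCI value the installer sets to 0 (only when the key already exists)
$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
if (Test-Path $HvciKey) {
    $enabled = (Get-ItemProperty -Path $HvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($enabled -eq 0) { $Findings.Add('HVCI disabled: Enabled=0 under ' + $HvciKey) }
}

if ($Findings.Count -eq 0) { 'No BlackLotus host artifacts found' } else { $Findings }
```
<p>An <em>Enabled<\/em> value of 0 under the HVCI key is also what an administrator sets to turn HVCI off by policy, and a freshly written <em>bootmgfw.efi<\/em> is expected after a servicing update, which is why the script lists reasons per file rather than a verdict. Unmount the ESP afterwards with <em>mountvol S: \/D<\/em>.<\/p>\n<p>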
Threat hunters should examine their environment for this registry key modification (Figure 4).<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"624\" height=\"175\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig4.png\" alt=\"graphical user interface, text, application, Word\" class=\"wp-image-127158\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig4.png 624w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig4-300x84.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\">Figure 4: RegEdit depiction of the modified registry key to disable HVCI<\/figcaption><\/figure>\n<h3>Event log entries<\/h3>\n<p>BlackLotus disables Microsoft Defender Antivirus as a defense evasion method by patching its drivers and stripping the main process\u2019s privileges.<\/p>\n<p>This behavior may produce entries in the <em>Microsoft-Windows-Windows Defender\/Operational<\/em> log in Windows Event Logs. 
Relevant log entries will indicate that <em>Antimalware security intelligence has stopped functioning for an unknown reason<\/em> (see Figure 5).<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"559\" height=\"382\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig5n.png\" alt=\"graphical user interface, text, application\" class=\"wp-image-127174\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig5n.png 559w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig5n-300x205.png 300w\" sizes=\"auto, (max-width: 559px) 100vw, 559px\" \/><figcaption class=\"wp-element-caption\">Figure 5: Defender Event Log indicating Real-Time Protection has stopped functioning<\/figcaption><\/figure>\n<p>The disabling of Microsoft Defender Antivirus may also result in the service stopping unexpectedly, producing an Event ID 7023 in the System event log (with <em>Service Control Manager<\/em> as the Provider Name). 
Relevant log entries will name the <em>Microsoft Defender Antivirus Service<\/em> as the affected service (Figure 6).<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"554\" height=\"384\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig6n.png\" alt=\"\" class=\"wp-image-127175\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig6n.png 554w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig6n-300x208.png 300w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" \/><figcaption class=\"wp-element-caption\">Figure 6: System event log entry indicating the Microsoft Defender Antivirus service has been terminated with an error<\/figcaption><\/figure>\n<h3>Network logging<\/h3>\n<p>Outbound network connections from <em>winlogon.exe<\/em>, particularly to port 80, should be considered highly suspicious. This is the result of the injected HTTP downloader function of BlackLotus connecting to the C2 server or performing network configuration discovery. Microsoft Incident Response observed this connection with Sysmon monitoring on an infected device. 
Figure 7 depicts <em>winlogon.exe<\/em> attempting to communicate to the <em>api.ipify.org<\/em> service to determine the public IP address of the compromised device.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"664\" height=\"500\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig7.png\" alt=\"graphical user interface, text, email\" class=\"wp-image-127161\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig7.png 664w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig7-300x226.png 300w\" sizes=\"auto, (max-width: 664px) 100vw, 664px\" \/><figcaption class=\"wp-element-caption\">Figure 7: Sysmon event entry indicating winlogon.exe attempting to communicate outbound on port 80<\/figcaption><\/figure>\n<p>This entry was captured with a simple modification to the <a href=\"https:\/\/github.com\/SwiftOnSecurity\/sysmon-config\">SwiftOnSecurity Sysmon configuration<\/a> (see Figure 8).<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"623\" height=\"365\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig8.png\" alt=\"text\" class=\"wp-image-127162\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig8.png 623w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig8-300x176.png 300w\" sizes=\"auto, (max-width: 623px) 100vw, 623px\" \/><figcaption class=\"wp-element-caption\">Figure 8: Modified Sysmon configuration to detect winlogon.exe network connection behavior.<\/figcaption><\/figure>\n<p>Analysis of <em>netstat<\/em> output on an affected device may also reveal <em>winlogon.exe<\/em> maintaining a network connection on port 80. 
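<\/p>\n<p>The event log and network artifacts in this section can be collected from a live device with the added PowerShell script below (an example written for this page, not code from the Microsoft post). It assumes a 30-day lookback, that Sysmon is installed with a NetworkConnect rule that covers <em>winlogon.exe<\/em> (the change to the SwiftOnSecurity configuration shown in Figure 8), and that the device is still online so Get-NetTCPConnection can stand in for <em>netstat<\/em>.<\/p>
```powershell
# Added hunting script (not from the Microsoft post): pulls the Defender, Service Control Manager,
# Sysmon and live-socket artifacts described above from one device. Run elevated.
# The 30-day lookback is an assumption; Sysmon event ID 3 only exists if Sysmon is installed and
# its NetworkConnect rule includes winlogon.exe.

$Since = (Get-Date).AddDays(-30)
$Hits = New-Object System.Collections.Generic.List[string]
$FirstLine = { param($Message) ($Message -split '\r?\n')[0] }

# 1. Defender Operational log: entries stating that security intelligence stopped functioning
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'stopped functioning for an unknown reason' } |
    ForEach-Object { $Hits.Add(('{0} Defender event {1}: {2}' -f $_.TimeCreated, $_.Id, (& $FirstLine $_.Message))) }

# 2. System log: Service Control Manager event 7023 naming the Defender service
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7023; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Microsoft Defender Antivirus Service' } |
    ForEach-Object { $Hits.Add(('{0} SCM 7023: {1}' -f $_.TimeCreated, (& $FirstLine $_.Message))) }

# 3. Sysmon event ID 3 (NetworkConnect): winlogon.exe connecting outbound to port 80
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a name/value table
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['Image'] -like '*\winlogon.exe' -and $d['DestinationPort'] -eq '80') {
            $Hits.Add(('{0} Sysmon: {1} -> {2}:{3} ({4})' -f $_.TimeCreated, $d['Image'], $d['DestinationIp'], $d['DestinationPort'], $d['DestinationHostname']))
        }
    }

# 4. Live sockets (netstat equivalent): winlogon.exe currently holding a connection to remote port 80
Get-NetTCPConnection -RemotePort 80 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($p -and $p.ProcessName -eq 'winlogon') {
            $Hits.Add(('live: winlogon.exe (PID {0}) {1} -> {2}:{3}' -f $p.Id, $_.State, $_.RemoteAddress, $_.RemotePort))
        }
    }

if ($Hits.Count -eq 0) { 'No BlackLotus event log or network artifacts found' } else { $Hits }
```
<p>Because the implant\u2019s connection may be intermittent, an empty result from the live-socket check alone proves little; the Sysmon history is the more reliable of the two network sources.<\/p>\n<p>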
Given the configuration capabilities of the implant, the connection may be intermittent.<\/p>\n<h3>Boot configuration log analysis<\/h3>\n<p>Trusted Computing Group (TCG) logs, also known as <em>MeasuredBoot<\/em> logs, are Windows Boot Configuration Logs that contain information about the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/information-protection\/tpm\/how-windows-uses-the-tpm\">Windows OS boot process<\/a>. To retrieve these logs, the device must be running at least Windows 8 and have the Trusted Platform Module (TPM) enabled.<\/p>\n<p>From <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/information-protection\/tpm\/how-windows-uses-the-tpm\">How Windows uses the Trusted Platform Module<\/a>: \u201cWindows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system.\u201d \u201cFor software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM.\u201d<\/p>\n<p>BlackLotus inserts its own components into the boot chain, and because they execute before the OS they are measured like any other boot component. <em>MeasuredBoot<\/em> logs list the BlackLotus components as <em>EV_EFI_Boot_Services_Application<\/em> events.<\/p>\n<p>These logs are in the <em>C:\\Windows\\Logs\\MeasuredBoot<\/em> directory, which contains multiple files with the extension <em>.log<\/em> \u2013 one for each reboot of the system. 
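<\/p>\n<p>One way to compare the logs from successive boots is the added script below (written for this page; it is not from the Microsoft post or from TCGLogTools). It walks a directory of acquired MeasuredBoot logs in boot order and reports boot applications that appear or disappear between consecutive boots. It assumes the TCGLogTools module is installed, that the <em>.log<\/em> files were copied out of <em>C:\\Windows\\Logs\\MeasuredBoot<\/em> from a forensic image into <em>D:\\evidence\\MeasuredBoot<\/em>, and that those files are raw TCG logs that ConvertTo-TCGEventLog accepts through -LogBytes.<\/p>
```powershell
# Added example (not from the Microsoft post or TCGLogTools): diff the boot applications recorded
# in PCR4 across consecutive MeasuredBoot logs. Assumptions: TCGLogTools is installed, the .log files
# were acquired from a forensic image into $LogDir, and each file is a raw TCG event log.
Import-Module TCGLogTools

$LogDir = 'D:\evidence\MeasuredBoot'   # assumption: acquired copies of C:\Windows\Logs\MeasuredBoot\*.log

function Get-BootApplications {
    # Returns the file paths of EV_EFI_BOOT_SERVICES_APPLICATION events in PCR4 of one TCG log file
    param([string]$Path)
    $log = ConvertTo-TCGEventLog -LogBytes ([System.IO.File]::ReadAllBytes($Path))
    $apps = New-Object System.Collections.Generic.List[string]
    foreach ($e in @($log.Events.PCR4)) {
        if ($e.EventType -ne 'EV_EFI_BOOT_SERVICES_APPLICATION') { continue }
        # A device path is a list of nodes; only the file path node names the image
        foreach ($node in @($e.Event.DevicePath)) {
            if ($node.Type -eq 'MEDIA_DEVICE_PATH' -and $node.SubType -eq 'MEDIA_FILEPATH_DP' -and $node.DeviceInfo.PathName) {
                $apps.Add($node.DeviceInfo.PathName.ToLower())
            }
        }
    }
    return $apps
}

# MeasuredBoot file names start with the boot counter, so sorting by name gives boot order
$logs = Get-ChildItem -Path $LogDir -Filter '*.log' -File | Sort-Object Name
$previous = $null
foreach ($log in $logs) {
    $current = Get-BootApplications -Path $log.FullName
    if ($null -ne $previous) {
        $added   = @($current  | Where-Object { $_ -notin $previous })
        $removed = @($previous | Where-Object { $_ -notin $current })
        if ($added.Count -gt 0 -or $removed.Count -gt 0) {
            # e.g. an infected device shows grubx64.efi and winload.efi appearing in one boot
            '{0}: added [{1}] removed [{2}]' -f $log.Name, ($added -join ', '), ($removed -join ', ')
        }
    }
    $previous = $current
}
```
<p>A boot in which <em>grubx64.efi<\/em> and an ESP-resident <em>winload.efi<\/em> first appear is the pattern to look for; a legitimate boot manager update changes hashes but does not add new boot application paths.<\/p>\n<p>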
These logs can be compared to one another to identify deltas in components added or removed from each boot.<\/p>\n<p>In the case of BlackLotus installation, two additional boot applications are recorded when BlackLotus becomes active on a system: <em>grubx64.efi<\/em> and <em>winload.efi<\/em> (see Figure 9).<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"337\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig9nn-1024x337.png\" alt=\"text\" class=\"wp-image-127178\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig9nn-1024x337.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig9nn-300x99.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig9nn-768x252.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig9nn.png 1357w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 9: BlackLotus components visible in MeasuredBoot logs after parsing to XML<\/figcaption><\/figure>\n<p>The <em>MeasuredBoot<\/em> log files cannot be accessed normally on a running system; they must be acquired either through a forensic image or a raw NTFS reader. The log files must then be decoded and converted to XML\/JSON. 
A sample script that retrieves the TCG log of the current boot through the TPM Base Services API and lists the boot applications it records is presented here, based on <a href=\"https:\/\/github.com\/mattifestation\/TCGLogTools\">GitHub &#8211; mattifestation\/TCGLogTools: A set of tools to retrieve and parse TCG measured boot logs.<\/a><\/p>\n<pre class=\"wp-block-preformatted\"># Requires the TCGLogTools module: Import-Module TCGLogTools\n# Retrieve the TCG log of the current boot from the TPM Base Services API\n$TCGLogBytes = Get-TCGLogContent -LogType SRTMCurrent\n$TCGLog = ConvertTo-TCGEventLog -LogBytes $TCGLogBytes\n\n# PCR4 holds the measurements of the boot manager and the boot applications it loads\n$PCR4 = $TCGLog.Events.PCR4\nforeach ($Event in $PCR4) {\n    if ($Event.EventType -eq \"EV_EFI_BOOT_SERVICES_APPLICATION\") {\n        $DevicePath = $Event.Event.DevicePath\n        if ($DevicePath -is [array]) {\n            # A device path can be a list of nodes; only the file path node carries the image name\n            foreach ($Device in $DevicePath) {\n                if (($Device.Type -eq \"MEDIA_DEVICE_PATH\") -and ($Device.SubType -eq \"MEDIA_FILEPATH_DP\")) {\n                    Write-Host \"Boot application:\", $Device.DeviceInfo.PathName\n                }\n            }\n        } else {\n            $PathName = $DevicePath.DeviceInfo.PathName\n            Write-Host \"Boot application:\", $PathName\n        }\n    }\n}<\/pre>\n<p>Example output of this script from an infected device can be seen in Figure 10.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"624\" height=\"305\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig10.png\" alt=\"text\" class=\"wp-image-127164\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig10.png 624w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Fig10-300x147.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\">Figure 10: Example output of the TCG parsing script to enumerate boot components<\/figcaption><\/figure>\n<h2>Detection details<\/h2>\n<p>Microsoft Defender Antivirus detects threat components as the following malware (note that these signatures trigger on hashes of known BlackLotus 
samples):<\/p>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:Win32\/BlackLotus&amp;threatId=-2147125304&amp;ocid=magicti_ta_ency\">Trojan:Win32\/BlackLotus<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:Win64\/BlackLotus!MSR&amp;threatId=-2147125210&amp;ocid=magicti_ta_ency\">Trojan:Win64\/BlackLotus!MSR<\/a><\/li>\n<\/ul>\n<p>Microsoft Defender for Endpoint alerts on known BlackLotus activity and\/or post-exploitation activity. The following alert title can indicate threat activity on your network:<\/p>\n<ul>\n<li>Possible vulnerable EFI bootloader&nbsp;<\/li>\n<\/ul>\n<p>Network protection in Microsoft Defender for Endpoint&nbsp;blocks connections to known indicators associated with BlackLotus C2 servers.<\/p>\n<h2>Recovery and prevention guidance<\/h2>\n<p>If a device is determined to have been infected with BlackLotus, the device should be removed from the network and reformatted (both the OS partition and EFI partition) or restored from a known clean backup that includes the EFI partition.<\/p>\n<p>To prevent infection via BlackLotus or other variants abusing CVE-2022-21894, organizations should:<\/p>\n<ul>\n<li>Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access trojans (RATs) and other unwanted applications.<\/li>\n<\/ul>\n<p style=\"padding-left: 80px;\">This is key to preventing threat actors looking to deploy BlackLotus, which requires either remote administrative privileges on a target machine or physical access to the device. Organizations should implement defense-in-depth strategies to minimize the risk of threat actors gaining access and an administrative foothold in the environment. 
This can include detection and\/or prevention at multiple stages prior to deployment of BlackLotus:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>A threat actor gaining initial access via phishing, perimeter device compromise, or other vectors<\/li>\n<li>A threat actor compromising user or service account credentials on the network<\/li>\n<li>A threat actor moving laterally through the network using unusual or unauthorized accounts, abusing remote access software, or other mechanisms<\/li>\n<li>A threat actor escalating and gaining domain or local administrative privileges<\/li>\n<li>A threat actor creating malicious files on disk, including the BlackLotus installers or EFI files<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Customers should keep antimalware products up to date. Customers utilizing automatic updates for Microsoft Defender Antivirus do not need to take additional action. Enterprise customers managing updates should select the detection build <strong>383.1029.0<\/strong> or newer and deploy it across their environments.<\/li>\n<\/ul>\n<ul>\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/information-protection\/secure-the-windows-10-boot-process?ocid=magicti_ta_learndoc#secure-boot\">Remove the Microsoft 3rd Party UEFI CA from your system\u2019s UEFI Secure boot configuration if this is not required for your system to boot.<\/a> Performing this step blocks BlackLotus from working but <strong>does not<\/strong> eliminate the vulnerability.<\/li>\n<\/ul>\n<h2>References&nbsp;<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.welivesecurity.com\/2023\/03\/01\/blacklotus-uefi-bootkit-myth-confirmed\/\">BlackLotus UEFI bootkit: Myth confirmed<\/a> (ESET)<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malware-dev-claims-to-sell-new-blacklotus-windows-uefi-bootkit\/\" target=\"_blank\" rel=\"noreferrer noopener\">Malware dev claims to sell BlackLotus new Windows UEFI bootkit<\/a> 
(BleepingComputer)<\/li>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2022-21894\" target=\"_blank\" rel=\"noreferrer noopener\">Secure Boot Security Feature Bypass Vulnerability<\/a><\/li>\n<\/ul>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/11\/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign\/\">Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/11\/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft Security Threat Intelligence &#8211; Editor| Date: Tue, 11 Apr 2023 17:00:00 +0000<\/strong><\/p>\n<p>This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/11\/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign\/\">Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security 
Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[29060,19069,29061,4500,23445,24237],"class_list":["post-21701","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-blacklotus","tag-bootkit","tag-cve-2022-21894","tag-cybersecurity","tag-microsoft-detection-and-response-team-dart","tag-uefi"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21701"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21701\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21701"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}