13 April 2023

Microsoft shares guidance on how to detect BlackLotus UEFI bootkit infections


Microsoft has released guidance to help organizations determine whether their environments have been targeted by threat actors using the BlackLotus UEFI bootkit, which exploits the Windows Secure Boot bypass vulnerability CVE-2022-21894.

First spotted in late 2022, BlackLotus comes with a slew of features, including anti-virtualization, anti-debugging and code obfuscation, and can disable security applications and defense mechanisms on target machines, including Hypervisor-protected Code Integrity (HVCI), BitLocker and Windows Defender. The bootkit can also bypass User Account Control (UAC) and Secure Boot, load unsigned drivers, and remain on a machine undetected for a long time because it runs before the operating system does.

The bootkit has been sold on hacking forums for $5,000, with an additional $200 charged for new versions.

“UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus,” Microsoft’s Incident Response team said.

During analysis, defenders should check for the following artifacts, which together can indicate a BlackLotus UEFI bootkit infection:

  • Recently written bootloader files on the EFI System Partition (ESP), for example under EFI\Microsoft\Boot

  • Staging directory artifacts created: the installer leaves an ESP:\system32\ directory that does not exist on a clean system

  • Registry key modified: HVCI switched off under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity (Enabled set to 0)

  • Windows Event log entries generated, notably Microsoft Defender Antivirus being stopped or failing to start

  • Network behavior: outbound connections originating from winlogon.exe, a process that normally makes none

  • Boot Configuration log entries generated: Measured Boot logs under C:\Windows\Logs\MeasuredBoot that reflect the changed bootloader

The team recommends evaluating these artifacts together rather than in isolation, since several of them (a disabled HVCI key, a recently updated bootloader) also occur legitimately; correlation reduces false positives and makes threat hunting more effective.
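The checks in the list above, as an added triage script for a single host. This is example code written for this page, not Microsoft's guidance tooling or any BlackLotus-specific detection signature. It assumes an elevated PowerShell 5.1 or later session on a UEFI-booted Windows machine, that drive letter S: is free for mounting the ESP, and a 30-day lookback window; the lookback, the use of Service Control Manager event 7023 as a proxy for "Defender was stopped", and the helper name New-Finding are assumptions, not indicators taken from the page.

```powershell
# Added example: BlackLotus artifact triage for one Windows host.
# Not Microsoft's tooling. Assumes: elevated PowerShell 5.1+, UEFI boot,
# drive letter S: unused, and a 30-day lookback (hypothetical threshold).
# Every hit is a lead to correlate with the other checks, not proof alone.

$Esp      = 'S:'
$Cutoff   = (Get-Date).AddDays(-30)
$Findings = @()

function New-Finding([string]$Check, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Detail = $Detail }
}

# 1. Mount the EFI System Partition. "mountvol <letter> /S" mounts it, "/D" unmounts.
$MountedHere = $false
if (-not (Test-Path $Esp)) {
    mountvol $Esp /S | Out-Null
    $MountedHere = $true
}

# 2. Recently written bootloader files. Record write time, SHA-256 and the
#    Authenticode signer: a loader not signed by Microsoft is the obvious case,
#    and the hash lets you compare a Microsoft-signed file against known-old
#    vulnerable builds, which is what BlackLotus relies on.
$Findings += @(Get-ChildItem -Path "$Esp\EFI" -Recurse -Include '*.efi' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Cutoff } |
    ForEach-Object {
        $Sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        New-Finding 'RecentBootloader' ("{0} written {1} sha256={2} sig={3} signer={4}" -f
            $_.FullName, $_.LastWriteTime, $Hash, $Sig.Status, $Sig.SignerCertificate.Subject)
    })

# 3. Staging directory dropped by the installer; absent on a clean ESP.
if (Test-Path "$Esp\system32") {
    $Findings += New-Finding 'StagingDirectory' "$Esp\system32 exists"
}

# 4. HVCI forced off in the registry. Enabled=0 is also a legitimate admin
#    setting, so this only counts alongside the other artifacts.
$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$Hvci = Get-ItemProperty -Path $HvciKey -Name Enabled -ErrorAction SilentlyContinue
if ($Hvci -and $Hvci.Enabled -eq 0) {
    $Findings += New-Finding 'HvciDisabled' "$HvciKey Enabled=0"
}

# 5. Event log. Service Control Manager event 7023 (service terminated with an
#    error) mentioning Defender is used here as a proxy for the service being
#    stopped; tune the IDs against your own baseline.
$Findings += @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7023; StartTime = $Cutoff } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Defender' } |
    ForEach-Object { New-Finding 'DefenderServiceError' ("{0} {1}" -f $_.TimeCreated, ($_.Message -split "`r?`n")[0]) })

# 6. Network: winlogon.exe owning established outbound TCP connections is abnormal.
$WinlogonPids = @(Get-Process -Name winlogon -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
$Findings += @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $WinlogonPids -contains $_.OwningProcess } |
    ForEach-Object { New-Finding 'WinlogonNetwork' ("winlogon.exe pid {0} -> {1}:{2}" -f $_.OwningProcess, $_.RemoteAddress, $_.RemotePort) })

# 7. Measured Boot logs: one TCG event log per boot. Logs written after the
#    bootloader change from check 2 are the correlation point; decoding the
#    PCR measurements inside them needs a TCG log parser and is out of scope.
$Findings += @(Get-ChildItem -Path 'C:\Windows\Logs\MeasuredBoot\*.log' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Cutoff } |
    Sort-Object LastWriteTime |
    ForEach-Object { New-Finding 'MeasuredBootLog' ("{0} {1} bytes at {2}" -f $_.Name, $_.Length, $_.LastWriteTime) })

if ($MountedHere) { mountvol $Esp /D | Out-Null }

if ($Findings.Count -eq 0) { 'No BlackLotus artifacts found by these checks.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt; mounting the ESP and reading the System log both need administrator rights. Each check writes its hits into the same findings table so that a single hit (say, only the HVCI key) can be weighed against the rest, which is the correlation the guidance asks for.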

Infected devices should be removed from the network and reformatted (both the OS partition and the EFI partition) or restored from a known clean backup that includes the EFI partition; reimaging only the OS partition leaves the implanted bootloader in place. To prevent infections via BlackLotus or other threats exploiting CVE-2022-21894, organizations are advised to practice the principle of least privilege and maintain credential hygiene, since the installer needs administrative rights on the target. Note that CVE-2022-21894 was patched in January 2022, but the patch alone does not stop BlackLotus: the bootkit brings its own copies of the still-validly-signed vulnerable bootloaders, which remain bootable until their hashes are added to the Secure Boot revocation list (DBX).

“Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access trojans (RATs) and other unwanted applications,” Microsoft says.
