Examining how BlackLotus wreaks havoc on Windows Secure Boot
While source code leaks are often a bad thing, in this case they can only be considered wonderful. BlackLotus, which we covered earlier, has been horrifying security professionals and IT workers since it was first revealed. It is able to bypass the Secure Boot and TPM protections and irrevocably infect the drive’s EFI system partition, thus allowing it to launch boot-time malware that is completely invisible to the operating system and virus protection. The one fix found so far is quite complex to install and has to be done manually on every single machine you want to protect. Even better, getting it even slightly wrong will not only crash your local drive, but also ensure that you can’t use any tools to recover your lost data.
The release of the BlackLotus source code on GitHub, or at least most of it, will allow bad actors to design new types of bootloaders to invisibly infect machines without having to fork over the several thousand dollars the designers charged for access. There’s really no good news to go with this, as what leaked was already discovered by security researchers and doesn’t add to their knowledge. What it does is make it much easier for bad actors to use this code in conjunction with other bootloader viruses to create new versions of BlackLotus-like attacks, which we have no way to detect, let alone provide protection against.
At least it’s early on the weekend?