The NSA has urged infrastructure owners to “take action” to harden their estates against the BlackLotus UEFI bootkit malware – warning that patches from Microsoft for Windows vulnerabilities exploited in the wild in recent attacks “could provide a false sense of security” and would not root out the persistent malware from bootkit-infected systems.
The bootkit has been sold on underground forums since at least October 6, 2022, for around $5,000. It has a tiny on-disk size of around 80 kB, can disable HVCI, Windows Defender and BitLocker, can bypass UAC, and features an HTTP downloader that runs under the SYSTEM account inside a legitimate process, winlogon.exe, security researchers at ESET confirmed.