When I present to customers and mention that there are many UEFI BIOS firmware attacks in the wild, I often get a quizzical look because most MSPs don’t know much about them. On the Phoenix website we maintain a list of such attacks and some of the more recent ones come with names such as PixieFail, BlackLotus and Moon Bounce. Though these names may sound funny, they are certainly no laughing matter.
While many UEFI attacks don’t get much press, BlackLotus is one that Microsoft has talked about extensively because it can be very destructive.
BlackLotus is a bootkit that bypasses Windows Secure Boot and deploys malicious files to the EFI system partition that are launched by the UEFI firmware.
One thing that BlackLotus does is disable Secure Boot which is a mechanism to ensure that only an authenticated version of Windows can be launched by the UEFI firmware. This is something a hacker would clearly like to do because without Secure Boot enabled, the hacker can launch any rogue operating system and thereby turn the endpoint into a personal playground. This is where FirmGuard comes into the picture. If an endpoint has FirmGuard installed on it and Secure Boot is disabled because of BlackLotus, or any other reason, the MSP admin is immediately alerted via the dashboard and can then use SecureConfig to take corrective action–stopping an attack in its tracks.
One final point to note about UEFI malware is that it can be so devastating because of persistence. This means that even if you reinstall Windows on an infected endpoint or swap out the hard drive, you still won’t solve the problem. The reason is because the UEFI firmware sits in its own dedicated flash memory on the motherboard of the endpoint. So, the only way to solve the problem is to update the firmware and the only way to know about it in the first place is with FirmGuard.
