2 min read

NSA Publishes Guidance on Mitigating BlackLotus UEFI Malware Attacks


June 23, 2023

Promo Protect all your devices, without slowing them down.
Free 30-day trial
NSA Publishes Guidance on Mitigating BlackLotus UEFI Malware Attacks

The National Security Agency (NSA) has issued a detailed guide on protecting systems from the notorious BlackLotus UEFI bootkit malware, which has been causing havoc since October 2022. Perceived initially as a firmware threat, the NSA clarifies that BlackLotus targets the earliest software stage of the boot process, making it extremely efficient and persistent.

The NSA advisory arrives after Microsoft released a series of security updates to address the zero-day Secure Boot vulnerability (CVE-2023-24932), which had been exploited to bypass a previously known flaw, CVE-2022-21894.

The latter was exploited in the initial waves of BlackLotus attacks last year. However, as the fix for the former is not activated by default, it cannot remove the loophole used to launch the malware.

BlackLotus, infamous for exploiting a vulnerability known as Baton Drop (CVE-2022-21894) in older bootloaders, allows perpetrators to bypass Secure Boot protection and compromise system security. By disabling the Secure Boot policy, they can replace the system's bootloader with a vulnerable version, letting them deploy the malware on compromised systems.

NSA Security Analyst Zachary Blum noted that, while BlackLotus is a significant threat, it can be mitigated on fully updated Windows systems, Linux endpoints, and devices customized for Secure Boot. Blum explained the criticality of applying the latest security updates and manually updating bootable media to thwart malware installation attempts.

"BlackLotus is very stoppable on fully updated Windows endpoints, Secure Boot customized devices, or Linux endpoints," reads the NSA's security advisory. "Microsoft has released patches and continues to harden mitigations against BlackLotus and Baton Drop."

Furthermore, the NSA advises system administrators to properly configure their endpoint security software to prevent BlackLotus from establishing a foothold. Users are also encouraged to customize their UEFI Secure Boot to block older (pre-January 2022) signed Windows bootloaders, further limiting the attack surface of the malware.

Firmware monitoring tools are another critical tool in this fight, allowing users to detect suspicious activities, monitor device integrity, and keep a watchful eye on boot configuration. These utilities are invaluable for identifying potential threats before they compromise the system.

For those looking to protect their systems, the NSA's guide on mitigating BlackLotus attacks is available here. The guide provides comprehensive steps for system administrators to shield their systems from this persistent threat.

Using specialized software such as Bitdefender Ultimate Security can protect you against BlackLotus and other digital threats. Key features include:

  • Continuous, comprehensive detection and protection against viruses, worms, rootkits, Trojans, spyware, ransomware, zero-day exploits, and other e-threats
  • Vulnerability assessment module that scans your system for weak points such as outdated, vulnerable software, missing Windows security patches, and unsafe settings and indicates the best fix
  • Behavioral detection technology that closely monitors active apps and takes instant action upon detecting suspicious activity
  • Rescue environment module that protects you against sophisticated malware like rootkits, which needs to be removed before Windows starts




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.

View all posts

You might also like