US CISA Urges Improvements to Key Computer Component

Governance & Risk Management , Patch Management

The U.S. federal government is urging computer manufacturers to improve the security of firmware architecture that boots up devices after a powerful bootkit spotted last year sparked heightened concerns over permanent malware infections.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

The Cybersecurity and Infrastructure Security Agency issued a call to action Thursday for the standard developers behind the Unified Extensible Firmware Interface to improve patch distribution, coding and logging practices.

UEFI is an industry standard for hardware initialization when a computer powers up, published by the UEFI Forum. A spokesperson said the forum has no comment.

The call comes after the discovery of malware known as BlackLotus, a powerful bootkit sold in hacking forums for $5,000, caused the National Security Agency in June to warn Windows systems administrators over its threat.

BlackLotus bypasses Microsoft security features meant to protect hackers from infecting the boot process that takes place before the Windows operating system assumes control. Once the malware has infected UEFI software, it can gain full control over the system. Boot loader infections are difficult to detect and any computer infected with BlackLotus must be completely re-imaged and possibly discarded.

Microsoft has released multiple patches to stymie BlackLotus, but the NSA said patching is only a first step to hardening machines against the malware (see: NSA Issues Remediation Guidance for BlackLotus Malware).

"UEFI bootkits are very powerful threats, having full control over the OS boot process and thus capable of disabling various OS security mechanisms and deploying their own kernel-mode or user-mode payloads in early OS startup stages," said Martin Smolár, a malware analyst at Eset, in a March 1 report unmasking BlackLotus. "This allows them to operate very stealthily and with high privileges."

Microsoft is phasing in fixes to revoke a vulnerable bootloader version that BlackLotus takes advantage of to bypass security protections, but it says it doesn't anticipate the rollout to be complete until the first quarter of next year. One reason for the measured pace, Microsoft said, is that older bootable media such as backup images will become unusable.

CISA also recommends that all UEFI developers implement a dedicated public key infrastructure for updates. A CISA official told Dark Reading that Microsoft's use of a single key to sign multiple files has made patching Windows computes against BlackLotus a much harder process.

The agency also recommends a software bill of materials for UEFI components and better native UEFI ability for administrators to collect event logs.