Binarly Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last built: Thu, 28 Dec 2023 22:10:25 +0000

Researchers Found BlackLotus UEFI Bootkit Sources on GitHub
https://gridinsoft.com/blogs/blacklotus-bootkit/
Published Mon, 17 Jul 2023 16:05:51 +0000
The source code for the BlackLotus UEFI bootkit, which was previously sold on the dark web for $5,000, has been discovered by Binarly analysts on GitHub. The researchers say the leaked sources are not entirely complete and contain mostly a rootkit and a bootkit to bypass Secure Boot.

What is BlackLotus bootkit?

BlackLotus was first spotted in October 2022. Its seller claimed that the bootkit had a built-in Secure Boot bypass, built-in Ring0/Kernel deletion protection, and also ran in recovery mode and safe mode. The malware is equipped with anti-virtualization, anti-debugging and obfuscation, which complicates its detection and analysis. Also, according to the seller, the security software cannot detect and destroy the bootkit, since it runs under the SYSTEM account inside a legitimate process.

BlackLotus darknet ad

In addition, BlackLotus is able to disable security mechanisms on target machines, including Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, as well as bypass User Account Control (UAC). The payload is 80 kilobytes in size, is written in assembler and C, and uses geofencing to avoid infecting machines in the CIS countries. Last year, the malware was offered for sale for $5,000, with each subsequent version priced at another $200.

Later, the threat was studied by analysts from ESET. They confirmed that the bootkit easily bypasses Secure Boot and uses the Baton Drop vulnerability (CVE-2022-21894) from a year ago to gain a foothold in the system.

How does the exploit work?

It was highlighted that Microsoft fixed this issue back in January 2022, but attackers can still exploit it because the affected signed binaries were not added to the revocation list. According to analysts, BlackLotus is the first documented case of abuse of this vulnerability.

Later, Microsoft experts, during the analysis of devices compromised with BlackLotus, identified a number of features that make it possible to detect infection and described in detail possible indicators of compromise.

They also discovered that BlackLotus exploits another vulnerability, CVE-2023-24932, which is also related to bypassing Secure Boot protection. Although the bug was fixed in May of this year, the fix ships disabled by default, and Microsoft requires Windows users to perform a very complicated manual procedure to enable it.

Since the company warned that applying the fix incorrectly could leave Windows unable to start, with no way to recover even from installation media, many people chose not to install the patches, leaving their devices vulnerable to attacks.

BlackLotus UEFI Bootkit Leaked to GitHub

As Binarly experts now say, the BlackLotus source code was leaked to GitHub by a user under the nickname Yukari. The author writes that the source code has been modified and no longer exploits the Baton Drop vulnerability. Instead, BlackLotus uses the bootlicker UEFI rootkit, which is based on the CosmicStrand, MoonBounce, and ESPECTRE UEFI APT rootkits.

BlackLotus Git Repository

“The source code leak is incomplete and mainly contains a rootkit and bootkit code to bypass Secure Boot,” Alex Matrosov, co-founder and head of Binarly, told Bleeping Computer.

He explains that the methods used in the bootkit are no longer new, but the leaked source code makes it easy for attackers to combine the bootkit with new vulnerabilities, both known and unknown.

“Most of these tricks and techniques have been known for a long time and do not pose a significant danger. However, the fact that they can be combined with new exploits, as the creators of BlackLotus did, came as a surprise to the industry and showed the limitations of existing OS protections,” says Matrosov.

Since the BlackLotus UEFI bootkit source code is now available to everyone, it is possible that attackers will use it to build more powerful malware capable of bypassing existing and future countermeasures against such threats.

Dell, HP, and Lenovo Devices Use Older Versions of OpenSSL
https://gridinsoft.com/blogs/older-versions-of-openssl/
Published Thu, 01 Dec 2022 15:13:46 +0000

Many Dell, HP and Lenovo devices use old and insecure versions of OpenSSL, as Binarly warns.

Let me remind you that we also wrote that OpenSSL Fixes First Critical Vulnerability Since 2016, and also that OpenSSL Patches Released and Critical Vulnerability Turns Out to be Not So Critical.

The problem lies in the EFI Development Kit II (EDK II) open-source environment: EDK II ships with its own cryptographic package, CryptoPkg, which in turn relies on OpenSSL. As a result, according to the researchers, the firmware of corporate Lenovo ThinkPad devices uses three different versions of OpenSSL at once (0.9.8zb, 1.0.0a and 1.0.2j), the newest of which was released in 2018.

Moreover, one of the firmware modules (InfineonTpmUpdateDxe) still relies on OpenSSL version 0.9.8zb, released on August 4, 2014.

older versions of OpenSSL

In addition to the OpenSSL versions listed above, some Lenovo and Dell firmware also uses an even older version (0.9.8l), released on November 5, 2009. The HP firmware code also used a 10-year-old version of OpenSSL (0.9.8w).

Manufacturer        OpenSSL version   Release date
Lenovo, Dell        0.9.8l            November 05, 2009
Lenovo, Dell, HP    0.9.8w            April 24, 2012
Lenovo, HP          0.9.8zb           August 06, 2014
Lenovo              0.9.8zd           January 08, 2015
Lenovo              0.9.8ze           January 15, 2015
Lenovo              0.9.8zf           March 19, 2015
Lenovo              1.0.0a            June 01, 2010
Lenovo              1.0.2d            July 09, 2015
Lenovo              1.0.2f            January 28, 2016
Lenovo, Dell        1.0.2g            March 01, 2016
Lenovo              1.0.2h            May 03, 2016
Lenovo, Dell, HP    1.0.2j            September 26, 2016
Lenovo, Dell        1.0.2k            January 26, 2017
Lenovo, Dell, HP    1.0.2u            December 20, 2019
Lenovo              1.1.0b            September 26, 2016
Lenovo              1.1.0g            November 02, 2017
Lenovo, Dell        1.1.0h            March 27, 2018
Lenovo, Dell        1.1.0j            November 20, 2018
Lenovo              1.1.1d            September 10, 2019
Lenovo, Dell        1.1.1l            August 24, 2021
Dell                1.1.0e            February 16, 2017
Dell                1.1.1n            March 15, 2022

“All this clearly points to the problem of supply chains with third-party dependencies, and it seems that these dependencies never get updated even for critical problems,” the experts write.

Binarly’s report stresses that this finding illustrates how third-party dependencies, left unmanaged, significantly complicate the firmware supply chain ecosystem.
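As an added illustration (not code from Binarly or from the Gridinsoft post), the Python script below shows the kind of inventory check behind such a finding: it scans a firmware-like byte blob for OpenSSL's own version banners, orders them correctly (letter suffixes such as zb sort after z) and flags versions whose release branch was already out of support on a given date. The sample bytes and the module name in them are constructed; the branch end-of-life dates are taken from OpenSSL's published release strategy.

```python
import re
from datetime import date

# Constructed stand-in for a firmware volume dump: a few driver blobs, each
# statically linked against a different OpenSSL. The bytes are illustrative only.
FIRMWARE_IMAGE = (
    b"\x00" * 16 + b"InfineonTpmUpdateDxe\x00OpenSSL 0.9.8zb 4 Aug 2014\x00"
    + b"\xff" * 8 + b"OpenSSL 1.0.2j  26 Sep 2016\x00" + b"\x90" * 4
    + b"OpenSSL 1.0.0a 1 Jun 2010\x00OpenSSL 1.0.2j  26 Sep 2016\x00"
)

# OpenSSL embeds its own banner as "OpenSSL <major>.<minor>.<fix><letters> <date>".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# End of support for the pre-3.0 branches, per OpenSSL's published release strategy.
BRANCH_EOL = {
    "0.9.8": date(2015, 12, 31), "1.0.0": date(2015, 12, 31),
    "1.0.1": date(2016, 12, 31), "1.0.2": date(2019, 12, 31),
    "1.1.0": date(2019, 9, 11),  "1.1.1": date(2023, 9, 11),
}

def version_key(version):
    """Sort key honouring OpenSSL letter suffixes: 0.9.8l < 0.9.8z < 0.9.8zb."""
    major, minor, fix, letters = VERSION_RE.fullmatch(version).groups()
    return (int(major), int(minor), int(fix), len(letters), letters)

def find_openssl_versions(image):
    """Distinct OpenSSL versions whose banners appear in the image, oldest first."""
    found = {m.decode() for m in BANNER_RE.findall(image)}
    return sorted(found, key=version_key)

def unsupported_versions(image, as_of):
    """Versions whose release branch was already out of support on as_of (ISO date)."""
    cutoff = date.fromisoformat(as_of)
    flagged = []
    for version in find_openssl_versions(image):
        branch = ".".join(VERSION_RE.fullmatch(version).group(1, 2, 3))
        if BRANCH_EOL.get(branch, date.max) < cutoff:  # unknown branch: not flagged
            flagged.append(version)
    return flagged

if __name__ == "__main__":
    for v in find_openssl_versions(FIRMWARE_IMAGE):
        print("found OpenSSL", v)
    print("out of support as of 2022-12-01:",
          unsupported_versions(FIRMWARE_IMAGE, "2022-12-01"))
```

The same scan run over real firmware modules extracted with a UEFI image parser would produce the per-module version inventory that the table above summarises.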
