Hello and welcome to the Tuesday, June 27, 2023 edition of the Sands and at Stormtunners Stormcast.

My name is Johannes Ulrich and then I'm recording from Stockholm, Germany.

The NSA has published a mitigation guide for Black Lotus.

Not sure if you remember, but this sort of was revealed last year. Black

Lotus is malware that does infect UFI firmware. In order for Black Lotus to work, it

typically needs two vulnerabilities that were patched by Microsoft in January, I believe,

early this year.

What the NSA points out in their mitigation guide is that patching these vulnerabilities

may not necessarily solve the entire Black Lotus problem.

The issue that they're pointing out is that there are vulnerable firmware images that are still valid,

meaning they're still validly signed, they have not been revoked.

So an attacker could do something, well, as we sort of seen sometimes with the

Bring Your Own driver kind of attacks, for an attacker is first essentially downgrading

or installing a version of the bootloader that is known to be vulnerable, that is still

properly signed. So the user may not necessarily be warned that

this is a malicious bootloader, which it isn't. It is not malicious. It's just vulnerable and

then allows for the install of additional matter. That's sort of what Black Lotus is all about.

So if you're worried about this, take a look at the full NSA

mitigation guide for Black Lotus with more details about how the attack works and how you

protect yourself from it. But some of the highlights here specifically regarding this issue is

that first of all, you should monitor device integrity

measurements and the boot configuration, so detect any change whether or not it's malicious

...