Demo Video: Why UEFI Malware Is the Next Frontier of Endpoint Security

Two of the most common misunderstandings that we encounter when discussing how Eclypsium can help protect client PCs are that 1) an EDR solution can protect against all types of malware, and 2) built-in Windows security features are sufficient to protect against low-level attacks.

Neither of these is true in the case of malware such as BlackLotus, which the NSA issued a warning about in June 2023. Read the NSA BlackLotus Mitigation Guide for the full details, but the gist is that attacks such as BlackLotus are difficult to protect against because they target the earliest phase of the boot process to take control of an endpoint. The NSA points out that even fully patched systems remain vulnerable because of the delicate nature of updating the Secure Boot Deny List Database (DBX).
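Because the DBX is what actually blocks a revoked boot loader, a defender wants to know whether Secure Boot is enforced and what the DBX on a given machine currently contains, independent of the OS patch level. The following PowerShell is an added example written for this page, not Eclypsium's code or tooling: it reads the DBX through the built-in SecureBoot module cmdlets, walks the EFI_SIGNATURE_LIST structures in it, and returns a summary that can be saved as a baseline and compared later. It assumes an elevated session on a UEFI-booted Windows host; the GUID constants are the standard EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID values from the UEFI specification.

```powershell
# Added example (not Eclypsium's code): report Secure Boot enforcement and
# summarise the DBX (forbidden signature database) for baseline comparison.
# Requires an elevated PowerShell session on a UEFI-booted Windows host.

$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # SHA-256 hash entries
$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # X.509 certificate entries

function Get-DbxSummary {
    # Confirm-SecureBootUEFI throws on legacy-BIOS systems; treat that as "not enforced".
    try { $enforced = Confirm-SecureBootUEFI } catch { $enforced = $false }

    # Get-SecureBootUEFI exposes the raw UEFI variable contents in .Bytes
    [byte[]]$bytes = (Get-SecureBootUEFI -Name dbx).Bytes

    $hashes = New-Object System.Collections.Generic.List[string]
    $certs  = 0
    $offset = 0

    # The variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType (16-byte GUID), SignatureListSize, SignatureHeaderSize,
    #   SignatureSize (UINT32 each), then SignatureHeader and one or more
    #   EFI_SIGNATURE_DATA entries (16-byte SignatureOwner GUID + payload).
    while ($offset + 28 -le $bytes.Length) {
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)

        if ($listSize -lt 28 -or ($offset + $listSize) -gt $bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }

        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # Skip the SignatureOwner GUID, keep the signature payload
            $data = $bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EfiCertSha256Guid) {
                $hashes.Add(([BitConverter]::ToString($data)).Replace('-', '').ToLower())
            } elseif ($type -eq $EfiCertX509Guid) {
                $certs++
            }
            $pos += $sigSize
        }
        $offset = $end
    }

    [pscustomobject]@{
        SecureBootEnforced = $enforced
        DbxBytes           = $bytes.Length
        RevokedHashes      = $hashes.Count
        RevokedCerts       = $certs
        Hashes             = $hashes
    }
}

# Usage: print the summary and keep the hash list as a baseline for later comparison.
$summary = Get-DbxSummary
$summary | Format-List SecureBootEnforced, DbxBytes, RevokedHashes, RevokedCerts
$summary.Hashes | Set-Content -Path "$env:ProgramData\dbx-baseline.txt"

# On a later run, anything in the baseline that is missing from the live DBX
# (or a DBX that never grows after firmware/OS updates) is worth investigating:
#   Compare-Object (Get-Content "$env:ProgramData\dbx-baseline.txt") (Get-DbxSummary).Hashes
```

The point of the summary is the gap the NSA guide describes: a host can be fully patched at the OS level and still carry a DBX that does not revoke the boot components an attack relies on. Comparing `RevokedHashes` and the hash list against the revocation list the vendor says should be applied, and across a fleet, surfaces machines where the DBX update never landed. A DBX check does not detect a bootkit that is already resident; it only tells you whether the firmware would refuse the revoked loaders in the first place.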

As EDR products improve, attackers are targeting lower-level mechanisms to evade detection. In the demonstration video below, we show how malware similar to BlackLotus can take control over an up-to-date Windows system while evading EDR and bypassing Windows security features such as Secure Boot and BitLocker. 

Eclypsium has deep expertise in understanding and developing defenses against this type of attack, including the BlackLotus malware. Examples of our previous research include:

The post Demo Video: Why UEFI Malware Is the Next Frontier of Endpoint Security appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.
