New UEFI bootkit discovered bypassing Secure Boot
Rohde & Schwarz Cybersecurity reports on the first publicly known UEFI bootkit seen in the wild that bypasses UEFI Secure Boot (the underlying research was published by ESET). The threat, identified as BlackLotus, can infect fully patched systems with Secure Boot enabled.

Rohde & Schwarz has reported on the discovery of the first publicly known UEFI bootkit operating in the wild that bypasses a critical security feature: UEFI Secure Boot. The threat is a bootkit called BlackLotus, which has reportedly been advertised on hacker forums for approximately $5,000 since October 2022.
UEFI (Unified Extensible Firmware Interface) is the interface between a computer's firmware and its operating system. Secure Boot is designed to prevent unsigned or revoked software from loading during startup: the firmware verifies the signature of each boot component against its allowed-signature database (db) and forbidden-signature database (dbx). BlackLotus does not break this signature check. It exploits CVE-2022-21894 ("Baton Drop"), a vulnerability in Microsoft-signed boot components that was patched in January 2022; because the vulnerable, validly signed binaries have not been added to the dbx revocation list, the bootkit can bring its own copy of them and still pass verification. This is why it can infect even current, fully patched Windows 11 systems with Secure Boot enabled. The practical check is therefore not only whether Secure Boot is on, but whether the firmware's dbx actually revokes the vulnerable loaders.
UEFI bootkits represent a significant threat because they gain control of the boot process before the operating system starts. This allows them to disable operating system security mechanisms (such as HVCI, BitLocker and Windows Defender) and to load their own kernel driver early in the boot phase. Such malware remains invisible to conventional antivirus programs and survives operating system reinstallation. An implant that lives in the SPI flash firmware itself can even survive a hard drive swap; BlackLotus is deployed to the EFI System Partition, so a disk replacement removes it but a reinstall does not. Furthermore, bootkits can corrupt firmware, lock down computers, or take over entire systems.
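The check a practitioner actually wants after reading the above is "does my firmware's dbx revoke the loader in question?". The following is an added example, not Rohde & Schwarz or ESET code: it parses a dbx blob in the UEFI EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout and tests whether a bootloader's Authenticode SHA-256 hash is on the forbidden list. The hashes in the sample are constructed placeholders, not real BlackLotus or Microsoft values; on Windows the real blob can be read with `(Get-SecureBootUEFI -Name dbx).Bytes`, and the Authenticode hash of a loader with a PE-hashing tool such as `pesign`.

```python
"""Parse a UEFI dbx (forbidden signatures) database and check whether a
bootloader's Authenticode SHA-256 hash has been revoked.

Added example, not vendor code.  Layout follows the UEFI specification's
EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA structures.  All hashes below are
constructed placeholders (assumption), NOT real BlackLotus/Microsoft values.
"""
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification: entries of this type carry
# the 32-byte SHA-256 Authenticode digest of a PE image.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

HEADER_LEN = 28  # GUID(16) + 3 x UINT32


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry.

    Each EFI_SIGNATURE_LIST is:
        EFI_GUID SignatureType        (16 bytes)
        UINT32   SignatureListSize    (whole list, including this header)
        UINT32   SignatureHeaderSize  (normally 0)
        UINT32   SignatureSize        (size of one EFI_SIGNATURE_DATA)
        UINT8    SignatureHeader[SignatureHeaderSize]
        EFI_SIGNATURE_DATA Signatures[] -> EFI_GUID SignatureOwner + data
    Lists are simply concatenated in the variable, so loop until exhausted.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        body = blob[off + HEADER_LEN + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def revoked_sha256_hashes(dbx_blob: bytes) -> set:
    """All SHA-256 Authenticode hashes that the dbx forbids (lower-case hex)."""
    return {data.hex() for t, _, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID and len(data) == 32}


def is_revoked(dbx_blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the loader with this Authenticode hash can no longer boot."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(dbx_blob)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries (fixture builder)."""
    sig_size = 16 + 32
    entries = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", HEADER_LEN + len(entries), 0, sig_size)
    return header + entries


# Constructed sample dbx: two placeholder loaders are revoked, a third is not.
REVOKED_A = "aa" * 32
REVOKED_B = "bb" * 32
UNREVOKED_LOADER = "cc" * 32  # stands in for a signed-but-vulnerable loader
SAMPLE_DBX = build_sha256_list([REVOKED_A, REVOKED_B])

if __name__ == "__main__":
    for h in (REVOKED_A, UNREVOKED_LOADER):
        state = "revoked" if is_revoked(SAMPLE_DBX, h) else \
            "NOT revoked: still boots under Secure Boot"
        print(h[:16] + "...", state)
```

The point of the third hash is the BlackLotus situation: a loader that is validly signed and not present in dbx passes Secure Boot no matter how old or vulnerable it is, so a fleet check should compare the Authenticode hashes of the loaders you care about against the dbx actually installed in firmware rather than trusting the Secure Boot status bit alone.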
Rohde & Schwarz offers protection against these advanced threats with its secure workstation solutions, including the R&S®Trusted Endpoint Suite. This suite features the R&S®Trusted VPN Client, an operating system-independent solution that acts as a UEFI firewall, preventing malware from infecting the firmware. It also includes the R&S®Trusted Disk full-disk encryption. Both components are approved by the German Federal Office for Information Security (BSI) for protecting classified data.