Microsoft to ‘Brick’ Unpatched Systems in 6 Months


A new critical bug in all Microsoft Windows systems that use Secure Boot will require manual user intervention to patch. CVE-2023-24932 is a critical security vulnerability that allows the execution of malicious code before the PC begins to run Windows, which means the vulnerability is exploited before any security tools can run.

Microsoft has now released a patch for CVE-2023-24932 in addition to one previously released in January for CVE-2022-21894, both of which are related to the Secure Boot issue. CVE-2022-21894 was being actively exploited with the BlackLotus bootkit.

The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections. It is designed to infect a computer’s boot process, allowing it to remain hidden from traditional security tools and measures, and gain persistence on the system.

Despite the release of two patches, the nature of this vulnerability is so severe and complex that it requires a multi-step manual effort to deploy. If the patch is improperly applied, the system will be bricked (no longer bootable). If Microsoft patches are applied without manual intervention in Q1 2024, the system will be bricked.

The patch Microsoft most recently issued is disabled by default because, once activated, existing Windows boot media will no longer be able to run, and the change cannot be reverted.

Prior to activation of the patch, a user must go through the following manual process:

  1. Install Microsoft’s May 9, 2023 update, following Microsoft’s instructions.

  2. If you use bootable media, update it following Microsoft’s instructions.

  3. Manually apply and verify a pair of “Revocation Files” that update the system’s EFI boot partition and the Windows Registry.

The above steps cause all vulnerable versions of the Windows boot loader to be treated as untrusted.
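A read-only audit of where one PC stands in the process above, as an added example that is not code from Microsoft or Acreto. It assumes, and you should verify against Microsoft’s current guidance for this CVE, that the staged-update flag is the DWORD `AvailableUpdates` under `Control\SecureBoot` and that the revocation policy file on the EFI System Partition is `\EFI\Microsoft\Boot\SkuSiPolicy.p7b`; it runs from an elevated prompt and applies nothing.

```powershell
# Added example: read-only audit of the CVE-2023-24932 mitigation state on one PC.
# Run from an elevated PowerShell prompt. Nothing here applies the revocation.
# Assumed names (verify against Microsoft's current guidance for this CVE):
#   - the staged-update flag is the DWORD AvailableUpdates under Control\SecureBoot
#   - the revocation policy file is \EFI\Microsoft\Boot\SkuSiPolicy.p7b on the ESP

function Get-SecureBootMitigationState {
    $state = [ordered]@{}

    # 1. Firmware view: is Secure Boot enforced at all? Throws on legacy BIOS.
    try   { $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $state.SecureBootEnabled = $false }

    # 2. Registry view: Windows' own Secure Boot flag and the staged mitigation value.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $state.UEFISecureBootEnabled = [bool]$props.UEFISecureBootEnabled
    $state.AvailableUpdates = if ($null -ne $props.AvailableUpdates) {
        '0x{0:X}' -f [int]$props.AvailableUpdates   # assumed value name
    } else { 'not set' }

    # 3. Forbidden-signature database (DBX) size; it grows once revocations are written.
    try   { $state.DbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length }
    catch { $state.DbxBytes = 0 }

    # 4. ESP check: temporarily mount the EFI System Partition and look for the policy.
    $drive = 'S:'                          # any free drive letter
    $state.RevocationPolicyOnEsp = $false
    if (-not (Test-Path $drive)) {
        mountvol $drive /S | Out-Null      # /S mounts the ESP (requires elevation)
        try {
            $policy = Join-Path $drive 'EFI\Microsoft\Boot\SkuSiPolicy.p7b'  # assumed name
            $state.RevocationPolicyOnEsp = Test-Path $policy
        } finally {
            mountvol $drive /D | Out-Null  # always unmount again
        }
    } else {
        $state.RevocationPolicyOnEsp = 'skipped: drive letter in use'
    }

    # 5. One-line verdict for inventory scripts and reporting.
    $state.Verdict = if (-not $state.SecureBootEnabled) { 'Secure Boot off: no protection' }
                     elseif ($state.RevocationPolicyOnEsp -eq $true) { 'Revocation staged on ESP' }
                     else { 'Secure Boot on, revocation not yet applied' }

    [pscustomobject]$state
}

Get-SecureBootMitigationState | Format-List
```

Run it across a fleet before the Q1 2024 deadline the post describes to find machines that still boot with the old, soon-to-be-revoked boot loader.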

Subsequent patches in the coming months will also not activate the Secure Boot fix; however, Microsoft warned that its Q1 2024 patch release will automatically apply and activate the updated Secure Boot configuration. This will render all vulnerable boot loaders non-functional, so users must apply the patches and go through the manual revocation process in the next few months.

Secure Boot has been enabled by default for over a decade on most Windows PCs, and it is required for Windows 11 PCs to meet the software’s system requirements. So all PCs should be considered susceptible to this vulnerability.

Acreto Solution

While waiting for Microsoft to release a fix for this issue, Acreto can provide help until patches are in place. Acreto combats the Secure Boot vulnerability by deploying the Ecosystems described below:

  • Acreto eliminates the internal attack surface by isolating individual or groups of systems on a shared network, or entire networks, limiting access to authorized Ecosystem members.

  • Acreto uses micro-segmentation and nano-segmentation to limit access only to systems that need to interoperate together, making it harder for attackers to move laterally and achieve persistence on the network.

  • Acreto’s Secure Scan detects malicious activity during the boot-up process by analyzing and monitoring system-level activity and behavior in real time using advanced threat detection and machine-learning techniques.

  • Implementing these segmentation solutions greatly reduces the attack surface, enhances visibility and control, and protects critical assets and data.

  • Acreto Ecosystems secure any technology, on any network, anywhere, and can be provisioned in 5 minutes and deployed in around 2 hours without the need for products, logistics, or hard-to-find experts.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network, or entire networks, to limit access only to systems that need to interoperate together. This is done with:

  • Micro-Segmentation: Segmenting groups of systems on any shared network, including hostile networks or the entire network.
  • Nano-Segmentation: Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. More than 90% of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

Access Control

Identity with MFA

  • User: Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.
  • Device: Assigns a unique identity to each device so that a device that does not rely on a user to operate, such as an autonomous application or IoT device, can be validated before it is allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource, by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc.) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource, by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc.) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource, by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Content

Content Category

Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.

File Type Upload / Download Controls

Control upload / download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.

Data Leak Prevention

Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:

  • Credit Cards Upload / Download Controls
  • Social Security Number Upload / Download Controls
  • RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Threat Signature

Identifies and mitigates known bad exploits, malware, botnets and ransomware.

Zero-Day Behavioral Analysis

Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name for the Ecosystem, then choose the desired bandwidth, and within a few minutes your Ecosystem, providing a dedicated security infrastructure, is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to that scenario. Moreover, when it’s time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes its policies. This has traditionally been a complex task that is at best inaccurate.

Mechanism of Attack

  • The BlackLotus bootkit is a type of malware that is designed to infect a computer’s boot process, allowing it to remain hidden from traditional security measures and gain persistence on the system.
  • Once installed, the bootkit can intercept and modify low-level system components, such as the master boot record (MBR) or the boot sector of a partition, to maintain its presence on the infected system.
  • This can allow attackers to gain complete control over the compromised computer, steal sensitive data, install additional malware, and perform other malicious activities without being detected.
  • List of affected media:
    • Windows install media, such as DVDs and USB drives, created from Microsoft’s ISO files.
    • Custom Windows install images maintained by IT departments.
    • Full system backups.
    • Network boot drives, including those used by IT departments to troubleshoot machines and deploy new Windows images.
    • Stripped-down boot drives that use Windows PE.
    • The recovery media sold with OEM PCs.
  • CVE-2022-21894 – Secure Boot Security Feature Bypass Vulnerability.
  • CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability.

For more details on CVEs, visit: CVE – CVE (mitre.org)


About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

About The Author: Acreto Threat Labs

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.