Unkillable UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw

https://www.novabbs.com/computers/article-flat.php?id=69515&group=alt.comp.os.windows-10#69515

  copy link   Newsgroups: alt.comp.os.windows-10
Path: i2pn2.org!i2pn.org!paganini.bofh.team!not-for-mail
From: newskr...@krawl.org (NewsKrawler)
Newsgroups: alt.comp.os.windows-10
Subject: Unkillable UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw
Date: Mon, 6 Mar 2023 17:53:11 -0000 (UTC)
Organization: To protect and to server
Message-ID: <tu59a7$3mc5m$1@paganini.bofh.team>
Injection-Date: Mon, 6 Mar 2023 17:53:11 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="3879094"; posting-host="nDb7tZ7UQVYri04syWnKjQ.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
Cancel-Lock: sha256:rR0Y+QiPxYJnlsh/B6H5QnLMoK6UgMZViOOUKPo9T7g=
X-Notice: Filtered by postfilter v. 0.9.3

https://arstechnica.com/information-technology/2023/03/unkillable-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw/
Unkillable UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw

The world's first-known instance of real-world malware that can hijack a
computer's boot process even when Secure Boot and other advanced
protections are enabled and running on fully updated versions of Windows.

Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These
sophisticated pieces of malware infect the UEFI (short for Unified
Extensible Firmware Interface), the low-level and complex chain of firmware
responsible for booting up virtually every modern computer. As the
mechanism that bridges a PC's device firmware with its operating system,
the UEFI is an OS in its own right. It's located in an SPI-connected flash
storage chip soldered onto the computer motherboard, making it difficult to
inspect or patch.

Because the UEFI is the first thing to run when a computer is turned on, it
influences the OS, security apps, and all other software that follows.
These traits make the UEFI the perfect place to run malware. When
successful, UEFI bootkits disable OS security mechanisms and ensure that a
computer remains infected with stealthy malware that runs at the kernel
mode or user mode, even after the operating system is reinstalled or a hard
drive is replaced.

As appealing as it is to threat actors to install nearly invisible and
unremovable malware that has kernel-level access, there are a few
formidable hurdles standing in their way. One is the requirement that they
first hack the device and gain administrator system rights, either by
exploiting one or more vulnerabilities in the OS or apps or by tricking a
user into installing trojanized software. Only after this high bar is
cleared can the threat actor attempt an installation of the bootkit.

The second thing standing in the way of UEFI attacks is UEFI Secure Boot,
an industry-wide standard that uses cryptographic signatures to ensure that
each piece of software used during startup is trusted by a computer's
manufacturer. Secure Boot is designed to create a chain of trust that will
prevent attackers from replacing the intended bootup firmware with
malicious firmware. If a single firmware link in that chain isn't
recognized, Secure Boot will prevent the device from starting.

While researchers have found Secure Boot vulnerabilities in the past, there
has been no indication that threat actors have ever been able to bypass the
protection in the 12 years it has been in existence. Until now.
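The chain-of-trust check the article describes, written out as an added example (this is not code from the post, from Ars Technica, or from any firmware vendor). Every image in the boot sequence must carry a signature from a key the platform has enrolled, and verification stops at the first link that fails. It goes one step beyond the text by also modelling the Secure Boot revocation list (dbx), which blocks an image even when its signature is valid. All keys, image bytes and component names are constructed for the demo, and an HMAC keyed hash stands in for the asymmetric Authenticode signatures real Secure Boot uses:

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for the signing keys a real platform holds as
# certificates in its Secure Boot 'db' variable. HMAC models "signed by a
# key the firmware trusts"; real firmware checks asymmetric signatures.
OEM_KEY = b"constructed-oem-firmware-key"
OS_VENDOR_KEY = b"constructed-os-vendor-key"
ATTACKER_KEY = b"constructed-key-that-nobody-enrolled"

# Allowed signers ('db'). The revocation list ('dbx') holds image hashes.
DB = {"oem": OEM_KEY, "os-vendor": OS_VENDOR_KEY}


@dataclass(frozen=True)
class BootComponent:
    name: str        # e.g. option ROM, boot manager, OS loader
    image: bytes     # the executable the firmware is about to run
    signer: str      # which db entry the signature claims to come from
    signature: bytes


def sign(key: bytes, image: bytes) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()


def make_component(name: str, image: bytes, signer: str, key: bytes) -> BootComponent:
    return BootComponent(name, image, signer, sign(key, image))


def verify_boot_chain(chain, db, dbx):
    """Walk the boot sequence in order; return (may_boot, log).

    Mirrors the article: if a single link is not recognised, the
    platform refuses to start rather than skipping that link."""
    log = []
    for comp in chain:
        digest = hashlib.sha256(comp.image).hexdigest()
        if digest in dbx:
            log.append(f"{comp.name}: blocked, image hash is revoked in dbx")
            return False, log
        key = db.get(comp.signer)
        if key is None:
            log.append(f"{comp.name}: blocked, signer {comp.signer!r} not in db")
            return False, log
        if not hmac.compare_digest(sign(key, comp.image), comp.signature):
            log.append(f"{comp.name}: blocked, signature does not match image")
            return False, log
        log.append(f"{comp.name}: trusted")
    return True, log


def sample_chains():
    """Constructed boot sequences: one clean, three that should fail."""
    good = [
        make_component("option-rom", b"constructed option ROM image", "oem", OEM_KEY),
        make_component("bootmgr", b"constructed boot manager v2", "os-vendor", OS_VENDOR_KEY),
        make_component("osloader", b"constructed OS loader image", "os-vendor", OS_VENDOR_KEY),
    ]
    # A replacement boot manager signed with a key no one enrolled.
    rogue = list(good)
    rogue[1] = make_component("bootmgr", b"constructed rogue boot manager", "attacker", ATTACKER_KEY)
    # Bytes of the legitimate loader changed, original signature kept.
    tampered = list(good)
    tampered[2] = BootComponent("osloader", b"constructed OS loader image (patched)",
                                "os-vendor", good[2].signature)
    # An older, validly signed boot manager: only dbx can stop this one.
    old_bootmgr = make_component("bootmgr", b"constructed boot manager v1", "os-vendor", OS_VENDOR_KEY)
    downgraded = list(good)
    downgraded[1] = old_bootmgr
    return {"good": good, "rogue": rogue, "tampered": tampered, "downgraded": downgraded}, old_bootmgr


def run_scenarios():
    """Verify each constructed chain; returns {scenario: may_boot}."""
    chains, old_bootmgr = sample_chains()
    results = {name: verify_boot_chain(chain, DB, set())[0] for name, chain in chains.items()}
    # Same downgraded chain after the old image's hash is added to dbx.
    dbx = {hashlib.sha256(old_bootmgr.image).hexdigest()}
    results["downgraded_after_dbx_update"] = verify_boot_chain(chains["downgraded"], DB, dbx)[0]
    return results


if __name__ == "__main__":
    for scenario, booted in run_scenarios().items():
        print(f"{scenario:>28}: {'boots' if booted else 'refused'}")
```

The point the "downgraded" scenario makes is that signature checking alone only proves an image came from a trusted signer, not that it is the current, fixed version; keeping the revocation list current is the part of Secure Boot maintenance that closes that gap.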
