Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Boot Configuration. Show all posts

Secure Boot Vulnerabilities Impact Bootloaders, Systems Compromised


About Secure Boost Bugs

Bootloaders that were in majority of the systems made in the last 10 years have been impacted by Secure Bost bypass vulnerabilities. 

Secure Boot is a mechanism made to prevent a device's boot process from threats, to bypass it will allow an attacker to execute arbitrary code before the operating system can load. 

It allows installation of stealthy and persistent malware. The Secure Boot vulnerabilities were found in the Eurosoft (CVE-2022-34301) CVE-2022-34303, New Horizon Datasys (CVE-2022-34302), and CryptoPro Secure Disk for BitLocker (CVE-2022-34303) bootloaders. 

As per Eclypsium (company) bootloaders are found in almost every device made in the past 10 years, this includes ARM and x86-64 devices.

How does the bugs work?

The CryptoPro Secure Disk and Eurosoft bootloader bugs contain signed UEFI shells, the hackers are able to bypass Secure Boot by exploiting built-in capabilities. For these security loopholes, one can easily exploit automated startup scripts. 

According to Eclypsium the bootloader contains a built-in bypass for Secure Boot that leaves Secure Boot on but disables the Secure Boot checks. This bypass can further enable even more complex evasions such as disabling security handlers. 

In this case, an attacker would not need scripting commands, and could directly run arbitrary unsigned code. To exploit any of these bugs, a hacker must have admin or root privileges on the targeted Linux and Windows system. 

But the company said that there are many ways to get these permissions on a device. The flawed bootloaders are signed by Microsoft. As per an advisory issued by the CERT/CC at Carnegie Mellon University, the tech giant has been working with vendors to address the flaws and it has restricted the certificates linked with the affected bootloaders. 

"In 2020, Eclypsium disclosed the existence of a vulnerability named BootHole, which affected all operating systems that used the GRUB2 bootloader with Secure Boot. Some vendors rushed to release patches in response to BootHole, but they caused many systems," says Security Week. 


Identifying Ransomware’s Stealthy Boot Configuration Edits

 

The research by Binary Defense entails the various threat hunting techniques and detections for a regularly reported Ransomware-as-a-Service (RaaS) methodology. Using the built-in Windows programme bcdedit.exe (Boot Configuration Data Edit),  threat actors have been spotted changing boot loader configurations to: 
  • Modify Boot Status Policies 
  • Disable Recovery Mode 
  • Enable Safe Mode 
Threat actors (such as Snatch and REvil) may not need to utilise bcdedit to adjust boot loader configurations if they implement code that directly modifies the Windows registry keys that define such configurations, according to the hypothesis employed by Binary Defense to construct the hunting queries. Last year, the researcher am0nsec published a proof-of-concept code that showed how to do exactly this on Windows 10 PCs. Binary Defense wanted to make sure that they could detect such behaviour not only on Windows 7, 8.1, and 11 computers but also on systems where the necessary registry key is stored under a different Globally Unique Identifier (GUID). 

The research builds on the work of Specter Ops researcher Michael Barclay, who published an in-depth blog about hunting for such activities on Windows 10 earlier this year. Below are the bcdedit.exe commands that attackers employ to change boot configuration. Other tools, such as the Windows System Configuration Utility (msconfig.exe), can be used to change the boot configuration data as well. Alternatives, on the other hand, are not described in the study because they are not command-line apps and hence cannot be utilised without a user interface.

Boot Status Policy: The usual way to edit the boot status policy is to use bcdedit with these command line arguments:
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
If there is a failed shutdown, boot, or other error during the startup process, this will change the "boot status policy" settings and compel the system to boot normally rather than entering Windows Recovery Environment (Windows RE). Threat actors deactivate this to prevent system administrators from using the Windows RE's System Image Recovery tool.

Recovery Mode: The usual method for disabling recovery mode with bcdedit is like this:
bcdedit.exe /set {default} recoveryenabled no
This command completely eliminates the Windows RE. Using the prior command to change the boot status policy will prevent the boot loader from loading the recovery environment when there are starting difficulties, but it will also prohibit system administrators from manually loading it.

Safeboot: To change the Safeboot options, bcdedit is used with these command line arguments:
bcdedit.exe /set {default} safeboot minimal

This command modifies the configuration that decides whether or not the system will restart in Safe Mode the next time it is powered on. Since not all Endpoint Detection and Response (EDR) solutions and Anti-Virus (AV) software will be running in Safe Mode, this is being changed to prevent identification rather than recovery. Windows Defender, for example, does not work in Safe Mode. As a result, any activities taken by a threat actor (for example, file encryption) will not be tracked, and thus will not be prevented.

Prior study into similar approaches revealed that the registry keys storing these boot loader configuration items were Windows version-specific, with only Windows 10 detections. Binary Defense simply set up VMs running Windows 7, 8.1, and 11 and ran the three aforementioned bcdedit.exe commands while doing a capture with the Windows SysInternals tool Procmon to figure out what those registry keys were for other Windows versions. The logs created by this tool are notoriously noisy, but by adding two filters, one excluding any process not named bcdedit.exe and the other excluding any operation not named RegSetValue, it was simple to filter down to the necessary logs.

In a 60-day period, the following queries were evaluated across different enterprise environments with zero false positives. Because changes to these parameters are uncommon, all of these inquiries can be surfaced to a SOC as detections.

Detections
  • Carbon Black
Windows 7:

regmod_name:(*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0* OR *BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009* OR *BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080*)

Windows 8.1:

regmod_name:(*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0* OR *BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009* OR *BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080*)

Windows 10:

regmod_name:(*BCD00000000\\Objects\\\{9f83643f\-4a91\–11e9\–9501\-b252ac81e352\}\\Elements\\250000E0* OR *BCD00000000\\Objects\\\{9f83643f\-4a91\–11e9\–9501\-b252ac81e352\}\\Elements\\250000E0* OR *BCD00000000\\Objects\\\{9f83643f\-4a91\–11e9\–9501\-b252ac81e352\}\\Elements\\16000009*)

Windows 11:

regmod_name:(*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0* OR *BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009* OR *BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080*)

  • CrowdStrike
Windows 7:

(event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName=”*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0*” OR RegObjectName=”*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009*” OR RegObjectName=”*BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080*”)

Windows 8.1:

event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName=”*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0*” OR RegObjectName=”*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009*” OR RegObjectName=”*BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080*”)

Windows 10:

event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName=”*BCD00000000\\Objects\\{9f83643f-4a91–11e9–9501-b252ac81e352}\\Elements\\25000080*” OR RegObjectName=”*BCD00000000\\Objects\\{9f83643f-4a91–11e9–9501-b252ac81e352}\\Elements\\250000E0*” OR RegObjectName=”*BCD00000000\\Objects\\{9f83643f-4a91–11e9–9501-b252ac81e352}\\Elements\\16000009*”)

Windows 11:

event_simpleName=AsepValueUpdate OR event_simpleName=SuspiciousRegAsepUpdate OR event_simpleName=RegistryOperationDetectInfo) AND (RegObjectName=”*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0*” OR RegObjectName=”*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009*” OR RegObjectName=”*BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080*”)

  • Microsoft Sentinel and Defender for Endpoint
Windows 7:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
where ActionType == “RegistryValueSet”
| where RegistryKey has_any (@”BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0″, @”BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009″, @”BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080″)

Windows 8.1:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where ActionType == “RegistryValueSet”
| where RegistryKey has_any (@”BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0″, @”BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009″, @”BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080″)

Windows 10:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where ActionType == “RegistryValueSet”
| where RegistryKey has_any (@”BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\25000080″, @”BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\250000E0″, @”BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\16000009″)

Windows 11:

DeviceRegistryEvents
| where TimeGenerated > ago(90d)
| where ActionType == “RegistryValueSet”
| where RegistryKey has_any (@”BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0″, @”BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009″, @”BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080″)

  • SentinelOne
Windows 7:

EventType = “Registry Value Modified” and RegistryKeyPath In Contains Anycase (“BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\250000e0”, “BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\16000009”, “BCD00000000\Objects\{8c07be1f-21bb-11e8-9c5d-d181d62e5fbf}\Elements\25000080”)

Windows 8.1: {303a1187-f04f-11e7-ae97-d7affdbdc5e9}

EventType = “Registry Value Modified” and RegistryKeyPath In Contains Anycase (“BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\250000e0”, “BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\16000009”, “BCD00000000\Objects\{303a1187-f04f-11e7-ae97-d7affdbdc5e9}\Elements\25000080”)

Windows 10:

EventType = “Registry Value Modified” and RegistryKeyPath In Contains Anycase (“BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\25000080”, “BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\250000E0”, “BCD00000000\Objects\{9f83643f-4a91–11e9–9501-b252ac81e352}\Elements\16000009”)

Windows 11: {ea075dc0-83af-11ec-9994-82f1525d1096}

EventType = “Registry Value Modified” and RegistryKeyPath In Contains Anycase (“BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\250000e0”, “BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\16000009”, “BCD00000000\Objects\{ea075dc0-83af-11ec-9994-82f1525d1096}\Elements\25000080”)