Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Windows 10. Show all posts

Unveiling Vulnerabilities in Microsoft PlayReady DRM: Impact on Streaming Platforms

 

In a meticulous research endeavor, Security Explorations, a division of AG Security Research, embarked on an exhaustive analysis of Microsoft's Warbird and Protected Media Path (PMP) technologies. The culmination of this investigation has unearthed critical deficiencies within the security architecture of Microsoft's PlayReady Digital Rights Management (DRM) system, posing profound implications for content security across a spectrum of streaming platforms. 

At the core of Microsoft's content protection ecosystem lies Protected Media Path (PMP), an amalgamation of cryptographic protocols, code integrity checks, and authentication mechanisms designed to fortify content security within Windows OS environments. In tandem, Microsoft Warbird endeavors to erect formidable barriers against reverse engineering attempts, encrypting and obfuscating binaries to thwart unauthorized access. 

However, despite the multifaceted security measures embedded within these technologies, Security Explorations' research has illuminated vulnerabilities within PMP components. These vulnerabilities lay bare the underbelly of Microsoft's DRM infrastructure, allowing for the extraction of plaintext content keys essential for the decryption of high-definition content. The ramifications of such exploits extend far and wide, implicating prominent streaming platforms including Canal+ Online, Netflix, HBO Max, Amazon Prime Video, and Sky Showtime. 

Of particular concern is the vulnerability's prevalence on Windows 10 systems lacking Hardware DRM capability, a demographic constituting a significant portion of the user base due to compatibility constraints with Windows 11. The exploitation of Software DRM implementations prevalent in these environments underscores the urgent need for remedial action. While Microsoft's PlayReady team has been apprised of these findings, Security Explorations has refrained from disclosing detailed technical information through the MSRC channel, citing proprietary concerns and the imperative to safeguard intellectual property. 

Beyond the immediate ramifications for individual platforms, the research underscores broader implications for the content security landscape. With the burgeoning digital streaming industry valued at $544 billion, the imperative of ensuring robust DRM solutions cannot be overstated. The compromise of plaintext content keys not only imperils individual platforms but also undermines consumer trust and revenue streams, posing a systemic risk to the digital content ecosystem. 

Mitigating these vulnerabilities demands a concerted effort from industry stakeholders. Streaming platforms may consider transitioning to alternative DRM technologies or implementing interim safeguards to mitigate the risk of exploitation. However, the challenge lies in striking a delicate balance between security measures and user accessibility, ensuring seamless functionality without compromising content security. The research findings underscore the imperative for collaborative efforts between security researchers and industry stakeholders to fortify DRM ecosystems against evolving threats. 
Moreover, they highlight the pressing need for enhanced regulatory scrutiny and industry standards to bolster content security in the digital age. 

In light of these revelations, streaming platforms must reassess their security posture and implement robust measures to safeguard against unauthorized access and content piracy. Failure to address these vulnerabilities not only jeopardizes consumer confidence but also undermines the viability of streaming platforms in an increasingly interconnected world. As the digital landscape continues to evolve, proactive measures are indispensable to safeguarding content integrity and preserving the sanctity of digital content distribution channels. Only through collective vigilance and concerted action can the industry fortify itself against the ever-looming specter of security threats.

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

 

Security researchers have outlined a fresh variant of a dynamic link library (DLL) search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and Windows 11.

The new method, disclosed in a report by cybersecurity firm Security Joes and exclusively shared with The Hacker News, exploits executables commonly present in the trusted WinSxS folder, utilizing the classic DLL search order hijacking technique. By doing so, adversaries can avoid the need for elevated privileges when attempting to run malicious code on a compromised system, introducing potentially vulnerable binaries into the attack chain.

DLL search order hijacking involves manipulating the search order used to load DLLs, allowing the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. This technique targets applications that do not specify the full path to required libraries, relying on a predefined search order to locate DLLs on disk.

Threat actors exploit this behavior by relocating legitimate system binaries into non-standard directories that contain malicious DLLs, named after legitimate ones. This tricks the system into loading the attack code-containing library instead of the authentic one.

The unique aspect introduced by Security Joes focuses on files within the trusted "C:\Windows\WinSxS" folder. WinSxS, short for Windows side-by-side, is a crucial Windows component used for OS customization and updates to ensure compatibility and integrity.

According to Ido Naor, co-founder and CEO of Security Joes, the discovery diverges from traditional cyber attack methods, providing a more subtle and stealthy exploitation technique. The strategy involves identifying vulnerable binaries in the WinSxS folder and combining them with DLL search order hijacking methods. This entails strategically placing a custom DLL with the same name as a legitimate DLL into an actor-controlled directory, triggering code execution when executing a vulnerable file in the WinSxS folder.

Security Joes emphasized the potential for additional binaries in the WinSxS folder susceptible to this DLL search order hijacking, urging organizations to take precautions. They recommended examining parent-child relationships between processes, particularly focusing on trusted binaries, and closely monitoring activities performed by binaries in the WinSxS folder, including network communications and file operations.

QBot Phishing Exploits Windows Control Panel EXE to Infect Devices


Phishing messages and emails across the QBot malware are allegedly utilizing a DLL hijacking vulnerability in the Windows10 Control Panel to infect PCs, most likely in an effort to avoid being detected by security software. 

DLL hijacking is an attack method used by threat actors to take advantage of the way Windows loads dynamic link libraries (DLLs). 

During the launch of a Windows executable, it will look for any DLL dependencies present in the Windows search path. The program would instead load a malicious DLL and infect the computer if a threat actor creates a malicious DLL with the same name as one of the program's necessary DLLs and retained it in the same folder as the executable. 

QBot, also known as Qakbot, is a Windows malware that was initially a banking trojan but later emerged as a full-featured malware dropper. The malware is also utilized by renowned ransomware gangs like Black Basta, Egregor, and Prolock in order to gain initial access to corporate networks. 

In July, security researcher ProxyLife found that threat actors were using the Windows 7 Calculator's DLL hijacking vulnerability, in order to spread the QBot malware. 

Meanwhile this week, ProxyLife reported that the threat actors have switched to utilizing a DLL hijacking flaw in the Windows10 Control Panel executable, namely control.exe. 

Abusing the Windows Control Panel:  

In a phishing campaign witnessed by ProxyLife, the hackers used stolen reply- chain emails to distribute an HTML file attachment, which downloads a password-protected ZIP archive consisting an ISO file inside. 

The HTML file, named similar to 'RNP_[number]_[number].html, displays an image personating Google Drive and a password for a ZIP archive that is downloaded automatically. This ZIP archive consists of an ISO disk image that, when double-clicked will automatically be displayed in a new drive letter in Windows10 and later. 

This ISO file contains a Windows Shortcut (.LNK) file, a ‘control.exe’ (Windows 10 Control Panel) executable, and two DLL files named edputil.dll (used for DLL hijack) and msoffice32.dll (QBot malware). 

The Windows shortcut (.LNK) included in the ISO uses an icon that attempts to make it look like a genuine folder. 

The shortcut, however, opens the Windows 10 Control Panel executable, control.exe, which is kept in the ISO file, when a user tries to open this fabricated folder. 

The genuine edputil.dll DLL, which is placed in the C:WindowsSystem32 folder, will automatically be loaded when control.exe is opened. It does not, however, look for the DLL in specific folders and will load any DLL with the same name that is put in the same folder as the program control.exe. 

As the hackers are bundling a malicious edputil.dil DLL in the same folder as control.exe, instead the fraudulent DLL will be loaded by the users. Once the malicious edputil.dll DLL is loaded, it infects the device with the QBot malware (msoffice32.dll) using the regsvr32.exe msoffice32.dll command.

Security software may not recognize QBot as malicious if it is installed using a trustworthy tool, such as the Windows 10 Control Panel, allowing the malware to avoid detection. 

QBot will now covertly run in the background, accessing and stealing emails to use them later for the phishing attacks and install additional payloads like Brute Ratel or Cobalt Strike, that are post-exploitations toolkits that hackers use to acquire remote access to corporate networks. This remote access further leads to corporate data theft and ransomware attacks.  

PowerToys Releases Version 0.64 With File LockSmith and Host File Editor

 

Microsoft has recently released the latest version of the PowerToys toolset, PowerToys 0.64 to the public. The new version will aid Windows users in finding the processes using selected files and unlock the same without the use of a third-party tool. 

PowerToy 0.64 additionally comes with significant enhancements in File Locksmith and Host File Editor. The first program, File Locksmith gives File Explorer a “What’s using the file?” context menu entry. It displays which Windows processes are currently using the file. 

The primary purpose of File LockSmith is to provide users with information that Windows does not provide when activities like delete or move are being executed. In case a file is in use, certain actions may not be performed by the operating system. Windows do not provide certain important information about that to the user, but File LockSmith does so.  

The second program, the Host File tool allows a user to edit the Hosts file in Window11 (or Window10) via an appropriate editor UI, instead of the user having to use Notepad. For example, the Hosts file allows users to block access to certain domains. Having this UI should make it a little less difficult to make changes to it. 

In addition to this, the PowerToy settings now possess a new feature that allows users to export or import the current settings from a file, making it easier to migrate settings across devices as per user requirements. Users now have the option to back up and restore the settings, which is useful in case PowerToy is running on various devices, or simply for backup purposes. 

Moreover, Microsoft has also made enhancements in FancyZones that lets a user set default behaviors for horizontal and vertical screens. The improvements are done, as in some cases monitor IDs tend to get reset, additionally, FancyZones settings do not apply anymore. With the latest enhancements, even if the aforementioned situation occurs, the user layout should at least make some sense based on the orientation of his screen.

HP Bug Left Unpatched for a Year

Six high-severity software flaws have been known since July 2021, they cause a range of vulnerabilities in HP products used in enterprise settings and are not yet patched.

Firmware defects can result in malware infections that last even after an OS re-installation or allow long-term breaches that would not be detected by regular security techniques, making them extremely dangerous.

Although some of the weaknesses were made public by Binarly at Black Hat 2022 a month ago, the manufacturer hasn't delivered security upgrades for all afflicted models, leaving many customers vulnerable to attacks.

Binarly contributed to the resolution of six serious flaws that not only affect these devices but also numerous other HP product lines. This disclosure, which details arbitrary code execution flaws linked to System Management Mode, was coordinated with the HP PSIRT team (HPSBHF03806) (SMM).

SMM is a component of the UEFI firmware, which offers system-wide features including power management and low-level device control. Since this SMM sub-system has greater privileges than the operating system kernel (ring 0), vulnerabilities affecting the SMM can render security mechanisms ineffective.

According to Binarly, HP has not fixed the following six vulnerabilities for months:
  • Stack-based buffer overflow resulting in unauthorized code execution is CVE-2022-23930. Score for CVSS v3: 8.2 'High'
  • Out-of-bounds write on CommBuffer, which permits evading some validation, is CVE-2022-31644. Score for CVSS v3: 7.5 'High'
  • Out-of-bounds write on CommBuffer due to failure to verify the size of the pointer given to the SMI handler, CVE-2022-31645. Score for CVSS v3: 8.2 'High'
  • Out-of-bounds writing using the direct memory manipulation API feature can result in privilege elevation and arbitrary code execution, according to CVE-2022-31646. Score for CVSS v3: 8.2 'High'
  • CVE-2022-31640 - Inadequate input validation gives attackers access to the CommBuffer data and creates a conduit for unauthorized changes. Score for CVSS v3: 7.5 'High'
  • Callout vulnerability in the SMI handler that allows for arbitrary code execution is CVE-2022-31641. Score for CVSS v3: 7.5 'High'
Patch fix updates

Three security advisories have been posted by HP acknowledging the aforementioned vulnerabilities, and an equal number of BIOS updates have been released to remedy the problems for some of the vulnerable models; with the exception of thin client PCs, which received security updates on August 9, 2022. 

While CVE-2022-31640 and CVE-2022-31641 were fixed during August, the most recent update was released on September 7, 2022, and many HP workstations are still vulnerable. Furthermore, CVE-2022-23930 was patched on all impacted systems in March 2022.

The BIOS is a crucial component that guarantees compatibility between updated software and legacy hardware. Before installing Windows 10, make certain that your computer has the most recent BIOS installed.

The Windows update may fail and roll back due to an outdated graphics driver. Before beginning the update procedure, it is advised to check and make sure the most recent Graphics drivers are installed on your computer.


Magniber Ransomware Tricking Users via Fake Windows 10 Updates

 

Security analysts have unearthed a new ransomware campaign targeting Windows systems. Malicious actors are using fake Windows 10 updates to spread the Magniber ransomware strain. 

Since April 27, users around the world have been posting their stories on the BleepingComputer forum seeking a solution. According to the publication, these fake Windows 10 updates are being distributed under multiple names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi via platforms such as pirated sites, posing as legitimate cumulative or security updates.

Aside from these files, there also are other fake knowledge-based articles on Microsoft that can install the Magniber ransomware: 

• System.Upgrade.Win10.0-KB47287134.msi 
• System.Upgrade.Win10.0-KB82260712.msi 
• System.Upgrade.Win10.0-KB18062410.msi 
• System.Upgrade.Win10.0-KB66846525.msi

Based on the submissions to VirusTotal, this malicious campaign appears to have started on April 8th, 2022 and has seen massive distribution worldwide since then. Meanwhile, it remains unclear how the fake Windows 10 updates are being promoted and distributed from fake warez and crack sites. 

Once installed, Magniber will erase shadow volume copies and then encrypt files. When encrypting files, the ransomware will append a random 8-character extension, such as .gtearevf,. The ransomware also produces a README.html document in each folder which it encrypts. The documents then redirect users to Magniber’s Tor payment site, which is called 'My Decryptor'.

The payment site allows a victim to decrypt one file for free, contact 'support,' or determine cryptocurrency address to send coins to if they decide to pay the ransom. The ransomware demands tend to be around $2,500 or 0.068 bitcoin, Bleeping Computer reported. 

“The only 1 way to decrypt your files is to receive the private key and decryption program,” the ransom note reads. “Any attempts to restore your files with the third-party software will be fatal for your files!”

According to security researchers, no safe decryptor exists for the ransomware. Nor any weaknesses of the malware are known to reverse its infection. The ransomware presently targets regular users and students, and not corporate customers. Thus, the users need to remain vigilant, avoid downloading cracked versions, and use legit sites only. 

The ransomware was first spotted in 2017 targeting victims in South Korea. Back in 2021, the ransomware was using the PrintNightmare exploit to Target Windows user, and earlier this year in January, it was distributed via Microsoft Edge and Chrome.

Microsoft Discreetly Upgrades Defender Antivirus to Patch a Major Flaw

 

Microsoft Defender, a protection software, has recently been updated to fix a severe security concern. The issue, which was traced back to 2014 and impacts Windows 10, lets users exclude some locations from antivirus scanning, in turn allowing malware to be installed. 

Due to a misconfigured registry key, this weakness, which has been present since 2014, allows users to access antivirus security safeguards. As a result, the key HKLM\Software\Microsoft\Windows Defender\Exclusions contains all spaces which aren't scanned by antivirus software. The issue is that the key is quite easy to obtain, as long as the 'Everyone' group has access to it. To change the contents of Windows, users are required to use a command prompt or a small click in the Settings menu. 

On Twitter, security researcher Antonio Cocomazzi says, Microsoft has patched the problem on Windows 10 20H2 PCs after deploying the February 2022 Patch Windows updates. Another researcher, Will Dormann of CERT/CC, validated this information, stating they acquired the privileges to change without installing any updates, implying the change might have been applied by both Windows updates and Microsoft Defender’s cybersecurity updates. 

After determining which directories were assigned to the antivirus block list, attackers might transmit and operate malware from a prohibited folder on an exploited Windows PC without danger of detection and neutralization. The permissions for Windows advanced security setups for Defender restrictions have been modified, with the 'Everyone' group deleted from the Register key's permission. 

  • The Exclusions Register key now has new permissions.
  • Access to Defender exclusions is now blocked.
  • Users with admin credentials are now required to access the database of exclusions through the command prompt or when creating exclusions using the Windows Security setup screen on Windows 10 systems in which this change has already been carried out. 
Microsoft is yet to comment on this problem, which was found as of late and has existed since the introduction of Windows 10. However, it is clear that Redmond's publisher has taken the appropriate steps. Furthermore, administrator rights are now required to view the list of locations blocked by the antivirus.

Threat Actors Exploit Chrome to Deliver Malware as Windows 10 App

 

Hackers that launched a recently discovered malware campaign are attacking Windows 10 with a malware which could infect systems with a process which evades Windows cybersecurity protections known as User Account Control (UAC). "Researchers couldn’t retrieve the payload files from the sample that they analyzed because they were no longer present when they investigated. However, they used samples from VirusTotal to peer under the hood," reports ThreatPost. Rapid7 cybersecurity experts discovered the campaign and warned the goal of hackers is to extract out personal data and steal cryptocurrency from infected victim PC.
According to experts, malware is very persistent on PC, exploiting the Windows environment variable and a local scheduled task to make sure it constantly executes with extra privileges. The attack chain initiates when a Chrome browser user opens a malicious site, followed by opening of a "browser ad service" which requests the user to take some action. However, it isn't confirmed what the experts mean by 'browser ad service.' The end goal of the hacker is to steal data using info-stealer malware, stolen data includes browser credentials and cryptocurrency. 

Besides this, other suspicious activities include stopping browser update and creating a system situation suitable for arbitrary commands execution. Hackers have been using a compromised site particularly built for to abuse a Chrome browser version (that runs on windows 10) to provide malicious payloads. The investigations of user chrome browser also showed redirects to various malicious domains and other suspicious redirect chains prior to the first stage infection. 

"Upon further analysis, researchers found that birchlerarroyo[.]com presented a browser notification requesting permission to show notifications to the user. This as well as a reference to a suspicious JavaScript file in its source code led theRapid7 team to suspect that it had been compromised, Iwamaye said.It’s unclear from the research, why or how a user would be coaxed into permitting the site to send notification requests via the Chrome browser. However, once notifications were permitted the browser user was alerted that their Chrome web browser needed to be updated," reports ThreatPost.

Chinese Threat Actors Spy On Windows 10 Users, Reports Kaspersky

 

An unknown anonymous Chinese speaking hacker has been associated with a long term evasive campaign targeted towards South East Asian victims, the campaign dates back to July 2020, deploying a kernel-mode rootkit on breached Windows devices. Attacks carried out by the group (Hackers) is termed GhostEmperor by Kaspersky cybersecurity, the group is said to have deployed a "sophisticated multi-stage malware framework" which enables persistence help and remote control over the victim host.

Kaspersky has termed the rootkit as Demodex, findings indicate infections has been spread out throughout various high-profile organizations in Malaysia, Vietnam, Indonesia, and Thailand, besides this Egypt, Afghanistan and Ethiopia outliers are also in the list. Threat actors use Demodex toolkit to cover up malware artefacts (user mode) from experts and cybersecurity agencies, meanwhile showing a surprisingly good undocumented loading program which involves kernel mode component of an open source project called Cheat Engine to evade Windows Driver Signature Enforcement feature.

Experts have observed that GhostEmperor infections leverage multiple access paths that end in the deployment of malware in memory, exploiting known vulnerabilities in open source servers like Apache, Oracle, Microsoft Exchange and Windows IIS, which includes ProxyLogon exploits that surfaced in March 2021. The purpose was to have an upper hand and then move out to other parts of target's network, including machines that run on earlier versions of Windows 10 OS. 

Aftern a successful breach, the selected infection chains which deployed toolkits were carried out remotely via different system in the same network using genuine software like PsExec or WMI, resulting in the execution of implant (in-memory) that could install additional payloads during run time. The Hacker News reports "disclosure comes as a China-linked threat actor codenamed TAG-28 has been discovered as being behind intrusions against Indian media and government agencies such as The Times Group, the Unique Identification Authority of India (UIDAI), and the police department of the state of Madhya Pradesh."

Razer Device Plug-In grants Admin Rights on Windows 10 OS

 

A zero-day vulnerability in Razer external device installation software – be it a razer mouse, a keyboard, or any other equipment using the synapse program – offers complete admin privileges to the admin using Windows 10 by plugging and installing a relevant peripheral system. 

Razer is indeed a prominent developer of gameplay mouses and keyboards and is known for providing the best computer accessories. Razer Inc. is a multinational corporation in Singapore that creates, manufactures, and sells electronics, financial services, and games consoles for consumer products. 

However, talking about windows 11, there isn’t any proof yet if it allows the same privileges to the user or not while pugging Razer peripherals. Whereas the vulnerability has nothing with it that won't allow a user to gain access but since the testing on windows 11 hasn’t been done yet, speculations cannot be made. 

In this case, the OS immediately downloads and starts the system installation of the Razer Synapse software whenever users plug a Razer hardware into Windows 10 computer system. Razer Synapse is software that enables users to set up hardware, macros, or map buttons for their hardware devices. 

Security researcher Jonhat (@j0nh4t) disclosed the flaw and tweeted about it on Twitter on Saturday 21st August, after not receiving any response from Razer initially. The tweet had been receiving attention from Razer as of Sunday 22nd August and the maker has told Jonhat that their cybersecurity team is working on a patch for this issue, to fix it at the earliest. Perhaps they gave Jonhat a bug bounty reward as well.  

In the words of the researcher, as well as Bleeping Computer too has proved in the testing itself, that Windows automatically selects an installer containing driver software and a synapse utility when a user plugs into a Razer device (or dongle if this is a wireless device). The activation of Razer Synapse Plug-and-play enables users to obtain SYSTEM permissions on the lickety-split Windows device because it displays an Explorer window as part of the set-up process, which tells users where and how to set up the driver. 

The topmost user permission level in Windows is SYSTEM Privileges: A SYSTEM account enables someone to acquire full control over the system, permitting them to see, alter or delete data; to establish new accounts having full privileges of users, and to install anything – malware included. 

The installation method for Synapse, in other terms, works with Windows 10 with the maximum privileges. The installation application Razer was given the very same administrator rights as the RazerInstaller.exe executable with SYSTEM privileges, which has been launched via a Windows process. 

Jonhat has established that a "Choose a Folder" popup will be displayed if a user decides to modify the default installation folder location. One may right-click the installation window and click the Shift key which launches a certain PowerShell terminal with the same privileges. 

Similar problems are probably identified in other products installed through Windows plug-and-play processes, as indicated by Will Dormann, a CERT/CC vulnerability analyst.

Microsoft Azure Credentials Exposed in Plaintext by Windows 365

 

Mimikatz has been used by a vulnerability researcher to dump a user's unencrypted plaintext Microsoft Azure credentials from Microsoft's new Windows 365 Cloud PC service. Benjamin Delpy designed Mimikatz, an open-source cybersecurity software that allows researchers to test various credential stealing and impersonation vulnerabilities.

Microsoft's Windows 365 cloud-based desktop service went live on August 2nd, allowing customers to rent Cloud PCs and access them via remote desktop clients or a browser. Microsoft offered free virtual PC trials, which rapidly sold out as consumers hurried to receive their two-month free Cloud PC. 

Microsoft announced their new Windows 365 cloud-based virtual desktop experience at the Inspire 2021 conference, which allows organizations to deploy Windows 10 Cloud PCs, as well as Windows 11 eventually, on the cloud. This service is built on top of Azure Virtual Desktop, but it has been modified to make managing and accessing a Cloud PC easier. 

Delpy told that he was one of the lucky few who was able to receive a free trial of the new service and began testing its security. He discovered that the brand-new service allows a malicious programme to dump logged-in customers' Microsoft Azure plaintext email addresses and passwords. The credential dumps are carried out using a vulnerability he identified in May 2021 that allows him to dump plaintext credentials for Terminal Server users. While a user's Terminal Server credentials are encrypted when kept in memory, Delpy claims he could decrypt them using the Terminal Service process. 

To test this technique, BleepingComputer used a free Cloud PC trial on Windows 365. They entered the "ts::logonpasswords" command after connecting through the web browser and started mimikatz with administrative privileges, and mimikatz promptly dumped their login credentials in plaintext. 

While mimikatz was designed for researchers, threat actors frequently use it to extract plaintext passwords from the LSASS process' memory or perform pass-the-hash attacks utilizing NTLM hashes due to the power of its different modules. Threat actors can use this technique to spread laterally across a network until they gain control of a Windows domain controller, allowing them to take control of the entire Windows domain.

To protect against this method, Delpy recommends 2FA, smart cards, Windows Hello, and Windows Defender Remote Credential Guard. These security measures, however, are not yet accessible in Windows 365. Because Windows 365 is oriented toward enterprises, Microsoft is likely to include these security protections in the future, but for the time being, it's crucial to be aware of the technique.

Microsoft Released Security Updates that Block PetitPotam NTLM Relay Attacks

 

The PetitPotam NTLM relay exploit, which allows a threat actor to take over a Windows domain, has been blocked by Microsoft security patches. Gilles Lionel, nicknamed Topotam, a security researcher, revealed a new method called PetitPotam in July that forces a domain controller to authenticate against a threat actor's server utilizing the MS-EFSRPC API capabilities. 

Gilles Lionel published a proof-of-concept (PoC) exploit for a brand new PetitPotam security flaw on July 23, 2021. This problem affected Microsoft's Active Directory Certificate Services (AD CS), which is needed to assure public key infrastructure (PKI) server functionality. 

According to the SANS Institute's Internet Storm Center, PetitPotam uses the Encrypting File System Remote Protocol (MS-EFSRPC) to start the authentication process in remote Windows instances and force them to divulge the NTLM hashes to the adversary. The attacker specifically exploits LSARPC to force any targeted server, including domain controllers (DCs), to connect to the malicious random server and perform NTLM authentication. As a result, the adversary acquires an authentication certificate that is valid for all domain services, including the DC. 

Despite the fact that the PetitPotam attack had devastating results and was simple to launch, the adversaries faced some constraints. To transfer the stolen credentials back to the DC or other internal instances, threat actors needed to achieve SYSTEM/ADMIN rights or maintain covert malicious infrastructure within the LAN, according to the researchers' findings. 

The majority of supported Windows versions, according to the researchers, are vulnerable to the PetitPotam. The technique has been successfully applied to Windows 10, Windows Server 2016, and Windows Server 2019. 

Microsoft provided a security update in August 2021 Patch Tuesday, that prevents the PetitPotam vector (CVE-2021-36942) from forcing a domain controller to authenticate against another server. "This security update blocks the affected API calls OpenEncryptedFileRawA and OpenEncryptedFileRawW through LSARPC interface," explains Microsoft in the CVE-2021-36942 advisory. 

Installing this update may damage backup software that uses the EFS API OpenEncryptedFileRaw(A/W) function, according to Microsoft. "The EFS API OpenEncryptedFileRaw(A/W), often used in backup software, continues to work in all versions of Windows (local and remote), except when backing up to or from a system running Windows Server 2008 SP2. OpenEncryptedFileRaw will no longer work on Windows Server 2008 SP2," warns Microsoft.

Microsoft Edge’s Security Bypass Vulnerability Fixed

 

Microsoft released Edge browser upgrades last week that addressed two security flaws, one of which is a security bypass flaw that may be used to inject and execute arbitrary code in the context of any website. The flaw, dubbed CVE-2021-34506 (CVSS score: 5.4), is caused by a universal cross-site scripting (UXSS) bug that occurs while using Microsoft Translator to automatically translate web pages using the browser's built-in feature.

Microsoft Edge is a cross-platform web browser that was created by the company. It was first released in 2015 for Windows 10 and Xbox One, followed by Android and iOS in 2017, macOS in 2019, and Linux in October 2020 as a preview. Edge was originally designed with Microsoft's proprietary EdgeHTML and Chakra JavaScript engines, resulting in a version known as Microsoft Edge Legacy. 

On January 15, 2020, Microsoft announced the public release of the new Edge. Microsoft began rolling out the new version via Windows Update in June 2020 for Windows 7, 8.1, and Windows 10 versions released between 2003 and 2004. From March 9, 2021, Microsoft stopped issuing security fixes for Edge Legacy, and on April 13, 2021, Microsoft delivered a security upgrade that replaced Edge Legacy with Chromium-based Edge. 

Ignacio Laurence, Vansh Devgan, and Shivam Kumar Singh of CyberXplore Private Limited are credited with finding and reporting CVE-2021-34506. "Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code," CyberXplore researchers said. "When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled."

The researchers discovered that the translation feature contained a flaw in the code that failed to sanitise input, allowing an attacker to potentially inject malicious JavaScript code anywhere on the webpage, which is then executed when the user clicks the prompt in the address bar to translate the page. The researchers demonstrated that adding a comment to a YouTube video written in a language other than English, together with an XSS payload, may activate the attack as a proof-of-concept (PoC) exploit. 

In a similar vein, a Facebook friend request with other language content and the XSS payload was discovered to run the code as soon as the recipient checked out the user's profile. Following a responsible disclosure on June 3, Microsoft corrected the problem on June 24 and gave the researchers $20,000 as part of its bug bounty programme.

Golang: A Cryptomining Malware that Maybe Targetting Your PC


Cybersecurity experts at Barracuda Networks have discovered a unique kind of crypto mining malware called "Golang." The malware can attack Windows as well as Linux systems, according to the experts. This latest malware is targeting Monero cryptocurrency with the help of Xmrig, a popular miner. The number of attacks related to the malware may be relatively low, but the cybersecurity experts have discovered 7 IP addresses associated with this malware, all originating from China.


The experts also observed that the Golang malware's primary targets are non-HTTP features like MSSQL and Redis, app servers, web apps frameworks, whereas easy to attack targets like end-users are safe. If we look back into the issue, we will find that the earlier versions of Golang only affected the Linux systems; however, the present version targets Windows and the former. The attacks are carried out using various exploits such as IoT devices, Hadoop, Drupal, ElasticSearch, and Oracle Weblogic. For instance, in a recent malware attack in China, the malware used exploits that targeted ThinkPHP app frameworks widely used in the country.

According to the experts, the Golang malware is capable of evolving every day and using more exploits as each day passes by. Golang malware works by infiltrating the system, and once it does, it uses required files to complete the task. These may include downloaded update scripts, configuration files, scanner, and a miner. It all depends on the type of platform. Whereas, when attacking Windows, the hackers can use backdoors too. In recent times, more and more hackers have shifted towards using Golang as it can't be identified by anti-virus software.

The malware is infamous for targeting vulnerable servers, making it accessible among cybercriminals looking for vulnerabilities to exploit. The only way to be safe from this malware is to keep track of the CPU usage activity (when it goes unusually high) and observe any suspicious activity at the endpoints. Any threat, similar to the likes of Golang, can be avoided by vigilante inspections and immediate responses. Awareness about crypto mining threats is also a must.

Windows 10 New Feature Hunts and Thwarts PUAs/PUPs


Per reports, Microsoft has hinted that the next main version of Windows 10 will come stacked with a fresh security feature that would allow the users to facilitate the Windows Defender’s secret feature that helps hunt and bar the installation of known PUAs (Potentially Unwanted Applications).

PUA’s are also widely known as PUPs that stands for Potentially Unwanted Programs. These aren’t as well known by the users in the cyber-crime world as all the other major threats but are a valid threat nevertheless.

Per sources, these are software that is installed on devices via fooling the targets. The term for which the PUP/PUA stands is self-explanatory with regards to applications or programs that your device may not really need.

PUPs/PUAs go around with tactics like either by employing “silent installs” to dodge user permissions or by “bundling” an unrequired application with the installer of an authentic program.

Sources mention that PUAs most commonly contain applications that alter browser history, hinder security controls, install root certificates, track users and sell their data, and display invasive ads.

As per reports, the May 2020 update is to be rolled out to the users in the last week of this month. Microsoft mentioned that it has added a fresh new feature in its setting panel that would allow users to bar the installation of any unwanted applications or programs in the form of known PUAs/PUPs.

As it turns out, researchers mention that the feature has been available in the Windows Defender for quite a lot of time, but for it to kick start it would need group policies and not the usual Windows user interface.

As per sources, to enable the feature a user must go to ‘Start’, ‘Settings’, ‘Update & Security’, ‘Windows Security’, ‘App & Browser Control’, and finally 'Reputation-based Protection Settings’. Once updated, the feature would show two settings, the above-mentioned feature is disabled by default and would need to be enabled manually. However, Microsoft suggests, enabling both the settings.

Reports mention, that the “Block Apps” feature will scan for PUAs that have already been downloaded or installed, so if the user’s using a different browser Windows Security would intercept it after it’s downloaded. However, the “Block Downloads” feature hunts the PUAs while they are being downloaded.

Windows 10 Users Beware! Astaroth Malware Campaign is Back and More Malicious!


A malware group that goes by the name of ‘Astaroth’ has re-emerged stronger and stealthier than before. This group has been known for exploiting Microsoft Windows tools to further the attack.

Microsoft had gotten aware of these methods and exposed the malware group and its “living-off-the-land” tactics. But the malware resurfaced with a hike in activity and better techniques.

Reportedly, the Windows Management Instrumentation Command-line (WMIC) is the built-in tool that got used the last time as was spotted by the Windows Defender ATP.

Per sources, the analysis done by Microsoft led to the discovery of a spam operation that spread emails with links to websites hosting a “.LNK” shortcut file which would instruct the WMIC and other Windows tools to run “fileless” malware in the memory well out of the reach of the anti-malware.

Sources indicate that having learnt from mistakes, Astaroth now entirely dodges the use of the WMIC. January and February showed a rise in activity.

According to sources, the new styled campaign still commences with a spam email comprising of a malicious website hosting link, LNK file but it the new version it employs a file attribute, “Alternate Data Streams” (ADS), that lets the attacker clip data to a file that already exists so that hiding malicious payloads gets easier.

Per source reports, the first step of the campaign which is a spam email reads, “Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes”. The link is an archive file marked as, “Arquivo_PDF_.zip”.

It manipulates the ExtExport.exe to load the payload which per researchers is a valid process and an extremely unusual attack mechanism.

Once the victim clicks on the LNK file with the .zip file in it, the malware runs an obfuscated BAT command line, which releases a JavaScript file into the ‘Pictures’ folder and commands the explorer.exe that helps run the file.

Researchers mention and sources confirm that using the ADS permits the stream data to stay unidentifiable in the File Explorer, in this version Astaroth reads and decrypts plugins from ADS streams in desktop.ini that let Astaroth to rob email and browser passwords. It also unarms security software.

Per sources, the plugins are the “NirSoft WebBrowserPassView” tool is for regaining passwords and browsers and the “NirSoft MailPassView” tool is for getting back the email client passwords.

This is not the only legitimate tool Astaroth exploits. A command-line tool that goes by the name of “BITSAdmin” which aids admins to create download and upload jobs with tracking their progress is exploited to download encrypted payloads.

Reportedly, Astaroth has previously wreaked havoc on continents like Asia, North America, and Europe.

HACKED- Windows 10, macOS, Adobe, VMware, Apple and Oracle at The Pwn2Own 2020!


Pwn2Own is a well-known computer hacking contest which is held once every year at the CanSecWest security conference. In this contest, the contestants are tested on how well they could exploit commonly used software and mobile devices with formerly unheard of vulnerabilities.

An issue as grave as the Coronavirus pandemic has clearly not affected the spirits of the Pwn2Own 2020 hacking competition which got done with its first two days.

On Day 1, security researchers and participants bagged a handsome amount of over $180,000 for exploiting the Windows 10, Ubuntu Desktop and macOS, mention sources.

Reportedly, a “team from the Georgia Tech Systems Software and Security Lab succeeded in exploiting a kernel privilege escalation to execute code on macOS” by way of Safari. The attack mechanism that ended up winning for the team $70,000 was comprised of 6 vulnerabilities.

Per the event page (thezdi.com), Georgia Tech employed a “6 bug chain to pop calc and escalate to root”.

The team that has won several preceding editions of the hacking contest, Team Fluoroacetate, won themselves a victorious $40,000 after they employed a “local privilege escalation exploit” meant for the Windows 10.

Reports mention that one of the two members of the aforementioned team also won himself a smashing amount of $40,000 for yet another privilege escalation exploit pursuing Windows 10.

As per sources, the RedRocket CTF team got themselves a win, owing to it to one of their members, Mafred Paul, who bagged an attractive amount of $30,000 for a local privilege escalation exploit focused on Ubuntu Desktop. The hack was about the manipulation of the ‘Input validation bug’.

On Day 2, The Fluoroacetate successfully targeted the Adobe Reader with a local privilege escalation by employing a pair of UAFs, mentioned sources and grabbed an amount of $50,000.

Per reports, the Synacktiv team targeted the VMware Workstation but unfortunately to no avail in the given duration of time. There also were special demonstrations of the Zero Day Initiative against the Oracle VirtualBox.

This was the very first time the organizers allowed “conditional remote participation” in the Pwn2Own hacking contest, understandably because of the increased concerns of people about traveling due to the Coronavirus outbreak.



Windows 10 Users Beware! TrickBots' Prevalence And Conveyance Escalates in Devices



Reports mention that recently attackers were found exploiting the latest version of the “Remote Desktop ActiveX” which was developed for Windows 10.

Sources say that similar to what many others are doing, the exploitation could cause the automatic execution of the “OSTAP” JavaScript downloaded on the ta
rget’s systems.

Per analyses of researchers, the ActiveX is employed to automatically execute a mal macro right after the target enables a document. The majority of the documents contained images to encourage people to enable the content.

Per reports, the catch was that the image contained a hidden ActiveX control below it; the OSTAP downloader was disguised in white text to make it seemingly invisible to eyes and readable for machines.

Trickbot attackers misuse people’s tendencies of not updating their software with the latest updates to protect the systems.

Trickbots happen to be among the most advanced versions of the malware structures. The number is increasing and so is the threat to systems with Windows 10. Not of late, researchers dug out more documents that execute the OSTAP JavaScript downloader.

It was also found out that the groups of tricksters that were exploiting the ActiveX control were not the only ones. Other groups were also into misusing them along with a few others.

According to sources, the victim documents had the following nomenclature-“i<7-9 arbitrary="" digits="">.doc”. Almost every document had in it an image that would convince the enablers to open it. What the opener wouldn’t know is that below the image is a hidden ActiveX control. The OSTAP JavaScript downloader would be disguised as white text which only the machines could read.

Per sources, the analysis of the ActiveX code exposed the use of the “MsRdpClient10NotSafeForScripting” class. The script is crafted in a way that the server field is left empty to cause an error which would aid the attackers further on.

According to researchers, the technique that kicks the ‘macro’ on is, “_OnDisconnected”. This will execute the main function, first. It doesn’t get executed instantly for it takes time to resolve the DNS to an empty string only to return an error.

The OSTAP’s execution would depend on the “error number matches” exactly to “disconnectReasonDNSLookupFailed”. The OSTAP wscript directive is relative to the error number computation.

The execution of the wscript would work with its very content. This trick is quite an old one in the book. Microsoft’s BAT would ignore the ‘comments’, along with the content and everything that comes with the syntax, while the execution’s happening.

Once the JavaScript is edited per the attackers’ needs, the obfuscation scheme gets repeated. Updating systems doesn’t work every time but it’s a pre-requisite anyway.

A defense mechanism is paramount in cases of OSTAP and the likes of it. With the technology that’s prospering with every passing minute, so is the number of attack mechanisms and attackers. Hence keep systems updates and a tight security structure in place.


Modified TrickBot Trojan can now Steal Windows Active Directory Credentials


TrickBot trojan, a strain of malware that has been around affecting users since 2016 - is now evolved to steal Windows Active Directory credentials. Today, in the cybersecurity ecosystem it is considered as one of the top threats abusing businesses, experts estimate that TrickBot is responsible for compromising more than 250 million email accounts till date. Earlier, TrickBot went a step further while targeting Windows 10 users by disabling Windows defender onto their systems rather than just bypassing the protection. Fundamentally, TrickBot is a banking Trojan and is generally deployed through spearphishing emails like invoices mailed to the accounts department. Typically, it is attached as infected Microsoft Excel or Word documents. The malware can be spread across an organization in a number of ways, one of them is via exploiting vulnerabilities in a protocol called SMB which makes the process of sharing and accessing files on other systems easy for Windows computers.

First identified by Sandor Nemes, a security researcher from Virus Total, this new module of TrickBot dubbed as "ADII" further amplifies the threat it possesses for security, it steals Windows Active Directory information by executing a set of commands.

An Active Directory database is being created and stored into the default C:\Windows\NTDS folder on the domain controller, a server here is acting as the domain controller. Now, all the information including passwords, computers, users, and groups of Windows Active Directory are saved in a file by the name "ntds.dit" in the database. As all the aforementioned information is sensitive in nature, Windows resort to a BootKey that is located in the system component of the Registry and encrypts the information with the help of it. Admins who are responsible for database maintenance use a special tool known as "ntdsutil" to work with that database. Reportedly, standard file operations cannot access the BootKey.

How TrickBot Goes About Stealing Active Directory Credentials?


Administrators use the command "install from media", also known as "ifm", to create a dump of Active Directory. The command leads to the creation of an installation media for setting up new Domain Controllers. The new module "ADII" exploits the ifm command to produce a copy of the Windows Active Directory database; after the database is dumped into the %Temp% folder, the bot collects the information and transfers it to the admin. The collected data can be effective in infecting more systems in the same network and could also be employed by various other malware in search of similar vulnerabilities.

Microsoft Enters 2020 with Two New Products


Microsoft plans to come up with two products with the advent of the New Year, Windows 10X-powered Surface Neo and Android-powered Surface Duo and this could be an indication of 2020 being the year of foldable and dual-screen devices from smartphone and PC creators.

Microsoft's new operating system, Windows 10 X, is set to power the main rush a.k.a the first wave of foldable and dual-screen equipment scheduled for holiday 2020 and Surface Neo is said to have been the primary equipment to be dispatched with Windows 10 X, however, the Redmond giant is additionally preparing the OS for dual-screen PCs from accomplices.

Windows 10 X is additionally expected to power the dual-screen PCs created by Microsoft OEM accomplices like HP, Dell, and Lenovo. A leak as of late affirmed that Windows 10 X will be coming to workstations and other customary PC form factors in the future, however apparently the operating system is as yet 'immature'.


Anyway because of the moderate-paced advancement of the operating system and inadequate adaptable panel supply as per another report, Intel probably won't promote foldable notebooks in the future.

Despite the fact that Intel's dual-screen model highlights a 17-inch display and it would run Windows 10 X, the company will postpone the unveiling which was initially planned for CES 2020 because of issues with “immature OS support”.

The report refers to 'upstream supply chain' as the source of the talk likewise including that Intel won't promote foldable notebooks until mid-2020.

Windows 10 X was announced at the October 2019 occasion and Microsoft has ever since protected it under much 'secrecy' and still hasn't uncovered when it intends to launch Windows 10 X, yet the operating system is reputed to finalize at some point in 2020, a couple of months or weeks before the launch of Surface Neo and other much-awaited foldable devices.