Viruses and Worms

Don't be like these 900+ websites and expose millions of passwords via Firebase

The Register - Anti-Virus - 18 March 2024 - 22:29
Warning: Poorly configured Google Cloud databases spill billing info, plaintext credentials

At least 900 websites built with Google's Firebase, a cloud database, have been misconfigured, leaving credentials, personal info, and other sensitive data inadvertently exposed to the public internet, according to security researchers.…

Category: Viruses and Worms

Fujitsu reveals malware installed on internal systems, risk of customer data spill

The Register - Anti-Virus - 18 March 2024 - 21:30
Sneaky software slips past shields, spurring scramble

Fujitsu has confirmed that miscreants have compromised some of its internal computers, deployed malware, and may have stolen some customer information.…

More than 133,000 Fortinet appliances still vulnerable to month-old critical bug

The Register - Anti-Virus - 18 March 2024 - 20:00
A huge attack surface for a vulnerability with various PoCs available

The volume of Fortinet boxes exposed to the public internet and vulnerable to a month-old critical security flaw in FortiOS is still extremely high, despite a gradual increase in patching.…

Cyber baddies leak 70M+ files online, claim they're from AT&T

The Register - Anti-Virus - 18 March 2024 - 17:45
Telco reckons data is old, isn't from its systems

More than 70 million records, allegedly stolen from AT&T in 2021, were dumped on a cybercrime forum at the weekend.…

Cyberattack gifts esports pros with cheats, forcing Apex Legends to postpone tournament

The Register - Anti-Virus - 18 March 2024 - 14:15
Virtual gunslingers forcibly became cheaters via mystery means

Updated: Esports pros competing in the Apex Legends Global Series (ALGS) Pro League tournament were forced to abandon their match today due to a suspected cyberattack.…

Infosec teams must be allowed to fail, argues Gartner

The Register - Anti-Virus - 18 March 2024 - 08:29
But failing to recover from incidents is unforgivable because 'adrenalin does not scale'

Zero tolerance of failure by information security professionals is unrealistic, and makes it harder for cyber security folk to do the essential part of their job: recovering fast from inevitable attacks, according to Gartner analysts Chris Mixter and Dennis Xu.…

Filipino police free hundreds of slaves toiling in romance scam operation

The Register - Anti-Virus - 18 March 2024 - 06:46
875 workers liberated after falling for promises of lucrative work, nine arrested

Filipino police rescued 875 "workers" – including 504 foreigners – in a raid late last week on a firm that posed as an online gaming company but in reality operated a forced labor camp that housed romance scam operators.…

Protecting distributed branch office environments from ransomware

The Register - Anti-Virus - 18 March 2024 - 04:00
As ransomware becomes more sophisticated, detection tools should be upgraded to cover every site and location

Sponsored Feature: Ransomware gangs that steal and encrypt vital business data before extorting payment for its decryption and restoration are ramping up global attacks at an ever-increasing rate. In fact, cyber security experts agree that ransomware now represents one of the most serious cybersecurity threats, if not the most serious, currently facing governments, public/private sector organisations and enterprises around the world.…

ChatGPT side-channel attack has easy fix: Token obfuscation

The Register - Anti-Virus - 18 March 2024 - 03:31
Also: Roblox-themed infostealer on the prowl, telco insider pleads guilty to swapping SIMs, and some crit vulns

Infosec in brief: Almost as quickly as a paper came out last week revealing an AI side-channel vulnerability, Cloudflare researchers have figured out how to solve it: just obscure your token size.…

In the rush to build AI apps, please, please don't leave security behind

The Register - Anti-Virus - 17 March 2024 - 12:04
Supply-chain attacks are definitely possible and could lead to data theft, system hijacking, and more

Feature: While in a rush to understand, build, and ship AI products, developers and data scientists are being urged to be mindful of security and not fall prey to supply-chain attacks.…

As if working at Helldesk weren't bad enough, IT helpers now targeted by cybercrims

The Register - Anti-Virus - 15 March 2024 - 20:00
Wave of Okta attacks marks what researchers are calling the biggest security trend of the year

IT helpdesk workers are increasingly the target of cybercriminals – a trend researchers have described as "the most noteworthy" of the past year.…

Cop shop rapped for 'completely avoidable' web form blunder

The Register - Anti-Virus - 15 March 2024 - 12:34
Made public highly sensitive data on complaints about Metropolitan Police Service

The London Mayor's Office for Policing and Crime is being rapped by regulators for untidy tech practices that made public the personal data of hundreds of people who filed complaints against the Metropolitan Police Service.…

Forget TikTok – Chinese spies want to steal IP by backdooring digital locks

The Register - Anti-Virus - 15 March 2024 - 00:35
Uncle Sam can use this snooping tool, too, but that's beside the point

Updated: There's another Chinese-manufactured product – joining the likes of TikTok, cars and semiconductors – that poses a national security risk to Americans: Electronic locks, such as those used in safes.…

FTC goes undercover to probe suspected antivirus scam, scores $26M settlement

The Register - Anti-Virus - 14 March 2024 - 21:24
Imagine trying to trick folks into buying $500 of unnecessary repairs – and they turn out to be federal agents

A pair of tech support businesses accused of swindling marks out of their hard-earned cash have agreed to cough up a $26 million settlement following an undercover probe by the FTC.…

LockBit ransomware kingpin gets 4 years behind bars

The Register - Anti-Virus - 14 March 2024 - 19:26
Canadian-Russian said to have turned to a life of cybercrime during pandemic, now must pay the price – literally

A LockBit ransomware kingpin has been sentenced to almost four years behind bars and ordered to pay more than CA$860,000 ($635,000, £500,000) in restitution to some of his victims by a Canadian court as he awaits extradition to the US.…

Google gooses Safe Browsing with real-time protection that doesn't leak to ad giant

The Register - Anti-Virus - 14 March 2024 - 18:58
Rare occasion when you do want Big Tech to make a hash of it

Google has enhanced its Safe Browsing service to enable real-time protection in Chrome for desktop, iOS, and soon Android against risky websites, without sending browsing history data to the ad biz.…

Record breach of French government exposes up to 43 million people's data

The Register - Anti-Virus - 14 March 2024 - 17:06
Zut alors! Department for registering and helping unemployed people broken into

A French government department - responsible for registering and assisting unemployed people - is the latest victim of a mega data breach that compromised the information of up to 43 million citizens.…

International effort to disrupt cybercrime moves into operational phase

The Register - Anti-Virus - 14 March 2024 - 16:00
Will the WEF experiment work?

The Cybercrime Atlas, a massive undertaking that aims to disrupt cybercriminals across the globe, enters its operational phase in 2024, two years after organizers laid the groundwork at the RSA Conference.…

US to probe Change Healthcare's data protection standards as lawsuits mount

The Register - Anti-Virus - 14 March 2024 - 15:03
Services slowly coming back online but providers still struggling

Change Healthcare is being investigated over the alleged 6 TB data theft by the ALPHV ransomware group as it continues recovery efforts.…

A patched Windows attack surface is still exploitable

Kaspersky Securelist - 14 March 2024 - 11:00

On August 8, 2023, Microsoft finally released a kernel patch for a class of vulnerabilities affecting Microsoft Windows since 2015. The vulnerabilities lead to elevation of privilege (EoP), which allows an account with user rights to gain SYSTEM privileges on a vulnerable host. The root cause of this attack surface, according to a 2015 blog, is the ability of a normal user account to replace the original C:\ drive with a fake one by placing a symlink for the system drives in the device map for each login session. This fake drive will be followed by the kernel during impersonation instead of the original system drive. More than five months after the patches for these vulnerabilities were released, we’re still seeing some of their exploits in the wild because it’s a very easy way to get a quick NT AUTHORITY\SYSTEM and that’s why it may be favored by well-known threat actors.

We discussed these findings at the BlackHat MEA conference in November 2023, and in December 2023 and January 2024, we found two exploits that could still use this attack surface in the unpatched version of Windows. Both exploits are packed in UPX. After analyzing the first one, we saw that it was a packed version of a Google Project Zero PoC sample. The other sample was a packed version of an SSD Secure Disclosure public PoC, even using the same NamedPipe “\\\\.\\Pipe\\TyphoonPWN” without modifications. The PDB paths for both samples are:

  • C:\Users\Administrator\source\repos\exp\x64\Release\exp.pdb
  • C:\VVS-Rro\CVEs\spool\BitsPoc\src\x64\Release\PoC_BITs.pdb

Below we will highlight the key points and then focus on how to check if any of the vulnerabilities have been exploited or if there have been any attempts to exploit them, and enumerate popular CVEs included in this vulnerable surface.

Affected processes and services include native Windows services that run by default on most versions of the operating system. These include:

  • CSRSS
  • Windows Error Reporting (WER)
  • File history service
  • Background Intelligent Transfer Service (BITS)
  • Print Spooler

Vulnerable Windows processes and services

The exploits affecting this attack surface share a common logic or pattern, including:

  • Searching for a DLL that runs with system integrity.
  • The DLL has an isolation-aware manifest file.
  • The ability to change the C:\ root to a writable directory via symlinks.

CSRSS | CVE-2022-22047

This Activation Context Cache Poisoning vulnerability leads to local privilege escalation. It’s one of the CVEs that was actively exploited by a threat actor called KNOTWEED | Denim Tsunami.

Reversing the in-the-wild exploit for the CVE-2022-22047 shows:

  • The exploit crafts a call into CSRSS.
  • The call requests an activation context for a privileged executable and specifies a malicious manifest.
  • The manifest uses an undocumented manifest XML attribute named loadFrom. This attribute allows unrestricted redirection of DLLs to any location on a disk, including locations outside of the normal search path, without even having to change the C:\ root drive.

Here is a detailed blog post by ZDI explaining CSRSS Cache Poisoning.

CSRSS | CVE-2022-37989

The second CSRSS Cache Poisoning vulnerability was a bypass of the patch for the first one, CVE-2022-22047. After the undocumented “LoadFrom” attribute was patched, another attribute could be abused to load a manifest file from a user-controlled path: declaring a dependent assembly with path traversal in its name attribute.

The patch for the CVE-2022-37989 was simple: check if the name attribute of the dependency contains any forward or backward slashes, and set a flag to stop caching this suspicious manifest if name path traversal is detected. This CVE was discovered by ZDI.

Print Spooler | CVE-2022-29104

Print Spooler is a service that runs by default in almost all versions of Windows. It’s responsible for managing paper print jobs sent from a computer to a printer or print server. Reversing in-the-wild exploits of the CVE-2022-29104 Print Spooler vulnerability shows that it’s a .NET sample that creates a symbolic link from C:\ to the fake root C:\Imprint. The sample was uploaded to VirusTotal.

Fake C:\ drive structure:

  • C:\Imprint\Windows\system32
  • C:\Imprint\Windows\WinSxS

All folders inside the Imprint folder are writable, allowing an attacker to control their contents.

Path traversal is added to “AssemblyIdentity” to point to the Imprint writable path.

The vulnerability analysis shows that:

  • An attacker can remap the root drive (C:\) for privileged processes during impersonation.
  • During impersonation, all file accesses are performed using the DOS device map of the impersonated process.
  • CSRSS uses a user-modified side-by-side manifest for generating the activation context instead of the manifest in the WinSxS folder C:\Windows\WinSxS.
  • The WinSxS folder stores multiple copies of system files and components.
  • The WinSxS folder provides a central location for storing different versions of system files that are shared by multiple applications and processes.
  • The WinSxS folder provides system stability and compatibility by allowing different applications to use the specific versions of files they need.
  • WinSxS avoids DLL hell, a problem that occurs when different applications require different versions of the same DLL.

The Windows operating system uses the application manifest to determine which version is appropriate for which app.

The application manifest is stored in XML format and describes:

  • The dependencies associated with the application.
  • What permissions the application requires.
  • What compatibility settings the application supports.

CSRSS mitigation was enabled for spoolsv.exe and printfilterpipelinesvc.exe to stop impersonation while loading external resources, and then to resume impersonation after the external resources are loaded.

Print Spooler | CVE-2022-41073

After CVE-2022-29104 was patched, another vulnerability affecting Print Spooler was discovered – CVE-2022-41073. Reversing the in-the-wild exploit of this vulnerability shows some XML manipulation using path traversal to a writable path containing a modified version of prntvpt.dll that is loaded by Print Spooler.

According to Project Zero, mitigation was added to CSRSS: the patch simply stopped any impersonation prior to the LoadLibraryExW call in winspool!LoadNewCopy, and resumed it after the LoadLibraryExW call returned:

  + if (RevertToProcess(&TokenHandle, x) >= 0) {
        lib = LoadLibraryExW(arg1, 0, dwFlags);
  +     ResumeImpersonation(TokenHandle);
  + }

NtOpenFile is called with the OBJ_IGNORE_IMPERSONATED_DEVICEMAP flag, which stops impersonation whenever an external resource is loaded through the LoadNewCopy API. Stopping impersonation means that the privileged process will not follow the fake root set up by the medium-integrity process and instead uses the original C:\ drive root, so untrusted or malicious resources are not loaded.

Windows Error Reporting | CVE-2023-36874

Windows Error Reporting (WER) is a privileged service that analyzes and reports various software issues in Windows. The root cause of CVE-2023-36874 is the CreateProcess API call made when a crash happens: CreateProcess can be tricked into following the fake root and creating the process from this writable fake root in the context of the privileged WER service, leading to privilege escalation.

CVE-2023-36874 was exploited in the wild and has several published PoCs. The exploit interacts with the IWerReport COM interface and calls SubmitReport; UtilLaunchWerManager is then called, which in turn calls CreateProcess. The CreateProcess API is thus exposed to DOS device map modification.

Once the exploit to submit a fake crash report is executed, it will end up calling the vulnerable CreateProcess API.

File History Service | CVE-2023-35359

File History Service can be used to automatically back up personal folders and files such as documents, pictures and videos. Reversing the in-the-wild exploit shows that when File History Service starts, it impersonates the current user and then loads a DLL called fhcfg.dll under impersonation. This DLL has an “application aware manifest config” that attempts to load another resource called msasn1.dll. The exploit starts with the usual technique of changing the C:\ root to a fake writable root.

Windows Error Reporting – 2nd exploit | CVE-2023-35359

After the first Windows Error Reporting vulnerability was patched, in which the CreateProcess API inside the privileged WER service followed the fake root to create a process, the WER service started using CreateProcessAsUser instead of CreateProcess. However, adversaries then found another way that could lead to the use of CreateProcess again under certain conditions, which was treated as a new vulnerability. For example, if the WER service is marked as disabled on a system, a privileged process on that system is impersonating a medium-integrity user, and an unhandled exception during impersonation results in a crash, that crash tries to enable the WER service for reporting. The detailed analysis for this CVE shows that it does not appear to be exploitable.

The exploitation of CVE-2023-35359

BITS | CVE-2023-35359

The Background Intelligent Transfer Service (BITS) is responsible for facilitating the asynchronous and prioritized transfer of files between a client and a server. BITS operates in the background, which means it can perform file transfers without interrupting the user or consuming all of the available network bandwidth.

You may notice that the number CVE-2023-35359 has not changed for the last three CVEs because Microsoft decided in the last patch to assign the same CVE to all vulnerabilities of this type. So there are different vulnerabilities in different processes/services but with the same CVE number.

Timeline for the bypassing/patching process from 2015 to August 2023

How was the patch for this attack surface applied?

The patch was applied to ObpLookupObjectName: it checks whether the resource being looked up is a file object and whether the call to ObpUseSystemDeviceMap succeeds. If so, it ignores the impersonated device map and uses the system device map instead.

ObpLookupObjectName checks FileObjectType followed by a call to ObpUseSystemDeviceMap.

The ObpUseSystemDeviceMap function checks for the SystemDevice to be used instead of the impersonated device.

How to check if a vulnerability was exploited or any attempts were made to exploit it?

When analyzing most of the exploits targeting this attack surface, we observed a common behavior that could be used as an indicator of whether there were any attempted exploits:

  • Most of the in-the-wild exploits create a writable folder inside the C:\ drive, and the structure of this folder mimics the structure of the original C:\ drive, for example:
    • C:\Windows\System32 → C:\FakeFolder\Windows\System32
    • C:\Windows\WinSxS → C:\FakeFolder\Windows\WinSxS
  • So finding a writable folder that mimics the C:\ drive folder structure may be an indicator of an exploitation attempt.
  • Copying the manifest files from the original WinSxS folder in C:\Windows\WinSxS to a writable directory and modifying them could be a good indicator of an exploitation attempt.
  • Manifest files that contain undocumented XML attributes such as “LoadFrom” or manifest files that contain path traversal in the “name” attribute could be a valid sign of an exploitation attempt.
  • Creating a symbolic link from the original system drive to a writable directory, especially from processes with medium integrity using the \RPC Control\ object directory.
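A detection helper for the indicators above, added here as an example and not part of the Securelist article. It parses side-by-side manifests for the undocumented loadFrom attribute and for slashes in an assemblyIdentity name, and picks out folders that duplicate the Windows\System32 plus Windows\WinSxS layout outside the drive root; the manifests and the directory listing are constructed samples, and on a live host you would feed find_fake_roots the directories collected with os.walk.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

def _local(qname: str) -> str:
    """Strip an XML namespace: '{urn:...}file' -> 'file'."""
    return qname.rsplit("}", 1)[-1]

def scan_manifest(xml_text: str) -> list:
    """Return human-readable findings for one side-by-side manifest."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = _local(el.tag)
        for attr, value in el.attrib.items():
            name = _local(attr)
            # Undocumented DLL redirection attribute (the CVE-2022-22047 pattern).
            if name.lower() == "loadfrom":
                findings.append(f"<{tag}> uses undocumented loadFrom={value!r}")
            # Path traversal in a dependency name (the CVE-2022-37989 pattern);
            # the Microsoft patch likewise rejects any forward or backward slash here.
            if tag == "assemblyIdentity" and name == "name" and ("/" in value or "\\" in value):
                findings.append(f"<assemblyIdentity> name contains path separators: {value!r}")
    return findings

def find_fake_roots(directories) -> list:
    """Return folders (not a drive root) that hold both Windows\\System32 and
    Windows\\WinSxS, i.e. a copy of the system-drive layout."""
    present = {str(PureWindowsPath(d)).lower() for d in directories}
    roots = set()
    for d in directories:
        p = PureWindowsPath(d)
        if p.name.lower() != "system32" or p.parent.name.lower() != "windows":
            continue
        candidate = p.parent.parent
        if candidate.name == "":  # C:\Windows\System32 itself: the genuine root
            continue
        if str(candidate / "Windows" / "WinSxS").lower() in present:
            roots.add(str(candidate))
    return sorted(roots)

# Constructed sample manifest carrying both indicators.
SUSPICIOUS_MANIFEST = r"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Example.Component" version="1.0.0.0"/>
  <file name="example.dll" loadFrom="C:\FakeFolder\Windows\System32\example.dll"/>
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="..\..\FakeFolder\Windows\WinSxS\Example.Dep" version="1.0.0.0"/>
  </dependentAssembly></dependency>
</assembly>"""
# Constructed benign manifest: same component, no redirection or traversal.
CLEAN_MANIFEST = r"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Example.Component" version="1.0.0.0"/>
  <file name="example.dll"/></assembly>"""
# Constructed directory listing: C:\FakeFolder mirrors the system drive, C:\Temp only partly.
SAMPLE_DIRS = [r"C:\Windows\System32", r"C:\Windows\WinSxS", r"C:\Users\alice\Documents",
               r"C:\FakeFolder\Windows\System32", r"C:\FakeFolder\Windows\WinSxS",
               r"C:\Temp\Windows\System32"]

if __name__ == "__main__":
    for finding in scan_manifest(SUSPICIOUS_MANIFEST):
        print("manifest:", finding)
    print("fake roots:", find_fake_roots(SAMPLE_DIRS))
```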