Tag Archive for: bypass

BlackLotus Secure Boot Bypass Malware Set to Ramp Up


BlackLotus, the first in-the-wild malware to bypass Microsoft’s Secure Boot (even on fully patched systems), will spawn copycats and, available in an easy-to-use bootkit on the Dark Web, inspire firmware attackers to increase their activity, security experts said this week.

That means that companies need to increase efforts to validate the integrity of their servers, laptops, and workstations, starting now.

On March 1, cybersecurity firm ESET published an analysis of the BlackLotus bootkit, which bypasses a fundamental Windows security feature known as Unified Extensible Firmware Interface (UEFI) Secure Boot. Microsoft introduced Secure Boot more than a decade ago, and it’s now considered one of the foundations of its Zero Trust framework for Windows because of the difficulty in subverting it.

Yet threat actors and security researchers have targeted Secure Boot implementations more and more, and for good reason: because UEFI firmware is the first code to run on a system and controls the boot process, a vulnerability in it lets an attacker execute malware before the operating system kernel, security agents, and any other software can start. That allows the implantation of persistent malware that agents running inside the OS will not detect. It also gives the attacker kernel-mode execution, the ability to control and subvert every other program on the machine, and a foothold that survives OS reinstalls (and, for implants living in the firmware itself rather than on the boot partition, even hard drive replacements), from which additional malware can be loaded at the kernel level.
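One concrete integrity check that follows from this, added here as an example and not part of the ESET analysis or the article: parse the firmware's forbidden-signature database (DBX) and confirm that a given bootloader hash is actually revoked. The parser handles the EFI_SIGNATURE_LIST layout the UEFI specification defines; the revoked hashes in the sample are constructed, not the real Baton Drop revocations, and the hash the check expects as input is the Authenticode (PE image) hash of the boot binary, not a plain SHA-256 of the file bytes. On Windows the raw variable comes from `(Get-SecureBootUEFI -Name dbx).Bytes`; on Linux from the efivars file named in the code, minus its four-byte attribute prefix.

```python
import struct
import uuid

# EFI_SIGNATURE_LIST SignatureType GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Where the variable lives on a Linux host; the first 4 bytes of the file are
# the variable attributes, not part of the signature lists.
DBX_EFIVARS_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_signature_lists(blob: bytes):
    """Return [(signature_type, owner, data), ...] for every signature in a
    concatenation of EFI_SIGNATURE_LIST structures (the raw db/dbx value)."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if sig_size < 16 or list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size          # skip fixed header and optional SignatureHeader
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])   # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def revoked_sha256_hashes(blob: bytes) -> set:
    """Hex digests of all EFI_CERT_SHA256 entries, the form used to revoke
    individual boot binaries by their Authenticode hash."""
    return {data.hex() for t, _owner, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID and len(data) == 32}


def is_revoked(dbx_blob: bytes, authenticode_sha256_hex: str) -> bool:
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(dbx_blob)


def read_dbx_linux(path: str = DBX_EFIVARS_PATH) -> bytes:
    with open(path, "rb") as f:
        return f.read()[4:]


# --- constructed sample, NOT real DBX content -------------------------------
def build_sha256_list(hex_digests) -> bytes:
    """Assemble one EFI_SIGNATURE_LIST of SHA-256 entries; used here only to
    fabricate a test blob with the same layout firmware stores."""
    owner = uuid.UUID(int=0).bytes_le
    body = b"".join(owner + bytes.fromhex(h) for h in hex_digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + 32)
    return header + body


SAMPLE_REVOKED = ["11" * 32, "22" * 32]          # made-up hashes
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED) + build_sha256_list(["33" * 32])

if __name__ == "__main__":
    print(len(revoked_sha256_hashes(SAMPLE_DBX)), "hashes revoked in sample")
    print("sample bootloader revoked:", is_revoked(SAMPLE_DBX, "22" * 32))
```

A hash present in DBX only tells you the revocation has reached the machine; it says nothing about whether a bootkit was installed before it arrived, which is why the advice above to validate integrity still applies.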

There have been some previous vulnerabilities in boot technology, such as the BootHole flaw disclosed in 2020 that affected the Linux bootloader GRUB2, and a firmware flaw in five Acer laptop models that could be used to disable Secure Boot. The US Department of Homeland Security and Department of Commerce even recently warned about the persistent threat posed by firmware rootkits and bootkits in a draft report on supply chain security issues. But BlackLotus ups the stakes on firmware issues significantly.

That’s because while Microsoft patched the flaw that BlackLotus targets (a vulnerability known as Baton Drop or CVE-2022-21894), the patch only makes exploitation more difficult — not…

Source…

Apple issues patch for macOS security bypass vulnerability


Apple has fixed a vulnerability in macOS that could have allowed attackers to bypass application restrictions on the tech giant’s Gatekeeper mechanism.  

The vulnerability, tracked as CVE-2022-42821 and dubbed ‘Achilles’, was first uncovered by researchers at Microsoft and shared with Apple through the Coordinated Vulnerability Disclosure (CVD) system.

Microsoft said the Achilles flaw could have enabled hackers to gain access to operating systems and download or deploy malware on Mac devices.  

Apple confirmed it patched the bug on 13 December in its raft of security updates for macOS 13, macOS 12.6.2 and macOS 11.7.2. 

Achilles abuses Gatekeeper, the macOS mechanism that checks downloaded apps before they run to ensure they are legitimately signed and notarised, and that requires the user to explicitly confirm the launch of an app it has flagged.

Apple’s Gatekeeper system operates in a similar fashion to Microsoft’s own Mark of the Web (MOTW) protocols.  

“When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file,” researchers explained.  

“That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper or certain mitigations that prevent sandbox escapes.” 

Microsoft said the Achilles flaw would allow attackers to leverage targeted payloads to abuse Access Control Lists (ACLs) – a mechanism in macOS that offers additional protection to the standard permission model.  

If exploited, the flaw meant that a malicious app downloaded by a user would launch on their system instead of being blocked by Gatekeeper.  
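An added example (not Microsoft's or Apple's code) of the check a Mac administrator would want after reading the above: inspect a downloaded file for the quarantine attribute Gatekeeper keys on, and for an ACL that denies writing extended attributes. The article says only that Achilles abuses ACLs; the exact ACL entry the exploit uses is not given here, so the check flags any deny rule covering `writeextattr`, the permission a browser needs in order to stamp the quarantine attribute (an assumption about what is relevant, not a description of the exploit). The attribute value format `flags;timestamp;agent;uuid` is what macOS writes; the sample value and `ls -le` output are constructed so the parsing logic runs offline.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"
# An ACL entry in `ls -le` output looks like:  " 0: group:everyone deny writeextattr"
ACL_LINE = re.compile(r"^\s*\d+:\s+(?P<who>\S+)\s+(?P<kind>allow|deny)\s+(?P<perms>\S+)")


@dataclass
class QuarantineInfo:
    flags: int            # hex field 1; bit meanings are Apple-internal, kept raw here
    timestamp: int        # hex field 2, Unix seconds of the download
    agent: str            # field 3, e.g. "Safari"
    uuid: Optional[str]   # field 4, absent on some files


def parse_quarantine(value: str) -> QuarantineInfo:
    """Decode the com.apple.quarantine value, 'flags;timestamp;agent[;uuid]'."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine attribute: %r" % value)
    return QuarantineInfo(int(parts[0], 16), int(parts[1], 16), parts[2],
                          parts[3] if len(parts) > 3 and parts[3] else None)


def acl_denies_xattr_write(ls_le_output: str) -> bool:
    """True if any ACL entry in `ls -le` output denies writeextattr, which
    would stop a browser from writing the quarantine attribute to the file."""
    for line in ls_le_output.splitlines():
        m = ACL_LINE.match(line)
        if m and m.group("kind") == "deny" and "writeextattr" in m.group("perms").split(","):
            return True
    return False


def read_quarantine(path: str) -> Optional[str]:
    """Read the attribute with the macOS `xattr` tool; None if it is missing."""
    r = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path], capture_output=True, text=True)
    out = r.stdout.strip()
    return out if r.returncode == 0 and out else None


def audit_download(path: str) -> dict:
    """Run on macOS: report whether Gatekeeper will treat the file as quarantined
    and whether an ACL on it blocks writing extended attributes."""
    raw = read_quarantine(path)
    ls = subprocess.run(["ls", "-le", path], capture_output=True, text=True).stdout
    return {
        "path": path,
        "quarantined": raw is not None,
        "quarantine": parse_quarantine(raw) if raw else None,
        "acl_blocks_xattr_write": acl_denies_xattr_write(ls),
    }


# Constructed inputs for offline use; the shapes match real macOS output.
SAMPLE_QUARANTINE = "0083;63a1f2e4;Safari;1F4C6D5E-9A2B-4C3D-8E7F-0A1B2C3D4E5F"
SAMPLE_LS_LE_BLOCKED = (
    "-rw-r--r--+ 1 alice  staff  2048 Dec 13 10:02 installer.pkg\n"
    " 0: group:everyone deny writeextattr\n"
)
SAMPLE_LS_LE_CLEAN = "-rw-r--r--  1 alice  staff  2048 Dec 13 10:02 notes.txt\n"

if __name__ == "__main__":
    q = parse_quarantine(SAMPLE_QUARANTINE)
    print("agent=%s flags=%#x" % (q.agent, q.flags))
    print("ACL blocks xattr write:", acl_denies_xattr_write(SAMPLE_LS_LE_BLOCKED))
```

A file that arrived through a browser but carries no quarantine attribute, or that carries a deny rule on `writeextattr`, is the condition worth investigating; a missing attribute alone is normal for files created locally.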

Apple introduced Lockdown Mode in macOS Ventura to mitigate the risk of zero-click remote code execution (RCE) exploits. However, researchers noted that this optional feature for high-risk users would not defend against Achilles.  

“End-users should apply the fix regardless of their Lockdown Mode status,” said Jonathan Bar Or of the Microsoft 365 Defender Researcher Team.  

Gatekeeper vulnerabilities 

Bar Or said that while Gatekeeper is “essential” in spotting malware on macOS, there have been…

Source…

Hacking toolkits to bypass two-factor authentication actively selling on Dark Web






Two-factor authentication has become a must for any online presence. Every digital platform touts it as the most important security step for your account. While that claim is largely justified, there are established ways of getting around this security wall, and for code-based 2FA (SMS or authenticator-app codes) there is little the account holder can do to prevent them beyond spotting the phishing site; only phishing-resistant methods such as FIDO2 security keys are built to defeat the relay attacks described below.

The reason two-factor authentication is hailed as the epitome of online security is that it relies on two different factors. One is the password you set for your account; the other is a randomly generated code that you receive (by text message or from a code-generator app) at the time of login, or whenever the service requires it. Since only you should be able to see that code, your account is presumably safe even if your password is compromised.

But hackers have found several ways over time to bypass this seemingly foolproof system. Initially these relied on simple voice phishing: calling the account holder on some pretext and talking them into reading out the code. The attempts have since become far more sophisticated.

A new study points out that they are also becoming increasingly common in the hacker community.

Research by researchers from Stony Brook University and cybersecurity firm Palo Alto Networks has found numerous “phishing toolkits” that can be used to hack 2FA setups. First reported by The Record, the study also notes that these toolkits are actively sold on the dark web to anyone who wants to use them against an account.

Bypassing Two-Factor Authentication

As noted in the study, the researchers found over 1,200 phishing toolkits online. These toolkits contain the malicious code a hacker needs to launch sophisticated attacks on a target, specifically to steal the session cookie a site issues once 2FA has been completed. That lets the hacker bypass 2FA entirely: the cookie, not the one-time code, is what the site uses to recognise the logged-in user afterwards.

This is done through what is called a Man-in-the-Middle (MITM) attack, wherein the hacker redirects the traffic from a victim’s computer through a phishing site that employs a reverse proxy server, so that every request and response passes through the attacker’s server on its way to and from the real site. The attacks thus…
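To make the relay concrete, here is an added simulation (not from the study or from any toolkit) of both sides of the exchange: a relying party, the victim's device and a phishing site that reverse-proxies each step. It goes one step beyond the article by also showing why an origin-bound credential of the WebAuthn kind cannot be relayed: the public-key signature is replaced by an HMAC for brevity and the origins and user are made up, but the decisive origin check is the real protocol's.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for Unix time `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class RelyingParty:
    """The genuine site. Issues a session cookie after password+TOTP, or after a
    simplified origin-bound assertion standing in for WebAuthn."""

    def __init__(self, origin: str):
        self.origin, self.users, self.sessions, self.challenges = origin, {}, set(), {}

    def register(self, name, password, totp_secret, cred_key):
        self.users[name] = {"password": password, "totp_secret": totp_secret, "cred_key": cred_key}

    def login_totp(self, name, password, code, now) -> Optional[str]:
        u = self.users.get(name)
        if not u or not hmac.compare_digest(u["password"], password):
            return None
        if not hmac.compare_digest(totp(u["totp_secret"], now), code):
            return None
        return self._issue_session()

    def begin_assertion(self, name) -> bytes:
        self.challenges[name] = secrets.token_bytes(32)
        return self.challenges[name]

    def finish_assertion(self, name, assertion) -> Optional[str]:
        u, ch = self.users.get(name), self.challenges.pop(name, None)
        if not u or ch is None or assertion["challenge"] != ch:
            return None
        if assertion["origin"] != self.origin:      # the browser was not on our origin
            return None
        expected = hmac.new(u["cred_key"], assertion["origin"].encode() + ch, hashlib.sha256).digest()
        return self._issue_session() if hmac.compare_digest(expected, assertion["sig"]) else None

    def _issue_session(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie


class Authenticator:
    """The user's key: signs the challenge together with the origin the browser is on."""

    def __init__(self, cred_key: bytes):
        self.cred_key = cred_key

    def sign(self, browser_origin: str, challenge: bytes) -> dict:
        sig = hmac.new(self.cred_key, browser_origin.encode() + challenge, hashlib.sha256).digest()
        return {"origin": browser_origin, "challenge": challenge, "sig": sig}


class ReverseProxyPhish:
    """The toolkit's phishing site: relays each step to the real RP as the victim
    performs it and keeps whatever session cookie the RP returns."""

    def __init__(self, rp: RelyingParty, origin: str):
        self.rp, self.origin, self.stolen = rp, origin, []

    def _relay(self, cookie):
        if cookie:
            self.stolen.append(cookie)
        return cookie

    def login_totp(self, name, password, code, now):
        return self._relay(self.rp.login_totp(name, password, code, now))

    def begin_assertion(self, name):
        return self.rp.begin_assertion(name)

    def finish_assertion(self, name, assertion):
        return self._relay(self.rp.finish_assertion(name, assertion))


def run_scenario(now: int = 1_700_000_000) -> dict:
    rp = RelyingParty("https://bank.example")                     # made-up origins
    totp_secret, cred_key = secrets.token_bytes(20), secrets.token_bytes(32)
    rp.register("alice", "correct horse", totp_secret, cred_key)
    device = Authenticator(cred_key)
    phish = ReverseProxyPhish(rp, "https://bank-example.login-verify.example")

    # Victim types password and the fresh TOTP code into the phishing page; relayed within the step window.
    phish.login_totp("alice", "correct horse", totp(totp_secret, now), now)
    totp_bypassed = bool(phish.stolen) and phish.stolen[0] in rp.sessions

    # Origin-bound credential: the browser is on the phishing origin, so that is what gets signed.
    assertion = device.sign(phish.origin, phish.begin_assertion("alice"))
    origin_bound_bypassed = phish.finish_assertion("alice", assertion) is not None
    return {"totp_bypassed": totp_bypassed, "origin_bound_bypassed": origin_bound_bypassed}


if __name__ == "__main__":
    print(run_scenario())
```

The code the victim reads from their app is valid for whoever submits it within the time step, so the proxy simply forwards it and ends up holding the session. The origin-bound assertion fails because the value the device signed names the phishing origin, not the real one.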

Source…

AvosLocker ransomware reboots in Safe Mode to bypass security tools



In recent attacks, the AvosLocker ransomware gang has started focusing on disabling endpoint security solutions that stand in their way by rebooting compromised systems into Windows Safe Mode.

This tactic makes it easier to encrypt victims’ files: most endpoint security products do not start in Safe Mode, because their services and drivers are not on the list of components Windows loads in that mode, so they are effectively disabled after the reboot.

And their new approach appears to be quite effective since the number of attacks attributed to the particular group is rising.

Encrypting in ‘Safe Mode’

AvosLocker operators leverage PDQ Deploy, a legitimate deployment tool for automating patch management, to drop several Windows batch scripts onto the target machine, which lay the groundwork for the attack, according to a report from SophosLabs Principal Researcher Andrew Brandt.

These scripts modify or delete Registry keys that belong to specific endpoint security tools, including Windows Defender and products from Kaspersky, Carbon Black, Trend Micro, Symantec, Bitdefender, and Cylance.

One of the batch script files used by AvosLocker (Sophos)

The scripts also create a new user account on the compromised machine, naming it ‘newadmin’ and adding it to the Administrators user group.

Next, they configure that account to automatically log in when the system reboots into Safe Mode with Networking and disable “legal notice” dialog registry keys that could hamper the automatic login.

Finally, the scripts execute a reboot command which puts the machine into Safe Mode. Once it’s up again, the ransomware payload is run from a Domain Controller location.

If the automated payload execution process fails, the actor can assume manual control of the procedure using the AnyDesk remote access tool.

“The penultimate step in the infection process is the creation of a ‘RunOnce’ key in the Registry that executes the ransomware payload, filelessly, from where the attackers have placed it on the Domain Controller,” explains Brandt.

“This is a similar behavior to what we’ve seen IcedID and other ransomware do as a method of executing malware payloads without letting the files ever touch the filesystem of the infected computer.”
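As an added detection example (not Sophos’s code), the chain described above can be expressed as a handful of stages and scored per host. The telemetry is constructed JSON lines shaped like Sysmon registry-value-set and process-create events plus the Security log’s account-management events; the host names, the RunOnce value name and the UNC path are invented. The rule for the final step also accepts a RunOnce value whose name starts with `*`, which Windows documents as running even in Safe Mode.

```python
import json
from collections import OrderedDict

# Constructed sample telemetry (JSON lines). EventID 1/13 follow Sysmon's
# process-create and registry-value-set shapes; 4720/4732 follow the Security
# log. Everything here is made up for the example.
SAMPLE_LOG = r"""
{"host":"WS01","EventID":4720,"TargetUserName":"newadmin"}
{"host":"WS01","EventID":4732,"GroupName":"Administrators","MemberName":"newadmin"}
{"host":"WS01","EventID":13,"TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon","Details":"1"}
{"host":"WS01","EventID":13,"TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultUserName","Details":"newadmin"}
{"host":"WS01","EventID":13,"TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\legalnoticecaption","Details":""}
{"host":"WS01","EventID":1,"Image":"C:\\Windows\\System32\\bcdedit.exe","CommandLine":"bcdedit /set {current} safeboot network"}
{"host":"WS01","EventID":13,"TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*launch","Details":"\\\\dc01.corp.example\\netlogon\\x.exe"}
{"host":"WS02","EventID":13,"TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\VendorSetup","Details":"C:\\Program Files\\Vendor\\setup.exe /s"}
{"host":"WS02","EventID":1,"Image":"C:\\Windows\\System32\\bcdedit.exe","CommandLine":"bcdedit /enum"}
"""

# Registry paths are compared case-insensitively, as Windows treats them.
WINLOGON = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\"
RUNONCE = "hklm\\software\\microsoft\\windows\\currentversion\\runonce\\"
AUTOLOGON_VALUES = {"autoadminlogon", "defaultusername", "defaultpassword"}
LEGAL_NOTICE_VALUES = {"legalnoticecaption", "legalnoticetext"}


def classify(ev: dict):
    """Map one event to a stage of the Safe Mode chain, or None."""
    eid = ev.get("EventID")
    target = ev.get("TargetObject", "").lower()
    value = target.rsplit("\\", 1)[-1]
    details = ev.get("Details", "")
    if eid == 4720:
        return "local_account_created"
    if eid == 4732 and ev.get("GroupName", "").lower() == "administrators":
        return "added_to_administrators"
    if eid == 13 and target.startswith(WINLOGON) and value in AUTOLOGON_VALUES:
        return "autologon_configured"
    if eid == 13 and value in LEGAL_NOTICE_VALUES and details == "":
        return "legal_notice_cleared"
    if eid == 1 and "bcdedit" in ev.get("Image", "").lower() and "safeboot" in ev.get("CommandLine", "").lower():
        return "safeboot_flag_set"
    if eid == 13 and target.startswith(RUNONCE):
        # A UNC payload path, or a value name prefixed with '*' (run even in
        # Safe Mode), is the shape of the final step described above.
        if details.startswith("\\\\") or value.startswith("*"):
            return "runonce_payload_staged"
    return None


def stages_by_host(log_text: str) -> dict:
    """Ordered, de-duplicated chain stages observed per host."""
    hosts = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        stage = classify(ev)
        if stage is None:
            continue
        hosts.setdefault(ev["host"], OrderedDict()).setdefault(stage, True)
    return {h: list(s) for h, s in hosts.items()}


def alerts(log_text: str, min_stages: int = 3) -> list:
    """Hosts on which at least `min_stages` distinct stages of the chain appear."""
    return [h for h, s in stages_by_host(log_text).items() if len(s) >= min_stages]


if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_LOG).items():
        print(host, stages)
    print("alert:", alerts(SAMPLE_LOG))
```

Any single stage (a new local admin, an autologon entry, a bcdedit change) has benign explanations; the signal is several of them on one host in a short window, which is why the rule counts distinct stages rather than firing on each.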

Entire operation of the dropped batch scripts (Sophos)

Safe Mode used to easily…

Source…