Ransomware/Malware Activity
Windows 11 Default Feature Could Allow the Inception of No-Code Malware
Michael Bargury, co-founder and CTO of Zenity.io, presented "No-Code Malware: Windows 11 At Your Service" at DEFCON 30, which immediately caught the attention of CTIX analysts. Bargury focused on Power Automate, robotic process automation (RPA) software that ships by default with Windows 11 and lets users automate tedious processes. Automations are built as flows and managed through Microsoft's cloud, which, in his words, "ensures they are distributed to all user machines or Office Cloud, executed successfully and reports back to the cloud." In essence, the same machinery can power a malware operation. Bargury demonstrated this by registering a victim machine to his own Azure Active Directory tenant. He then created a flow triggered from the cloud, set up a connection to the end-user machine, and used it to distribute a payload. His first example was simple data exfiltration in three (3) steps: check whether the target file exists, read the text from the file, and store it in the cloud. No code is written; the flow is assembled from blocks in a visual editor similar to Scratch. In his next example, Bargury showed that code execution is possible through Power Automate, with one caveat: Windows Defender Antivirus identified the attempt and blocked it, because the flow left the trusted Power Automate platform to run commands through the untrusted command prompt. Many Power Automate features can still be abused without ever leaving that trusted environment, however. Bargury's example was no-code ransomware that encrypts files with AES using an attacker-supplied key. Attacks of this kind do leave traces such as log data on the victim machine, but Power Automate itself can be used by the threat actor to clean up afterwards.
Bargury developed a framework dubbed "Power Pwn" that assists red teams in conducting these attacks. Additional details can be found in Michael Bargury's GitHub, and a video of the talk will be posted on YouTube in the coming weeks. CTIX analysts recommend that defenders become familiar with RPA tools such as Power Automate, including where they run, what they log, and which tenant a machine is registered to, so that abuse of RPA software can be recognized and defended against.
Threat Actor Activity
Russia/Ukraine Conflict: Cyberwar Rages On
During DEFCON 30, CTIX analysts attended a presentation by security specialist Kenneth Geers on the escalation of the Russia/Ukraine war and how threat actors are intensifying their attacks against Ukraine and those assisting the country. Since the February invasion of Ukraine, there have been over 300 confirmed cyberattacks, with no sign of slowing in the coming months. Geers highlighted how threat actors have relentlessly targeted Ukrainian assets: attacks on communications systems, attacks on the power grid, compromises of financial institutions, and mass text-message campaigns intended to strike fear into the Ukrainian population. While the February invasion escalated the conflict into open war, attacks of this kind had been observed for several years prior. In 2015, Russian threat actors targeted a section of the Ukrainian power grid and knocked out power for around six (6) hours; a similar attack followed a year later. Other instances include heavy use of distributed denial-of-service (DDoS) attacks against Ukrainian government websites, ATMs, banks, and several other critical assets to sow panic among Ukrainian citizens. While the Russia/Ukraine conflict has shaken the world on the battlefield, Geers stated: "We have seen attacks in every domain: military, political, diplomatic, business, critical infrastructure, social media, etc." CTIX continues to monitor the Russia/Ukraine conflict and will advise on future cyber threats and developments as they become available.
Vulnerabilities
Critical Vulnerability in macOS Zoom Installer Allows for Escalation of Local Privileges
While attending the DEFCON 30 hacking and cybersecurity conference, CTIX analysts had the privilege of attending a talk given by macOS security researcher Patrick Wardle. The talk, titled "You're Muted and Rooted," detailed the successful exploitation of a security vulnerability in the auto-update mechanism of the popular Zoom video conferencing application on macOS. Wardle showed how the flaw let him abuse the Zoom installer to escalate from a low-privileged local user to root, ultimately taking full control of the target system. The flaw, tracked as CVE-2022-28756, affects Zoom Client for Meetings for macOS versions 5.7.3 to 5.11.4 and was patched in version 5.11.5 on August 13, 2022. A few days later a second CVE, CVE-2022-28757, was patched; it is the same flaw, and this patch covers version 5.11.5, which the first fix had left affected. The flaw exists even though manually installing or uninstalling the Zoom client requires the user's password: the auto-update helper runs as root and validates an update package by checking that the output of a package-signature check contains the names of Zoom's signing certificate chain, matching the name of Zoom's own signed package, "Zoom Video … Certification Authority Apple Root CA.pkg". Because that output also echoes the package's file name, an attacker with initial access could hand the updater an arbitrary package whose file name follows the same naming convention; the verification check passes and the helper installs the package as root. In practice, this means any malware packaged under a file name that follows the certificate naming convention would be installed and executed with root privileges. Once privilege escalation succeeds, threat actors can add, remove, or modify any file on the machine and conduct follow-on malicious activity. Since the beginning of the COVID-19 pandemic, Zoom's popularity has grown sharply, making it an attractive target for attacks.
This flaw has been fixed by Zoom, and CTIX analysts recommend that all macOS Zoom users ensure their client is running the most recent secure version (5.11.6 or later).
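Added here as an illustration (our own code, not Zoom's; the updater's actual implementation is not on this page): the following Python models the flawed logic described above, a substring match against the text of a package-signature check whose first line echoes the attacker-chosen file name, beside a stricter parse that ignores that line and demands an exact, ordered certificate chain. The sample outputs are constructed in the shape of macOS `pkgutil --check-signature` results, the Team ID is a placeholder, and the forged file name is constructed to contain the three expected strings rather than being the exact name used in the talk.

```python
"""Added example, not Zoom's code: a substring match on signature-tool output
beside a stricter parse of that same output.

Assumptions: the flawed checker looked for the expected certificate names
anywhere in the text of a package-signature check (as summarised in the talk
write-up); the sample outputs are constructed to look like
`pkgutil --check-signature` results; "XXXXXXXXXX" is a placeholder Team ID."""
import re
import textwrap

# Names the flawed verifier looked for anywhere in the tool output (assumption).
REQUIRED_SUBSTRINGS = (
    "Zoom Video Communications, Inc.",
    "Developer ID Certification Authority",
    "Apple Root CA",
)

# Exact, ordered chain the stricter check demands. Placeholder Team ID.
EXPECTED_CHAIN = (
    "Developer ID Installer: Zoom Video Communications, Inc. (XXXXXXXXXX)",
    "Developer ID Certification Authority",
    "Apple Root CA",
)
SIGNED_STATUS = "signed by a developer certificate issued by Apple for distribution"

# Constructed sample 1: a genuinely signed package.
GENUINE_OUTPUT = textwrap.dedent("""\
    Package "Zoom.pkg":
       Status: signed by a developer certificate issued by Apple for distribution
       Certificate Chain:
        1. Developer ID Installer: Zoom Video Communications, Inc. (XXXXXXXXXX)
           Expires: 2027-02-01 22:12:15 +0000
           ------------------------------------------------------------------------
        2. Developer ID Certification Authority
           Expires: 2027-02-01 22:12:15 +0000
           ------------------------------------------------------------------------
        3. Apple Root CA
           Expires: 2035-02-09 21:40:36 +0000
    """)

# Constructed sample 2: an UNSIGNED package whose file name carries every
# expected certificate string. The tool echoes that name on its first line.
FORGED_NAME = ("Zoom Video Communications, Inc. "
               "Developer ID Certification Authority Apple Root CA.pkg")
FORGED_OUTPUT = textwrap.dedent(f"""\
    Package "{FORGED_NAME}":
       Status: no signature
    """)


def vulnerable_check(pkgutil_output: str) -> bool:
    """Flawed check: every expected name appears *somewhere* in the output.
    The attacker-controlled file name on line 1 satisfies all three."""
    return all(s in pkgutil_output for s in REQUIRED_SUBSTRINGS)


def parse_check_signature(pkgutil_output: str):
    """Return (status, ordered certificate chain), ignoring the first line,
    which is the only place the attacker-chosen file name appears."""
    status, chain = None, []
    for line in pkgutil_output.splitlines()[1:]:
        m = re.match(r"\s*Status:\s*(.+?)\s*$", line)
        if m:
            status = m.group(1)
            continue
        m = re.match(r"\s*\d+\.\s+(.+?)\s*$", line)   # numbered chain entries
        if m:
            chain.append(m.group(1))
    return status, tuple(chain)


def hardened_check(pkgutil_output: str) -> bool:
    """Stricter check: signed status plus an exact, ordered chain match.
    An unsigned package has no chain at all, so a clever name cannot help."""
    status, chain = parse_check_signature(pkgutil_output)
    return status == SIGNED_STATUS and chain == EXPECTED_CHAIN


def compare() -> dict:
    """Run both checks on both samples; only the hardened check rejects the forgery."""
    return {
        "vulnerable": (vulnerable_check(GENUINE_OUTPUT), vulnerable_check(FORGED_OUTPUT)),
        "hardened": (hardened_check(GENUINE_OUTPUT), hardened_check(FORGED_OUTPUT)),
    }


if __name__ == "__main__":
    for name, (genuine, forged) in compare().items():
        print(f"{name:10s} genuine={genuine} forged={forged}")
```

The stricter parse is still pattern-matching console text, which remains fragile; the durable fix is to validate the signature of the exact file that will be installed through a signing API, in the privileged component, rather than trusting any text the unprivileged caller can influence.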
Emerging Technology
Hackers Can Now Inject Malware Using Emojis
In a DEFCON 30 talk presented by Hadrien Barral and Georges-Axel Jaloyan, the researchers demonstrated a novel way of using emojis to express shellcode and inject it into vulnerable applications. Emojis are the faces, flags, and tiny images defined in the Unicode standard; in the UTF-8 text encoding, each one is a sequence of several bytes. Since machine code, the instruction stream the processor executes, is also just a sequence of bytes, code can be written as a string of characters, or in this case, emojis. Shellcode is a byte sequence that, when executed as code, runs a program that often grants the attacker a "shell," or command line interface. Classic alphanumeric shellcode leans on single-byte instructions whose encodings happen to be printable letters, although building a useful program that way is rarely simple. The researchers set themselves the goal of compiling to a far more constrained instruction set: the bytes of UTF-8 emojis, which offer no single-byte instructions or other helpful features. With letters, the character "A", 0x41 in hexadecimal, is the 32-bit x86 instruction "inc %ecx" (increment the ECX register). Emojis, on the other hand, are much larger. For example, the "Red Question Mark" emoji "❓" is 0xE29D93 in hexadecimal and is not the encoding of any single instruction. The researchers discovered that two (2) emojis placed next to each other form one (1) or more instructions, creating a reusable "gadget". By enumerating all possible gadgets ahead of time, the researchers built a library of code snippets from which to assemble malicious shellcode. The emoji gadgets are chained together into a malware packer: code that carries an arbitrary encoded payload and decodes and executes it. Using this framework, the researchers successfully injected emoji-based shellcode into a vulnerable C application in a demo environment.
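As an added example (our own code, not the researchers' framework), the following Python makes the byte-level constraint concrete: it computes which byte values an emoji-only alphabet can produce, checks which single-byte 32-bit x86 instructions fall inside that set, and implements a minimal packer-style encoding that spells an arbitrary payload as emoji pairs and recovers it. The 16-emoji alphabet, the small opcode table and the sample payload are constructed for the demo; the unpack step is done in Python here, whereas the talk's decoder is itself built from emoji gadgets.

```python
"""Added example, not the researchers' tool: the byte-level constraint behind
emoji shellcode, and a minimal packer-style encoding that keeps an arbitrary
payload inside an emoji-only alphabet.

Assumptions: the 32-bit x86 opcode values below are from the Intel manual; the
16-emoji alphabet and the sample payload are constructed for this demo; the
unpack step is done in Python here, whereas the talk's decoder is itself made
of emoji gadgets."""

# Constructed alphabet: U+1F600..U+1F60F, one emoji per hexadecimal digit.
NIBBLE_EMOJI = [chr(0x1F600 + i) for i in range(16)]

# A few single-byte 32-bit x86 instructions (plus one prefix), keyed by opcode.
X86_SINGLE_BYTE = {
    0x41: "inc ecx",       # the letter "A" in classic alphanumeric shellcode
    0x90: "nop",
    0x98: "cwde",
    0x99: "cdq",
    0x9F: "lahf",
    0xF0: "lock (prefix)",
    0xF4: "hlt",
}


def utf8_bytes(text: str) -> bytes:
    """The bytes a target actually sees for a string, e.g. '❓' -> e2 9d 93."""
    return text.encode("utf-8")


def byte_class(b: int) -> str:
    """UTF-8 role of one byte value."""
    if b < 0x80:
        return "ascii"
    if b <= 0xBF:
        return "continuation"
    if 0xC2 <= b <= 0xDF:
        return "lead2"
    if 0xE0 <= b <= 0xEF:
        return "lead3"
    if 0xF0 <= b <= 0xF4:
        return "lead4"
    return "invalid"


def byte_alphabet(emojis) -> frozenset:
    """Every byte value that can occur in text built only from these emoji."""
    return frozenset(b for e in emojis for b in utf8_bytes(e))


def usable_single_byte_ops(emojis) -> dict:
    """Which of the listed single-byte instructions the alphabet can even spell.
    Emoji never produce an ASCII byte, so 0x41 'inc ecx' is never available."""
    alpha = byte_alphabet(emojis)
    return {op: name for op, name in X86_SINGLE_BYTE.items() if op in alpha}


def pack_payload(payload: bytes) -> str:
    """Spell each payload byte as an emoji pair: high nibble, then low nibble."""
    return "".join(NIBBLE_EMOJI[b >> 4] + NIBBLE_EMOJI[b & 0xF] for b in payload)


def unpack_payload(text: str) -> bytes:
    """Inverse of pack_payload. Each alphabet entry is a single code point, so
    iterating the str yields one emoji per step."""
    index = {e: i for i, e in enumerate(NIBBLE_EMOJI)}
    digits = [index[c] for c in text]       # KeyError on any non-alphabet char
    if len(digits) % 2:
        raise ValueError("packed text must contain an even number of emoji")
    return bytes((digits[i] << 4) | digits[i + 1] for i in range(0, len(digits), 2))


def demo() -> dict:
    """Constructed payload bytes spanning the byte range, packed and restored."""
    payload = bytes([0x00, 0x41, 0x7F, 0x80, 0xFF])
    packed = pack_payload(payload)
    return {
        "packed": packed,
        "packed_bytes": utf8_bytes(packed),
        "classes": sorted({byte_class(b) for b in utf8_bytes(packed)}),
        "round_trip": unpack_payload(packed) == payload,
        "available_ops": usable_single_byte_ops(NIBBLE_EMOJI),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

For this alphabet every byte is either a UTF-8 lead byte (0xF0) or a continuation byte in 0x80 to 0xBF, so none of the printable single-byte instructions that alphanumeric shellcode relies on can appear, and only a handful of complete single-byte instructions (here cwde, lahf and the lock prefix) survive. That is the constraint that forces the multi-emoji gadget approach described above.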
While this technique may not see much real-world use today, many programs do not handle emojis well, which may lead to new vulnerabilities being discovered. The researchers themselves ran into many issues working with and displaying emojis in popular applications while developing the technique. Both the target computer and a printer to which the researchers delivered their emoji shellcode suffered catastrophic failures; according to Barral and Jaloyan, the printer was so badly affected that it required a factory reset. More information can be found in the article below, as well as in the researchers' GitHub repository. A video of their talk will be uploaded to YouTube in the coming weeks. This attack vector represents yet another novel approach that threat actors may take to accomplish their objectives.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cutting-edge cyber threat intelligence topics identified during the CTIX team's trip to Las Vegas to attend the DEFCON 30 hacking conference in mid-August. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed and the CTIX team (ctix@ankura.com) for threat intelligence inquiries.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.