In the latest round-up from SafeBreach’s Hacker’s Playbook, the focus is on emerging threats identified through original research conducted by the SafeBreach Labs team. Customers of SafeBreach can leverage these insights to run simulations against these advanced threats, ensuring robust security measures are in place.
Windows Downdate Attacks – What You Need to Know
Downgrade attacks, also referred to as version-rollback attacks, are designed to revert fully updated software to older versions. This tactic allows malicious actors to exploit previously patched vulnerabilities, thereby compromising systems and gaining unauthorized access.
The latest findings, presented by SafeBreach Labs researcher Alon Leviev at Black Hat USA 2024 and DEF CON 32, delve into the state of downgrade attacks on Windows. Leviev’s research led to the development of Windows Downdate, a tool capable of commandeering the Windows Update process, enabling attackers to execute undetectable and irreversible downgrades on critical operating system components. This alarming revelation underscores how a determined attacker can render a fully patched Windows machine vulnerable to thousands of past exploits, effectively nullifying the concept of being “fully patched.”
These vulnerabilities were disclosed to Microsoft in February 2024, resulting in the issuance of two CVEs: CVE-2024-21302 and CVE-2024-38202. Microsoft has since provided additional security guidance through their Security Update Guide ADV24216903. For further inquiries, stakeholders are encouraged to reach out to the Microsoft communications team directly at communications@microsoft.com.
Quick Share Vulnerability Exploit – What You Need to Know
Google’s Quick Share, a peer-to-peer data transfer utility for Android, Windows, and Chrome, utilizes various communication protocols to facilitate file sharing between nearby devices. Recent research by SafeBreach Labs, presented at DEF CON 32, sought to uncover potential vulnerabilities within this relatively new file-sharing solution.
This investigation identified ten unique vulnerabilities, some of which could be combined into an innovative remote code execution (RCE) attack chain against Quick Share for Windows. The findings emphasize that even seemingly minor features can be exploited by motivated attackers to orchestrate advanced attacks.
The vulnerabilities were disclosed to Google in January 2024, leading to the issuance of two CVEs: CVE-2024-38271 and CVE-2024-38272. The identified vulnerabilities include:
- Remote Unauthorized File Write in Quick Share for Windows
- Remote Unauthorized File Write in Quick Share for Android
- Remote Forced WiFi Connection in Quick Share for Windows
- Remote Directory Traversal in Quick Share for Windows
- Remote DoS in Quick Share for Windows – Endless Loop
- Remote DoS in Quick Share for Windows – Assert Failure
- Remote DoS in Quick Share for Windows – Unhandled Exception
SafeBreach Coverage of Windows Downdate Attacks and Quick Share Vulnerabilities
SafeBreach has incorporated individual attacks related to the identified vulnerabilities into its Hacker’s Playbook, allowing organizations to validate their security controls:
- Downdate attacks – Two attacks that enable an attacker to potentially take over the Windows Update process and downgrade Windows to a vulnerable version:
- #10341 – Windows Downdate – Windows update takeover
- #10342 – Windows Downdate – TrustedInstaller elevation
- Quick Share attacks – Attacks that allow an attacker to force a victim to download any file of their choice on a vulnerable QuickShare version:
- #10334 – QuickShare download file accept bypass (Bluetooth)
- #10335 – QuickShare download file accept bypass (Wifi)
Other Threats We Added Coverage for in August 2024
While the original research from SafeBreach Labs was a highlight in August 2024, additional coverage was also added for various threats to enhance customer protection:
- MagicRAT – A remote access trojan developed by the Lazarus APT group, primarily distributed through vulnerabilities like Log4j in VMware Horizon. It allows hackers to execute commands and steal sensitive data.
- #10419 – Write MagicRAT (0c0ee6) RAT to disk (HOST_LEVEL)
- #10420 – Pre-execution phase of MagicRAT (0c0ee6) RAT (Windows) (HOST_LEVEL)
- Hesperbot Trojan – A banking trojan with functionalities such as keystroke logging and remote proxy setup, used to obtain login credentials and access bank accounts.
- #10364 – Write Hesperbot trojan to disk (HOST_LEVEL)
- #10365 – Email Hesperbot trojan as a compressed attachment (LATERAL_MOVEMENT)
- Timitator Trojan – A trojan used by the Vietnam-based APT32 group to conduct sophisticated attacks on various targets, particularly in Southeast Asia.
- #10358 – Write Timitator (8ae286) trojan to disk (HOST_LEVEL)
- #10359 – Transfer of Timitator (8ae286) trojan over HTTP/S (LATERAL_MOVEMENT)
Interested in Protecting Against Advanced Ransomware?
SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, designed to provide unparalleled visibility into your security ecosystem’s response at each stage of the defense process. This assessment includes:
- Training: Learn about the methodologies behind ransomware attacks and persistent threats.
- Assessment: Review goals and ensure simulation connections to the management console are complete.
- Attack Scenario: Execute safe-by-design, real-world ransomware attacks on a device of your choice.
- Report: Receive a custom-built report with simulation results and actionable remediation insights.
Empower your team to understand ransomware attacks through the lens of the attacker by requesting your complimentary RansomwareRx assessment today.
