How can I protect myself?
Device manufacturers and wireless service providers need to provide a security update that would fully protect your device from vulnerabilities like Certifi-gate. Until an update is received, Check Point recommends taking several steps to mitigate the risk:
What other solutions are available to help mitigate these risks?
Also announced Thursday was Check Point Mobile Threat Prevention, an innovative mobile security solution enterprises can use to battle today’s mobile threat environment effectively, including new and previously unknown threats like Certifi-gate. The solution delivers a complete platform for stopping mobile threats on iOS and Android, and delivers real-time threat intelligence into an organization’s existing security and mobility infrastructures for even greater visibility.
Learn more about Mobile Threat Prevention at http://www.checkpoint.com/mobilesecurity.
How can I learn more about Certifi-gate?

The Check Point mobile threat research team has compiled a report that includes a detailed analysis of Certifi-gate, how it works, and how you can protect your data. Click here to download the report.
The post Certifi-gate: Hundreds of Millions of Android Devices Could Be Pwned appeared first on Check Point Blog.
Source: http://blog.checkpoint.com/2015/08/06/certifigate/

Microsoft Management Console (MMC) Vulnerabilities
Check Point Research, 12 June 2019

Research by: Eran Vaknin and Alon Boxiner
The goal of Microsoft Management Console (MMC) is to provide a programming platform for creating and hosting applications that manage Microsoft Windows-based environments, and to provide a simple, consistent and integrated management user interface and administration model.

Recently, Check Point Research discovered several vulnerabilities in the console that would allow an attacker to deliver a malicious payload.

Microsoft has granted CVE-2019-0948 to this vulnerability and patched it in their June 11th Patch Tuesday release.
Vulnerability Description:

1) Multiple XSS vulnerabilities due to a misconfigured WebView.

MMC has an integrated Snap-In component which in turn contains several mechanisms such as ActiveX Control, Link to Web Address, etc.

2) XXE vulnerability due to a misconfigured XML parser.

A victim opens the MMC, chooses the Event Viewer snap-in, clicks on Action and then on Import Custom View. As soon as a malicious XML file (containing an XXE payload) is chosen, any file from the victim's host is sent to the attacker.

This is possible due to a misconfigured XML parser defined within the MMC custom view functionality.
Proof of Concept

1) Link to Web Address snap-in Cross-Site Scripting (XSS):

The attacker adds a new snap-in:

The victim chooses a Link to Web Address snap-in:

The attacker then types the path to his server containing the malicious payload:

The attacker saves the .msc file and sends it to the victim:

The malicious .msc file contains the path to the attacker’s server:

As the victim opens the malicious .msc file, VBS code is executed:
2) ActiveX Control snap-ins (Adobe Acrobat DC Browser example):

The attacker adds a new snap-in:

The attacker chooses an ActiveX Control snap-in:

The ActiveX Control mechanism is then chosen (Adobe Acrobat DC Browser as an example):

The attacker saves the .msc file and sends it to the victim:

The malicious .msc file containing the path to the attacker’s server:

As the victim opens the malicious .msc file, VBS code is executed:
3) XXE Vulnerability Due to Misconfigured XML Parser:

The attacker chooses the Event Viewer snap-in:

The victim selects ‘Action’ and then clicks on the ‘Import Custom View’ option:

The victim selects the malicious XML sent by the attacker:

The malicious XML containing the XXE payload will read the c:\windows\win.ini file content and send it to the remote server via an HTTP GET request:

This in turn calls xml.dtd:

The desired file content is sent from the client console application to a remote server.

Source: https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/

Breaking through Windows’ defenses: Analyzing mLNK Builder
Check Point Research, 26 March 2020

Introduction

Launching an attack does not always require high technical aptitude on the part of a threat actor, especially when there are ready-made tools available for every stage of the infection chain. Delivery document builders and MaaS (Malware-as-a-Service) providers are just some of the services that thrive in hacking forums, and save attackers the trouble of developing a payload or socially engineering a document.
However, making those tools easily accessible and available in bulk has its downsides, since security solutions and Anti-Virus products are usually quite proficient at protecting against them. To overcome this problem, underground sellers have started providing services to make malicious files more evasive and less detectable. A prime example of this is the mLNK Shortcut Builder.

We first encountered an advertisement for the mLNK Shortcut Builder in a Discord channel called “NativeOne Products”, which is managed by a user under the name “Ren and Stimpy”:
mLNK enables payloads to bypass security solutions such as Windows Defender, Windows 10 SmartScreen and UAC by converting the payloads to LNK shortcuts:

“LNK” or “LiNK” files are shortcuts used by the Windows operating system to point to a file, and are most commonly used in the Desktop directory. LNK files can be leveraged to run PowerShell, and since the displayed icon does not have to match the file type the shortcut points to, victims are less likely to realize exactly what type of file they’re about to open.

Despite the developers’ claim that this tool was created for educational purposes, our collected evidence suggests the tool’s actual use is to deliver malicious files to victims. In one such case, an LNK file was sent to a target in the United States from an e-mail address belonging to a UAE-based company called “Bin Rashed Transporting and General Contracting.”

The message contained a malicious attachment called Doc001.png.lnk, which downloads an HTA payload from s-c[.]live.

The final payload is packed with CypherIT, an AutoIt packer used to encrypt executables, which we discussed in a previous report.

The mLNK developers endorsed CypherIT and even recommended using it alongside their own tool:
In addition to file conversion, other features of the mLNK Shortcut Builder include delaying the execution of the payload, or opening a decoy document at the same time, making it even harder for a victim to detect any suspicious activity:

Surprisingly, those features did not come with a hefty price; the cheapest support plan for the mLNK Shortcut Builder costs only $50 and gives the attacker access to the builder for one month, more than enough time to add another layer of protection:

Despite the relatively small fee, our analysis of mLNK showed that its creators managed to generate at least $11,000 in revenue, while enabling nearly 230 customers to make their payloads less detectable in less than a year.

mLNK was promoted in the Discord channel alongside other products that were developed by “NativeOne Exploits”, including tools that convert malicious attachments to IMG or ISO files, allowing them to bypass e-mail protections:

However, the marketing efforts were not restricted to the specific Discord channel. The products were also promoted in various hacking forums by a user with the same “Ren and Stimpy” avatar, as well as by a user called “Qismon”:

Interestingly, in June 2018, the same users were observed querying other forum members for technical information:

Answers to these questions, for example about converting .NET executables to native ones, later led to the development and release of new products that the mLNK authors sold on their website:

Similarly, some of the features in the mLNK Shortcut Builder itself, like the Windows 10 UAC bypass, were ones that the authors inquired about earlier:
The threads about mLNK in online forums gave away some information about the authors. For example, we noticed that they mentioned the CCC (Chaos Computer Club) Jabber server, jabber.ccc[.]de, in their contact details:

Moreover, the demo video for the mLNK Shortcut Builder shows that the authors’ operating system is in German:

A post shared by an anonymous user on Discord included the order confirmation received after purchasing mLNK:

Accessing native-one[.]com:8020/token shows a registration page asking the user to set up credentials and enter the token received in the above e-mail:

Surprisingly, after entering information in all the fields and pressing the “Register” button, an executable approximately 10KB in size is immediately downloaded. Opening the downloaded executable in a disassembler shows that it starts by running a PowerShell script:

The executed PowerShell script downloads a file from native-one[.]com:8020/client_auth. Then, it decodes this file using base64 and decrypts it using AES256:

The end result of this is another PowerShell script, which was version 2.2 of the mLNK Shortcut Builder:
The builder starts by checking the following registry key to determine if it was previously executed on the same system:

If this is the builder’s first run, it creates this registry key and sets the “Driver” value to “0”. Afterwards, the Terms of Service window is displayed:

Interestingly enough, the terms of service claim that the mLNK Shortcut Builder is a legitimate service used “for educational purposes” only. However, the feedback shows a different picture, with some users claiming that they managed to infect their victims with the help of mLNK:

After accepting the terms, the main mLNK Builder window appears, where the user can enter the payload’s URL, the displayed icon of the LNK, and the features to include:

While it is not really common to come across a GUI application written with the help of PowerShell, the authors of the mLNK builder expressed their enthusiasm for this scripting language on more than one occasion in an online forum:

Whenever a payload is built using mLNK, its filename, hash (SHA256), and the system hardware ID are POSTed to the address hxxp://193.37.212[.]15:8020/hash_add with the User-Agent ‘ERSW6XIZWGR2JXX7MR1PWHX6OVRF9KCO’.

This was probably so the builder’s authors could track the customers’ payloads and view their names and hashes, but the mechanism did not work as intended. When analyzing mLNK, the IP address 193.37.212[.]15 did not accept any connections. Therefore, its presence in the code is strange, and it seems as if the authors forgot to update this value.
Before creating the LNK, the user’s file (EXE, DLL, JS, VBS) can be converted to a PowerShell, MSHTA, or RegSVR32 payload. The MSHTA payload is an HTML page with a VisualBasic script:

If the customer has a public mLNK license, the VisualBasic script simply runs a PowerShell command that downloads the original payload from a provided URL and executes it. If a private license is used, the PowerShell command is stored as hexadecimal values:

In the case of a custom license, the same command is stored as a binary-encoded string:

More protective layers are added when private and custom licenses are used. For example, all of the URLs in the VisualBasic script are encoded using base64, and a “System” attribute can be added to the payload in addition to the “Hidden” one.

As for the RegSVR32 payload, the outcome is an SCT (Script Component) file with an XML extension and embedded JavaScript, which has the following format:

The JavaScript decodes a PowerShell command and runs it. Similar to the MSHTA payload, the code is encoded using hexadecimal or binary values if private or custom licenses are used:

One of the available features in the mLNK builder is UAC Bypass:
Depending on the Windows version, there are two techniques that are used by the builder:

If the Windows OS version is earlier than Windows 10, the Event Viewer technique is used, where the payload’s path is written to the “Default” value of the HKCU\Software\Classes\mscfile\shell\open\command registry key:

The Event Viewer tool is then started. When Event Viewer is launched, it spawns the assigned default application for the “mscfile” type, which in this case is the payload:

This allows the payload to bypass UAC and run with high privileges. More about this technique can be found here.

The Fodhelper technique is used in Windows 10 or newer versions. The payload’s path is set as the “Default” value in the HKCU\Software\Classes\ms-settings\Shell\Open\command registry key. Similar to the previous technique, when Fodhelper is launched, the payload is executed and the UAC bypass is triggered. More information about this technique can also be found here.
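A read-only PowerShell check for the two per-user registry locations named above, added here as an example for defenders (it is not Check Point's code and not part of mLNK); the function and variable names are my own, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added audit script (not Check Point's code): reports whether the per-user registry keys
# used by the Event Viewer and Fodhelper UAC bypass techniques exist for the current user.
# Read-only: it changes nothing. Assumes Windows PowerShell 5.1 or later.

$SuspectKeys = @(
    'HKCU:\Software\Classes\mscfile\shell\open\command'      # Event Viewer technique (pre-Windows 10)
    'HKCU:\Software\Classes\ms-settings\Shell\Open\command'  # Fodhelper technique (Windows 10 and newer)
)

function Get-UacBypassRegistryFindings {
    param([string[]]$Keys = $SuspectKeys)

    foreach ($key in $Keys) {
        $present = Test-Path -LiteralPath $key
        $command = $null
        if ($present) {
            # The technique stores the payload path in the key's (Default) value
            $command = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Key     = $key
            Present = $present
            Command = $command
            # Neither key exists under HKCU on a clean system; a per-user copy overrides the
            # machine-wide handler for this user and should be reviewed (and its Command traced).
            Review  = $present
        }
    }
}

# Run for the current user and print one row per key
Get-UacBypassRegistryFindings | Format-Table -AutoSize
```

Run it under each interactive user account, since HKCU is per user; a Present value of True with a Command pointing outside a known-good installation path is what to escalate.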
The mLNK Shortcut Builder shows how well-known, off-the-shelf payloads that are usually removed immediately by Windows Defender or stopped from running by UAC can bypass those protections and infect a victim easily.

Check Point SandBlast successfully intercepts those attacks and is able to block all of the malicious techniques described in this report.

SandBlast Protection:

Source: https://research.checkpoint.com/2020/breaking-through-windows-defenses-analysing-mlnk-builder/