
Tuesday, March 17, 2020

Windows 10 Secured-Core PCs Can Block Driver-Abusing Malware

By Sergiu Gatlan, March 17, 2020 03:30 PM
Microsoft says that Windows 10 Secured-core PCs can successfully defend their users against malware designed to take advantage of driver security flaws to disable security solutions.

"Multiple malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron, and campaigns by the threat actor STRONTIUM, have leveraged driver vulnerabilities (for example, CVE-2008-3431, CVE-2013-3956, CVE-2009-0824, CVE-2010-1592, etc.) to gain kernel privileges and, in some cases, effectively disable security agents on compromised machines," Microsoft says.

However, according to Microsoft, endpoint devices can be defended against such attacks when they are Secured-core PCs, which come with built-in protection against firmware attacks, a technique increasingly used by both state-sponsored groups and commodity malware.

Secured-core PCs were released in response to the growing number of firmware security issues that attackers can exploit to bypass Secure Boot on a Windows machine, and to the lack of firmware-level visibility in most of today's endpoint security solutions.

Malware abusing vulnerable firmware and drivers

"In addition to vulnerable drivers, there are also drivers that are vulnerable by design (also referred to as 'wormhole drivers'), which can break the security promise of the platform by opening up direct access to kernel-level arbitrary memory read/write, MSRs," Microsoft adds.

"In our research, we identified over 50 vendors that have published many such wormhole drivers. We actively work with these vendors and determine an action plan to remediate these drivers."

One instance of a threat actor abusing firmware vulnerabilities is the Russian-backed APT28 cyber-espionage group (also tracked as Tsar Team, Sednit, Fancy Bear, Strontium, and Sofacy), which used a Unified Extensible Firmware Interface (UEFI) rootkit dubbed LoJax during some of its 2018 operations.

More recently, the operators behind the RobbinHood Ransomware exploited a vulnerable GIGABYTE driver to elevate privileges and install malicious unsigned Windows drivers that allowed them to terminate antivirus and security software processes on compromised systems.

RobbinHood Ransomware attack chain (Microsoft)

"In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows," Sophos researchers explained at the time.

"This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference."

This tactic enabled the attackers to circumvent anti-ransomware defenses by killing the antivirus software before deploying the ransomware executable used to encrypt the victim's documents.

Sophos has not yet been able to fully analyze this ransomware sample, so the processes and services it targets are currently unknown.

Secured-core PCs feature built-in protection

However, as Microsoft notes, Windows 10 comes with hardware and firmware protection features that can successfully defend against attacks such as the ones that infected victims with LoJax and RobbinHood Ransomware.

Moreover, Secured-core PCs, introduced by Microsoft in October 2019 in partnership with OEMs Lenovo, HP, Dell, Panasonic, Dynabook, and Getac, can block firmware-level attacks because they ship with these hardware-backed security features enabled by default, removing the need for users to change the required BIOS and OS settings manually.

"Because both BIOS settings and OS settings are enabled out of the box with these devices, the burden to enable these features onsite is removed for customers," Microsoft adds, with the following features enabled on all Secured-core PCs:

Security promise -> Technical features

Protect with hardware root of trust:
  TPM 2.0 or higher
  TPM support enabled by default
  Virtualization-based security (VBS) enabled

Defend against firmware attack:
  Windows Defender System Guard enabled

Defend against vulnerable and malicious drivers:
  Hypervisor-protected code integrity (HVCI) enabled

Defend against unverified code execution:
  Arbitrary code generation and control flow hijacking protection [CFG, xFG, CET, ACG, CIG, KDP] enabled

Defend against limited physical access, data attacks:
  Kernel DMA protection enabled

Protect identities and secrets from external threats:
  Credential Guard enabled

However, users of other devices can also take advantage of similar protection if they configure their hardware and Windows security features correctly.

"Specifically, the following features need to be enabled: Secure boot, HVCI (enables VBS), KDP (automatically turned on when VBS is on), KDMA (Thunderbolt only) and Windows Defender System Guard," Microsoft explains.

"With Secured-core PCs, however, customers get a seamless chip to cloud security pattern that starts from a strong hardware root of trust and works with cloud services and Microsoft Defender ATP to aggregate and normalize the alerts from hardware elements to provide end-to-end endpoint security."
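For readers on non-Secured-core hardware who want to verify the features Microsoft lists above, here is a PowerShell check added as an example for this post (it is not Microsoft's or BleepingComputer's code). It assumes the built-in Win32_DeviceGuard WMI class and the Confirm-SecureBootUEFI cmdlet are available, and that "Windows Defender System Guard" corresponds to the Secure Launch service reported by that class.

```powershell
# Added example: report whether the protections Microsoft lists are enabled on this device.
# Run from an elevated PowerShell prompt on Windows 10. Assumes the built-in
# Win32_DeviceGuard WMI class and the Confirm-SecureBootUEFI cmdlet exist.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI,
# 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement
$running      = @($dg.SecurityServicesRunning)
$hvci         = $running -contains 2
$credGuard    = $running -contains 1
$secureLaunch = $running -contains 3

# Secure Boot state comes from UEFI; the cmdlet throws on legacy-BIOS systems,
# which for our purposes means Secure Boot is not in effect
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

# KDP is turned on automatically when VBS is running (per the Microsoft quote above)
$results = [ordered]@{
    'Secure Boot'                           = $secureBoot
    'Virtualization-based security (VBS)'   = $vbsRunning
    'HVCI'                                  = $hvci
    'KDP (implied by VBS running)'          = $vbsRunning
    'Credential Guard'                      = $credGuard
    'System Guard Secure Launch (assumed)'  = $secureLaunch
}

$results.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'ENABLED' } else { 'MISSING' }
    '{0,-40} {1}' -f $_.Key, $state
}

# Kernel DMA protection is not exposed through Win32_DeviceGuard; check the
# "Kernel DMA Protection" row in System Information (msinfo32) for that one.
```

A row reported as MISSING on a machine that is supposed to match the Secured-core baseline is the setting to chase down in BIOS or Windows Security before trusting the device against driver-abusing malware.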

Monday, March 16, 2020

CovidLock: Mobile Coronavirus Tracking App Coughs Up Ransomware

Tarik Saleh, Senior Security Engineer & Malware Researcher

Cybercriminals like to exploit people when they are at their most vulnerable. They use dramatic events that cause people to be emotional or fearful to drive their profits. Any time there are major news cycles happening on a topic that stirs a strong reaction, cybercriminals will not be far behind.

The Coronavirus is no different. Shortly after the first cases were confirmed, DomainTools' researchers observed a minor uptick in domain names leveraging Coronavirus and COVID-19. These registrations have spiked significantly in the past few weeks, and many of them are scams.

The DomainTools security research team has been continuously monitoring these suspicious domains and discovered one (coronavirusapp[.]site) that claims to offer a real-time Coronavirus outbreak tracker via an app download.

Malicious Website (coronavirusapp[.]site)

The domain prompts users to download an Android App that will give them access to a Coronavirus map tracker that appears to provide tracking and statistical information about COVID-19, including heatmap visuals.

Malicious COVID19 Tracker App

In reality, the app is poisoned with ransomware. This Android ransomware application, previously unseen in the wild, has been titled "CovidLock" because of the malware's capabilities and its background story. CovidLock uses techniques to deny the victim access to their phone by forcing a change in the password used to unlock the phone. This is also known as a screen-lock attack and has been seen before on Android ransomware.

COVID-19 Tracker App Ransom Note

The ransom note demands $100 in bitcoin within 48 hours. It threatens to erase your contacts, pictures and videos, as well as your phone's memory. It even claims that it will leak your social media accounts publicly.

Since Android Nougat has rolled out, there is protection in place against this type of attack. However, it only works if you have set a password. If you haven't set a password on your phone to unlock the screen, you're still vulnerable to the CovidLock ransomware.

The DomainTools security research team has reverse engineered the decryption keys and will be sure to post the key publicly. The team also has the BTC wallet and is monitoring its transactions. Further technical details will be released soon.

How To Increase Your Ransomware Immunity

Be sure to only use trusted information sources from government and research institution's websites. Don't click on anything in your email that's health related. In general, be sure to follow all of the basic phishing recommendations—be aware that people are trying to capitalize on fear here.

Ensure that you download Android applications only from the Google Play store. There is a much higher risk of downloading malware from untrusted 3rd party stores.

Research Conducted By:

Chad Anderson, Senior Security Researcher

Tarik Saleh, Senior Security Engineer & Malware Researcher

Fake coronavirus tracking app installs the "Covidlock" Ransomware

March 16, 2020, 10:52 AM by Absenta Mia

The coronavirus pandemic continues to spread rapidly. So far the virus has infected 153,000 people and claimed the lives of 5,800 people worldwide. And while the situation has spread fear, malicious actors are trying to exploit the prevailing climate of insecurity to infect smartphone devices with the Covidlock ransomware.

According to security company DomainTools, a website promises to offer reliable information on coronavirus cases through its Android app, but in reality it installs the Covidlock ransomware.

The website, known as "coronavirusapp[.]site", displays endorsements from the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). It also claims that its app has over 6 million reviews and a 4.4-star rating.

The app promises to send notifications to the user when it detects a coronavirus case near their area. But as soon as the user installs the app and grants it various permissions on their device, they are attacked by Covidlock, which forces them to change their screen lock.

The victim then receives a message giving them a 48-hour deadline to pay the ransom it demands. The message threatens that if the user does not pay in time, all data will be erased from their device and, in addition, their social media accounts will be leaked. The amount the hackers demand is $100 in bitcoin.

So far no case of the ransom being paid has become known. Meanwhile, the security company says it used reverse engineering to discover the decryption keys and intends to publish them soon.

Of course, this is not the only incident exploiting the prevailing climate of fear. A few days ago a fake coronavirus tracking map was circulated that installed malware on computers to steal passwords.

DomainTools notes that a worrying number of domains are being registered around the coronavirus. "These registrations have risen significantly in recent weeks and many of them are scams."

A similar incident occurred recently in Iran, where an app promised to inform people if they had been infected with the coronavirus. But in reality, what it did was collect the location data of Iran's citizens.

Coronavirus COVID-19 Global Cases by the Center for Systems Science and Engineering (CSSE) at Johns Hopkins University (JHU)

Professor Lauren Gardner, a civil and systems engineering professor at Johns Hopkins University, built the dashboard with her graduate student, Ensheng Dong. It is maintained at the Center for Systems Science and Engineering at the Whiting School of Engineering, with technical support from ESRI and the Johns Hopkins University Applied Physics Laboratory. Gardner is co-director of the CSSE.


Microsoft Bing team launches COVID-19 tracker

Microsoft's COVID-19 tracker is located at bing.com/covid.

By Catalin Cimpanu for Zero Day | March 15,

The Microsoft Bing team today launched a web portal for tracking coronavirus (COVID-19) infections across the globe.

"Lots of Bing folks worked (from home) this past week to create a mapping and authoritative news resource for COVID19 info," said Michael Schechter, General Manager for Bing Growth and Distribution at Microsoft.

The website, accessible at bing.com/covid, is a basic tracker. It shows up-to-date infection statistics for each country around the globe and all the US states.

Data is aggregated from authoritative sources like the World Health Organization (WHO), the US Centers for Disease Control and Prevention (CDC), and the European Centre for Disease Prevention and Control (ECDC).

Users can click countries or US states on the map and see the latest infection stats, along with the latest COVID-19 news coverage for that specific country or state.

Microsoft announced the website tonight, two days after President Trump said Google had begun working on a COVID-19-related portal for US citizens.

According to reports, Google's website will be more than just an infection tracker and news portal, and will also include information on COVID-19 symptoms, risks associated with the disease, and info on local testing centers.

Google's website is being built by Verily, a subsidiary of Alphabet focused on healthcare services. More than 1,700 engineers are currently working on the site, President Trump said.

The COVID-19 outbreak, which started in late December 2019 in China, has now infected more than 168,000 people and killed nearly 6,500.

Earlier this week, the WHO officially declared COVID-19 a global pandemic. The last time when a global pandemic was declared was in 2009, for the H1N1 influenza virus.