January 3, 2024
Severity
High
Analysis Summary
A new variant of the dynamic link library (DLL) search order hijacking technique has been discovered that could be leveraged by cybercriminals to bypass security measures on Microsoft Windows 10 and 11 systems and execute malicious code.
DLL search order hijacking manipulates the order in which Windows searches for DLLs so that a malicious payload is loaded instead of the intended library, with the goals of evading detection, achieving persistence, and escalating privileges. Attacks using this technique usually target applications that do not specify the full path of the libraries they load and instead rely on the predefined search order to locate the required DLLs on disk.
The cybersecurity analysts said, “This method allows threat actors to circumvent high privilege requirements to execute malicious code in applications within the Windows folder, specifically WinSxS, and eliminates the need for additional binaries in the attack chain. Furthermore, it facilitates the execution of malicious code from any location, and it is compatible with both Windows 10 and 11.”
Adversaries can eliminate the need for high privileges by using this technique when they want to execute malicious code on an infected system or inject potentially vulnerable binaries into the attack chain. Attackers run legitimate system binaries from non-standard directories that contain malicious DLLs named after the legitimate ones; this way the library containing the malicious code is chosen instead of the legitimate one. This works because the process that loads the DLL searches the directory it is running from first before looking in other locations in a fixed order. The search order is as follows:
- The directory from which the application is launched
- The folder “C:\Windows\System32”
- The folder “C:\Windows\System”
- The folder “C:\Windows”
- The current working directory
- Directories listed in the system’s PATH environment variable
- Directories listed in the user’s PATH environment variable
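The following Python script is an added illustration, not code from the advisory or from the researchers it cites. It models the search order listed above over a constructed, in-memory "file system" and reports which path would win for each DLL name, flagging any resolution that lands outside the Windows system directories. It also shows the detail the list alone does not make obvious: a DLL that is present in System32 is not shadowed by the current working directory, because System32 is searched before it, whereas a DLL name that no system directory provides falls through to the current directory. All directory and DLL names below are constructed placeholders; the model omits loader features such as the KnownDLLs list and SafeDllSearchMode.

```python
# Added example: model the Windows DLL search order from the advisory and
# audit where each DLL name would resolve. Not the advisory's own code.

# Directories the loader consults, in order (as listed in the advisory).
def build_search_order(app_dir, cwd, system_path="", user_path="", windir="C:\\Windows"):
    order = [
        app_dir,                    # 1. directory the application was launched from
        f"{windir}\\System32",      # 2. C:\Windows\System32
        f"{windir}\\System",        # 3. C:\Windows\System
        windir,                     # 4. C:\Windows
        cwd,                        # 5. current working directory
    ]
    order += [p for p in system_path.split(";") if p]  # 6. system PATH entries
    order += [p for p in user_path.split(";") if p]    # 7. user PATH entries
    return order


def resolve_dll(dll_name, search_order, present_files):
    """Return the first path in search order at which dll_name exists, else None.

    present_files is a set of full paths standing in for the disk (constructed).
    Comparison is case-insensitive, as on NTFS."""
    present = {p.lower() for p in present_files}
    for directory in search_order:
        candidate = f"{directory.rstrip(chr(92))}\\{dll_name}"
        if candidate.lower() in present:
            return candidate
    return None


# Locations from which a system binary is expected to load its libraries.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\system", "c:\\windows\\winsxs")


def is_shadowed(resolved_path):
    """True when a DLL resolves to a location outside the Windows system directories."""
    if resolved_path is None:
        return False
    low = resolved_path.lower()
    return not any(low.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def audit(dll_names, search_order, present_files):
    """Map each DLL name to (resolved_path, shadowed) for review by a defender."""
    result = {}
    for name in dll_names:
        resolved = resolve_dll(name, search_order, present_files)
        result[name] = (resolved, is_shadowed(resolved))
    return result


# Constructed scenario: a WinSxS binary launched while the current directory is a
# user-controlled folder. Component directory and DLL names are placeholders.
APP_DIR = "C:\\Windows\\WinSxS\\placeholder_component_dir"
CWD = "C:\\Users\\alice\\Downloads\\staging"
PRESENT_FILES = {
    "C:\\Windows\\System32\\example.dll",   # legitimate copy in System32
    CWD + "\\example.dll",                  # same name in the working directory
    CWD + "\\missing.dll",                  # a name no system directory provides
}
ORDER = build_search_order(APP_DIR, CWD)


def run_scenario():
    return audit(["example.dll", "missing.dll"], ORDER, PRESENT_FILES)


if __name__ == "__main__":
    for name, (path, shadowed) in run_scenario().items():
        print(f"{name:12} -> {path}  {'SHADOWED' if shadowed else 'ok'}")
```

The output shows `example.dll` resolving from System32 despite the copy in the working directory, while `missing.dll` resolves from the working directory and is flagged. In practice the names worth auditing are those a given binary actually imports but that no system directory supplies.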
Researchers have devised a new twist that targets files present in the “C:\Windows\WinSxS” folder (short for Windows side-by-side). WinSxS is a critical Windows component used for customizing and updating the operating system while ensuring integrity and compatibility. The main idea is to search for vulnerable binaries within the WinSxS folder, such as aspnet_wp.exe and ngentask.exe, and combine them with other common DLL search order hijacking methods. This is achieved by strategically placing a custom DLL with the same name as the legitimate DLL into an actor-controlled directory to execute code.
The vulnerable file in the WinSxS folder is executed with the custom folder containing the malicious DLL set as the current directory; this alone is enough to execute the DLL’s contents, with no need to copy the executable out of the WinSxS folder into that directory.
Researchers warn that additional binaries in the WinSxS folder may be subject to this kind of DLL search order hijacking, making it necessary for organizations to take precautions to mitigate the threat within their environments. This can be done by examining parent-child relationships between processes, with a focus on trusted binaries. Closely monitor all activity performed by the binaries found in the WinSxS folder, focusing on file operations and network communications.
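As an added example of the monitoring the researchers recommend (not code from the advisory or from the researchers), the script below applies three heuristics to Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records: a WinSxS binary started with a working directory outside C:\Windows, a WinSxS binary spawned by a parent that is not itself under C:\Windows, and a WinSxS binary loading a DLL that is unsigned or located outside C:\Windows. The event format, field names, component directory names and file paths are constructed for the example; real Sysmon output carries more fields and long versioned WinSxS component folder names.

```python
# Added example: flag suspicious activity by WinSxS binaries in Sysmon-style
# telemetry. Constructed sample events; not the advisory's own code.
import json

WINDOWS_ROOT = "c:\\windows\\"
WINSXS_ROOT = "c:\\windows\\winsxs\\"


def _under(path, root):
    """Case-insensitive prefix check; a missing path never counts as trusted."""
    return path is not None and path.lower().startswith(root)


def detect(events):
    """Return (event_index, rule_name, detail) tuples for events that match a heuristic."""
    findings = []
    for idx, ev in enumerate(events):
        image = ev.get("Image", "")
        if not _under(image, WINSXS_ROOT):
            continue  # only binaries living in WinSxS are in scope here
        if ev.get("EventID") == 1:
            # Heuristic 1: working directory outside the Windows folder.
            if not _under(ev.get("CurrentDirectory"), WINDOWS_ROOT):
                findings.append((idx, "untrusted_cwd", ev.get("CurrentDirectory")))
            # Heuristic 2: parent process is not a Windows binary.
            if not _under(ev.get("ParentImage"), WINDOWS_ROOT):
                findings.append((idx, "untrusted_parent", ev.get("ParentImage")))
        elif ev.get("EventID") == 7:
            # Heuristic 3: a loaded module that is unsigned or not under C:\Windows.
            loaded = ev.get("ImageLoaded", "")
            signed = str(ev.get("Signed", "false")).lower() == "true"
            if not _under(loaded, WINDOWS_ROOT) or not signed:
                findings.append((idx, "untrusted_dll_load", loaded))
    return findings


def load_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample telemetry (JSON lines). Paths and component names are placeholders.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\WinSxS\\placeholder_component\\ngentask.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CurrentDirectory": "C:\\Windows\\System32\\"}
{"EventID": 1, "Image": "C:\\Windows\\WinSxS\\placeholder_component\\aspnet_wp.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "CurrentDirectory": "C:\\Users\\alice\\Downloads\\staging\\"}
{"EventID": 7, "Image": "C:\\Windows\\WinSxS\\placeholder_component\\aspnet_wp.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\staging\\example.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Windows\\WinSxS\\placeholder_component\\aspnet_wp.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 1, "Image": "C:\\Program Files\\Example\\app.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CurrentDirectory": "C:\\Users\\alice\\"}
"""

SAMPLE_EVENTS = load_jsonl(SAMPLE_LOG)


if __name__ == "__main__":
    for idx, rule, detail in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {detail}")
```

The first record (a WinSxS binary started by a system service with a system working directory) and the last record (a non-WinSxS binary) produce no findings; the second record trips both process-creation heuristics and the third trips the image-load heuristic. Treat these as triage rules to be tuned against a baseline of legitimate servicing activity rather than as high-confidence alerts on their own.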
Impact
- Security Bypass
- Code Execution
Remediation
- Examine parent-child relationships between processes to detect and mitigate this exploitation method in the environment.
- Closely monitor all the activities performed by the binaries found in the WinSxS folder.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Use web filtering tools to block access to known malicious domains and websites.
- Keep all software, including operating systems, browsers, and applications, up to date with the latest security patches.
- Monitor network traffic for unusual or suspicious activity.
- Implement the principle of least privilege to restrict user access to only the resources and data necessary for their roles.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.
- Regularly back up critical data and ensure that a robust backup and recovery plan is in place.