
All Windows Machines Require Security Patch to Combat Exploited “Complete Control” Attack

Windows Defender can protect against a Complete Control flaw disclosed this month, but only through the latest Windows patches.


Earlier this month, cybersecurity firm Eclypsium disclosed a Complete Control flaw affecting just about all major hardware manufacturers. Researchers at the company said the vulnerability would allow bad actors operating at user level to install malicious apps that gain kernel privileges. All Windows users are now being advised to update their OS.

Major BIOS vendors and manufacturers such as Intel were named as affected, as well as Microsoft's Windows. In fact, the danger to Windows was almost blanket: the Complete Control attack affects all newer versions of the OS. Eclypsium confirmed Windows 7, 8 and 8.1 could be exploited, along with newer versions.

At the time, Microsoft reassured users by saying Windows Defender can easily deal with any attack based on the flaw. While the company was correct, for some reason it did not say that only the latest Windows patches could protect against the flaw.

Users not on the latest security patches are left vulnerable. Microsoft said it would blacklist the reported drivers through HVCI (Hypervisor-enforced Code Integrity). Again, this is good news, but it has limited scope: HVCI is only supported on devices running 7th Gen Intel CPUs or newer. Those on older processors must manually uninstall the affected drivers.

Hackers have already found a way to exploit the Complete Control vulnerability. An updated version of a Remote Access Trojan (RAT), called the NanoCore RAT, is being leveraged; security researchers at LMNTRIX Labs have found it has been used to exploit the vulnerability. It is currently available to attackers through the Dark Web, according to Forbes.

Detection

As NanoCore RAT has been around for a while, researchers know plenty about it. LMNTRIX Labs discussed how the tool can be detected:

  • “T1064 – Scripting: Scripting is commonly used by system administrators to perform routine tasks. Any anomalous execution of legitimate scripting programs, such as PowerShell or Wscript, can signal suspicious behaviour. Checking office files for macro code can also help identify scripting used by attackers. Office processes, such as winword.exe spawning instances of cmd.exe, or script applications like wscript.exe and powershell.exe, may indicate malicious activity.
  • T1060 – Registry Run Keys / Startup Folder: Monitoring the Registry for changes to run keys that do not correlate with known software or patch cycles, and monitoring the start folder for additions or changes, can help detect malware. Suspicious programs executing at start-up may show up as outlier processes that have not been seen before when compared against historical data. Solutions like LMNTRIX Respond, which monitors these important locations and raises alerts for any suspicious change or addition, can help detect these behaviours.
  • T1193 – Spearphishing Attachment: Network Intrusion Detection systems, such as LMNTRIX Detect, can be used to detect spearphishing with malicious attachments in transit. In LMNTRIX Detect's case, in-built detonation chambers can detect malicious attachments based on behaviour, rather than signatures. This is critical as signature-based detection often fails to protect against attackers that frequently change and update their payloads.”
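As an added example (not LMNTRIX's code or anything from the original article), the T1064 and T1060 checks from the list above applied to constructed Sysmon-style process-creation and registry events; the field names, the Office and script-host sets and the Run-key allowlist are assumptions for this illustration.

```python
# Added example: T1064 / T1060 checks over constructed Sysmon-style records.
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Assumed allowlist: Run-key value name -> path fragment the known software lives under.
KNOWN_RUN_VALUES = {"OneDrive": "\\onedrive\\", "SecurityHealth": "\\system32\\"}

def base(path):
    return ntpath.basename(path).lower()  # works on Windows paths on any OS

def check_process(ev):
    """T1064: an Office process spawning a scripting host."""
    parent, child = base(ev["ParentImage"]), base(ev["Image"])
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return f"T1064 {parent} -> {child}: {ev['CommandLine']}"
    return None

def check_registry(ev):
    """T1060: a Run/RunOnce value that does not correlate with known software."""
    key = ev["TargetObject"]
    if "\\currentversion\\run" not in key.lower():
        return None  # not a Run-key write, ignore
    name = key.rsplit("\\", 1)[-1]
    expected = KNOWN_RUN_VALUES.get(name)
    if expected and expected in ev["Details"].lower():
        return None  # known software at its usual location
    return f"T1060 Run key {name} -> {ev['Details']}"

def scan(events):
    """Return one finding string per suspicious event, in input order."""
    hits = (check_process(e) if e["type"] == "process" else check_registry(e) for e in events)
    return [h for h in hits if h]

# Constructed sample events: two benign, two suspicious, one unrelated registry key.
SAMPLE_EVENTS = [
    {"type": "process", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"type": "process", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs"},
    {"type": "registry", "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "registry", "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"type": "registry", "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
]
print(*scan(SAMPLE_EVENTS), sep="\n")
```

Only the Word-spawns-cmd event and the unknown "Updater" Run value are reported; the OneDrive entry passes because its name and location match the allowlist.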

For organizations and users, the best thing to do to avoid an attack is to ensure Windows is up to date.

Source: Forbes
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.