Attacks/Breaches

10/19/2017
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'BoundHook' Technique Enables Attacker Persistence on Windows Systems

CyberArk shows how attackers can leverage Intel's MPX technology to burrow deeper into a compromised Windows system.

Security researchers at CyberArk have developed a technique showing how attackers can exploit a feature in the Memory Protection Extension (MPX) technology on modern Intel chips to steal data from Windows 10 systems and to remain completely undetected on them.

CyberArk's new BoundHook technique is similar to the GhostHook method that the company revealed earlier this year in that it is a post-exploitation technique. In other words, for BoundHook to work, an attacker would need to already have privileged access on a Windows 10 system.

Microsoft itself, for that reason, has refused to categorize the issue as a vulnerability that merits a security patch. "The technique described in this marketing report does not represent a security vulnerability and requires a machine to already be compromised to potentially work," the company said in a statement. "We encourage customers to always keep their systems updated for the best protection."

Intel's MPX technology, introduced with the chipmaker's Skylake line in 2015, is designed to protect applications against buffer overflows, out-of-bounds access, and other memory errors and attacks. Applications running on Windows 10 systems use the feature as protection against buffer overflow attacks.

CyberArk's BoundHook technique uses a boundary check instruction in MPX to hook processes on a system, and to essentially change its behavior. "The BoundHook technique allows you to run your own code inside foreign processes and change its normal behavior, without leaving any traces inside these foreign processes," says Doron Naim, senior security researcher at CyberArk.

Hooking is about changing the behavior of certain functions in the operating system or application software on a system, he says. As one example, he points to the key input function. "If an attacker were able to hook this function, they would be able to sniff and steal your keystrokes."

Typically, to do hooking you have to write hooking code inside a target process, he says. With BoundHook, the code is not used to execute the hook itself but to cause an error, like a boundary exception error in the process. From there an attacker can take complete control of the thread execution, Naim notes. "If you control the thread execution, you can do anything you want by the name of the target process. For example, if it's Word.exe, you can steal credentials or send information to the Internet through this process." Most antivirus tools are not equipped to detect the malicious activity that is enabled via BoundHook, according to CyberArk.

While Microsoft has downplayed BoundHook just as it did with GhostHook, Naim insists CyberArk's latest technique indeed poses a threat. "The first thing to note is that this technique is most likely to be used by nation-state attackers, or very well financed criminal organizations that are looking for infiltrations that last."

In the current threat environment, gaining administrative privileges on an endpoint system is something that administrators should assume even the most basic attacker can accomplish, he says. In most cases, all it takes is for a single individual to click on the wrong link or fall for a phishing scam.

Techniques such as the one that CyberArk demonstrated this week are important because they show how attackers can improve their dwell-time on a compromised network, Naim notes. "Techniques like this are incredibly powerful in helping attackers disappear after the initial infection point — allowing them to build in backdoors and plan their attacks in de facto stealth mode."

Related content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industrys most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11763
PUBLISHED: 2018-09-25
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
CVE-2018-14634
PUBLISHED: 2018-09-25
An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerabl...
CVE-2018-1664
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache. ...
CVE-2018-1669
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote atta...
CVE-2018-1539
PUBLISHED: 2018-09-25
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 could allow remote attackers to bypass authentication via a direct request or forced browsing to a page other than URL intended. IBM X-Force ID: 142561.