
Microsoft Patches Zero-Day Magniber Ransomware Hackers Used

Endpoint security, governance and risk management, patch management

SmartScreen treated a malformed signature the same way as a valid signature

Prajeet Nair (@prajeetspeaks) •
December 14, 2022


A fix for a zero-day vulnerability exploited by ransomware hackers is part of this month’s patch dump of the Microsoft operating system.


Operators of a ransomware variant known as Magniber have exploited CVE-2022-44698 to bypass a Windows security feature intended to prevent malicious files from running on a desktop.

The patch is one of 52 fixes published by Microsoft in the last Patch Tuesday of 2022. Six are rated critical, 43 important and three moderate in severity.

HP security researchers characterize Magniber as “single-client ransomware” targeting individual computers rather than fleets of devices. Operators have been known to demand $2,500 to unlock data.

As described by 0Patch’s Mitja Kolsek, Magniber ransomware attackers were able to bypass the Windows SmartScreen feature by creating a malformed, unparsable Authenticode signature. SmartScreen is a security component of the Windows operating system that inspects files downloaded from the Internet for matches against a database of malicious files. It looks for Authenticode’s digital signature to determine if the executable is from a trusted publisher and hasn’t been tampered with since it was published.

The mistake, discovered by security researcher Will Dormann, is that Windows treated a malformed Authenticode signature the same way as a trusted signature and allowed the file to run without triggering the SmartScreen warning.
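As an added illustration of the fail-closed behaviour this bug violated (example code, not from the article, Microsoft or the researchers quoted), the following PowerShell script audits files that carry the Mark of the Web and reports any Authenticode status other than Valid as untrusted; the download folder and the extension list are assumptions.

```powershell
# Added example: treat every Authenticode result other than "Valid" as untrusted.
# Assumptions: Windows with an NTFS volume (Zone.Identifier alternate data stream);
# $DownloadDir and the extension list are hypothetical choices, not from the article.
param(
    [string]$DownloadDir = "$env:USERPROFILE\Downloads"
)

function Test-MarkOfTheWeb {
    param([string]$Path)
    # Browsers and mail clients write a Zone.Identifier stream; ZoneId=3 is the Internet zone.
    try {
        $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        return [bool]($zone -match '^ZoneId=3')
    } catch {
        return $false   # no stream: not flagged as an Internet download (or the stream was removed)
    }
}

function Get-SignatureVerdict {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Fail closed: only a fully validated signature counts as Trusted. NotSigned,
    # HashMismatch, NotTrusted, UnknownError and NotSupportedFileFormat are all
    # reported as Untrusted instead of being waved through like the SmartScreen bug did.
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Verdict = if ($sig.Status -eq 'Valid') { 'Trusted' } else { 'Untrusted' }
    }
}

$interesting = @('.exe', '.dll', '.msi', '.js', '.ps1')

Get-ChildItem -Path $DownloadDir -Recurse -File |
    Where-Object { $interesting -contains $_.Extension.ToLower() } |
    Where-Object { Test-MarkOfTheWeb $_.FullName } |
    ForEach-Object { Get-SignatureVerdict $_.FullName } |
    Sort-Object Verdict |
    Format-Table -AutoSize
```

Run it as the user whose downloads you want to review; every row with Verdict "Untrusted" is a file SmartScreen should warn about, regardless of why validation failed.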

“And so a new 0 day – already exploited in the wild – was revealed,” Kolsek wrote.

Since Dormann discovered the zero-day in mid-October, some researchers have questioned the speed with which Microsoft developed a patch. Ransomware, and malware in general, relies heavily on convincing users to bypass the security measures designed to prevent automatic file execution that Microsoft has built into Windows over the past few decades.

“Considering how much phishing attacks rely on people opening attachments, these safeguards are vital in preventing malware and other attacks,” said Dustin Childs, a security analyst with the Zero Day Initiative, a software vulnerability program run by cybersecurity firm Trend Micro.

Other critical fixes

Microsoft is also patching a DirectX Graphics Kernel elevation of privilege vulnerability, CVE-2022-44710, which is also listed as publicly known. In this case, the attacker must win a race condition on Windows 11.

Ashley Leonard, founder and CEO of cybersecurity firm Syxsense, says an attacker who successfully exploited this vulnerability could gain system privileges.

“If they could do that, the vulnerability has a jump point, meaning they could break out of the vulnerable part and move to another part of the operating system. Since there are no known countermeasures, the only option is to implement this patch,” said Leonard.

Microsoft also fixed 16 remote code execution bugs, including multiple Office bugs.

Another defect addressed by Microsoft is a PowerShell Remote Code Execution Vulnerability with a CVSS score of 8.5, tracked as CVE-2022-41076. This critical bug allows authenticated users to escape the PowerShell Remoting Session Configuration firewall and run unapproved commands.

Mike Walters, vice president of vulnerability and threat research at Action1, says the powerful bug could affect Windows operating systems starting with Windows 7 and Windows Server 2008 R2, as well as PowerShell 7.2 and 7.3.

Another critical vulnerability with a CVSS score of 8.8 affects the Microsoft SharePoint Server. Tracked as CVE-2022-44693, it allows an authenticated attacker to remotely execute code on SharePoint servers.

“To exploit it, attackers only need access to a basic user account with Manage List permissions, which most companies grant to all SharePoint users by default. This vulnerability requires no user interaction; once attackers have the correct credentials, they can remotely execute code on a target SharePoint server,” says Walters.
