A couple of weeks back, researchers from cybersecurity firm Eclypsium revealed that almost all the major hardware manufacturers have a flaw that can allow malicious applications running at user level to gain kernel privileges, thereby gaining direct access to firmware and hardware.
The researchers released a list of affected BIOS vendors and hardware manufacturers which included Toshiba, ASUS, Huawei, Intel, Nvidia and more. The flaw also affects all current versions of Windows, including Windows 7, 8, 8.1 and Windows 10. While Microsoft has already released a statement confirming that Windows Defender is more than capable of handling the issue, they didn’t mention that users need to be on the latest version of Windows to benefit from it. For older versions of Windows, Microsoft noted that it will be using the HVCI (Hypervisor-enforced Code Integrity) capability to blacklist drivers that are reported to them. Unfortunately, this feature is only available on 7th generation and later Intel processors; so older CPUs, or newer ones where HVCI is disabled, require the drivers to be manually uninstalled.
If this wasn’t enough bad news, hackers have now managed to use the flaw against users. The Remote Access Trojan, or RAT, has been around for years, but recent developments have made it more dangerous than ever. The NanoCore RAT used to sell on the Dark Web for $25, but it was cracked back in 2014 and a free version was made available to hackers. After this, the tool grew more sophisticated as new plugins were added to it. Now, researchers from LMNTRIX Labs have discovered a new addition that allows hackers to take advantage of the flaw, and the tool is available for free on the Dark Web.
In case you were underestimating the tool, it can allow a hacker to remotely shut down or reboot the system, remotely browse files, and access and control the Task Manager, Registry Editor, and even the mouse. Not only that, but the attacker can also open web pages, disable the webcam activity light to spy on the victim unnoticed, and capture audio and video. Since the attacker has full access to the computer, they can also recover passwords and obtain login credentials using a keylogger, as well as lock the computer with custom encryption that can act like ransomware.
The good news is that, because NanoCore RAT has been around for years, the software is well known to security researchers. The LMNTRIX team (via Forbes) broke detection techniques down into three main categories:
- T1064 – Scripting: As scripting is commonly used by system administrators to perform routine tasks, any anomalous execution of legitimate scripting programs, such as PowerShell or Wscript, can signal suspicious behaviour. Checking office files for macro code can also help identify scripting used by attackers. Office processes, such as winword.exe spawning instances of cmd.exe, or script applications like wscript.exe and powershell.exe, may indicate malicious activity.
- T1060 – Registry Run Keys / Startup Folder: Monitoring the Registry for changes to run keys that do not correlate with known software or patch cycles, and monitoring the Startup folder for additions or changes, can help detect malware. Suspicious programs executing at start-up may show up as outlier processes that have not been seen before when compared against historical data. Solutions like LMNTRIX Respond, which monitors these important locations and raises alerts for any suspicious change or addition, can help detect these behaviours.
- T1193 – Spearphishing Attachment: Network Intrusion Detection systems, such as LMNTRIX Detect, can be used to detect spearphishing with malicious attachments in transit. In LMNTRIX Detect’s case, in-built detonation chambers can detect malicious attachments based on behaviour, rather than signatures. This is critical as signature-based detection often fails to protect against attackers that frequently change and update their payloads.
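To make the first two categories concrete, here is an added example (not from the article or LMNTRIX) of a minimal detector run over constructed, Sysmon-style process-creation and registry events: it flags an Office process spawning a scripting host (T1064) and a Run-key value that points outside trusted install directories (T1060). The event field names, the trusted-directory list and the sample events are all assumptions for illustration.

```python
# Added example: detect Office-spawned scripting hosts (T1064) and suspicious
# Run-key persistence (T1060) over constructed Sysmon-like events.
# Event layout (EventID 1 = process create, 13 = registry value set) is simplified.
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumed allowlist: binaries installed under these paths are treated as expected.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_process(ev):
    """T1064: an Office application launching a scripting host is an outlier."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        return f"T1064 {parent} spawned {child}: {ev['CommandLine']}"
    return None

def check_registry(ev):
    """T1060: Run/RunOnce value whose target is not in a trusted install location."""
    if not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    exe = ev["Details"].strip('"').lower()
    if not exe.startswith(TRUSTED_DIRS):
        return f"T1060 Run key {ev['TargetObject']} -> {ev['Details']}"
    return None

def scan(events):
    """Return one alert string per matching event, in input order."""
    alerts = []
    for ev in events:
        hit = check_process(ev) if ev["EventID"] == 1 else (
            check_registry(ev) if ev["EventID"] == 13 else None)
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample telemetry (not real events): one benign and one suspicious of each kind.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd /c wscript.exe C:\Users\alice\AppData\Local\Temp\inv.vbs"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\update.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running it prints two alerts: the Word-to-cmd.exe launch and the Run-key entry under the user's AppData folder, while the Explorer-launched PowerShell and the OneDrive autostart pass.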
Overall, these detection techniques apply to organizations. For personal/home users, the best thing to do right now is to update every piece of software to make sure it’s running on the latest version. This includes Windows drivers, third-party software and even Windows Updates. Most importantly, don’t download or open any suspicious email, and don’t install third-party software from an unknown vendor.