mopalight.blogg.se

Windows defender controlled folder access










Ransomware has rarely been out of the headlines over the past few years and it is the most prevalent threat in 2020. WannaCry and NotPetya may be distant memories but the vulnerabilities they rely on are still exploited. And more recently, malware in the RobbinHood family has been used to target large organizations, first by getting access to networks using brute force attacks against RDP and then by introducing a vulnerable kernel driver that lets hackers take full control of systems.

Microsoft Defender vs ransomware

Controlled Folder Access (CFA) was added to Windows 10 in the Fall Creators Update to protect users' files in the event of a ransomware attack. Windows Defender Exploit Guard replaced the Enhanced Mitigation Experience Toolkit (EMET) in Windows 10.

Bypassing Controlled folder access via OLE

Spanish security researcher Yago Jesus, from SecurityByDefault, published a report showing how to bypass Microsoft's Controlled folder access (CFA) via OLE. This is possible because Office executables are included by default in a whitelist. So these programs could make changes in protected folders without restrictions. This means that Office applications can change files located in a protected folder, bypassing CFA protection, whether the user likes it or not.

Jesus published three examples of manipulated Office documents (which could be distributed by spam email). These can be used to overwrite the contents of other Office documents stored in protected folders, to password-protect the same files, or to insert their contents into files outside the CFA folder, encrypt them and delete the originals. While the first example is only destructive, the other two examples work as ransomware, demanding a ransom payment from the victim to unlock the password/encryption code.

The security researcher informed Microsoft about the problem he had discovered, but is dissatisfied with the manufacturer's reaction. In a screenshot of the email he received from Microsoft, Jesus documents that the manufacturer of the operating system did not classify the problem as a security vulnerability. Microsoft intends to improve file protection in future versions to address the reported bypass method.











