In its latest Windows preview, Microsoft adds a feature — Administrator Protection — designed to prevent threat actors from easily escalating privileges and restrict lateral movement.

Source: Mundissima via Shutterstock

Microsoft has introduced a significant security upgrade in its latest preview edition of Windows that aims to lock down local administrator privileges, making it much harder for cyberattackers to exploit privilege escalation issues.

The feature, Administrator Protection, changes the ability to elevate privileges from a free-floating capability to a "just-in-time" event that is much more limited in scope. The coming feature shifts the way Windows handles administrator permissions, moving from a split-token model gated by the User Account Control (UAC) prompt to an isolated, shadow environment managed by the system. This shadow administrator account disappears as soon as the designated task is completed, making it much harder for a cyberattacker to abuse the administrator's elevated privileges for malicious actions.

The feature will limit the scope of an elevation of privileges for administrator-enabled accounts, says Rudy Ooms, a technical content creator at Patch My PC, who published a technical analysis of the feature.

"The old legacy concept is that you have a split token, and it's not that secure," Ooms says. "With the new Administrator Protection, things change, and it completely reimagines this approach by eliminating the direct use of the split tokens and replacing it with a hidden system, managed account."

The feature should make it much harder for cyberattackers using living-off-the-land techniques to elevate their privileges and co-opt administrator access on compromised systems. Post-compromise, most attackers use common applications — such as PowerShell and system services — paired with administrative privileges to move laterally.

The Administrator Protection feature is the latest tactic in software firms' push toward eliminating poor trust models in their software. It's also a dramatic improvement from the days of pass-the-hash attacks, where attackers could gain elevated privileges without knowing the administrator's credentials. With this new feature, attackers can still use the administrator's credentials to try to escalate privileges, but the window to do so is much smaller.

"Attackers have to rethink all their old tricks," says Jason Soroko, a senior fellow at certificate management firm Sectigo. "It impacts the ability for an attacker to be able to walk around as the administrator, and so living off the land is \[less of a threat\] because organizations have a lot of tools that are installed that are of great usage to the attacker."

**Administrators' Split Personalities on Windows**

Microsoft's current approach to handling elevated privileges is to give administrator accounts a "split token." The user account will by default be treated as a standard user — and with the same token, "TokenElevationTypeDefault" — limiting privileges. When a user attempts an action requiring administrative privileges, they must use the UAC feature to elevate their token to "TokenElevationTypeFull."

The split-token concept is a good approach, but it has problems, says Ooms.

"The problem here is this approach keeps admin rights relatively hidden but not inaccessible," he says. "Once the elevated admin token is activated, any malware running in the background can potentially hijack it and perform malicious actions. Essentially, while split tokens are better than running as an 'always-on' admin, they are still vulnerable to those kinds of attacks."

If Administrator Protection is enabled, users who elevate their privilege will switch to an isolated, managed system administrator account that protects the administrator token, according to Ooms's technical analysis.

"In my opinion, it will increase the security posture a lot because it reduces the attack surface," he says.

**Purpose-Built Accounts, Better Monitoring**

Microsoft declined to comment on the feature, but a spokesperson says the company plans to share more information at its Microsoft Ignite technology conference in November.

In the release notes for its Windows Preview, the company stated: "Administrator protection is an upcoming platform security feature in Windows 11, which aims to protect free floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and needs to be enabled via group policy."

While the feature will significantly improve system security, the instantiation and destruction of a shadow administrator account for specific tasks is also a boon to companies monitoring account activity, says Sectigo's Soroko.

"If you're monitoring privileged accounts, then your ability to monitor these short-lived privileged accounts and make sure they're not walking around doing something that they shouldn't \[is much better\]," he says. "You are able to contextualize what that account was created for, there's now new opportunities for people who are defending."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Microsoft Previews New Windows Feature to Limit Admin Privileges

Rather than setting a regular cadence for changing passwords, users only need to change their passwords if there is evidence of a breach.

Thursday, October 10, 2024 14:00

Say goodbye to the days of using the “@” symbol to mean “a” in your password or replacing an “S” with a “$.” 

The U.S. National Institute of Standards and Technology (NIST) recently announced new guidelines for the ways website and organizations should handle password creation and management that will do away with many of the “common sense” things we’ve thought about passwords for years now.  

Here is a tl;dr version of what these proposed guidelines say: 

*   Passwords need to be at least eight characters long, and sites should have an additional recommendation to make them at least 15 characters long. 
*   Credential service providers (CSPs) should allow users to make their passwords as long as 64 characters. 
*   CSPs should allow ASCII and Unicode characters to be included in passwords. 
*   Rather than setting a regular cadence for changing passwords, users only need to change their passwords if there is evidence of a breach. 
*   There should not be requirements to implement a certain number of numbers or special characters into passwords. (Ex., “Password12345!”) 
*   Do away with knowledge-based authentication or security questions when selecting passwords. (Think: “What was the name of your college roommate?”) 

Now, we should make a few things here clear. Just because NIST is proposing these doesn’t mean anyone \*has\* to abide by them, these are merely guidelines that some of the larger tech companies in the U.S. can choose to adopt. And these are proposed rules for the time being, meaning the public and tech companies have time to weigh in on the matter before they are codified in any way. 

While these proposals may seem counterintuitive, it should make traditional text-based login credentials more manageable for users and admins. Studies have shown that requiring a mixture of special characters and numbers has led users to create easier-to-guess passwords like “$ummer2024!” or “P@ssword”.  

And policies that require users to change their passwords often have led them to create passwords that are neigh-impossible to remember, so users end up storing these passwords in easy-to-locate places near their computers, like on a physical piece of paper or saved to a .txt file on their desktop.  

The hope from NIST is that enforcing longer passwords will make it harder for adversaries to guess and less intimidating for users to manage their passwords. 

Of course, using a third-party password manager is usually the most secure option for anyone. But what NIST is proposing is still a step in the right direction, and if nothing else will make those of us who are more security-minded have a better time when creating a new account.  

**The one big thing **

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings. October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities. The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.   

**Why do I care? **

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability. The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.   

**So now what? **

Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 - 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 - 301036 and 301041. 

**Top security headlines of the week  **

**Chinese state-sponsored actors are suspected to have breached several U.S. telecommunications providers to spy on U.S. government phone calls.** AT&T, Verizon and Lumen may have all been victims of the alleged counter-spying operation from the newly named APT Salt Typhoon. The actor potentially accessed information from systems that the U.S. government uses for court-authorized network wiretapping requests, all in the name of trying to steal government secrets. Though it’s still unclear how long Salt Typhoon had access to these networks, it’s clear they at least spent a few months on these networks, commonly used to cooperate with lawful U.S. requests for communication data. The attackers may have also accessed large amounts of other generic internet traffic through this operation. A separate Chinese APT known as Volt Typhoon became a major topic of conversation earlier this year for allegedly trying to infiltrate networks at U.S. military bases and other critical infrastructure sites. (Wall Street Journal, Washington Post) 

**Microsoft and the U.S. Department of Justice announced they had deactivated more than 60 domains and other attacker infrastructure associated with the Russian state-sponsored ColdRiver group.** ColdRiver is believed to be connected to Russia’s Federal Security Bureau (FSB) and recently has targeted non-governmental organizations, think tanks, military officials and intelligence officials in Ukraine and NATO countries. "The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials," U.S. Deputy Attorney General Lisa Monaco stated during the announcement of the disruption. ColdRiver (aka Callisto Group, Seaborgium and Star Blizzard) has been active since at least 2017. The U.S. State Department is now also offering up to a $10 million reward for any information that could help locate or identify any individual members of ColdRiver. (Security Magazine, Bleeping Computer) 

**With genetic testing company 23AndMe floundering, customers are left wondering what could happen to their personal information if the company goes bankrupt or goes out of business altogether.** 23AndMe, known for collecting DNA samples from customers and then providing them with a report about their ancestry, has lost millions of dollars in its valuation and stock price over the past few years.  However more than 15 million individuals have submitted their DNA to the company since it was founded in 2006, and privacy advocates are warning them to manually delete their data now before anything happens to the company. The company also has several data-sharing agreements with other private companies, which use 23AndMe data to conduct other studies and research. And because 23AndMe’s services do not fall under health care in the U.S., the company does not have to adhere to traditional HIPAA rules. Last year, the company was hit with a massive data breach that it said affected 6.9 million customer accounts, including 14,000 people who had their passwords stolen. U.S. law enforcement has also tried to access the company’s data in the past (requests that have been declined), and it is unclear if those requests would be allowed should the company no longer exist. (NPR, Business Insider) 

**Can’t get enough Talos? **

*   Cisco Talos: Advanced intelligence for global cyberthreats 
*   New MedusaLocker Ransomware Variant Deployed by Threat Actor 
*   MedusaLocker ransomware variant paired with ‘paid\_memes’ toolkit 
*   Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8   
**MD5:** b209df2951e29ab5eab4009579b10b8d  
**Typical Filename:** FileZilla\_3.67.1\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.76491DF69A-95.SBX.TG

**SHA 256:** c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a   
**MD5:** 3bc6d86fc4b3262137d8d33713ed6082   
**Typical Filename:** 8c556f0a.dll   
**Claimed Product:** N/A   
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** f0d7a2bb0c5db162332418747ba4987027b8a746b24c919a24235ff3b70d25e3   
**MD5:** 0d849044612667362bc88780baa1c1b7   
**Typical Filename:** CryptX.dll   
**Claimed Product:** N/A    
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** 331fdf5f1f5679a6f6bb0baee8518058aba8081ef8f96e57fa3b74291fcbb814   
**MD5:** f23b90fc9bc301baf3e399e189b6d2dc   
**Typical Filename:** B.dll   
**Claimed Product:** N/A     
**Detection Name:** Gen:Variant.Lazy.605353

What NIST’s latest password standards mean, and why the old ones weren’t working

CVE description:

Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.


----- original report -----
# Cause
authd assigns user IDs as a pure function of the user name. Moreover, the set of UIDs is much too small for pseudo-random assignment to work: the birthday bound predicts random collisions will occur with probability 50% after only 54 562 IDs were assigned.

`authd` only checks for uniqueness [within its local cache](https://github.com/ubuntu/authd/blob/4946962aa4ac6e5b7d2b53503026659581c73907/internal/users/cache/update.go#L67-L71), which
- may be inconsistent across multiple systems within the same domain ;
- may be purged, due to being stored in `/var/cache` ;
- automatically removes entries of users who have not logged into that specific system within the last 6 months.

The current `GenerateID` method, authored in September 2024 (commit a6c85ed24b8d17a2d11c859e8d70f5a52fa69690),
repeatedly hashes the user name until the 4 leading bytes fall into the interval [60 000; 2³¹[ :
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/users/manager.go#L425
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/services/nss/nss.go#L188

Previous versions are affected by similar issues, though without the use of a cryptographic hash in `GenerateID`, making exploitation computationally-easier.


# Impact

Since GenerateID is a pure function with no secret input, and the set of UIDs is small, an adversary which can register users with chosen names can
- register multiple users with colliding IDs, or
- register a single user whose ID collides with a target user's, whether one managed by `authd`, or a system user whose well-known ID is in a range which [overlaps `authd`'s].

In the latter case, as all access control performed by the Linux kernel (and other Unices' kernels) is based on IDs and not usernames, if the attacker can sign into a system, they will have the same privileges as the target user.  The attacker can bypass the uniqueness check in (at least) the following ways:
- engineer a situation where the system administrator purges `/var/cache` ;
- target a system account [whose UID is in `authd`'s range](https://github.com/ubuntu/authd/issues/547) ;
- target an account which hasn't logged into a specific system in more than 6 months.
  Note that this isn't limited to inactive accounts *within the entire domain*, and impersonation on a given system can potentially be leveraged to compromise the target account on other systems; for example:
  - user `alice` is known to log into `1.example.com` ;
  - the attacker computes a preimage (a username which yields the same UID), let's call it `bob` ;
  - the attacker creates the account `bob` and logs into `2.example.com`, succeeding if alice hasn't (recently) logged into that system ;
  - the attacker can now manipulate resources exposed on `2` as if they were alice; assuming `/home` is shared, they could manipulate `~alice/.ssh/authorized_keys`, `~alice/.config`, alice's shell's initialization file, etc.
    Note: NFSv4's `idmap` mechanism may prevent this, but isn't enabled by default (unless Kerberos is used, which isn't the case in an `authd` deployment)
  - at that point, gaining code execution as alice on `1.example.com` is usually trivial.

Since the necessary computation can be performed entirely offline, this wouldn't be affected by any rate-limits, and the only audit trail would be a single user registration. This would require on average less than 2³¹ computations of `GenerateID`: assuming SHA-256's cost is 25 cycles-per-byte, a clock speed of 3GHz, and short (≤32B) generated usernames, this is less than 10 minutes of a single core's time.

[overlaps `authd`'s]: https://github.com/ubuntu/authd/issues/547

# Remediation

The simplest and likely-best remediation path would be for the external IdP to provide a guaranteed-unique user ID in the correct range.
In OIDC, this is commonly communicated through a claim, though its name would need to be configurable as there's no real standard:
- CERN uses `cern_person_id`: https://auth.docs.cern.ch/user-documentation/oidc/config/ ;
- Okta, Zitadel, and many other IdPs, require the realm's administrator to define a custom attribute, conventionally called `uid` or `uidNumber` ;
- etc.

This is also supported by other commonplace identity providers, such as LDAP and Active Directory:
https://learn.microsoft.com/en-us/windows/win32/adschema/a-uidNumber

MS Entra presumably supports this as well.


If that is not possible for some reason, architectural changes to authd would likely be required:
assigning user IDs from a small space (such as Linux's 32b UIDs) requires mutable state to ensure uniqueness, whereas authd's design currently assumes no mutable state is held, aside from some transient, local cache.
Moreover, that mutable state may need to be synchronised across multiple machines as uniform UIDs are often necessary, for instance when accessing a common networked filesystem.


# Acknowledgements

Thanks to Michael Gebetsroither for assisting with the writeup, and Jamie Bliss for the same as well as investigating when the issue was introduced in authd.

CVE description:

Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.

\----- original report -----

**Cause**

authd assigns user IDs as a pure function of the user name. Moreover, the set of UIDs is much too small for pseudo-random assignment to work: the birthday bound predicts random collisions will occur with probability 50% after only 54 562 IDs were assigned.

authd only checks for uniqueness within its local cache, which

*   may be inconsistent across multiple systems within the same domain ;
*   may be purged, due to being stored in /var/cache ;
*   automatically removes entries of users who have not logged into that specific system within the last 6 months.

The current GenerateID method, authored in September 2024 (commit a6c85ed24b8d17a2d11c859e8d70f5a52fa69690),  
repeatedly hashes the user name until the 4 leading bytes fall into the interval \[60 000; 2³¹\[ :  
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/users/manager.go#L425  
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/services/nss/nss.go#L188

Previous versions are affected by similar issues, though without the use of a cryptographic hash in GenerateID, making exploitation computationally-easier.

**Impact**

Since GenerateID is a pure function with no secret input, and the set of UIDs is small, an adversary which can register users with chosen names can

*   register multiple users with colliding IDs, or
*   register a single user whose ID collides with a target user's, whether one managed by authd, or a system user whose well-known ID is in a range which overlaps authd's.

In the latter case, as all access control performed by the Linux kernel (and other Unices' kernels) is based on IDs and not usernames, if the attacker can sign into a system, they will have the same privileges as the target user. The attacker can bypass the uniqueness check in (at least) the following ways:

*   engineer a situation where the system administrator purges /var/cache ;
*   target a system account whose UID is in authd's range ;
*   target an account which hasn't logged into a specific system in more than 6 months.  
    Note that this isn't limited to inactive accounts _within the entire domain_, and impersonation on a given system can potentially be leveraged to compromise the target account on other systems; for example:
    *   user alice is known to log into 1.example.com ;
    *   the attacker computes a preimage (a username which yields the same UID), let's call it bob ;
    *   the attacker creates the account bob and logs into 2.example.com, succeeding if alice hasn't (recently) logged into that system ;
    *   the attacker can now manipulate resources exposed on 2 as if they were alice; assuming /home is shared, they could manipulate ~alice/.ssh/authorized_keys, ~alice/.config, alice's shell's initialization file, etc.  
        Note: NFSv4's idmap mechanism may prevent this, but isn't enabled by default (unless Kerberos is used, which isn't the case in an authd deployment)
    *   at that point, gaining code execution as alice on 1.example.com is usually trivial.

Since the necessary computation can be performed entirely offline, this wouldn't be affected by any rate-limits, and the only audit trail would be a single user registration. This would require on average less than 2³¹ computations of GenerateID: assuming SHA-256's cost is 25 cycles-per-byte, a clock speed of 3GHz, and short (≤32B) generated usernames, this is less than 10 minutes of a single core's time.

**Remediation**

The simplest and likely-best remediation path would be for the external IdP to provide a guaranteed-unique user ID in the correct range.  
In OIDC, this is commonly communicated through a claim, though its name would need to be configurable as there's no real standard:

*   CERN uses cern_person_id: https://auth.docs.cern.ch/user-documentation/oidc/config/ ;
*   Okta, Zitadel, and many other IdPs, require the realm's administrator to define a custom attribute, conventionally called uid or uidNumber ;
*   etc.

This is also supported by other commonplace identity providers, such as LDAP and Active Directory:  
https://learn.microsoft.com/en-us/windows/win32/adschema/a-uidNumber

MS Entra presumably supports this as well.

If that is not possible for some reason, architectural changes to authd would likely be required:  
assigning user IDs from a small space (such as Linux's 32b UIDs) requires mutable state to ensure uniqueness, whereas authd's design currently assumes no mutable state is held, aside from some transient, local cache.  
Moreover, that mutable state may need to be synchronised across multiple machines as uniform UIDs are often necessary, for instance when accessing a common networked filesystem.

**Acknowledgements**

Thanks to Michael Gebetsroither for assisting with the writeup, and Jamie Bliss for the same as well as investigating when the issue was introduced in authd.

**References**

*   GHSA-4gfw-wf7c-w6g2
*   https://nvd.nist.gov/vuln/detail/CVE-2024-9312
*   https://www.cve.org/CVERecord?id=CVE-2024-9312

GHSA-4gfw-wf7c-w6g2: Authd allows attacker-controlled usernames to yield controllable UIDs

Palo Alto Networks GlobalProtect versions 5.1.x, 5.2.x, 6.0.x, 6.1.x, 6.3.x and versions less than 6.2.5 suffer from a local privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20241009-0 >  
=======================================================================  
              title: Local Privilege Escalation via MSI installer  
            product: Palo Alto Networks GlobalProtect  
 vulnerable version: 5.1.x, 5.2.x, 6.0.x, 6.1.x, <6.2.5, 6.3.x  
      fixed version: >=6.2.5, all other versions are not patched yet  
         CVE number: CVE-2024-9473  
             impact: high  
           homepage: https://docs.paloaltonetworks.com/globalprotect  
              found: 2023-11-16  
                 by: Michael Baer (Office Fürth)  
                     SEC Consult Vulnerability Lab 

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"GlobalProtect enables you to use Palo Alto Networks next-gen firewalls or  
Prisma Access to secure your mobile workforce."

Source: https://docs.paloaltonetworks.com/globalprotect

Business recommendation:  
------------------------  
The vendor provides a patched version v6.2.5 which should be installed immediately.  
Further affected branches will be patched by the vendor in the future, except  
branch 5.2.x which is EOL. Users are urged to upgrade to the most recent versions.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2024-9473)  
The configuration of the GlobalProtect MSI installer file was found to  
produce a visible conhost.exe window running as the SYSTEM user when using   
the repair function of msiexec.exe. This allows a local, low-privileged  
attacker to use a chain of actions, to open a fully functional cmd.exe  
with the privileges of the SYSTEM user. 

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2024-9473)  
For the exploit to work, GlobalProtect has to be installed via the MSI file.  
Afterwards, any low-privileged user can start the repair of GlobalProtect by  
double-clicking the installer and trigger the vulnerable actions  
without a UAC popup. The installer, if deleted from it's original location,  
can be found in C:\Windows\Installer with a randomized name.

During the repair process, the subprocess PanVCrediChecker.exe gets  
called with SYSTEM privileges and performs a read action on the file   
"C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll".

This can be used by an attacker by simply setting an oplock on the file.  
As soon as it gets read, the process is blocked until the lock is released.  
To do that, one can use the 'SetOpLock.exe' tool from  
"https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:

SetOpLock.exe "C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll" x  
See figure 1 [lock.webp]

During the repair process, the locked file is accessed several times. The lock  
has to be released by pressing ENTER five times before the conhost.exe  
window opens. For the sixth request, the lock should not be released to keep the  
window open. The conhost window that gets opened when PanVcrediChecker.exe is  
executed doesn't close and can then be interacted with.

The attacker can then perform the following actions to   
spawn a SYSTEM shell:  
- Right click on the top bar of the window  
- Click on properties [ see figure 2 openbrowser.webp]  
- Under options, click on the "new console features" link [see figure 2  
    openbrowser.webp]  
- Open the link with e.g. firefox or chrome [see figure 2 openbrowser.webp]  
- In the opened browser window press the key combination CTRL+o  
- Type cmd.exe in the top bar and press Enter [see figure 3 cmd.webp]

Note that this does not work using a recent version of the Edge Browser.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested which were the only versions  
available to SEC Consult at the time of the test. SEC Consult was not  
entirely sure, which exact version the product was:  
- ProductVersion as stated by the PropertyTable: 5.2.10  
- Version as stated by Windows after installing: 5.1.5  
- 6.1.2 is affected as well

The vendor confirmed that versions <6.2.5 are affected. Furthermore,  
all other branches 5.1.x, 5.2.x, 6.0.x, 6.1.x and 6.3.x are affected  
as well. Branch 5.2.x is end of life according to the vendor and will  
not be patched.

Vendor contact timeline:  
------------------------  
2023-11-17: Contacting vendor through PSIRT@PaloAltoNetworks.com  
            asking for most recent software version  
2023-11-21: Vendor confirms receipt of contact  
2023-11-23: Vendor denies providing most recent version and asks for  
            full technical report via their online form:  
            https://security.paloaltonetworks.com/report  
            Note: Submitting the advisory draft via online form  
            repeatedly results in server errors  
2023-11-23: Sending the advisory via PSIRT@PaloAltoNetworks.com  
2024-01-11: Contacting vendor through PSIRT@PaloAltoNetworks.com  
            asking for confirmation of receiving the advisory and  
            status of their triage.  
2024-01-12: Vendor confirms receiving the advisory.  
            The issue is tracked internally.  
2024-03-06: Contacting vendor through PSIRT@PaloAltoNetworks.com   
            asking for update of the vulnerability.  
2024-04-02: The vendor notifies that the product team is working  
            on the report.  
2024-04-08: Asking vendor to notify about updates and the timeline  
            of a fix.  
2024-04-24: Vendor was able to reproduce the issue, but not in the  
            most recent versions. 5.1.5 is affected, but not 5.2.10  
            nor 5.1.12, nor 6.2.2.  
2024-05-23: Asking vendor about affected/fixed versions and regarding  
            CVE number.  
2024-05-30: Vendor apologizes for version confusion, following up with team  
            internally. Vendor plans to publish an advisory with CVE, but  
            no date yet, asks us to wait/coordinate our advisory with theirs.  
2024-06-03: Answering that we will wait for their release & advisory.  
2024-06-17: Asking for a status update regarding the version numbers &  
            advisory release.  
            Vendor: no ETA/timeline yet, no version information.  
2024-09-25: Asking for a status update regarding the vendor advisory and for  
            confirmation of the available fixes.  
2024-09-27: Vendor investigated further and previous versions are unfortunately  
            affected as well. Product team works on a fix, advisory & CVE  
            release scheduled for 9th October 9 AM PT.  
2024-09-27: Acknowledging the coordinated advisory release for 9th October.  
2024-10-03: Vendor communicates further information regarding affected versions  
            and their advisory draft.  
2024-10-07: Vendor confirms 5.2.x as affected as well, but is EOL without fix.  
2024-10-09: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides an updated version v6.2.5 which fixes the issues for this  
specific branch. Other versions are not yet patched and will be fixed in future  
releases.

Further information can be found at the vendor's website.  
https://security.paloaltonetworks.com

Users are urged to upgrade to the latest version and remove old versions  
of the MSI installer, especially users of v5.2.x as this branch is EOL and won't  
receive an update.

SEC Consult has also released a blog post on 12th September 2024 regarding MSI  
installer security issues tracked as CVE-2024-38014 and a general fix by  
Microsoft. We have contacted Microsoft to have a more general solution for  
every affected vendor. For further details check out the blog post:  
https://r.sec-consult.com/msi

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab   
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Baer, Johannes Greil / 2024

Palo Alto Networks GlobalProtect Local Privilege Escalation

Boston and London, U.S. and U.K., 10th October 2024, CyberNewsWire

**Boston and London, U.S. and U.K., October 10th, 2024, CyberNewsWire**

The agreement has marked over 600,000 fraudulent domains for takedown in just two months through automated defense and proactive prevention. Abusix and Red Sift to hold exclusive webinar sharing insights on transforming cyber attack mitigation.

Abusix, an organization specializing in internet abuse prevention, and Red Sift, a leader in misconfiguration and exposure management, have announced a new partnership aiming to transform how organizations can navigate from a reactive to a proactive approach for managing security risk.

Cyber threats such as email phishing, business email compromise (BEC), and brand impersonation remain persistent challenges for organizations globally. Addressing these issues requires both visibility and automation to enable faster detection and mitigation of such attacks.

Addressing these challenges head on, Abusix and Red Sift’s partnership aims to offer security teams visibility and action to neutralize risks preemptively. Since the agreement was enabled in August 2024, over 630,000+ domains have been marked for takedown. This outcome is attributed to Abusix’s real-time reporting capabilities for the swift identification of potential threats, and Red Sift’s ability to transform data into actionable defenses and real-time value for its customers. This is enabled through Red Sift leveraging Abusix’s data in both Red Sift OnDMARC and Red Sift Brand Trust. 

> **Rahul Powar, CEO and Co-Founder of Red Sift said:** “We find ourselves in an ever changing landscape where new attacks and methods for cyber abuse are ever prevalent. Working together with Abusix, we are harnessing new innovation and knowledge sharing to offer increased visibility to a wider remit of large enterprises and small businesses that are vulnerable to cyber threat. This in turn allows us to provide real-time solutions to mitigate against costly reputational damage and shift the industry’s approach from reactive to proactive.” 

> **Tobias Knecht, CEO and Founder of Abusix said:** “It’s not just about sharing data—it’s about sharing it with the right organizations. 95% of all attacks on enterprises originate from service provider and hosting provider networks. Enabling rapid takedowns by sharing actionable intelligence with service providers and hosting providers is a crucial step in reducing overall attack volume at its core. Through our partnership with Red Sift and their unique data solutions, we are taking a significant step forward in safeguarding the internet and improving network security overall.”

The newly formed collaboration is a move to raise the effectiveness and application use of email threat data for cybersecurity across the board and to upgrade the industry’s approach to attack mitigation. Together, the two companies are addressing ongoing critical gaps in the cybersecurity landscape by addressing crucial business needs for increased domain security and prevention of brand abuse. 

Those interested can join an exclusive webinar to learn how Abusix and Red Sift are transforming cyber attack mitigation — readers can reserve a spot today and hear about proactive strategies to protect organizations from email phishing, brand impersonation, and other emerging threats.

Readers can also learn more about the partnership’s Success Story here.

****About Abusix****

Abusix transforms vast amounts of real-time data into actionable insights, helping organizations protect against cyber threats. Its unique data ecosystem enables security teams across all sectors to proactively mitigate attacks by pinpointing the origins of cyber abuse. By enabling collaboration between enterprises, security vendors, and service providers, Abusix works to reduce the overall volume of attacks, driving a more secure internet. 

Abusix serves a global client base, including Cloudflare, Amazon Web Services (AWS), Vodafone, Digital Ocean, and multiple government organizations worldwide. Dedicated to enhancing the global security ecosystem, Abusix continues to make threat intelligence accessible and impactful across industries. Readers can learn more at abusix.com

****About Red Sift****

Red Sift aims to enable organizations to anticipate, respond to, and recover from cyber attacks while continuing to operate effectively. The award-winning Red Sift Pulse Platform is an integrated solution that combines four interoperable applications, internet-scale cybersecurity intelligence, and innovative generative AI that intends to put organizations on a path to cyber resilience. 

Red Sift is a global organization supported by a diverse team across 15 countries. It boasts an international client roster that includes Capgemini, Domino’s, ZoomInfo, Athletic Greens, and several leading law firms. Red Sift is the official DMARC provider for Cisco and a trusted partner for Microsoft and Entrust, among others. Readers can learn more at redsift.com

**Contact**

**Head of Marketing**  
**Serena Li**  
**Abusix**  
**\[email protected\]**

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The average higher education institution is getting hit once a week now, and as one University of Oregon attack shows, the sector often lacks the resources to keep pace.

Source: Simon Turner via Alamy Stock Photo

The education sector is facing thousands of cyberattacks per week these days — especially universities, a good portion of which experience at least one incident per week.

Education was the third most targeted industry in second quarter of 2024, according to Microsoft's latest "Cyber Signals" report. This finding corroborates data from Check Point Software, indicating that the education and research sectors now face more than 2,500 attacks weekly, up 15% over the past couple of years.

The US has it the worst, but schools and related organizations across the world face the same sorts of risks. In Europe, for example, 43% of institutes of higher education report experiencing a cyber incident at least once a week, if not more often. Schools for earlier age groups faced significantly less frequent attacks (13% to 16%).

As Microsoft explained, education makes for a uniquely soft target, combining the vulnerabilities, blind spots, and legacy infrastructure issues endemic to various other major industries, but all in one package.

**Education Sector Is an "Industry of Industries"**

Schools — in particular, universities — tend to combine the functions of many kinds of organizations in one package.

A university is also a financial institution with lending capabilities (sometimes even more the latter than the former), and a healthcare and housing provider to its students and faculty. Schools at every level host payment processing systems, websites and email domains, and networks that, especially since the COVID-19 pandemic, can resemble Internet service providers. They employ food service and athletics staff, and host events. They might be in possession of potentially sensitive research data, and all of them have to manage the full spectrum of personally identifiable information (PII) belonging to usually thousands of people at once.

It follows, then, that educational institutions enjoy all of the cybersecurity challenges any other industry faces. New and legacy technologies commingle. Public schools struggle with funding. Cybersecurity talent is tough to find and retain. Students and teachers bring their own devices on and off campus every day, each one potentially carrying malware. And virtual learning extends the attack surface outward.

In some ways, these issues affect schools to a greater degree than they do other industries. For instance, bring your own device (BYOD) risk is one thing in a corporate environment, where employees can be educated in cyber-risk, but it's an entirely different beast at schools, where those devices belong to children.

Or, consider QR codes. According to Microsoft's telemetry, more than 15,000 malicious phishing and spam messages are directed to educational institutions every day, with so-called "quishing" on the rise.

In open and collaborative environments like schools, "defenses that typically would be in place to help reduce the noise and create more effective defenses don't always work," explains Corey Lee, security chief technology officer (CTO) for Microsoft's M365 Security.

Schools tend to pass around lots of QR codes, but lack the same rigor in vetting the messages they travel with. "A lot of that has to do with the fact that email filters are not the same in education environments. Post-detection and response capabilities aren't always the same in education environments. So when we have business email compromise attacks that use advanced lures like QR codes, it becomes very hard to detect and respond to," Lee says.

**Taking Hackers to School**

In 2021, Oregon State University experienced a cyberattack "unlike anything before," Microsoft wrote. In the aftermath, it established its own security operations center.

A number of universities have done the same, or more. Louisiana State University (LSU), the University of Cincinnati, and California Polytechnic State University all operate SOCs. In Texas, the state's Department of Information Resources (DIR) oversees a Regional Security Operations Center in collaboration with Angelo State University in San Angelo.

"Education, as a sector, doesn't necessarily have lots of advanced personnel just sitting around, not doing anything. Oftentimes, \[security staff\] wear multiple hats, and they're limited," Lee explains. Luckily, universities have a significant, untapped pool of potential talent waiting to be activated.

"The challenge oftentimes is being addressed by scaling through students — being able to activate students to help them join in on the fight and be effective and efficient security defenders for the school."

Student-staffed SOCs serve multiple functions at once: not only helping to protect universities, but also other nearby educational, government, or even private organizations, all while training a new generation of cybersecurity talent. As Lee says, "They're helping to address the security skill shortage, while defending home base."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft: BYOD, QR Codes Lead Rampant Education Attacks

Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types.

Thursday, October 10, 2024 06:00

While reverse-engineering Windows drivers with Ghidra, it is common to encounter a function or data type that is not recognized during disassembly.  

This is because Ghidra does not natively include the majority of the definitions for data types and functions used by Windows drivers.  

Thankfully, these problems can usually be solved by importing Ghidra data type archive files (.gdt) that contain the relevant definitions.  

However, it is not uncommon that the definitions in question aren’t available in a preexisting .gdt file, meaning a new definition must be created manually. Additionally, in some cases, the function or data type may be undocumented by Microsoft, making the process of creating a new definition a more tedious process.  

To aid analysts in reverse engineering Windows drivers, Cisco Talos is releasing a GDT file on GitHub that contains various definitions for functions and data types that have been created as needed during our analysis of malicious drivers, as they were not present in the commonly used data type archives.  

It is important to note that this archive is not intended to contain all undocumented Windows functions or serve as a replacement for other available data type archives, but as a supplement to them. This is a long-term project that will continue to grow when new definitions are created by our analysts and added to the public release.  

The archive can be found here on our GitHub repository.

Ghidra data type archive for Windows driver functions

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

129.0.2792.89

10/10/2024

129.0.6668.100/.101

CVE-2024-9603: Chromium: CVE-2024-9603 Type Confusion in V8

CVE-2024-9602: Chromium: CVE-2024-9602 Type Confusion in V8

The tack highlights bad actors' interest in trusted development and collaboration platforms — and their users.

Source: Tada Images via Shutterstock

Trusted and widely used software development and collaboration platforms like GitHub and GitLab have become both targets of and vehicles for a growing range of malicious activity.

The latest manifestations of that trend include a malware distribution campaign involving legitimate GitHub repositories and the availability this week of an exploit for a vulnerability that allows an attacker to gain access as any user of GitLab.

The first is an example of how attackers are exploiting the trusted reputation of platforms like GitHub to try and sneak malware past endpoint detection mechanisms. The GitLab vulnerability, meanwhile, highlights the growing exposure to organizations from exploits that give attackers access to code repositories and exfiltrate secrets and data, modify or inject code into software, and manipulate the CI/CD pipeline.

**Hosting Malware on Trusted GitHub Repos**

Researchers at Cofense this week reported a phishing campaign where a threat actor is attempting to direct targeted victims in the insurance and finance sectors to malware hosted on trusted GitHub repositories. The campaign involves the attacker sending victims tax-themed phishing emails containing a link to a password-protected archive containing Remcos, a remote access Trojan that cybercriminals and state-backed groups alike have used in various cyber-espionage and data theft attacks over the years.

What makes the campaign noteworthy, according to Cofense, is how the threat actor has managed to sneak the archive files containing the Remcos RAT into legitimate GitHub repositories belonging to trusted entities. Examples of such entities include His Majesty’s Revenue & Customs (HMRC), the UK's national tax authority; New Zealand's counterpart, InlandRevenue; and UsTaxes, an open source tax-filing platform.

In each instance, the attacker used GitHub comments to upload a malicious file containing Remcos RAT to the repositories of the respective entities.

Many GitHub repositories allow developers to comment on ongoing and collaborative software projects. The comments can cover a wide range of topics, including proposed code changes, documentation and bug-related issues, task creation clarification requests, task management and progress updates, and merge conflict resolution.

"GitHub comments are useful to a threat actor because malware can be attached to a comment in a GitHub repository without having to upload it to the source code files of that repository," Cofense security researcher Jacob Malimban wrote in a blog post. "This means that any organization's legitimate GitHub repository that allows comments can contain unapproved files outside of the vetted code." Unsanctioned files that someone might submit via GitHub comments end up in a subdirectory that is separate from the one containing the repository's vetted files, Malimban said. What is especially troubling is the fact that the link to the malicious file will continue to work even if the comment itself gets deleted.

**Multiple Incidents**

Other threat actors have noticed the opportunity as well. A recent case in point is the purveyor of the Redline Stealer, who earlier this year was spotted using no less than Microsoft's own GitHub repository to host the information stealing malware. In that campaign — as with the new Remcos RAT attacks that Cofense spotted — the threat actor uploaded the malware as a comment to Microsoft's GitHub vcpkg repository.

Emails with links to domains such as GitHub are effective at skirting secure email gateways because of their trusted reputation. Attackers can, in fact, directly link to their malware in such domains without the need to redirect users to other sites, or without requiring them to use other security bypass techniques like scanning QR codes, Cofense said.

The threat actor behind the new Remcos RAT could easily have targeted victims in other sectors as well. But they likely deliberately kept their focus narrow to test how effective the strategy of hosting malware on the GitHub repositories is before attacking others, Malimban surmised.

**Growing Threat Actor Interest**

Meanwhile, the new exploit for GitLab targets a critical authentication bypass vulnerability (CVE-2024-45409) affecting the Ruby-SAML and OmniAuth-SAML libraries that GitLab uses to enable SAML-based single sign-on. The exploit script gives attackers a way to abuse the vulnerability to access GitLab in the context of any user. The vulnerability affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) below 16.11.10. The flaw is also present in multiple 17.x.x versions of GitLab.

The exploit is another sign of the growing researcher and threat actor interest in repositories like GitHub and GitLab and their users. Over the past year there have been multiple instances of attacks targeting repos on GitHub, like one involving cyber-extortion that Chilean cybersecurity firm CronUp reported in June and another involving the use of ghost accounts on GitHub to distribute malware. GitLab users have had their share of security scares to deal with as well, like CVE-2024-45409 and two other recent vulnerabilities (CVE-2024-6385 and CVE-2024-5655) that posed a major threat to the integrity of CI/CD pipelines.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#microsoft