Attacking your way to accurate answers with breach and attack simulation

Black Hat USA 2023 was busy for SafeBreach researchers Tomer Bar and Omer Attias, who spent lots of stage time outlining how attacks are conducted, which APT groups have been most active, and how breach and attack simulation can help security teams think like the enemy and fight back. 

Of particular interest was their presentation on how Windows Defender can be hijacked to ignore malware, falsely recognize benign files as malicious and even delete critical system files to render a machine inoperable. 

The Israeli researchers introduced an automated tool called Defender Pretender that can replicate these attacks if the version of the Microsoft Malware Protection Platform is earlier than 4.18.2303.8. The tool can be found at https://github.com/SafeBreach-Labs/wd-pretender.  

Microsoft catalogued the attack method as CVE-2023-24934 and patched the vulnerability in April 2023. 
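A practitioner reading this will want a quick way to tell whether a given host is still on a platform build older than the one named above. The following PowerShell is an added example, not code from the article and not SafeBreach's wd-pretender tool. It uses the built-in Defender cmdlet Get-MpComputerStatus and the Defender Operational event log; it assumes that the AMProductVersion field is the Malware Protection Platform build the article's 4.18.2303.8 threshold refers to, and it uses Event IDs 2000 (signature update succeeded) and 2001 (signature update failed), which are standard Defender log IDs stated here from general knowledge rather than from the article.

```powershell
# Added example (not the SafeBreach wd-pretender tool): report whether a host's
# Defender antimalware platform predates 4.18.2303.8, the build the article names
# as the fix for CVE-2023-24934, and list recent signature-update events so an
# unexpected update can be spotted. Assumes the built-in Defender cmdlets and log.

$PatchedPlatform = [version]'4.18.2303.8'   # threshold taken from the article

function Test-DefenderPretenderExposure {
    # Get-MpComputerStatus is the built-in Defender status cmdlet; AMProductVersion
    # is assumed here to be the platform build the article's threshold refers to.
    $status   = Get-MpComputerStatus
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PlatformVersion    = $platform
        EngineVersion      = $status.AMEngineVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        VulnerablePlatform = ($platform -lt $PatchedPlatform)
    }
}

function Get-DefenderSignatureUpdateEvents {
    param([int]$Days = 7)
    # Event ID 2000 = security intelligence (signature) update applied,
    # Event ID 2001 = update failed. A successful update at an odd time, or from
    # an unexpected source, is what a signature-tampering attack would look like.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2000, 2001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: run in an elevated PowerShell session on the host being checked.
$result = Test-DefenderPretenderExposure
$result | Format-List
if ($result.VulnerablePlatform) {
    Write-Warning "Platform $($result.PlatformVersion) predates $PatchedPlatform; apply the Defender platform update."
}
Get-DefenderSignatureUpdateEvents -Days 7 | Format-Table -AutoSize
```

Run it across a fleet with Invoke-Command to find stragglers; the VulnerablePlatform flag is the only field that needs triage, while the event list is there to give responders a baseline of what normal signature updates look like on that host.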

"The lesson is trust no one, even Microsoft's own processes," Bar says. "Digitally signed files are not always secure, and the signature update process of security programs could be used as an attack vector." 

Bar and Attias' Black Hat presentation slides can be viewed at https://i.blackhat.com/BH-US-23/Presentations/US-23-Tomer-Defender-Pretender-final.pdf

Inspired by the Flame state-sponsored malware of 2012, Bar and Attias wondered if they too could leverage the Windows Defender virus-signature update process to subvert a Windows system. But while Flame used a cryptographic collision to spoof a Microsoft digital signature, Bar and Attias raised the bar higher (or maybe lower) and set out to subvert Defender as an unprivileged user without special access or signatures. 

To cap off their demos, they rewrote the Emotet signature so that Defender would detect and remove Windows system files. Defender is not designed to be driven from a DOS-style command prompt, but the researchers found a way, and showed a console window rapidly deleting essential system files, after which the virtual machine tried and failed to reboot. 

After Black Hat, Bar sat down with Security Weekly host Jeff Man to discuss their Defender findings and how, in the bigger picture, the SafeBreach Labs team helps customers discover their most critical threats and security gaps by building the industry’s most current and complete playbook of attacks.  

This segment is sponsored by SafeBreach. Visit https://securityweekly.com/safebreachbh to learn more about them. 

Show Notes: https://securityweekly.com/bh23-2  

  • 00:00 - Introduction to breach and attack simulation 
  • 01:12 - SafeBreach's Breach and Attack Simulation platform 
  • 02:18 - Real-time testing to identify drifts and vulnerabilities 
  • 03:30 - Realistic simulations to mimic actual threats and attack techniques  
  • 04:45 - SafeBreach's research and vendor collaboration  
  • 06:02 - Customized attacks for comprehensive testing of customer environments  
  • 07:15 - Advantages for larger enterprises: expertise and simulation benefits  
  • 08:28 - Identifying vulnerabilities, misconfigurations and process failures  
  • 09:42 - Prioritizing and closing security gaps 
Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.
