AtomBombing Zero-Day exploit: Security researchers of Ensilo ανακάλυψαν ένα νέο zero-day exploit στα Windows που οι επιτιθέμενοι μπορούν να χρησιμοποιήσουν για inject και εκτέλεση κακόβουλου code.
The investigations named the exploit AtomBombing after the mode of Windows that it exploits and is called Atom Tables.
Αυτό που είναι ιδιαίτερα ενδιαφέρον σε αυτό το zero-day exploit είναι ότι δεν χρησιμοποιεί τρωτά points in Windows security, but in native Windows functions.
This means, according to the researchers, that Microsoft will not be able to fix the problem.
"Unfortunately, this issue cannot be fixed, as it is not based on any corrupt or defective code, but on how the system mechanisms are designed to work.
Of particular concern is the fact that the issue affects all versions of Windows, and that security programs running the system - firewall or antivirus for example - will not be able to stop exploit.
How the technique works:
Any malicious code, of course, must first be executed to offend a system.
This code is usually blocked by virus protection software or some operating security policies.
In the case of AtomBombing, the malicious program writes the malicious code into an Atom table (which is a legitimate Windows operation and can not stop it from a security policy or antivirus).
He then uses legitimate procedures through the Async Procedure Calls (APC), a web browser for example, to retrieve passwords from the table without locating any security software.
"What we've found is that a malicious user can write malicious code on an Atom table and force a legitimate program to get the malicious code out of that table. We also found that the legitimate program, which contains the malicious code, can be managed to execute the code. ”
Investigators have released a PoC which explains how AtomBombing works. If you are interested in details, you can check it, as it can answer all of your questions.
Ensilo's security team reports that running malicious code on a Windows computer was one of the many ways the attackers can use AtomBombing.
Attackers could use the technique to get screenshots, extract sensitive information, even encrypted passwords.
According to research, Google Chrome encrypts stored passwords using the Windows Data Protection API. So any attack in a process running under the active user could access the sensitive data in plain text.
Ensilio believes Microsoft can not repair AtomBombing exploit. Microsoft, on the other hand, has not issued an announcement.
