AtomBombing Zero-Day exploit: Ερευνητές ασφαλείας της Ensilo ανακάλυψαν ένα νέο zero-day exploit στα Windows που οι επιτιθέμενοι μπορούν να χρησιμοποιήσουν για inject και εκτέλεση κακόβουλου κώδικα.
The investigations called the AtomBombing exploit from the Windows operating system called Atom Tables.
What is particularly interesting in this zero-day exploit is that it does not use vulnerabilities in Windows security, but in Windows's motherboard operations.
This means, according to the researchers, that Microsoft will not be able to fix the problem.
"Unfortunately, this issue cannot be fixed, as it is not based on any corrupt or defective code, but on how the system mechanisms are designed to work.
Of particular concern is the fact that the issue affects all versions of Windows, and that security programs running the system - firewall or antivirus for example - will not be able to stop exploit.
How the technique works:
Any malicious code, of course, must first be executed to offend a system.
This code is usually blocked by virus protection software or some operating security policies.
In the case of AtomBombing, the malicious program writes the malicious code into an Atom table (which is a legitimate Windows operation and can not stop it from a security policy or antivirus).
It then uses legitimate procedures through APC (Async Procedure Calls), a program tourς στο web για παράδειγμα, για να ανακτήσει κωδικούς από τον πίνακα χωρίς να το εντοπίσει κάποιο security software.
"What we've found is that a malicious user can write malicious code on an Atom table and force a legitimate program to get the malicious code out of that table. We also found that the legitimate program, which contains the malicious code, can be managed to execute the code. ”
Investigators have released a PoC which illustrates the way operation by AtomBombing. If you are interested in the details, you can check it out as it can answer all your questions.
Ensilo's security team reports that running malicious code on a Windows computer was one of the many ways the attackers can use AtomBombing.
Attackers could use the technique to get screenshots, extract sensitive information, even encrypted passwords.
By agreeing to research, Google Chrome encrypts saved passwords using the Windows Data Protection API. Thus, any attack on a process running within the active user could gain access to sensitive data in plain text.
Ensilio believes Microsoft can not repair AtomBombing exploit. Microsoft, on the other hand, has not issued an announcement.