AtomBombing Zero-Day exploit: Ερευνητές ασφαλείας της Ensilo ανακάλυψαν ένα νέο zero-day exploit στα Windows που οι επιτιθέμενοι μπορούν να χρησιμοποιήσουν για inject και εκτέλεση κακόβουλου κώδικα.
The investigations called the AtomBombing exploit from the Windows operating system called Atom Tables.
What is particularly interesting about this zero-day exploit is that it does not use vulnerabilities in the Windows security, but in native Windows functions.
This means, according to the researchers, that Microsoft will not be able to fix the problem.
"Unfortunately, this issue cannot be fixed, as it is not based on any corrupt or defective code, but on how the system mechanisms are designed to work.
Of particular concern is the fact that the issue affects all versions of Windows, and that the security programs that work with the system – firewall or antivirus for example – they will not be able to stop the exploit from running.
How the technique works:
Any malicious code, of course, must first be executed to offend a system.
This code is usually blocked by virus protection software or some operating security policies.
In the case of AtomBombing, the malicious program writes the malicious code into an Atom table (which is a legitimate Windows operation and can not stop it from a security policy or antivirus).
He then uses legitimate procedures through the Async Procedure Calls (APC), a web browser for example, to retrieve passwords from the table without locating any security software.
“What we found is that a malicious user can write malicious code to an Atom table and force a legitimate program to fetch the malicious code from that table. We also found that the legitimate program, which contains the malicious code, can be managed to execute the code.”
Investigators have released a PoC which explains how AtomBombing works. If you are interested in details, you can check it, as it can answer all of your questions.
Ensilo's security team reports that running malicious code on a Windows computer was one of the many ways the attackers can use AtomBombing.
Attackers could use the technique to get screenshots, extract sensitive information, even encrypted passwords.
Agreement with research, Google Chrome encrypts stored passwords using the Windows Data Protection API. So any attack on a process running in the context of the active user could gain access to the sensitive data in plain text.
Ensilio believes Microsoft can not repair AtomBombing exploit. Microsoft, on the other hand, has not issued an announcement.