Notes from the Field • 3 min read
PoC Exploit of Windows CryptoAPI Vulnerability with Global Scale Spoofing Actively Discussed
by Eleanor Barlow • Jan 2020
Microsoft’s January 2020 ‘Patch Tuesday’ release disclosed and fixed a serious spoofing vulnerability in the Windows CryptoAPI, CVE-2020-0601, since dubbed CurveBall or ChainOfFools. It affects Windows 10, Windows Server 2016 and Windows Server 2019.
How it Works
The flaw lies in how CryptoAPI (crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An X.509 certificate may carry explicit curve parameters instead of naming a standard curve, and the vulnerable code matched a certificate against a trusted root by comparing public keys without checking that those curve parameters, in particular the generator point, were the root’s own. An attacker can therefore choose a generator for which they hold a private key whose public key is identical to a trusted root’s, issue a code-signing certificate that appears to chain to that root, and sign a malicious executable with it. Any software that relies on CryptoAPI for certificate validation can be fooled (Authenticode code signatures, but also HTTPS connections and signed e-mail validated through CryptoAPI), so both the user and endpoint protection such as anti-malware may treat the file as digitally signed by a trusted provider, such as Microsoft.
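To make the mechanism concrete, here is an added example (written for this page, not code from the article, SecurityHQ or Microsoft) that models the flaw with P-256 point arithmetic in pure Python. The root CA, its key, the attacker’s scalar and the signed payload are all constructed inline, and the two `match_root_*` functions are a deliberately simplified stand-in for the trusted-root lookup, not CryptoAPI’s real code. The vulnerable lookup matches on the public key value alone and accepts the attacker’s key; the hardened one also demands the standard generator and rejects it. The ECDSA signature made with the attacker’s scalar still verifies, because verification uses the parameters supplied with the key.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (public constants). Needs Python 3.8+ for pow(x, -1, m).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def on_curve(point):
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % P == 0


def hash_to_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def ecdsa_sign(d, generator, message):
    z = hash_to_int(message)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, generator)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return (r, s)


def ecdsa_verify(q, generator, message, sig):
    """Verifies with the generator carried alongside the key, which is exactly what
    a certificate with explicit EC parameters asks the validator to do."""
    r, s = sig
    w = pow(s, -1, N)
    x = ec_add(ec_mul(hash_to_int(message) * w % N, generator), ec_mul(r * w % N, q))
    return x is not None and x[0] % N == r


def spoof_generator(q_root, d_atk):
    """Attacker step: for any chosen private scalar d_atk, G_atk = d_atk^-1 * Q_root
    makes d_atk * G_atk equal the trusted root's public key."""
    return ec_mul(pow(d_atk, -1, N), q_root)


def match_root_by_key_only(key, root_store):
    """Model of the pre-patch behaviour: the trusted root is looked up by public key
    value; the curve parameters that came with the key are never compared."""
    _generator, q = key
    return root_store.get(q)


def match_root_with_parameters(key, root_store):
    """Hardened check: the key must use the named curve's standard generator."""
    generator, q = key
    return root_store.get(q) if generator == G else None


def demo():
    # Constructed trusted root; its private scalar is never available to the attacker.
    d_root = secrets.randbelow(N - 1) + 1
    q_root = ec_mul(d_root, G)
    root_store = {q_root: "Constructed Trusted Root CA"}

    d_atk = secrets.randbelow(N - 1) + 1          # attacker picks any scalar
    g_atk = spoof_generator(q_root, d_atk)
    spoofed_key = (g_atk, ec_mul(d_atk, g_atk))   # public key equals q_root
    payload = b"constructed code-signing payload"
    sig = ecdsa_sign(d_atk, g_atk, payload)
    return {
        "generator_on_curve": on_curve(g_atk),
        "public_key_matches_root": spoofed_key[1] == q_root,
        "signature_valid_under_cert_params": ecdsa_verify(spoofed_key[1], g_atk, payload, sig),
        "vulnerable_match": match_root_by_key_only(spoofed_key, root_store),
        "hardened_match": match_root_with_parameters(spoofed_key, root_store),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the example makes is that the attacker never learns the root’s private key; they only choose a different base point, and a validator that keys its trust decision on the public key value without pinning the curve parameters cannot tell the two keys apart.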
The Effects
CurveBall or ChainOfFools is a serious threat: a file signed with a spoofed certificate may be regarded as genuine by endpoint security products, which lets the malware evade endpoint detection on every unpatched Windows machine it reaches.
The key concern, however, is how quickly and easily this vulnerability has been, and continues to be, exploited. Proof-of-concept exploits for CurveBall are being actively followed and discussed on dark web forums and are being picked up by malware authors.
Mitigation Recommendations
- Update operating systems to the patch level currently released by Microsoft; the fix for CVE-2020-0601 shipped in the January 2020 security update for Windows 10 and Windows Server 2016/2019.
- Update your anti-virus solutions with the latest virus definitions.
- Monitor your EDR and anti-malware tools and solutions 24/7 for potential malicious activity. Patched hosts write an Application-log event (source Microsoft-Windows-Audit-CNG, Event ID 1, message beginning “[CVE-2020-0601] cert validation”) each time crypt32.dll rejects a spoofed certificate; alert on it, and bear in mind that unpatched hosts log nothing, so silence there is not evidence of absence.
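As an added example of what “monitor” can mean in practice (written for this page, not SecurityHQ’s tooling), the helper below triages Windows Application-log events exported as JSON lines and pulls out the CVE-2020-0601 rejections that a patched crypt32.dll logs. Assumptions: the export field names (`Computer`, `Channel`, `Provider`, `EventID`, `Message`) follow a typical forwarder layout, the indented `Key: value` lines in the message body are a constructed approximation of the real event text, and the three sample records are constructed.

```python
import json

# Properties of the event that the patched crypt32.dll raises on a rejected certificate.
PROVIDER = "Microsoft-Windows-Audit-CNG"
EVENT_ID = 1
MARKER = "[CVE-2020-0601]"

# Constructed sample export: one genuine detection, one unrelated Event ID 1,
# one unrelated event from the same provider. Field names are assumed.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Computer": "ws01.example.local", "Channel": "Application",
     "Provider": PROVIDER, "EventID": 1,
     "Message": "[CVE-2020-0601] cert validation\n"
                "  Subject: CN=Constructed Signer\n"
                "  Issuer: CN=Constructed Root CA\n"
                "  Process: C:\\Users\\alice\\Downloads\\setup.exe"},
    {"Computer": "ws02.example.local", "Channel": "Application",
     "Provider": "MsiInstaller", "EventID": 1,
     "Message": "Product: Example 1.0 -- Installation completed successfully."},
    {"Computer": "ws01.example.local", "Channel": "System",
     "Provider": PROVIDER, "EventID": 5, "Message": "unrelated CNG event"},
])


def parse_events(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_curveball_event(event):
    """Match on channel, provider, event ID and the CVE marker, not on any one alone:
    Event ID 1 is reused by many providers."""
    return (event.get("Channel") == "Application"
            and event.get("Provider") == PROVIDER
            and event.get("EventID") == EVENT_ID
            and MARKER in event.get("Message", ""))


def message_fields(message):
    """Turn the indented 'Key: value' lines after the first line into a dict.
    partition() splits on the first colon only, so Windows paths survive intact."""
    fields = {}
    for line in message.splitlines()[1:]:
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def triage(text):
    """Return one record per detection with the host and the parsed message fields."""
    hits = []
    for event in parse_events(text):
        if is_curveball_event(event):
            hits.append({"host": event.get("Computer"), **message_fields(event["Message"])})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The host and the signing process path are the fields worth escalating first: a spoofed certificate reaching a patched machine means the same payload may already have run unchallenged on machines that are not yet patched.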
The Solution
SecurityHQ ensures that this, and any other emerging threat or vulnerability, cannot and will not influence or evade our detection.
For additional support, reach out to one of our specialists here, and learn how to safeguard your data, business and people from the latest attacks.