EXPLOITING MALWARE VULNERABILITIES

BY Alexander Pace

The Classic Blue Team Perspective

Malware exists because exploits exist – vulnerabilities in software, hardware, policy, and any other process that are abused for malicious intent. Maintaining a security defence is a constant race against the odds to identify, prioritise, and implement mitigations for exploits present in an environment. This mindset is core to any Blue Team. It’s one against a million; all an attacker needs to do is find one weakness and you are compromised. The whole internet is seeking your downfall at any moment, and you need to invest significant effort and resources to defend against it.

Exploiting the Malware Itself

However, the work of security researcher John Page (going by the moniker hyp3rlinx) has served as a reminder that we can turn that pure defence mindset on its head. Page analysed ransomware from recently active operations including Conti, REvil, Black Basta, LockBit, and AvosLocker and discovered that they are vulnerable to an exploit technique called DLL hijacking. This technique is normally used by attackers to inject arbitrary code into a legitimate process; here it was used to terminate the ransomware early, saving the host system from attack. A bonus of this method is that it is not tied to any endpoint security that may be present on the host, so it is less likely to be affected by attempts to subvert the security controls in place.

Perspective Flip

Findings like this bring about a change in perspective for those tasked with defending environments. There are viable – and legal – ways of fighting back against attackers. Defence is not a strictly passive undertaking but can involve concerted effort to disable and disrupt malware in the same ways that malware seeks to disable and disrupt a victim. Although defenders have been “hacking back” for years, these actions are often technically illegal or ethically dubious. Local exploits that do not touch external infrastructure (like C2s or distribution points) are legally much safer than performing actions in attacker-controlled environments.

While malware is often swiftly patched to remediate discovered vulnerabilities, with the right resources researchers can continue to discover new ones. Just as legitimate assets are probed and tested for their weaknesses by attackers, so can malicious tools be. It is a way of going on the offence as a defensive tactic while keeping play in the defender’s half of the field.

Attackers are Human Too

This perspective shift sheds light on a more fundamental truth: that attackers are human too. Analysis of the trove of data found in the recent Conti ransomware gang leak shows Conti is similar to a standard tech company. They have a corporate structure, an HR department, an executive board, R&D, and a level of organisation and sophistication that would be found in any other similarly sized legitimate company. Workers earn a salary, have performance reviews, and engage in training opportunities. They can refer new recruits for a bonus and even have the chance to win Employee of the Month.

Figure 1: Conti Group's corporate structure at the time of leaking in February 2022.

Attackers, especially those working in organised gangs like Conti, often perform only as well as, or even worse than, those in the organisations they are attacking. The Conti data leak shows employees making mistakes, enduring discipline for being AWOL, and slipping up in ways that lose the organisation money. The work they do is not perfect, and their underperformance introduces vulnerabilities into their malware in the same way vulnerabilities appear in legitimate assets.

We do not have to think of attackers as perfect, ruthless, unstoppable forces. They make mistakes, they make flawed malware, they make errors in their attacks. An IBM study last year found human error is the number one cybersecurity risk factor for businesses and was a major contributing factor in 95% of all breaches in 2020. Applying this perspective in reverse to attackers hints that defenders should be looking for the human error in the offensives they are trying to prevent. We should expect mistakes and vulnerabilities to be present in malware that can be leveraged to prevent or minimise an attack. They might only need to find one vulnerability, but the same can be true for us.

What’s Next?

The next step is to develop processes for systematically identifying and implementing malware exploits as a fully-fledged tool in a Blue Team’s arsenal. The Malvuln project, created and maintained by John Page, is a move in this direction. The Malvuln site and companion program Adversary3 aim to catalogue malware vulnerabilities and make the associated exploits freely available, in a similar way to the familiar CVE system. While Page’s project has upset some who think these vulnerabilities should remain secret, others believe open sharing of this information will benefit defenders overall.
