{"id":17499,"date":"2020-01-21T17:40:05","date_gmt":"2020-01-22T01:40:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2020\/01\/21\/news-11234\/"},"modified":"2020-01-21T17:40:05","modified_gmt":"2020-01-22T01:40:05","slug":"news-11234","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/21\/news-11234\/","title":{"rendered":"Update: Curveball Exploit (CVE-2020-0601) Starts Making the Rounds"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><i>A FortiGuard Labs Threat Analysis<\/i><\/b><\/p>\n<h2>Introduction<\/h2>\n<p>On patch Tuesday for January 2020, Microsoft disclosed a <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-0601\">critical vulnerability<\/a> that had been discovered by the NSA, that has been dubbed CurveBall or ChainOfFools by the security research community. This vulnerability affects Windows 10, Windows 2016, and the 2019 version of the crypt32.dll that implements Windows\u2019 CryptoAPI.<\/p>\n<p> The vulnerability can be exploited by a malicious actor to spoof certificates in a way that will trick any software that leverages Windows CryptoAPI for signature validation into believing it is legitimate. For example, ransomware authors can trick Windows into believing that their samples have been signed by Microsoft.<\/p>\n<h2>Exploit PoCs Released<\/h2>\n<p>Due to the severity of this issue, a lot of effort has been invested by the security community over the past few days to understand its root cause. 
Surprisingly, the vulnerability is very simple to exploit and there are already several public implementations that can leverage it to spoof certificates.<\/p>\n<p>As expected, soon after the public exploits were released, malware with spoofed Microsoft certificates was uploaded to\u00a0<a href=\"https:\/\/www.virustotal.com\/gui\/file\/d6ab910259c9bc68196aeec3e9ff4864bada22738c02ecf5ada7912ced292d28\/detection\">VirusTotal<\/a>:\u00a0 \u00a0\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/curveball-exploit-making-rounds\/_jcr_content\/root\/responsivegrid\/image.img.png\/1579621201575\/curveball-one.png\" alt=\"Figure 1. Signed Ransomware in VirusTotal\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. Signed Ransomware in VirusTotal<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Fortinet Endpoint Protection vs CurveBall<\/h2>\n<p>As with any emerging threat, FortiEDR and <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/forticlient.html?utm_source=blog&amp;utm_campaign=2018-q2-endpoint-web-page\">FortiClient<\/a> were put to the test to ensure that this new vulnerability could not bypass or impact their detection capabilities. 
As you can see, the signature of the VT ransomware sample appears to be a legitimately signed Microsoft file:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/curveball-exploit-making-rounds\/_jcr_content\/root\/responsivegrid\/image_656312549.img.png\/1579621179406\/curveball-two.png\" alt=\"Figure 2. Spoofed Certificate\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Spoofed Certificate<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>However, when we executed the sample against FortiEDR, the sample was immediately detected and blocked. Moreover, the file is marked as unsigned, as can be seen in Figure 3:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/curveball-exploit-making-rounds\/_jcr_content\/root\/responsivegrid\/image_359339995.img.png\/1579621241242\/curveball-threeee.png\" alt=\"Figure 3. Spoofed certificate blocked by FortiEDR\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. 
Spoofed certificate blocked by FortiEDR<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This same sample is also detected by FortiClient, as can be seen in VirusTotal:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/curveball-exploit-making-rounds\/_jcr_content\/root\/responsivegrid\/image_166102417.img.png\/1579621283221\/curveball-four.png\" alt=\"Figure 4. FortiClient blocks spoofed certificate, as seen on VirusTotal\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. FortiClient blocks spoofed certificate, as seen on VirusTotal<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Final Thoughts<\/h2>\n<p>The CurveBall\/ChainOfFools vulnerability is extremely severe, as signed files often are considered to be \u201ctrusted\u201d by security endpoint products. This allows threat actors to fool security endpoint products and affected Microsoft Windows machines into trusting falsely signed files that contain a certificate that appears to chain appropriately. Furthermore, exploiting this vulnerability is quite simple, and now that there are working PoCs in-the-wild we predict that malware authors will leverage it extensively.<\/p>\n<p>Because of this, we urge vendors to patch their systems ASAP. It is safe to surmise that we will see more proof of concept attacks floating in the wild as well as malware incorporating these techniques. 
Fortunately, FortiEDR and FortiClient are not fooled by this exploit even on unpatched systems.<\/p>\n<p>For more information, please reference our recent <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/microsoft-january-2020-update-cve-2020-0601.html\">blog<\/a> on CVE-2020-0601 as well as our <a href=\"https:\/\/fortiguard.com\/threat-signal-report\/3331\/coverage-information-for-microsoft-january-2020-security-update-for-cve-2020-0601\">Threat Signal update<\/a>.<\/p>\n<h2>Solutions<\/h2>\n<p>The recently acquired FortiEDR (an Endpoint Detection and Response solution integrated into FortiGate firewalls, FortiSIEM, and FortiSandbox) and FortiClient are not affected by this vulnerability.<\/p>\n<p>Customers running the latest definition sets are also protected by the following signatures:<\/p>\n<p><b>AV<\/b><\/p>\n<p>W32\/FilecoderProt.F183!tr.ransom<\/p>\n<p><b>IPS<\/b><\/p>\n<p><a href=\"https:\/\/fortiguard.com\/encyclopedia\/ips\/48661\">MS.Windows.CryptoAPI.ECC.Certificate.Spoofing<\/a><\/p>\n<h2>IOCs<\/h2>\n<p>Avgdiagex.exe [SHA-256] &#8211; d6ab910259c9bc68196aeec3e9ff4864bada22738c02ecf5ada7912ced292d28<\/p>\n<p><i>Learn how\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0provides\u00a0unmatched security and intelligence services using integrated\u00a0<a href=\"https:\/\/twitter.com\/hashtag\/AI?src=hashtag_click\">AI<\/a>\u00a0systems.\u00a0<\/i><\/p>\n<p><i>Find out about the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>\u00a0and s<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">ign up<\/a>\u00a0for our 
weekly FortiGuard Threat Brief.\u00a0\u00a0<\/i><\/p>\n<p><i>Discover how\u00a0the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>\u00a0provides\u00a0security audits and best practices to guide customers in designing, implementing, and maintaining the security posture best suited for their organization.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/iIjPXKQAzq8\/curveball-exploit-making-rounds.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/curveball-exploit-making-rounds\/_jcr_content\/root\/responsivegrid\/image.img.png\/1579621201575\/curveball-one.png\"\/><br \/>Learn more about the recent Microsoft Curveball vulnerability and how FortiClient protects Fortinet customers from exploitation.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/iIjPXKQAzq8&#8243; height=&#8221;1&#8243; width=&#8221;1&#8243; 
alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17499","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17499","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17499"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17499\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17499"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17499"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}