A few weeks ago, the FBI sounded the alarm about a formidable ransomware strain, Medusa. Its operators have made a habit of compromising companies through their use of popular email services such as Gmail or Outlook, and have in this way hit more than 300 American organizations across critical sectors, including education, construction and healthcare.
Ransomware and time travel
As security researcher Boris Cipot explains, Medusa has found a way to travel through time to achieve its ends. Speaking to Forbes, the principal security engineer at Black Duck says the ransomware takes advantage of configuration weaknesses in the system it targets.
Specifically, the attack relies on "the date or the possibility of changing it." The attackers load drivers that are some 13 years out of date, meaning that the certificates used to sign them are no longer valid: in this case, the certificates expired in 2012.
To get around the certificate validity problem, Medusa turns the infected system's clock back. It resets the date to "a time when the certificate that signed a certain driver was still valid". As a result, the system treats the certificate as valid and the driver as no threat to the integrity of the computer.
From then on, the malware can execute malicious code with the same privileges as a legitimate driver, which on Windows means in the kernel. Once in place, a malicious driver carrying an apparently valid signature is extremely difficult to detect or remove: it can survive reboots, remain invisible to traditional security tools, and even resist partial Windows reinstallations.
This trick allows an attacker to take control of a machine by circumventing Windows' driver-signing protections. It is mostly used by sophisticated attackers, including state-sponsored groups (such as those linked to China, Russia or North Korea).
How to combat time travel viruses?
To stop this type of attack, it is imperative to detect system configuration changes such as a change to the clock. It is precisely this clock-tampering approach that allowed Medusa to compromise so many companies without triggering Windows' security mechanisms.
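One concrete way to detect the clock change the article describes is to watch the Windows Security log for event 4616 ("The system time was changed") and alert on large backward jumps. The following PowerShell script is an added example written for this page; it is not code from the Forbes article, the FBI advisory or Black Duck. It assumes the Security log is readable (run it elevated) and that the "Audit Security State Change" subcategory is enabled, which is the Windows default. The thresholds are assumptions to tune for your environment.

```powershell
# Added example: flag backward system-clock changes recorded by Security event 4616.
# Not code from the article, the FBI or Black Duck. Assumes an elevated session and the
# default "Audit Security State Change" auditing, which produces event 4616.
param(
    [int]$Days = 30,
    # Backward jumps smaller than this are ignored: NTP slews, DST corrections, small manual
    # tweaks. A 13-year jump back to 2012, as described in the article, is far above it.
    [TimeSpan]$MinBackwardJump = (New-TimeSpan -Days 90)
)

$filter = @{ LogName = 'Security'; Id = 4616; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Event 4616 timestamps are ISO 8601 with nine fractional digits; some .NET versions reject
# more than seven, so trim defensively before parsing.
$parseTime = {
    param([string]$s)
    [datetime]::Parse(($s -replace '(\.\d{7})\d+', '$1'),
                      [cultureinfo]::InvariantCulture,
                      [System.Globalization.DateTimeStyles]::RoundtripKind)
}

foreach ($e in $events) {
    # Read the event's named data fields: PreviousTime, NewTime, SubjectUserName, ProcessName, ...
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $prev  = & $parseTime $data['PreviousTime']
    $new   = & $parseTime $data['NewTime']
    $delta = $new - $prev

    # Only backward jumps matter here: a forward correction cannot revive an expired certificate.
    if ($delta -lt [TimeSpan]::Zero -and $delta.Negate() -ge $MinBackwardJump) {
        [pscustomobject]@{
            Recorded     = $e.TimeCreated
            PreviousTime = $prev
            NewTime      = $new
            JumpBack     = $delta.Negate()
            User         = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process      = $data['ProcessName']
        }
    }
}
```

Run it periodically or wire the same 4616 filter into your SIEM; the User and Process columns tell you whether the change came from the Windows Time service (routine) or from an interactive account or unexpected binary (worth an incident ticket). Note that if the attacker rolls the clock back before the event is written, the event's own TimeCreated will also be backdated, so search by event ID rather than by recent time window when investigating.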
For Boris Cipot, "organizations need a mix of top-notch endpoint protection, rigorous security policy enforcement, and proactive monitoring." Above all, "Windows should be configured to strictly enforce revocation checks for signed drivers, to block those with expired certificates."
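A practical complement to the policy recommendation above is to audit which loaded drivers are signed by certificates that have already expired. One caveat a practitioner should know: Authenticode deliberately accepts a signature whose signing certificate has since expired when the signature carries a trusted timestamp countersignature made while the certificate was valid, so "expired signer" alone is not a finding; "expired signer with no timestamp" is, because that is exactly what a driver that only validates under a rolled-back clock looks like. The script below is an added example written for this page, not code from the article or from Black Duck. It assumes the auditing machine's own clock is correct when it runs.

```powershell
# Added example: report running drivers whose Authenticode signer certificate has expired
# and which carry no timestamp countersignature. Not code from the article or Black Duck.
# Assumption: the clock on this machine is trustworthy at audit time.
$now = [datetime]::UtcNow

Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise NT-style paths (\??\C:\..., \SystemRoot\..., system32\drivers\...) to Win32 paths
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }

        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

        if (-not $sig -or -not $sig.SignerCertificate) {
            $expiry  = $null
            $finding = 'no readable signature'
        }
        else {
            $expiry  = $sig.SignerCertificate.NotAfter.ToUniversalTime()
            $expired = $expiry -lt $now
            # TimeStamperCertificate is present only when the signature was countersigned by a TSA
            $stamped = $null -ne $sig.TimeStamperCertificate
            $finding = if ($expired -and -not $stamped) { 'signer expired, no timestamp: investigate' }
                       elseif ($expired)                { 'signer expired, timestamped (normal)' }
                       elseif ($sig.Status -ne 'Valid') { "signature status $($sig.Status)" }
                       else                             { 'ok' }
        }

        [pscustomobject]@{
            Driver   = $_.Name
            Path     = $path
            Signer   = $sig.SignerCertificate.Subject
            NotAfter = $expiry
            Finding  = $finding
        }
    } |
    Where-Object Finding -ne 'ok' |
    Sort-Object Finding |
    Format-Table -AutoSize
```

Treat any "signer expired, no timestamp" or "no readable signature" row on a production host as a lead to pull the file hash and check it against your allowlist and vendor source, and pair this audit with the clock-change detection above so that a rolled-back clock cannot silently turn an "expired" row into "ok".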
Finally, the researcher laments that many security features built into Windows may not be active, simply because users have manually disabled them. Too many people turn these features off to make it easier to run old software or drivers. Cybercriminals are well aware of these bad habits and do not hesitate to exploit them.
Source: Forbes