SafeBreach Labs delivers a spoofed signed certificate and MITM simulations for US-CERT Critical Vulnerabilities in Microsoft Windows OS (AA20-014A)


January 17, 2020

Itzik Kotler, CTO, SafeBreach

SafeBreach Labs is the first and only Breach and Attack Simulation solution to deliver the full set of simulations for this issue: one that writes a spoofed signed certificate to disk, for endpoint coverage, and one that tests whether the certificate can be exploited remotely to perform man-in-the-middle attacks over TLS, for network coverage. The new simulations help organizations understand their security posture with regard to US-CERT Critical Vulnerabilities in Microsoft Windows Operating Systems (AA20-014A), which was announced on January 14th.

The new simulation coverage tests:

Attack Simulation #3547 - Write exploit to disk using CVE-2020-0601 (Host-Level):

  • Validate patched systems: on a patched system the sigcheck signature check of the exploit file will fail, because the OS rejects the spoofed certificate
  • Understand how your endpoint security solutions will react to detect and prevent the attack
  • Assist security teams with endpoint investigation

Attack Simulation #3546 - Remote exploitation of the Windows certificate validation vulnerability CVE-2020-0601 (Lateral Movement):

  • Remotely trigger the API while the spoofed certificate is being used to communicate over TLS
  • Understand how your endpoint security solutions will react to detect and prevent the attack
  • Understand how your network security solutions will react to detect and prevent the attack

Windows CryptoAPI Spoofing highlights the complications organizations face in prioritizing vulnerability patch management. CVE-2020-0601 is clearly a high-priority patch that needs immediate attention, but it will be months before all Windows devices are secure. Several vendors are publishing browser and software updates that detect exploitation of CVE-2020-0601 as a preventative protection until organizations can deploy the security patches. For example, Google Chrome update 79.0.3945.130 checks the integrity of a certificate before allowing access to the website.

Security and vulnerability teams lack data on the organization’s potential exposure to high-impact vulnerabilities, and so cannot identify which ones could breach the network and reach critical assets. SafeBreach Breach and Attack Simulation closes this gap by helping organizations understand their potential exposure in the various segments of the network, so they can prioritize the patch management plan across the organization.