Windows Downdate Attacks, Quick Share Vulnerability Exploit, and More: Hacker’s Playbook Threat Coverage Round-up: August 2024

In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting attack coverage for several new threats, including those discovered via original research by the SafeBreach Labs team. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below. 

New SafeBreach Original Research

Windows Downdate Attacks – What you need to know

Downgrade attacks—also known as version-rollback attacks—are a type of attack designed to revert an immune, fully up-to-date software back to an older version. They allow malicious actors to expose and exploit previously fixed/patched vulnerabilities to compromise systems and gain unauthorized access. 

The latest research, undertaken by SafeBreach Labs researcher Alon Leviev was presented at Black Hat USA 2024 and DEF CON 32. This research intended to explore the state of downgrade attacks on Windows and resulted in the discovery of several vulnerabilities that allowed him to develop Windows Downdate – a tool to take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components. This research highlighted how a determined attacker could make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term “fully patched” meaningless on any Windows machine in the world.

Discovered vulnerabilities were disclosed to Microsoft in February 2024 who promptly acknowledged them and issued two CVEs – CVE-2024-21302 and CVE-2024-38202. Additional security guidance was provided by Microsoft via  Security Update Guide ADV24216903 and anyone having additional questions should contact the Microsoft communications team directly at [email protected].

Quick Share Vulnerability Exploit – What you need to know

Google’s Quick Share is a peer–to-peer data-transfer utility for Android, Windows, and Chrome operating systems. It uses a variety of communication protocols—including Bluetooth, Wi-Fi, Wi-Fi Direct, Web real-time communication (WebRTC), and near-field communication (NFC)—to send files between compatible devices that are near each other.

The research, undertaken by SafeBreach Labs researchers Shmuel Cohen and Or Yair was recently presented at DEF CON 32. The objective of this research was to thoroughly understand the intricacies of this relatively new file sharing solution and understand if there were any vulnerabilities that could be potentially exploited. The research resulted in the identification of 10 unique vulnerabilities, some of which were able to be combined into an innovative remote code execution (RCE) attack chain against Quick Share for Windows. This research highlighted that seemingly insignificant capabilities of a product/ tool can be exploited by motivated attackers to create advanced attacks. 

The following 10 vulnerabilities were disclosed to Google in January 2024 and resulted in Google issuing 2 CVEs – CVE-2024-38271 and CVE-2024-38272:

1. Remote Unauthorized File Write in Quick Share for Windows
2. Remote Unauthorized File Write in Quick Share for Android
3. Remote Forced WiFi Connection in Quick Share for Windows
4. Remote Directory Traversal in Quick Share for Windows
5. Remote DoS in Quick Share for Windows – Endless Loop
6. Remote DoS in Quick Share for Windows – Assert Failure
7. Remote DoS in Quick Share for Windows – Assert Failure
8. Remote DoS in Quick Share for Windows – Unhandled Exception
9. Remote DoS in Quick Share for Windows – Unhandled Exception
10. Remote DoS in Quick Share for Windows – Unhandled Exception

SafeBreach Coverage of Windows Downdate attacks and Quick Share Vulnerabilities

The following individual attacks (associated with the identified vulnerabilities) were added to the Hacker’s Playbook and can be individually run to validate organizational controls:

• Downdate attacks – these 2 attacks allow an attacker to potentially take over the Windows Update process, downgrade Windows to an older version, and make it vulnerable to any known one-day vulnerability.
  • #10341 – Windows Downdate – Windows update takeover
  • #10342 – Windows Downdate – TrustedInstaller elevation
• Quick Share attacks – These attacks allow an attacker to force the victim to download any file of the attacker’s choice on a vulnerable QuickShare version.
  • #10334 – QuickShare download file accept bypass (Bluetooth)
  • #10335 – QuickShare download file accept bypass (Wifi)

Additionally, 2 scenarios based on these original attacks were also created and added to the SafeBreach playbook for our customers to validate their security controls against these attacks/vulnerabilities:

Other Threats We Added Coverage for in August 2024

Attacks based on original research conducted by SafeBreach Labs were the highlight of our additions to the attack playbook in August 2024. However, we also added coverage to the following additional threats to ensure an additional, comprehensive level of coverage for our customers.

• MagicRAT – MagicRAT is a remote access trojan, developed by the Lazarus APT group – a North Korean state-sponsored threat group. MagicRAT is programmed in C++ programming language and is primarily distributed through exploiting vulnerabilities such as Log4j in VMware Horizon. After the malicious software has been installed on a computer, it will initiate a connection with a command-and-control server (also known as a C&C server), which will enable the hacker to carry out a variety of commands and steal sensitive data from the compromised computer.
  • #10419 – Write MagicRAT (0c0ee6) RAT to disk (HOST_LEVEL) 
  • #10420 – Pre-execution phase of MagicRAT (0c0ee6) RAT (Windows) (HOST_LEVEL) 
  • #10421 – Transfer of MagicRAT (0c0ee6) RAT over HTTP/S (LATERAL_MOVEMENT
  • #10422 – Transfer of MagicRAT (0c0ee6) RAT over HTTP/S (INFILTRATION) 
  • #10423 – Email MagicRAT (0c0ee6) RAT as a compressed attachment (LATERAL_MOVEMENT)
  • #10424 – Email MagicRAT (0c0ee6) RAT as a compressed attachment (INFILTRATION) 
• Hesperbot Trojan – Hesperbot is a banking trojan that is similar in functionality to Zeus and SpyEye. Hesperbot trojan includes functionalities such as keystroke logging, creation of screenshots and video capture, and setting up a remote proxy, and creating a hidden VNC server on the infected system. Hesperbot is used by attackers to obtain login credentials giving them access to the victim’s bank account and to get them to install a mobile component of the malware on mobile phones.
  • #10364 – Write Hesperbot trojan to disk (HOST_LEVEL
  • #10365 – Email Hesperbot trojan as a compressed attachment (LATERAL_MOVEMENT) 
  • #10366 – Email Hesperbot trojan as a compressed attachment (INFILTRATION) 
  • #10367 – Pre-execution phase of Hesperbot trojan (Windows) (HOST_LEVEL) 
• Timitator Trojan – This is a trojan malware (amongst several) used by Vietnam-based threat group APT32 (OceanLotus Group) to carry out sophisticated attacks on private organizations, journalists, foreign governments, and activists, with a major focus on Southeast Asian nations such as Vietnam, the Philippines, Laos, and Cambodia.
  • #10358 – Write Timitator (8ae286) trojan to disk (HOST_LEVEL
  • #10359 – Transfer of Timitator (8ae286) trojan over HTTP/S (LATERAL_MOVEMENT
  • #10360 – Transfer of Timitator (8ae286) trojan over HTTP/S (INFILTRATION) 
  • #10361 – Email Timitator (8ae286) trojan as a compressed attachment (LATERAL_MOVEMENT) 
  • #10362 – Email Timitator (8ae286) trojan as a compressed attachment (INFILTRATION) 

Interested in Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

• Training: Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
• Assessment: Review goals and ensure simulation connections to our management console and all configurations are complete.
• Attack Scenario: Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
• Report: Receive a custom-built report with simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.