
Elastic Security Research Uncovers Vulnerabilities in Microsoft Smart App Control and SmartScreen Features

Researchers from Elastic Security Labs have uncovered vulnerabilities in Microsoft's Windows Smart App Control and SmartScreen. Microsoft acknowledges that these discoveries can help security defenders concentrate their detection efforts on crucial coverage gaps, as these systems contain design...



In the digital world, security is a constant battle, and the latest frontier seems to be Microsoft's Smart App Control (SAC). SAC, a feature introduced with Windows 11, is designed to block malicious or untrusted apps by querying a Microsoft cloud service when applications are executed. However, recent findings suggest that SAC, along with SmartScreen, may have design weaknesses that can be exploited by attackers.

Elastic, a company specialising in search and security solutions, has identified several methods that attackers can use to bypass these security controls without triggering warnings or popups. One such method is reputation hijacking, where attackers find and repurpose apps that already have a good reputation to bypass the system. Another is reputation seeding, where a tampered binary is crafted with a unique hash that has never been seen by Microsoft or Smart App Control, yet can still be executed with Smart App Control in enforcement mode.

Attackers have also been using Extended Validation (EV) certificates to sign malware, a way to bypass Smart App Control. This practice has been on the rise, with financial crime groups like FIN7 using over 100 unique code-signing certificates for their malware attacks.

Elastic has also discovered a bug in the handling of LNK files that can bypass these security controls. LNK stomping, a Mark-of-the-Web (MotW) bypass, involves crafting LNK files with non-standard target paths or internal structures, which can lead to the removal of the MotW label before security checks are performed.

To combat these threats, Elastic has developed a utility that displays the trust of a file and made the source code publicly available. They also emphasise the importance of scrutinising downloads carefully and not relying solely on OS-native security features for protection. Robust behavioural coverage around common attacker techniques can help detect realistic intrusions, including reputation hijacking.
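As an added illustration of the "scrutinise downloads" advice (this is not Elastic's trust utility and not code from the article), the Python below reads a file's `Zone.Identifier` alternate data stream, which is where Windows stores the MotW label, and reports whether the label is present, absent, or below the Internet zone. It assumes an NTFS volume on Windows; on other systems the stream read fails and the file is reported as unmarked, and any paths passed to it are placeholders.

```python
"""Audit downloaded files for a missing or downgraded Mark-of-the-Web (MotW).

Windows stores MotW in the NTFS alternate data stream ``<file>:Zone.Identifier``
as an INI-style block, e.g. ``[ZoneTransfer]`` / ``ZoneId=3``.  Zone 3 (Internet)
and 4 (Restricted) are what SmartScreen and Smart App Control act on, so a file
that arrived from a browser but has no stream, or a lower zone, deserves a closer
look before it is run.  Assumption: run on Windows/NTFS for real results.
"""
from __future__ import annotations

from typing import Iterable


def parse_zone_identifier(stream_text: str | None) -> dict:
    """Parse Zone.Identifier text; None means the stream does not exist."""
    if stream_text is None:
        return {"present": False, "zone": None, "host": None}
    zone, host, in_block = None, None, False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_block = True
            continue
        if not in_block or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid":
            zone = int(value) if value.isdigit() else None  # malformed -> None
        elif key == "hosturl":
            host = value
    return {"present": True, "zone": zone, "host": host}


def motw_verdict(stream_text: str | None) -> str:
    """'marked' (zone >= 3), 'low-zone', 'unmarked' (no stream) or 'malformed'."""
    info = parse_zone_identifier(stream_text)
    if not info["present"]:
        return "unmarked"      # stream gone: the outcome LNK stomping produces
    if info["zone"] is None:
        return "malformed"     # stream exists but ZoneId is unreadable
    return "marked" if info["zone"] >= 3 else "low-zone"


def read_zone_stream(path: str) -> str | None:
    """Read <path>:Zone.Identifier; None if the stream is absent or unsupported."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def audit(paths: Iterable[str]) -> dict[str, str]:
    """Map each path to its MotW verdict, e.g. for everything in a Downloads folder."""
    return {p: motw_verdict(read_zone_stream(p)) for p in paths}
```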

Microsoft exposes undocumented APIs for querying the trust level of files for SmartScreen and Smart App Control, providing a potential avenue for attackers to exploit. However, it's important to note that the oldest sample identified was submitted over six years ago, and Elastic disclosed details of the bug to the Microsoft Security Response Center (MSRC).

In conclusion, while Smart App Control and SmartScreen are valuable tools in the fight against malware, it's clear that they are not infallible. Security teams must remain vigilant and use a combination of methods to ensure the safety of their systems and data.
