BoundHook Technique Enables Attacker Persistence on Windows Systems

Published: 22/11/2024   Category: security




CyberArk shows how attackers can leverage Intel's MPX technology to burrow deeper into a compromised Windows system.



Security researchers at CyberArk have developed a technique showing how attackers can exploit a feature in the Memory Protection Extension (MPX) technology on modern Intel chips to steal data from Windows 10 systems and to remain completely undetected on them.
CyberArk's new BoundHook technique is similar to the GhostHook method that the company revealed earlier this year in that it is a post-exploitation technique. In other words, for BoundHook to work, an attacker would need to already have privileged access on a Windows 10 system.
Microsoft itself, for that reason, has refused to categorize the issue as a vulnerability that merits a security patch. "The technique described in this marketing report does not represent a security vulnerability and requires a machine to already be compromised to potentially work," the company said in a statement. "We encourage customers to always keep their systems updated for the best protection."
Intel's MPX technology, introduced with the chipmaker's Skylake line in 2015, is designed to protect applications against buffer overflows, out-of-bounds access, and other memory errors and attacks. Applications running on Windows 10 systems use the feature as protection against buffer overflow attacks.
CyberArk's BoundHook technique uses a boundary check instruction in MPX to hook processes on a system and essentially change their behavior. "The BoundHook technique allows you to run your own code inside foreign processes and change its normal behavior, without leaving any traces inside these foreign processes," says Doron Naim, senior security researcher at CyberArk.
"Hooking is about changing the behavior of certain functions in the operating system or application software on a system," he says. As one example, he points to the key input function. "If an attacker were able to hook this function, they would be able to sniff and steal your keystrokes."
"Typically, to do hooking you have to write hooking code inside a target process," he says. With BoundHook, the code is not used to execute the hook itself but to cause an error, like a boundary exception error, in the process. From there an attacker can take complete control of the thread execution, Naim notes. "If you control the thread execution, you can do anything you want by the name of the target process. For example, if it's Word.exe, you can steal credentials or send information to the Internet through this process." Most antivirus tools are not equipped to detect the malicious activity that is enabled via BoundHook, according to CyberArk.
While Microsoft has downplayed BoundHook just as it did with GhostHook, Naim insists CyberArk's latest technique indeed poses a threat. "The first thing to note is that this technique is most likely to be used by nation-state attackers, or very well financed criminal organizations that are looking for infiltrations that last."
In the current threat environment, gaining administrative privileges on an endpoint system is something that administrators should assume even the most basic attacker can accomplish, he says. "In most cases, all it takes is for a single individual to click on the wrong link or fall for a phishing scam."
Techniques such as the one that CyberArk demonstrated this week are important because they show how attackers can improve their dwell time on a compromised network, Naim notes. "Techniques like this are incredibly powerful in helping attackers disappear after the initial infection point — allowing them to build in backdoors and plan their attacks in de facto stealth mode."
Related content:
GhostHook Foils Windows 10 64-bits Kernel Protection
New Microsoft Kernel Bug Could Permit Malicious Modules
Linux Kernel Bug Allows Local-to-Root Privilege Escalation
Locking Down Windows 10: 6 New Features