New Techniques Allow Malware to Bypass Antivirus Defenses

Significant security weaknesses have been discovered in well-known security software that could allow an attacker to disable it. In addition, the applications these products trust can be hijacked to carry out malicious actions. In this way, attackers could not only bypass anti-ransomware defenses but also turn them into a tool for the attack itself.

What's new?

Researchers from the University of London and the University of Luxembourg provided detailed information regarding these twin attacks. These attacks are named Cut-and-Mouse and Ghost Control.
  • For the Cut-and-Mouse attack, the researchers attempted to abuse the protected folder feature of antivirus programs to encrypt files. The Ghost Control attack can disable the real-time protection of these antivirus programs by simulating mouse clicks.
  • Usually, a small group of whitelisted applications, such as Notepad, is provided privileges to write to a protected folder. However, these applications themselves are not protected from being abused by other applications.
  • The attack shows that this trust is unjustified, since a malicious tool or malware can perform nefarious operations on protected folders by using whitelisted applications as intermediaries.
  • Researchers evaluated a total of 29 antivirus solutions, all of which were found vulnerable to the Cut-and-Mouse attack, while 14 of them were found vulnerable to the Ghost Control attack.

Scenario

Researchers built an attack scenario showing that malicious code can take control of a trusted application such as Paint or Notepad. These applications can then be abused to perform write operations and encrypt the victim's files saved in the protected folders.
  • Ransomware can read the files in the folders, encrypt them in memory, and then copy the result to the system clipboard. After this, Notepad can be executed to overwrite the folder contents with the clipboard data.
  • In addition, by using Paint as the trusted application, the same attack sequence could be used to overwrite the user's files with a randomly created image to permanently damage them.
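A defender-side illustration of the scenario above, added here as an example (it is not code from the article or from the researchers): a toy detector that flags the Cut-and-Mouse pattern, i.e. a whitelisted editor such as Notepad or Paint that was not started by the user writing a burst of files into a protected folder. The log format, process names (including dropper.exe), paths and thresholds are all constructed assumptions.

```python
# Added example, not from the article or the researchers. Flags a whitelisted editor
# (Notepad, Paint) driven by another process to overwrite files in a protected folder.
from collections import defaultdict
from datetime import datetime

# Constructed telemetry: timestamp, event, pid, image, parent image, path
CONSTRUCTED_LOG = """\
2021-05-03T10:00:05 FILE_WRITE 1204 notepad.exe explorer.exe C:\\Users\\alice\\Documents\\notes.txt
2021-05-03T10:05:01 FILE_WRITE 2210 notepad.exe dropper.exe C:\\Users\\alice\\Documents\\a.docx
2021-05-03T10:05:01 FILE_WRITE 2210 notepad.exe dropper.exe C:\\Users\\alice\\Documents\\b.docx
2021-05-03T10:05:02 FILE_WRITE 2210 notepad.exe dropper.exe C:\\Users\\alice\\Documents\\c.docx
2021-05-03T10:05:02 FILE_WRITE 2210 notepad.exe dropper.exe C:\\Users\\alice\\Documents\\d.xlsx
2021-05-03T10:05:03 FILE_WRITE 2210 notepad.exe dropper.exe C:\\Users\\alice\\Documents\\e.xlsx
"""

PROTECTED_FOLDERS = ("c:\\users\\alice\\documents\\",)  # assumed protected-folder configuration
WHITELISTED_APPS = {"notepad.exe", "mspaint.exe"}       # apps the article names as trusted
INTERACTIVE_PARENTS = {"explorer.exe"}                  # started by the user, not by code
BURST_THRESHOLD, BURST_WINDOW_S = 5, 10                 # 5+ protected writes within 10 s

def parse(line):
    ts, ev, pid, image, parent, path = line.split(" ", 5)
    return datetime.fromisoformat(ts), ev, int(pid), image.lower(), parent.lower(), path.lower()

def burst(stamps):
    # True if BURST_THRESHOLD timestamps fall inside any BURST_WINDOW_S-second window
    stamps = sorted(stamps)
    return any((stamps[i + BURST_THRESHOLD - 1] - stamps[i]).total_seconds() <= BURST_WINDOW_S
               for i in range(len(stamps) - BURST_THRESHOLD + 1))

def detect(log_text):
    writes, lineage = defaultdict(list), {}             # pid -> write times, pid -> (image, parent)
    for line in log_text.splitlines():
        ts, ev, pid, image, parent, path = parse(line)
        lineage[pid] = (image, parent)
        if ev == "FILE_WRITE" and path.startswith(PROTECTED_FOLDERS):
            writes[pid].append(ts)
    alerts = {}                                         # pid -> list of reasons
    for pid, stamps in writes.items():
        image, parent = lineage[pid]
        if image not in WHITELISTED_APPS:
            continue                                    # not the trusted-intermediary case
        reasons = []
        if parent not in INTERACTIVE_PARENTS:
            reasons.append(f"{image} launched by {parent}, not by the user")
        if burst(stamps):
            reasons.append(f"{len(stamps)} protected-folder writes within {BURST_WINDOW_S}s")
        if reasons:
            alerts[pid] = reasons
    return alerts
```

Calling `detect(CONSTRUCTED_LOG)` leaves the interactively launched Notepad (pid 1204) alone and reports pid 2210 for both its non-interactive parent and its write burst.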

Conclusion

Malware authors are continuously attempting to sneak past security defenses, and the publication of attack scenarios like these can hand them new capabilities. Further, this indicates that in the field of cybersecurity nothing should be taken for granted, and users need to protect themselves with multiple layers of security to reduce the risk of such innovative attacks.

Cyware Publisher