Written by: Vikram Navali, Senior Technical Product Manager – Attackers often look for the easiest way to escalate privileges and bypass security controls. The Windows Security Identifier (SID) injection technique allows attackers to take advantage of the SID History attribute, escalate privileges, and move laterally within the organization’s Active Directory (AD) environment.
A vulnerability in the Windows 10 voice assistant, Cortana, allows attackers to open malicious websites on a user’s device even when a PC is locked.
Israeli researchers Tal Be’ery and Amichai Shulman discovered that they could bypass password locks to instruct a device to visit websites since the devices continue to listen for voice commands even when locked and because many users haven’t bothered to train the voice assistant to only obey a single user’s commands, the researchers demonstrated in a YouTube presentation.
Threat actors could insert a USB network adaptor to a locked device and simply give a verbal command instructing Cortana to open the web browser and head to an unencrypted HTTP webpage. The adapter inserted into the USB drive would then intercept the request and redirects the browser to a malicious webpage instead.
DoublePulsar is estimated to have previously infected nearly 100,000 Windows PCs.
Hackers are reportedly using the NSA’s leaked DoublePulsar malware to infect vulnerable Windows PCs with a new cryptocurrency miner identified as “Trojan.BtcMine.1259”. The Trojan reportedly leverages DoublePulsar, an NSA hacking tool leaked by the Shadow Brokers, to infect systems running unsecured SMB protocols.
DoublePulsar was at the heart of the WannaCry attacks and was used by hackers to spread the self-propagating ransomware last month. Security experts estimated that hackers used the NSA malware, which essentially functions as a backdoor, providing access to vulnerable Windows systems, to infect nearly 100,000 Windows PCs.