Notes from the Field

PoC Exploit of Windows CryptoAPI Vulnerability with Global Scale Spoofing Actively Discussed

by Eleanor Barlow • Jan 2020

Microsoft’s latest ‘Patch Tuesday’ revealed a critical vulnerability (CVE-2020-0601), dubbed CurveBall or ChainOfFools, affecting Windows Server 2019, Windows Server 2016 and Windows 10.

How it Works

This spoofing vulnerability is exploited by presenting a spoofed code-signing certificate, so that malicious executable code passes as a legitimately signed, trusted file. It can be used by a malicious actor to trick any software that relies on Windows CryptoAPI for certificate validation. As a result, both the user and protection solutions such as anti-malware may be deceived, because the malicious file appears to be digitally signed by a trusted provider such as Microsoft.
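The paragraph above stays at a high level, so here is an added example, written for this page and not code from the article or from SecurityHQ, of the structural check defenders used to triage CVE-2020-0601. The CryptoAPI flaw concerned ECC certificates that carry explicit curve parameters rather than a named-curve OID, and publicly trusted CAs issue ECC certificates with named curves, so an ECC certificate whose parameters are an explicit SEQUENCE is a strong indicator worth quarantining and reviewing. The DER walker, the helper names and the sample SubjectPublicKeyInfo blobs are all assumptions of this example; the sample bytes are constructed placeholders, not real keys or certificates.

```python
# CurveBall (CVE-2020-0601) triage: flag ECC keys whose curve is given as explicit
# parameters instead of a named-curve OID. Minimal DER walker, standard library only.
# Sample blobs below are constructed stand-ins, not real certificates (assumption).
import sys

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"          # id-ecPublicKey (RFC 5480)
TAG_OID, TAG_NULL, TAG_SEQUENCE = 0x06, 0x05, 0x30

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos] (single-byte tags, as in X.509)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                           # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def iter_children(value):
    """Yield (tag, value) for each TLV concatenated in `value`."""
    pos = 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        yield tag, v

def decode_oid(value):
    """Dotted form of an OID's content octets."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def classify_ec_parameters(der):
    """Return [(kind, named_curve_oid_or_None)] for every id-ecPublicKey AlgorithmIdentifier.
    kind: "named" (OID), "explicit" (ECParameters SEQUENCE, the CurveBall shape),
    "implicit" (NULL) or "unknown"."""
    findings = []

    def walk(buf):
        children = list(iter_children(buf))
        if (len(children) >= 2 and children[0][0] == TAG_OID
                and decode_oid(children[0][1]) == ID_EC_PUBLIC_KEY):
            ptag, pval = children[1]
            if ptag == TAG_OID:
                findings.append(("named", decode_oid(pval)))
            elif ptag == TAG_SEQUENCE:
                findings.append(("explicit", None))
            elif ptag == TAG_NULL:
                findings.append(("implicit", None))
            else:
                findings.append(("unknown", None))
        for tag, v in children:
            if tag & 0x20:                      # constructed (SEQUENCE, SET, [n] EXPLICIT): descend
                walk(v)

    walk(der)
    return findings

def is_suspicious(der):
    """True if any ECC key in the blob uses explicit curve parameters."""
    return any(kind == "explicit" for kind, _ in classify_ec_parameters(der))

# ---- constructed sample data: tiny DER encoder plus placeholder SPKIs ----
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return tlv(TAG_OID, bytes(out))

FAKE_POINT = tlv(0x03, b"\x00\x04" + b"\x11" * 64)      # BIT STRING with a placeholder public key

def spki(parameters):
    """SubjectPublicKeyInfo { AlgorithmIdentifier { id-ecPublicKey, parameters }, key }."""
    return tlv(TAG_SEQUENCE, tlv(TAG_SEQUENCE, encode_oid(ID_EC_PUBLIC_KEY) + parameters) + FAKE_POINT)

NAMED_CURVE_SPKI = spki(encode_oid("1.2.840.10045.3.1.7"))   # prime256v1 referenced by name

# Explicit ECParameters (RFC 3279 layout) with placeholder numbers; only the shape matters here.
EXPLICIT_SPKI = spki(tlv(TAG_SEQUENCE,
    tlv(0x02, b"\x01")                                                        # version
    + tlv(TAG_SEQUENCE, encode_oid("1.2.840.10045.1.1") + tlv(0x02, b"\x7f"))  # FieldID: prime-field, p
    + tlv(TAG_SEQUENCE, tlv(0x04, b"\x01") + tlv(0x04, b"\x02"))              # Curve: a, b
    + tlv(0x04, b"\x04\x03\x04")                                              # base point G
    + tlv(0x02, b"\x7d")                                                      # order n
    + tlv(0x02, b"\x01")))                                                    # cofactor h

def cert_skeleton(subject_spki):
    """Certificate-shaped wrapper { tbs { [0] version, serial, spki } } to show the walker descends."""
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + subject_spki
    return tlv(TAG_SEQUENCE, tlv(TAG_SEQUENCE, tbs))

if __name__ == "__main__":
    for path in sys.argv[1:]:                   # DER-encoded certificate files
        with open(path, "rb") as f:
            blob = f.read()
        print(path, "EXPLICIT-PARAMS" if is_suspicious(blob) else "ok", classify_ec_parameters(blob))
```

Run it over DER-encoded certificates (PEM input needs base64 decoding first). A hit is a triage signal rather than proof of exploitation, so it belongs alongside the vendor patch and the EDR monitoring the article recommends, not in place of them.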

The Effects

CurveBall or ChainOfFools is a serious threat, in that any file signed by exploiting this vulnerability may be regarded as genuine by endpoint security solutions. This, in turn, allows the threat to deceive endpoint detection products and, with them, every affected Windows machine.

The key issue, however, is how quickly and effortlessly this vulnerability has been, and is being, exploited. Proof-of-concept exploits for CurveBall are being actively followed and discussed on the dark web and are being adapted extensively by malware authors.

Mitigation Recommendations

‘Administrators should be prepared to conduct remediation activities since unpatched endpoints may be compromised. Applying patches to all affected endpoints is recommended, when possible, over prioritizing specific classes of endpoints. Other actions can be taken to protect endpoints in addition to installing patches. Network devices and endpoint logging features may prevent or detect some methods of exploitation, but installing all patches is the most effective mitigation.’ – National Security Agency (NSA)

  • Update operating systems to the current patch level released by Microsoft.
  • Update your anti-virus solutions with the latest virus definitions.
  • Monitor your EDR and Anti-malware tools and solutions 24/7 for potential malicious activities.

The Solution

SecurityHQ ensures that this, and any other emerging threat or vulnerability, cannot and will not influence or evade our detection.

For additional support, reach out to one of our specialists here, and learn how to safeguard your data, business and people from the latest attacks.