Major BIOS vendors and manufacturers such as Intel and Nvidia were named as affected, as well as Microsoft’s Windows. In fact, the danger to Windows was almost blanket. The Complete Control attack affects all newer versions of the OS. Eclypsium confirmed Windows 7, 8, 8.1, and Windows 10 could be exploited. At the time, Microsoft reassured users by saying Windows Defender can easily deal with any attack based on the flaw. While the company was correct, for some reason it did not say only the latest Windows patches could protect against the flaw. Users not on the latest security patches are left vulnerable. Microsoft said it would blacklist reported drivers through HVCI (Hypervisor-enforced Code Integrity). Again, this is good news but only has limited scope. HVCI is only supported on devices running 7th Gen Intel CPUs or newer. Those on older processors must manually uninstall affected drivers. Hackers have already found a way to exploit the Complete Control vulnerability. An updated version of Remote Access Trojan (RAT) is being leveraged. Called the NanoCore RAT, security researchers at LMNTRX Labs have found it has been used to exploit the vulnerability. It is currently available to attackers through the Dark Web, according to Forbes.
Detection
As NanoCore RAT has been around for a while, researchers know plenty about it. LMNTRX Lab discussed how the tool can be detected:
“T1064 – Scripting: Scripting is commonly used by system administrators to perform routine tasks. Any anomalous execution of legitimate scripting programs, such as PowerShell or Wscript, can signal suspicious behaviour. Checking office files for macro code can also help identify scripting used by attackers. Office processes, such as winword.exe spawning instances of cmd.exe, or script applications like wscript.exe and powershell.exe, may indicate malicious activity.
T1060 – Registry Run Keys / Startup Folder: Monitoring Registry for changes to run keys that do not correlate with known software or patch cycles, and monitoring the start folder for additions or changes, can help detect malware. Suspicious programs executing at start-up may show up as outlier processes that have not been seen before when compared against historical data. Solutions like LMNTRIX Respond, which monitors these important locations and raises alerts for any suspicious change or addition, can help detect these behaviours.
T1193 – Spearphishing Attachment: Network Intrusion Detection systems, such as LMNTRIX Detect, can be used to detect spearphishing with malicious attachments in transit. In LMNTRIX Detect’s case, in-built detonation chambers can detect malicious attachments based on behaviour, rather than signatures. This is critical as signature-based detection often fails to protect against attackers that frequently change and update their payloads.”
For organizations and users, the best thing to do to avoid an attack is to ensure Windows is update to date.