The NSA has found a critical flaw in Microsoft’s CryptoAPI (crypt32.dll), which leaves the system vulnerable to spoofing. How can possible attackers exploit this issue? Is your company at risk? What steps do you need to take? We’ll cover what you need to know in this blog post.
The vulnerability was discovered in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates: by using a spoofed code-signing certificate to sign a malicious executable file, an attacker could make Windows believe that their file was from a trusted, legitimate source and therefore harmless. With the digital signature appearing to be from a trusted provider, users would have no way to tell the file is malicious.
As a result, a successful exploit could also let the attacker decrypt confidential information on user connections to the affected software. By spoofing the digital signature on malicious software, the attacker can trick Windows into believing that their software is a legitimate application that is safe to install.
The vulnerability exists in all versions of Windows 10, Windows Server 2016 and Windows Server 2019. Kudelski Research Facility has developed working exploit code, and according to French security researcher SwitHak, public and private exploits have been detected.
Exploitation attempts can be detected through the following entry in the Windows event log:

Event Log: Windows Logs/Application
Event Source: Audit-CVE
Event ID: 1

The same entries can be queried with PowerShell:

Get-EventLog -LogName Application -Source Audit-CVE -InstanceId 1
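As an added example that is not part of the original post, the following PowerShell function wraps the same Audit-CVE query so it can be run against several hosts at once and produce a per-host summary; the function name, the host list, the lookback window and the assumption that the event message contains the CVE identifier are ours, not the page's.

```powershell
# Added example (not from the original post): collect Audit-CVE event ID 1 entries
# from the Application log on one or more hosts and summarise them per host.
# Assumes Windows PowerShell 5.1 (Get-EventLog) and remote event log access.
# Note: Windows only writes Audit-CVE events once the security update is installed,
# so an empty result on an unpatched host does not mean "no exploitation".

function Get-AuditCveEvents {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 30,
        # Assumption: the event message carries the CVE id; filter on it so other
        # future Audit-CVE entries are not mixed in.
        [string]$CvePattern = 'CVE-2020-0601'
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($computer in $ComputerName) {
        # Get-EventLog reports "no matches" as an error; silence it and treat as zero hits
        $events = Get-EventLog -LogName Application -Source Audit-CVE -InstanceId 1 `
            -After $since -ComputerName $computer -ErrorAction SilentlyContinue
        foreach ($e in @($events)) {
            if ($e.Message -notmatch $CvePattern) { continue }
            [pscustomobject]@{
                Computer = $computer
                Time     = $e.TimeGenerated
                EventId  = $e.EventID
                Message  = ($e.Message -replace '\s+', ' ').Trim()
            }
        }
    }
}

# Usage: query a constructed host list and print a count per host, then the details.
$hosts = @($env:COMPUTERNAME)   # replace with your own server list
$hits = Get-AuditCveEvents -ComputerName $hosts -Days 30
$hits | Group-Object Computer |
    Select-Object @{n='Computer';e={$_.Name}}, @{n='AuditCveEvents';e={$_.Count}} |
    Format-Table -AutoSize
$hits | Sort-Object Time | Format-List Computer, Time, Message
```

Any non-zero count warrants pulling the full event message, which names the certificate that failed validation, and correlating it with what was executed or connected to on that host at that time.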
Do you need assistance detecting this exploitation through PowerShell? Don’t hesitate to contact us – we’ll gladly help you.
Microsoft has addressed this issue with a Security Update, as described in the security bulletin for CVE-2020-0601. The patch ensures that Windows CryptoAPI completely validates ECC certificates. Installing this patch is currently the only way to mitigate the risk.