Security Experts:

New Windows Attack Turns Evil Maid into Malicious Butler

Black Hat USA 2016 – Researchers at Microsoft have demonstrated that a Windows vulnerability previously believed to be exploitable only in physical access scenarios can also be launched remotely, which could make it a tempting target for advanced persistent threat actors.

Last year at the Black Hat conference in Europe, researcher Ian Haken disclosed a flaw that can be leveraged to bypass local Windows authentication and defeat BitLocker full disk encryption.

The Windows vulnerability involved in the attack, tracked as CVE-2015-6095, was described by Microsoft as a security feature bypass caused by the failure of Kerberos to check password changes when users log into a workstation. The flaw was addressed by the vendor in November 2015 and again in February 2016 (CVE-2016-0049) after researchers Nabeel Ahmed and Tom Gilis discovered that the initial fix was incomplete.

The security bulletins released by Microsoft for the vulnerabilities were rated only “important” because exploitation required physical access to the targeted system. Attacks that require physical access to a system are known as “evil maid” attacks.

While the flaws are dangerous, many organizations may have neglected to patch them due to the fact that they can only be exploited in a physical access scenario. Sophisticated threat actors have also ignored these vulnerabilities likely for the same reason.

However, Microsoft’s Chaim Hoch and Tal Be'ery have found a way to exploit the vulnerabilities remotely over the network, turning the evil maid attack into what they call a “remote malicious butler” attack. The method was disclosed on Thursday at the Black Hat security conference in Las Vegas.

In the attack described last year by Haken, a hacker could bypass Windows authentication by setting up a new rogue domain controller (DC) with the same domain name as the victim’s computer – the domain name can be easily obtained from the lockscreen.

On this rogue DC, the attacker must then set up a user account with the victim’s username, information that is also accessible in the lockscreen user interface. The password for the new user account on the rogue DC must be configured to expire.

In the next phase of the attack, the hacker physically accesses the targeted machine, connects it to the rogue DC, and attempts to log in to the account they created. Since the password is set to expire, the attacker is prompted to change the password and the new one is added to the local machine’s cached credentials.

Finally, the attacker disconnects the device from the rogue DC and logs in with the password they selected. The login will be successful because the computer is not connected to a domain controller and the password they enter is compared to the “poisoned” cached credential store.

In the “remote butler” version of the attack, the attacker first compromises a machine on the network and sets up a rogue DC as in the case of the evil maid attack. The hacker then uses a reconnaissance tool such as nmap to find machines on the network that have an open remote desktop protocol (RDP) port.

The attacker also needs to monitor user activity and logons in an effort to identify computers vulnerable to the evil maid attack (i.e. their traffic can be intercepted and the user is away from the machine). They route network traffic on these machines through the device hosting the rogue DC. The RDP access is leveraged to launch the original evil maid attack against the vulnerable machine and log in to the system via the attacker-created password, which is valid as it’s compared to cached credentials.

After the targeted machine reconnects to the original domain controller, the attack no longer works because cached credentials are no longer used. In order to maintain access to the targeted machine even after it returns to the original DC without additional backdoors, malicious actors can obtain the victim’s password from memory by leveraging a memory dumping tool such as Mimikatz.

Hoch and Be’ery have published a video to show how the remote malicious butler attack works: 

The researchers believe it would not be difficult for an APT actor to launch such an attack. One advantage of this method is that it does not require the attacker to conduct a cleanup operation – the remote butler attack does not leave any traces on the targeted computer, especially if the hacker obtains the victim’s credentials from the memory and uses them to log in.

Hoch and Be’ery pointed out that the patches released by Microsoft for the evil maid attacks also prevent the remote butler attacks. Organizations that deprioritized the patching of these flaws due to the physical access requirement should reassess the issue.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.