TOP-3 cybersecurity events of the week according to Jet CSIRT

The past week will be remembered for a new PoC exploit for a previously identified Windows vulnerability, the discovery of another way to intercept the BitLocker master key, and a report on the growth of attacks using the SocGholish framework. Details under the cut.


New PoC exploit for unpatched Windows 0-day vulnerability

Google Project Zero security researcher Maddie Stone discovered that Microsoft's June patch did not fix the CVE-2020-0986 vulnerability, and it can still be exploited with some adjustments. The original flaw gave an attacker control over the src and dest pointers passed to memcpy and allowed privilege escalation to the kernel level. The newly identified issue was assigned CVE-2020-17008.

New way to intercept BitLocker master key

Researcher Henri Nurmi of F-Secure demonstrated a way to intercept the master key of the Windows BitLocker encryption service over the SPI bus. The method relies on a well-known architectural feature: the link between the central processor and the Trusted Platform Module, which is responsible for storing the key, has no standard protection. During the research, the specialist found that the flash chip used to store the firmware microcode and the TPM chip sit on the same SPI bus. In that case, to decrypt the data on the disk it is enough to intercept the master key by connecting to the SPI bus.
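An audit check a defender can run after this item, added here and not part of the original post or the F-Secure research: it lists BitLocker volumes whose only protector is the TPM, the configuration in which the master key is released at boot without any pre-boot authentication; with a TPM+PIN or TPM+startup-key protector the TPM does not unseal the key until the user supplies it. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available and the shell is elevated.

```powershell
# Added example (not from Jet CSIRT or F-Secure): audit BitLocker key protectors on this host.
# Assumption: the BitLocker PowerShell module is available and the shell runs elevated.
# A volume whose only protector is the TPM has its master key unsealed automatically at boot,
# which is the condition the SPI sniffing technique above relies on. Protectors that require
# a PIN or startup key add pre-boot authentication, so the key is not released unattended.

function Get-BitLockerTpmOnlyExposure {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword, ExternalKey and Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # Pre-boot authentication exists if any protector needs user input at startup.
        $hasPreBootAuth = (($types -contains 'TpmPin') -or
                           ($types -contains 'TpmStartupKey') -or
                           ($types -contains 'TpmPinStartupKey'))
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPreBootAuth)

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            # True when the master key is unsealed at boot with no user interaction.
            TpmOnlyAutoUnlock = ($tpmOnly -and ($vol.ProtectionStatus -eq 'On'))
        }
    }
}

# Print the per-volume findings; volumes flagged True are candidates for adding a PIN protector.
Get-BitLockerTpmOnlyExposure | Format-Table -AutoSize
```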

Growth in the number of attacks using the SocGholish framework

Menlo Labs specialists reported a growing number of drive-by attacks using a framework called SocGholish. The malicious tool masquerades as legitimate updates for browsers, Flash Player and the Microsoft Teams client, tricking users into launching a malicious ZIP archive. Compromised sites and legitimate Google Drive and Google Sites resources are used for distribution.
