BitLocker Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/bitlocker/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 21 Oct 2021 19:58:43 +0000 en-US hourly 1 https://wordpress.org/?v=68201 200474804 Microsoft warns of dangerous vulnerability in Surface Pro 3 devices https://gridinsoft.com/blogs/vulnerability-in-surface-pro-3/ https://gridinsoft.com/blogs/vulnerability-in-surface-pro-3/#respond Thu, 21 Oct 2021 19:58:43 +0000 https://blog.gridinsoft.com/?p=6044 Microsoft engineers have published a security bulletin on a new vulnerability affecting Surface Pro 3 tablets. The bug could be used by an attacker to inject malicious devices into corporate networks and bypass the Device Health Attestation. Other Surface devices, including Surface Pro 4 and Surface Book, are not considered affected by this issue. Although… Continue reading Microsoft warns of dangerous vulnerability in Surface Pro 3 devices

The post Microsoft warns of dangerous vulnerability in Surface Pro 3 devices appeared first on Gridinsoft Blog.

]]>
Microsoft engineers have published a security bulletin on a new vulnerability affecting Surface Pro 3 tablets. The bug could be used by an attacker to inject malicious devices into corporate networks and bypass the Device Health Attestation.

Other Surface devices, including Surface Pro 4 and Surface Book, are not considered affected by this issue. Although the Surface Pro 3 was released in June 2014 and discontinued in November 2016, the manufacturer claims that third-party machines using a similar BIOS may also be vulnerable.

Fortunately, an attacker would need either access to the device owner’s credentials or physical access to the tablet to successfully exploit the new bug.

The problem is identified as CVE-2021-42299 (5.6 CVSS) and Google Software Engineer Chris Fenner who discovered the bug, gave a bug name TPM Carte Blanche.

Device Health Attestation is a cloud-based and on-premises service that checks TPM and PCR logs and informs Mobile Device Management (MDM) whether Secure Boot, BitLocker, Early Launch Antimalware (ELAM) protection is enabled, Trusted Boot signed correctly, and so on.

Thanks to CVE-2021-42299, an attacker can tweak the TPM and PCR logs to obtain false attestation, which will ultimately disrupt the entire Device Health Attestation validation process.

vulnerability in Surface Pro 3

Devices use Platform Configuration Registers (PCR) to record device information and software configuration to ensure a secure boot process. Windows uses these PCR metrics to determine the state of the device.says Microsoft's official description.
A vulnerable device can masquerade as a good one by injecting arbitrary values into the Platform Configuration Register (PCR) banks. An attacker can prepare a bootable Linux USB stick to minimize the necessary interaction with the target device (for example, to carry out an attack like Evil Maid).Fenner writes.

A Google expert has already released a PoC exploit demonstrating how this vulnerability can be exploited.

Let me remind you that we also said that Microsoft warned of a critical vulnerability in Cosmos DB.

The post Microsoft warns of dangerous vulnerability in Surface Pro 3 devices appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/vulnerability-in-surface-pro-3/feed/ 0 6044
Windows EFS can help encryptors and make work of antiviruses more difficult https://gridinsoft.com/blogs/windows-efs-can-help-encryptors-and-make-work-of-antiviruses-more-difficult/ https://gridinsoft.com/blogs/windows-efs-can-help-encryptors-and-make-work-of-antiviruses-more-difficult/#respond Thu, 23 Jan 2020 16:25:10 +0000 https://blog.gridinsoft.com/?p=3384 Safebreach Labs reported that attackers could use the Windows Encrypting File System (EFS) for their needs. Windows EFS can help encryptors and make work of antiviruses more difficult. EFS has been part of Windows operating systems since the release of Windows 2000. Unlike full BitLocker encryption, EFS can selectively encrypt individual files or folders. Researchers… Continue reading Windows EFS can help encryptors and make work of antiviruses more difficult

The post Windows EFS can help encryptors and make work of antiviruses more difficult appeared first on Gridinsoft Blog.

]]>
Safebreach Labs reported that attackers could use the Windows Encrypting File System (EFS) for their needs. Windows EFS can help encryptors and make work of antiviruses more difficult.

EFS has been part of Windows operating systems since the release of Windows 2000. Unlike full BitLocker encryption, EFS can selectively encrypt individual files or folders. Researchers are now warning that EFS present significant interest to criminals.

“The fact is that using the “native” functions of Windows itself can be confusing for security solutions that will eventually lose sight of the encryptor”, — says Safebreach Labs researchers.

To start the attack, the ransomware will need to generate a key for EFS using AdvApi32! CryptGenKey. Next, generated the certificate using Crypt32! CertCreateSelfSignCertificate that is added to the certificate store via Crypt32! CertAddCertificateContextToStore. An EFS key is assigned for this certificate using AdvApi32! SetUserFileEncryptionKey.

As a result, the ransomware gets the opportunity to use AdvApi32! EncryptFile to encrypt any file and folder. The next step is to save the key file to memory and delete it from %APPDATA% \Microsoft\Crypto\RSA\[user SID]\ and %ProgramData% \Microsoft\Crypto\RSA\MachineKeys\. Then the EFS data is erased from memory using the undocumented AdvApi32! FlushEfsCache and the encrypted files become unreadable to the user and the OS. The ransomware can also “wipe” free parts of the disk to ensure that data from deleted key files and temporary files are not restored.

“With a final chord, the malware can encrypt the key file data and send the decryption key to the attacker. As a result, the only way to decrypt the affected files is to use the private key of the attacker”, – report experts of Safebreach Labs.

Researchers successfully tested the EFS encryptor created for tests on 64-bit versions of Windows 10 1803, 1809, and 1903. Analysts also write that the malware should work with 32-bit versions of Windows and earlier versions of the OS (Windows 8.x, Windows 7 and Windows Vista).

The malware was tested in combination with ESET Internet Security 12.1.34.0, Kaspersky Anti Ransomware Tool for Business 4.0.0.861 (a), as well as MS Windows 10 Controlled Folder Access in the 64-bit version of Windows 10 1809 (build 17763). None of these solutions detected an attack and a threat, but this was expectable because the cryptographer used legitimate functions and manipulated system logic.

Researchers immediately informed 17 major manufacturers of security solutions about their findings, showing them their proof-of-concept. Most of them have recognized the existence of the problem and have already made corrections to their products.

Recently, Windows faced a true plaque. The NSA said it found one of the most dangerous vulnerabilities in Windows, only yesterday a temporary patch for a serious bug appeared in IE.

Turn off your system and leave into the desert. Ok, it was a joke. Keep up your system up to date with the latest information security solutions. I am sure you know which one will for sure protect you!

The post Windows EFS can help encryptors and make work of antiviruses more difficult appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/windows-efs-can-help-encryptors-and-make-work-of-antiviruses-more-difficult/feed/ 0 3384