Security News Remote Evil Butler Attack Threatens Windows Computers

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
A modification of an older Windows vulnerability can be used over the Internet and allow attackers to bypass Windows authentication, gaining control over remote computers.

Last November, Synopsys security researcher Ian Haken had demonstrated how it would be possible to bypass Windows authentication and even BitLocker encryption on devices to which he had physical access.

Original Evil Maid attack that bypassed Windows logon and BitLocker
The attack routine he described involved taking a computer out of the enterprise network it was assigned to and away from its original domain controller.

The attacker would set up a rogue domain controller with the same name, but that used incorrect time settings, making the computer think the password's lifetime had expired.

When the attacker would connect the PC to this rogue domain, he would be asked to change the computer's password, which would also be saved in a local cache file.

The attacker would disconnect the computer from any domain controller, and would be able to use the fake password he set up, which would get validated against the poisoned cache file he created with the fake domain controller.

Thus, an attacker with access to the computer would be able to bypass authentication, and inherently BitLocker encryption.

Evil Maid attack fixed
Microsoft fixed this vulnerability (CVE-2015-6095) following Haken's research, and then fixed it again when two researchers pointed out in February 2016 (CVE-2016-0049), that the fix was incomplete.

This type of attack is known in infosec circles as an Evil Maid attack because physical access is needed to compromise the device. As such, Evil Maid attacks are usually not considered dangerous.

At this year's Black Hat USA 2016 security conference that took place in Las Vegas during the past week, Microsoft security researchers Chaim Hoch and Tal Be'ery presented a variation of this attack that can be carried out over the Internet, which they called the Remote Evil Butler attack.

Remote Evil Butler attack
In their version of the exploit, the researchers said the attacker only needs to compromise one PC on the network assigned to a domain controller.

They install a rogue domain controller on the compromised machine. They then sniff for local machines with open RDP (Remote Desktop Protocol) connections and route their traffic towards the rogue domain controller with readily available tools.

The attackers carry out the same Evil Maid attack but using the open RDP connection instead of the physical access required for the initial attack.

Once they have poisoned the cache, they disconnect the machine from both the rogue and actual domain controllers and extract the computer's password (NTLM hash) for the real domain controller using open source memory dumping tools (e.g. Mimikatz).

After getting their hands on the real password, attackers clean up after themselves by deleting the poisoned cache and restoring the computer to the real domain controller.

Evil Maid and Evil Butler attacks
This particular attack is extremely attractive for cyber-espionage groups, who now can add a new method to their arsenal of hacking tools that will help them compromise high-value targets.

The good news is that Microsoft's February fix for the original Evil Maid attack also prevents Remote Evil Butler exploitation.

The reason why the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need of keeping their systems up to date at all times.

Below is a video of a Remote Evil Butler attack in action. The Hoch and Be'ery's research paper is also available, providing more details.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top