The recent CurveBall vulnerability shook the Info-Sec community worldwide: a major vulnerability reported directly by the US National Security Agency. Such uncommon vulnerability reporter alerted the whole Industry, CVE-2020-0601 quickly conquered most of the headlines.
The reason for this unusual outreach is still not clear, but Microsoft, along with many experts in the industry, confirmed it actually is an important vulnerability having real chances of being abused in the wild.
The Malware Threat behind CurveBall
There was a little misunderstanding during the first hours after the disclosure of the CVE-2020-0601 vulnerability. Many system administrators and companies were rushing to update internet exposed machines, like web servers or gateways, worried about possible remote code execution, reviving the EternalBlue/WannaCry crisis in their mind.
Luckily, CurveBall is not the same type of issue. But, if this is true, how exactly it may impact the IT infrastructure and why did the NSA raise such alarm?
What the NSA states is real: CVE-2020-0601 exposes companies to high risks. But it does in a more stealthier way and, differently from EternalBlue, not in a way could be exploited by criminals and vandals for an Internet wide CryptoWorm infection.
In fact, CurveBall enables attackers to trick Windows 10, Windows Server 2016 and Windows Server 2019, to impersonate other trusted parties such as Microsoft itself, resulting in being successfully cryptographically verified by the vulnerable hosts.
Pragmatically, this means organizations relying on CVE-2020-0601 vulnerable cryptography implementations to protect their communication are at risk of man in the middle attacks, and impersonification in general. Even cryptographically signed files and emails are exposed to spoofing and tampering, violating the core parts of the threat models most of the company use to secure their businesses.
Is it all? No.
CurveBall also poses at risk endpoints and security perimeters due to its appeal for one of the most relevant threats for modern businesses: Malware.
In fact, signed files equal signed malware in the modern threat panorama. Thus, several threat actors, both state sponsored and cyber criminals, may likely abuse the CurveBall vulnerability to fake Microsoft signed executables, impersonating legit files and potentially tricking perimetral and endpoint security technologies relying on the faulty Windows cryptographic validation.
Yomi Hunter Catches CVE-2020-0601
So, after evaluating the risks of CurveBall exploitation in the wild, especially considering the release of public tools to abuse the vulnerability to sign arbitrary files, we rolled out a new update of Yomi Hunter able to catch CurveBall exploit attempts.
Now, both Private and Public instances of the Yomi Sandbox are actively looking for CVE-2020-0601 exploits trying to evade traditional security controls. The new detection logic is available into malware reports generated by Yomi-Hunter community (e.g. LINK), within the new VirusTotal integrated reports, and for every private instances in use by Yoroi's Cyber Security Defence Center customers.
Figure. CVE-2020-0601 exploit on Yomi Hunter
But, Yomi Hunter does not limits to hunt for Portable Executable files exploiting Curveball. The cryptographic detection mechanism rolled out in the new update supports CVE-2020-0601 exploit detection even for signed Powershell modules.