On January 17, Microsoft announced Security Advisory ADV200001, describing a zero-day remote code execution vulnerability in Internet Explorer that has been actively exploited in the wild. This announcement continues the parade of devastating memory-space exploits that includes EternalBlue and BlueKeep.
Bitdefender has confirmed that this critical vulnerability is being actively exploited in the wild. Security researchers in Bitdefender Labs have obtained and analyzed multiple samples to explore its tactics, techniques, and procedures. We have independently verified that two distinct executable payloads are unleashed by the exploit and are currently in circulation:
Below are Bitdefender’s analysis and key findings concerning the exploitation of CVE-2020-0674 in the wild. We also demonstrate the successful detection and defeat of this dangerous exploit in virtual datacenter systems protected by Bitdefender Hypervisor Introspection (HVI)—including standard desktops, servers, and VDI desktops. HVI prevents this type of exploit, closing the gap between the time exploit code is used in the wild and the time the systems are patched.
Hypervisor Introspection intercepts and denies the attempt to access and overwrite protected memory areas.
Instead of scanning millions of malware samples, Bitdefender Hypervisor Introspection detects all known memory attack techniques—few in number and only visible at the hypervisor level—identifying advanced and zero-day attacks as easily as any known exploit, preventing the malicious behavior from executing. HVI requires no signature updates, since the common attack techniques remain relatively constant, even as the tools and procedures change with each specific attack. Bitdefender Labs maintains constant vigilance, keeping pace with new techniques and adding them to HVI’s detection stack.
- When the RCE memory-space exploit is successful, the scripts download and run two distinct executable files in memory with the privileges of the logged-in user.
- The attack attempts to access a protected memory area, to write data to read-only memory, and to execute arbitrary code from a non-executable area such as the heap or the process stack.
Hypervisor Introspection is essential in the virtual datacenter, where built-in protection against new memory exploits and other advanced attacks using well-known exploit techniques cannot come at the expense of VM efficiency, density, or performance. Don’t rely on vendor software patches to keep you safe, as the attackers will always be one step ahead. Instead, proactively take away their operating space with HVI and set your defenses on the high ground of memory space. Bitdefender has demonstrated proactive prevention of memory vulnerabilities and exploits time and again—from EternalBlue to BlueKeep and more—proving that proactive defense with denial is always better than reactive detection.
*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Michael Rosen. Read the original post at: http://feedproxy.google.com/~r/BusinessInsightsInVirtualizationAndCloudSecurity/~3/06Cf_E7x_9w/hypervisor-introspection-thwarts-web-memory-corruption-attack-in-the-wild