We spoke to Michael Gorelik, Morphisec’s CTO, who explained why the CIGslip vulnerability could be a potential risk
A new report by Morphisec, a cybersecurity startup from Israel, describes a stealth attack technique dubbed CIGslip that could be exploited by attackers to bypass Microsoft Code Integrity Guard (CIG) and inject malicious libraries into protected processes. The flaw was discovered by Morphisec researchers Michael Gorelik and Andrey Diment, and it affects CIG, a security mechanism that Microsoft first introduced in 2015 with the launch of Windows 10. Morphisec’s report highlights that Windows users are vulnerable in multiple ways. First, the attack POC takes advantage of a non-CIG-enabled process, the most common kind of process on Windows, to sneak into a CIG-enabled target process and use it as an entry point to load any kind of DLL, including a malicious one. However, when Morphisec researchers approached Microsoft with their findings, they were informed that Microsoft has not classified CIGslip as a security issue yet – which doesn’t mean that it won’t in the future.
How did Morphisec researchers discover this new attack vector?
Morphisec, its team and Endpoint Threat Prevention solution, are the experts in preventing today’s most advanced attacks, such as fileless, in-memory attacks. To stay ahead of attackers, Morphisec Labs constantly investigates new attack techniques. In addition, it is a core value of our solution to work seamlessly with other security products, such as the protections built into the Microsoft Edge browser. Morphisec is currently undergoing the signing process required by Microsoft in order to inject its protection into Edge. While waiting for Microsoft’s approval, Morphisec researchers conducted tests on the robustness of current Edge protection by looking for unsigned binary injection techniques that do not trigger Edge’s protection mechanisms. That’s when we identified CIGslip: it is a very simple way to inject a non-signed binary into a CIG-protected process by leveraging non-CIG-protected processes.
What are the multiple ways in which Windows users are vulnerable to attacks?
Currently only a few processes are protected by CIG. With CIGslip, CIG essentially becomes irrelevant in terms of protecting the Edge browser. Info stealers will be able to steal browsing history and passwords from Microsoft Edge just like they do from other browsers. Attackers can also bypass any add-on protection and launch various types of add-ons, embedding adware and redirects.
Besides Edge, CIG also protects some additional processes (part of the dll host and svchost). Here we may see some escalation as well.
Putting CIG aside for a moment, the technique used by CIGslip is a very stealthy injection technique which is not identified by detection-based security solutions. This means that this technique could be used in malware spam campaigns and by banking Trojans, which are very quick to adopt new injection techniques. Detection solutions will need to track the creation and duplication of session handles in order to detect this injection technique.
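As an added example (not part of the interview or of Morphisec’s product), the following Python sketch shows the kind of correlation the answer above calls for: a handle created by a non-CIG process and duplicated into a CIG-protected process, followed by an unsigned image load in that process. The telemetry schema, event names, process list and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: image names treated as CIG-protected (Edge content processes, per the interview).
CIG_PROTECTED = {"MicrosoftEdgeCP.exe"}

# Constructed sample telemetry in a simplified, hypothetical schema (not real Sysmon/ETW output).
SAMPLE_EVENTS = [
    {"event": "process_start", "pid": 100, "image": "notepad.exe"},
    {"event": "process_start", "pid": 200, "image": "MicrosoftEdgeCP.exe"},
    {"event": "handle_create", "pid": 100, "handle": "0x1a4"},
    {"event": "handle_duplicate", "src_pid": 100, "dst_pid": 200, "handle": "0x1a4"},
    {"event": "image_load", "pid": 200, "image": "C:\\Users\\demo\\unsigned.dll", "signed": False},
    {"event": "image_load", "pid": 200, "image": "C:\\Windows\\System32\\ntdll.dll", "signed": True},
]


def correlate(events, protected=CIG_PROTECTED):
    """Return alerts where a non-protected process duplicated a handle it created into a
    CIG-protected process, and that protected process afterwards loaded an unsigned image."""
    images = {}                  # pid -> image name
    created = defaultdict(set)   # pid -> handles that process created
    dups = defaultdict(list)     # dst_pid -> [(src_pid, handle)] suspicious duplications
    alerts = []
    for e in events:
        kind = e["event"]
        if kind == "process_start":
            images[e["pid"]] = e["image"]
        elif kind == "handle_create":
            created[e["pid"]].add(e["handle"])
        elif kind == "handle_duplicate":
            src, dst = e["src_pid"], e["dst_pid"]
            # Only the suspicious direction: from a non-CIG process into a CIG-protected one.
            if (images.get(dst) in protected and images.get(src) not in protected
                    and e["handle"] in created[src]):
                dups[dst].append((src, e["handle"]))
        elif kind == "image_load" and not e.get("signed", True):
            pid = e["pid"]
            if images.get(pid) in protected and dups[pid]:
                for src, handle in dups[pid]:
                    alerts.append({"target_pid": pid, "target": images[pid],
                                   "source_pid": src, "source": images.get(src),
                                   "handle": handle, "image": e["image"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```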
In the past, the NSA had warned Microsoft about a vulnerability connected to 'WannaCry'. However, the attack occurred as predicted. Do you think an attack similar to WannaCry can make a possible comeback?
WannaCry is just a payload, the end result, and yes, it certainly can and most probably will make a comeback in a slightly different form. Also, CIGslip is just part of the attack chain and I suspect that this technique has already been used by state-sponsored cyber attackers for a long time.
What's the next step now? How can companies protect themselves?
To mitigate the risk, companies need to turn to a defense-in-depth security stack. If they have a suitable infiltration prevention layer in place, the binary should never even get to the disk. Today’s attacks are mostly fileless, in-memory attacks that use extremely stealthy techniques to penetrate. For attacks like this a dedicated prevention layer – like Morphisec’s Endpoint Threat Prevention Solution – is critical to keep companies safe.