FortiGuard Labs Threat Research
The Curveball Vulnerability Research Analysis
Introduction to Curveball Exploits
On patch Tuesday for January 2020, Microsoft disclosed a critical vulnerability that had been discovered by the NSA, that has been dubbed CurveBall or ChainOfFools by the security research community. This vulnerability affects Windows 10, Windows 2016, and the 2019 version of the crypt32.dll that implements Windows’ CryptoAPI.
This vulnerability can be exploited by a malicious actor to spoof certificates in a way that will trick any software that leverages Windows CryptoAPI for signature validation into believing it is legitimate. For example, ransomware authors can trick Windows into believing that their samples have been signed by Microsoft.
Exploit PoCs Released
Due to the severity of this issue, a lot of effort has been invested by the security community over the past few days to understand its root cause. Surprisingly, the vulnerability is very simple to exploit and there are already several public implementations that can leverage it to spoof certificates.
As expected, soon after the public exploits were released, malware with spoofed Microsoft certificates were uploaded to Virus-Total:
Figure 1. Signed Ransowmare in VirusTotal
Fortinet Endpoint Protection vs CurveBall
As with any emerging threat, FortiEDR and FortiClient were put to the test to ensure that this new vulnerability could not bypass or impact their detection capabilities. As you can see, the signature of the VT ransomware sample appears to be a legitimately signed Microsoft file:
Figure 2. Spoofed Certificate
However, when we executed the sample against FortiEDR, the sample was immediately detected and blocked. Moreover, the file is marked as unsigned, as can be seen in Figure 3:
Figure 3. Spoofed certificate blocked by FortiEDR
This same sample is also detected by FortiClient, as can be seen in VirusTotal:
Figure 4. FortiClient blocks spoofed certificate, as seen on VirusTotal
Final Thoughts
The CurveBall/ChainOfFools vulnerability is extremely severe, as signed files often are considered to be “trusted” by security endpoint products. This allows threat actors to fool security endpoint products and affected Microsoft Windows machines into trusting falsely signed files that contain a certificate that appears to chain appropriately. Furthermore, exploiting this vulnerability is quite simple, and now that there are working PoCs in the wild, we predict that malware authors will leverage it extensively.
Because of this, we urge vendors to patch their systems ASAP. It is safe to surmise that we will see more proof of concept attacks floating in the wild as well as malware incorporating these techniques. Fortunately, FortiEDR and FortiClient are not fooled by this exploit even on unpatched systems.
For more information, please reference our recent blog on CVE-2020-0601 as well as our Threat Signal update.
Solutions
The recently acquired FortiEDR (an Endpoint Detection and Response solution integrated into FortiGate firewalls, FortiSIEM, and FortiSandbox) and FortiClient are not affected by this vulnerability.
Customers running the latest definition sets are also protected by the following signatures:
AV
W32/FilecoderProt.F183!tr.ransom
IPS
MS.Windows.CryptoAPI.ECC.Certificate.Spoofing
IOCs
Avgdiagex.exe [SHA-256] - d6ab910259c9bc68196aeec3e9ff4864bada22738c02ecf5ada7912ced292d28
Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio. Sign up for the weekly Threat Brief from FortiGuard Labs.
Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert program, Network Security Academy program, and FortiVet program.
