Update: Curveball Exploit (CVE-2020-0601) Starts Making the Rounds

By Udi Yavo | January 21, 2020

A FortiGuard Labs Threat Analysis

Introduction

On Patch Tuesday in January 2020, Microsoft disclosed a critical vulnerability, discovered by the NSA, that the security research community has dubbed CurveBall or ChainOfFools. This vulnerability affects the Windows 10, Windows Server 2016, and Windows Server 2019 versions of crypt32.dll, the library that implements Windows’ CryptoAPI.

A malicious actor can exploit the vulnerability to spoof certificates so that any software relying on Windows CryptoAPI for signature validation accepts them as legitimate. For example, ransomware authors can trick Windows into believing that their samples have been signed by Microsoft.

Exploit PoCs Released

Due to the severity of this issue, a lot of effort has been invested by the security community over the past few days to understand its root cause. Surprisingly, the vulnerability is very simple to exploit and there are already several public implementations that can leverage it to spoof certificates.

As expected, soon after the public exploits were released, malware with spoofed Microsoft certificates was uploaded to VirusTotal:

Figure 1. Signed Ransomware in VirusTotal

Fortinet Endpoint Protection vs CurveBall

As with any emerging threat, FortiEDR and FortiClient were put to the test to ensure that this new vulnerability could not bypass or impact their detection capabilities. As you can see, the ransomware sample from VirusTotal appears to be a file legitimately signed by Microsoft:

Figure 2. Spoofed Certificate

However, when we executed the sample against FortiEDR, the sample was immediately detected and blocked. Moreover, the file is marked as unsigned, as can be seen in Figure 3:

Figure 3. Spoofed certificate blocked by FortiEDR

This same sample is also detected by FortiClient, as can be seen in VirusTotal:

Figure 4. FortiClient blocks spoofed certificate, as seen on VirusTotal

Final Thoughts

The CurveBall/ChainOfFools vulnerability is extremely severe, as signed files are often considered “trusted” by security endpoint products. This allows threat actors to fool security endpoint products and affected Microsoft Windows machines into trusting falsely signed files that contain a certificate that appears to chain appropriately. Furthermore, exploiting this vulnerability is quite simple, and now that there are working PoCs in the wild, we predict that malware authors will leverage it extensively.

Because of this, we urge vendors to patch their systems ASAP. It is safe to surmise that we will see more proof of concept attacks floating in the wild as well as malware incorporating these techniques. Fortunately, FortiEDR and FortiClient are not fooled by this exploit even on unpatched systems.

For more information, please reference our recent blog on CVE-2020-0601 as well as our Threat Signal update.

Solutions

The recently acquired FortiEDR (an Endpoint Detection and Response solution integrated into FortiGate firewalls, FortiSIEM, and FortiSandbox) and FortiClient are not affected by this vulnerability.

Customers running the latest definition sets are also protected by the following signatures:

AV

W32/FilecoderProt.F183!tr.ransom

IPS

MS.Windows.CryptoAPI.ECC.Certificate.Spoofing

IOCs

Avgdiagex.exe [SHA-256] - d6ab910259c9bc68196aeec3e9ff4864bada22738c02ecf5ada7912ced292d28
