FortiGuard Labs Threat Analysis
On Patch Tuesday for January 2020, Microsoft disclosed a critical vulnerability (CVE-2020-0601) that had been reported by the NSA and has since been dubbed CurveBall or ChainOfFools by the security research community. The flaw lies in crypt32.dll, the library that implements the Windows CryptoAPI, and affects Windows 10, Windows Server 2016 and Windows Server 2019.
The vulnerability allows a malicious actor to spoof certificates in a way that tricks any software relying on the Windows CryptoAPI for signature validation into believing the spoofed certificate is legitimate. The root cause is in the handling of elliptic-curve (ECC) certificates: when a certificate carries explicit curve parameters instead of a named curve, CryptoAPI matched the certificate's public key against a trusted root's public key without checking that the supplied curve parameters, in particular the generator point, were the same as the root's. An attacker can therefore pick an arbitrary private key, derive a generator for which that key yields exactly the trusted root's public key, and then sign whatever they like. For example, ransomware authors can make Windows believe that their samples have been signed by Microsoft.
Due to the severity of this issue, the security community has invested considerable effort over the past few days in understanding its root cause. Surprisingly, the vulnerability is very simple to exploit, and several public implementations that use it to spoof certificates are already available.
As expected, soon after the public exploits were released, malware carrying spoofed Microsoft certificates was uploaded to VirusTotal.
As with any emerging threat, FortiEDR and FortiClient were put to the test to ensure that this new vulnerability could not bypass or impact their detection capabilities. On VirusTotal, the ransomware sample appears to be a legitimately signed Microsoft file.
However, when we executed the sample against FortiEDR, it was immediately detected and blocked. Moreover, FortiEDR marks the file as unsigned, as can be seen in Figure 3.
This same sample is also detected by FortiClient, as can be seen in VirusTotal:
The CurveBall/ChainOfFools vulnerability is extremely severe, because endpoint security products often treat signed files as trusted. It allows threat actors to fool both endpoint security products and affected Windows machines into trusting falsely signed files whose certificate appears to chain correctly to a trusted root. Furthermore, exploiting this vulnerability is quite simple, and now that working PoCs are in the wild we predict that malware authors will leverage it extensively.
Because of this, we urge users and vendors alike to patch their systems as soon as possible. On patched systems, Windows also records attempts to use such certificates in the Application event log (Event ID 1, source Microsoft-Windows-Audit-CVE), which is worth alerting on. It is safe to surmise that we will see more proof-of-concept attacks in the wild as well as malware incorporating these techniques. Fortunately, FortiEDR and FortiClient are not fooled by this exploit even on unpatched systems.
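Independently of any vendor's engine, a defender can apply a structural check to a certificate's SubjectPublicKeyInfo: legitimate CA and code-signing certificates name their curve by OID, whereas a CurveBall certificate must carry explicit curve parameters in order to smuggle in its own generator. The following is an added example, not Fortinet's code, that parses the DER structure with the standard library only and flags explicit parameters; the inputs are constructed in `demo()`, and the forged base point is placeholder bytes rather than a real curve point, since the check is purely structural.

```python
"""Added check: flag SubjectPublicKeyInfo structures whose EC key is described
by explicit curve parameters instead of a named curve. Not Fortinet's code;
pure stdlib, with constructed DER inputs built in demo()."""

OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1 id-ecPublicKey
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")   # 1.2.840.10045.3.1.7 prime256v1
OID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")    # 1.2.840.10045.1.1 prime-field

# Public P-256 constants, used to build realistic explicit parameters.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_A = (P256_P - 3).to_bytes(32, "big")
P256_B = bytes.fromhex("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b")
P256_G = bytes.fromhex(  # uncompressed standard generator: 04 || Gx || Gy
    "046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")

def der(tag, content):
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_int(v):
    """DER INTEGER for a non-negative int (extra byte keeps the sign bit clear)."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def parse_tlv(buf, off=0):
    """Return (tag, content, offset_after) for the TLV starting at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7f
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def spki(params, point):
    """SubjectPublicKeyInfo { { id-ecPublicKey, params }, BIT STRING point }."""
    algo = der(0x30, der(0x06, OID_EC_PUBLIC_KEY) + params)
    return der(0x30, algo + der(0x03, b"\x00" + point))

def explicit_p256_params(generator):
    """SpecifiedECDomain (RFC 3279): P-256's field and curve with a caller-chosen base point."""
    field = der(0x30, der(0x06, OID_PRIME_FIELD) + der_int(P256_P))
    curve = der(0x30, der(0x04, P256_A) + der(0x04, P256_B))
    return der(0x30, der_int(1) + field + curve + der(0x04, generator)
               + der_int(P256_N) + der_int(1))

def classify_spki(spki_der):
    """Describe how an EC SubjectPublicKeyInfo specifies its curve."""
    _, body, _ = parse_tlv(spki_der)
    _, algo, _ = parse_tlv(body)
    tag, oid, off = parse_tlv(algo)
    if tag != 0x06 or oid != OID_EC_PUBLIC_KEY:
        return {"kind": "not-ec", "suspicious": False}
    if off >= len(algo):
        return {"kind": "implicit-or-absent", "suspicious": True}
    ptag, params, _ = parse_tlv(algo, off)
    if ptag == 0x06:
        return {"kind": "named-curve", "oid": params.hex(), "suspicious": False}
    if ptag == 0x30:
        # SpecifiedECDomain fields: version, fieldID, curve, base, order, [cofactor]
        fields, pos = [], 0
        while pos < len(params):
            _, content, pos = parse_tlv(params, pos)
            fields.append(content)
        return {"kind": "explicit-parameters", "suspicious": True,
                "generator_is_standard_p256": fields[3] == P256_G}
    return {"kind": "unknown", "suspicious": True}

def demo():
    """Constructed inputs: a normal named-curve key, and the same key bytes
    wrapped in explicit parameters with a non-standard base point."""
    pub = P256_G  # any encoded point serves; in a real attack it is the root CA's key
    legit = spki(der(0x06, OID_PRIME256V1), pub)
    forged_gen = bytes.fromhex("04" + "11" * 32 + "22" * 32)  # placeholder for the attacker's G'
    spoofed = spki(explicit_p256_params(forged_gen), pub)
    return classify_spki(legit), classify_spki(spoofed)
```

In practice the SubjectPublicKeyInfo is pulled from each certificate in the chain of an Authenticode signature or TLS handshake, and any `explicit-parameters` result on a certificate that claims to chain to a well-known root deserves an alert; a base point that differs from the named curve's standard generator is the unambiguous tell. Explicit parameters are rare enough in legitimate PKI that even the honest case is worth a look.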
The recently acquired FortiEDR (an Endpoint Detection and Response solution integrated into FortiGate firewalls, FortiSIEM, and FortiSandbox) and FortiClient are not affected by this vulnerability.
Customers running the latest definition sets are also protected by the following signatures:
Avgdiagex.exe [SHA-256] - d6ab910259c9bc68196aeec3e9ff4864bada22738c02ecf5ada7912ced292d28