DooKey
A post-intrusion technique developed by researchers at CyberArk Labs called BoundHooking allows attackers to exploit a feature in all Intel chips introduced since Skylake. The attack technique allows for the execution of code from any process without detection by antivirus software or other security measures, researchers said. However, since the machine has to already be compromised to use this attack, both Microsoft and Intel have no plans to patch for it. In lieu of a Microsoft patch, CyberArk researchers said admins should rein in user account privileges to minimize the type of lateral and system penetration an adversary can carry out in a BoundHooking attack.
As was the case with GhostHook and also now with BoundHooking, Microsoft and Intel don’t see either as a vulnerability on their end. Both told CyberArk they will not patch the issue because the attack requires that the adversary has already fully compromised the targeted system. Naim said that such an attack is within the realm of a nation-state attacker and that some well-known targeted intrusions such as Flame and Shamoon could easily make use of malware to establish a foothold on machines and networks. Once that foothold is established, adversaries can easily go unnoticed.