In the recent WannaCry attack fiasco, Windows was affected massively across the globe in over 100 countries causing organisations to effectively shut down systems which were running on XP. However, supported Windows version with Windows 10 in particular was secure against the WannaCry ransomware attacks. Microsoft had issued a patch which effectively saved the ransomware from causing any major damage.
However, a team of researchers at RiskSense have now managed to port the WannaCry exploit to infect Windows 10 as well. However, no specifics have been mentioned or made public and users of Microsoft’s operating system will remain protected if the most recent patches are installed.
The WannaCry ransomware is based on EternalBlue, an exploit which was stolen byb the Shadow Brokers hacking group from the NSA last summer and published online earlier this year.
In order to port EternalBlue to compromise Windows 10 as well, researchers at RiskSense security researchers built a Metasploit module which could bypass security features and mitigations implemented by Microsoft in its Windows 10 operating system. This also included Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
Additional tweaks were also implemented, including the removal of the DoublePulsar backdoor, which the researchers say isn't needed for the exploit to work. And because this was pulled, the exploit was also developed to install an Asynchronous Procedure Call (APC) payload, which allowed execution without a backdoor.
RiskSense experts explained that the idea was to help prevent similar attacks in the future, and not to provide hackers with information into how to compromise Windows 10. Details are secret anyway, so attacking Windows 10 is very unlikely to succeed.
“We’ve omitted certain details of the exploit chain that would only be useful to attackers and not so much for building defences. The research is for the white-hat information security industry in order to increase the understanding and awareness of these exploits so that new techniques can be developed that prevent this and future attacks. This helps defenders better understand the exploit chain so that they can build defences for the exploit rather than the payload," researchers explain in a paper.
The new exploit was built to work against Windows 10 x64 version 1511 (November Update), still supported by Microsoft as part of the Current Branch for Business.
Windows users are again recommended to keep their systems fully up-to-date and to make sure that the MS17-010 update provided by Microsoft in March is running on their computers.
