itman (1,628) Posted July 30, 2017

We describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises which employ strict egress filtering - that is, endpoints have no direct Internet connection, or the endpoints' connection to the Internet is restricted to hosts required by their legitimately installed software. Assuming the endpoint has a cloud-enhanced anti-virus product installed, we show that if the anti-virus (AV) product employs an Internet-connected sandbox as part of its cloud service, it actually facilitates such exfiltration. We release the tool we developed to implement the exfiltration technique, and we provide real-world results from several prominent AV products (by Avira, ESET, Kaspersky and Comodo).

Ref. https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox-wp.pdf
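The abstract's point is that the cloud sandbox has Internet access the endpoint does not, so a sample detonated there can reach hosts the enterprise's own egress filter would block. The defensive counterpart is to hold the sandbox to a default-deny egress policy and review anything a sample reaches outside the sandbox's own allowlist. The following is an added illustration for this thread, not code from the paper or from any of the vendors named; the log format, the `.invalid` host names and the allowlist are constructed:

```python
"""Egress review for an AV cloud sandbox (added illustration, constructed data).

A detonation sandbox should sit behind the same strict egress filtering as the
endpoints it protects. Any connection a sample makes to a host outside the
sandbox's own allowlist is a potential exfiltration channel and should be
denied at the edge and surfaced to the sandbox operator.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class EgressEvent:
    ts: str          # ISO-8601 timestamp of the connection attempt
    sample_id: str   # id of the submitted sample being detonated
    dst_host: str    # destination host name the sample tried to reach
    dst_port: int
    proto: str       # "tcp" or "udp"


# Assumed allowlist: the only (host, port) pairs the sandbox itself needs,
# e.g. the vendor's own update and telemetry endpoints. Names are placeholders.
SANDBOX_ALLOWLIST: Set[Tuple[str, int]] = {
    ("updates.vendor.invalid", 443),
    ("telemetry.vendor.invalid", 443),
}

# Constructed sandbox egress log: ts|sample|dst_host|dst_port|proto
SAMPLE_LOG = """\
2017-07-30T10:00:01Z|a1b2|updates.vendor.invalid|443|tcp
2017-07-30T10:00:03Z|a1b2|telemetry.vendor.invalid|443|tcp
2017-07-30T10:00:05Z|a1b2|collector.example.invalid|80|tcp
2017-07-30T10:00:06Z|a1b2|3f9c2e.lookup.example.invalid|53|udp
2017-07-30T10:00:09Z|c3d4|updates.vendor.invalid|443|tcp
2017-07-30T10:00:11Z|c3d4|updates.vendor.invalid|80|tcp
"""


def parse_log(text: str) -> List[EgressEvent]:
    """Parse the pipe-separated format above, skipping blank or malformed lines."""
    events: List[EgressEvent] = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, sample_id, host, port, proto = parts
        events.append(EgressEvent(ts, sample_id, host.lower(), int(port), proto.lower()))
    return events


def egress_decision(event: EgressEvent,
                    allowlist: Set[Tuple[str, int]] = SANDBOX_ALLOWLIST) -> str:
    """Default-deny: only an exact (host, port) match on the allowlist passes.

    A permitted host on an unexpected port is still denied, so a sample cannot
    reuse an allowlisted name as a side channel on another port.
    """
    return "ALLOW" if (event.dst_host, event.dst_port) in allowlist else "DENY"


def unexpected_egress(events: Iterable[EgressEvent],
                      allowlist: Set[Tuple[str, int]] = SANDBOX_ALLOWLIST) -> List[EgressEvent]:
    """Every connection attempt the policy would deny, in log order."""
    return [e for e in events if egress_decision(e, allowlist) == "DENY"]


def samples_with_unexpected_egress(events: Iterable[EgressEvent],
                                   allowlist: Set[Tuple[str, int]] = SANDBOX_ALLOWLIST
                                   ) -> Dict[str, List[str]]:
    """Map each sample id to the destinations it tried to reach off-allowlist.

    This is what a sandbox operator would review: a sample that only talks to
    vendor hosts is unremarkable; one that reaches anything else during
    detonation is a candidate exfiltration attempt.
    """
    flagged: Dict[str, List[str]] = {}
    for e in unexpected_egress(events, allowlist):
        flagged.setdefault(e.sample_id, []).append(f"{e.dst_host}:{e.dst_port}/{e.proto}")
    return flagged


if __name__ == "__main__":
    for sample, dests in samples_with_unexpected_egress(parse_log(SAMPLE_LOG)).items():
        print(f"sample {sample}: unexpected egress to {', '.join(dests)}")
```

Run as-is it reports sample `a1b2` reaching two off-allowlist hosts and sample `c3d4` reaching an allowlisted host on a non-allowlisted port. The same `egress_decision` function can serve as the policy at the sandbox's network edge, which is the mitigation the thread's vendor-status list is about: the sandbox stops being a route out that the endpoint itself does not have.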
0xDEADBEEF (43) Posted July 31, 2017

> 4 hours ago, itman said:
> We describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises which employ strict egress filtering - that is, endpoints have no direct Internet connection, or the endpoints' connection to the Internet is restricted to hosts required by their legitimately installed software. Assuming the endpoint has a cloud-enhanced anti-virus product installed, we show that if the anti-virus (AV) product employs an Internet-connected sandbox as part of its cloud service, it actually facilitates such exfiltration. We release the tool we developed to implement the exfiltration technique, and we provide real-world results from several prominent AV products (by Avira, ESET, Kaspersky and Comodo).
> Ref. https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox-wp.pdf

Thanks for sharing. Hmm, I once used a similar approach to the one described in this doc to sniff the AV sandbox.
itman (1,628) Posted July 31, 2017 (Author, edited)

Forgot to add that ESET mitigated the issue. Appears Kaspersky is the only one who intends to do nothing about the issue:

VENDOR STATUS (Cloud AV sandboxes)
• Avira – fixed on May 2nd (10h30m!).
• ESET – fixed on May 15th or before.
• Comodo – fixed on May 26th.
• Kaspersky - provided to us on July 14th with the following statement: "If customers are concerned about this scenario, they may configure their device and security settings accordingly."

Edited July 31, 2017 by itman
0xDEADBEEF (43) Posted August 1, 2017 (edited)

> 20 hours ago, itman said:
> Forgot to add that ESET mitigated the issue. Appears Kaspersky is the only one who intends to do nothing about the issue:
> VENDOR STATUS (Cloud AV sandboxes)
> • Avira – fixed on May 2nd (10h30m!).
> • ESET – fixed on May 15th or before.
> • Comodo – fixed on May 26th.
> • Kaspersky - provided to us on July 14th with the following statement: "If customers are concerned about this scenario, they may configure their device and security settings accordingly."

I remember the username in Microsoft's engine was "JohnDoe". Not sure if they have fixed it or not.

Edited August 1, 2017 by 0xDEADBEEF