Mar 24 2023

Top ways attackers are targeting your endpoints

Category: Cyber Attack, Endpoint security | DISC @ 7:19 am

Over the last several years, endpoints have played a crucial role in cyberattacks. While there are several steps organizations can take to help mitigate endpoint threats – such as knowing what devices are on a network (both on-premises and off-site), quarantining new or returning devices, scanning for threats and vulnerabilities, immediately applying critical patches, etc. – there is still much to be done to ensure endpoint security.

To achieve that, it’s important to understand some of the primary attack vectors hackers use against endpoints.

Phishing

Phishing, especially spear-phishing, is an effective way to gain access to endpoints and harvest user credentials.

It is not itself an exploit, but a method that threat actors use to deliver a payload – whether that is a link to a fake Microsoft 365 web portal (for credential harvesting) or a macro-enabled Word document whose malware payload runs when the recipient opens the document and enables macros.

Because of this nuance, it is critical that defenders implement not only email filtering (a crude defense, at best) but endpoint controls that block the execution of malware payloads delivered by email: antivirus (AV) and antimalware (AM). AV/AM products act as a safety net, blocking malware execution when a phishing email gets past the corporate email filters.

We recently saw how threat actors used phishing to infect user endpoints at massive scale with the IceXLoader malware. The malware is bundled into an innocent-looking ZIP file delivered as an email attachment. Once opened, it extracts itself to a hidden directory on the endpoint's C drive, giving the attacker a beachhead from which to perform further attacks against the corporate network.

OS vulnerability exploitation

Vulnerabilities are made possible by bugs: errors in source code that cause a program to behave unexpectedly, in a way an attacker can exploit. By themselves, bugs are not malicious, but they are gateways through which threat actors infiltrate organizations. They allow threat actors to access systems without first harvesting credentials and may open those systems to further exploitation. Once inside, attackers can introduce malware and tooling to reach additional assets and credentials.

For attackers, vulnerability exploitation is a process of escalation, whether through privileges on a device or by pivoting from one endpoint to other assets. Every endpoint hardened against exploitation of vulnerabilities is a stumbling block for a threat actor trying to propagate malware in a corporate IT environment.

Routine tasks and maintenance tools allow organizations to prevent these vulnerabilities from being exploited. Patch management tools can scan devices, install patches (fixes), and report on the success or failure of those actions. In addition, organizations can use configuration management tools to keep OS configuration in the desired secure state and detect drift from it.

Software vulnerability exploitation

Software vulnerabilities exist in applications installed on top of the OS. For example, Google Chrome receives frequent patches from Google, primarily because it is a massive target for exploitation.

As with OS vulnerabilities, the best defense against exploits is the frequently released third-party patches and updates, whose rollout can be automated with endpoint management tools.

Additionally, enforcing acceptable use policies can help reduce the opportunities for end users to engage in behaviors that could put their endpoints and company assets at risk.

And beyond security information and event management (SIEM) and antivirus tools, organizations can drastically decrease the impact caused by a successfully executed ransomware attack by:

  • Implementing data loss prevention (DLP) solutions
  • Creating off-site backups (ideally offline or immutable, so the ransomware cannot reach them)
  • Taking advantage of data storage solutions in the cloud


The changing cyberattack landscape requires IT and security departments to be nimble and evolve in tandem with threats. The fixes of yesterday may not work today – while the threats could be the same, their tactics are likely different. When working to mitigate network threats, do not forget the increasingly vital role endpoints play.



Tags: endpoints

Dec 17 2021

Flaws in Lenovo laptops allow escalating to admin privileges

Category: Access Control, Endpoint security | DISC @ 10:47 am

The ImControllerService service on Lenovo laptops is affected by a privilege elevation bug that can allow a local attacker to execute commands with admin privileges.

Lenovo laptops, including the ThinkPad and Yoga families, are affected by a privilege elevation issue that resides in the ImControllerService service and allows attackers to execute commands with admin privileges.

The vulnerabilities, tracked as CVE-2021-3922 and CVE-2021-3969, are a race condition vulnerability and a time-of-check to time-of-use (TOCTOU) vulnerability, respectively.

The flaws affect the ImControllerService service (“System Interface Foundation Service”) of all Lenovo System Interface Foundation versions below

The Lenovo System Interface Foundation Service provides interfaces for multiple features, including system power management, system optimization, and driver and application updates, so disabling it as a workaround is not recommended; the fix is to apply the vendor update.

The vulnerability was reported to Lenovo by researchers at NCC Group on October 29, 2021, and the vendor addressed it with the release of security updates on November 17, 2021. This week the company publicly disclosed the vulnerability.

“The following vulnerabilities were reported in the IMController component of Lenovo System Interface Foundation used by Lenovo Vantage.” reads the advisory published by the company.

“CVE-2021-3922: A race condition vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to connect and interact with the IMController child process’ named pipe.

CVE-2021-3969: A Time of Check Time of Use (TOCTOU) vulnerability was reported in IMController, a software component of Lenovo System Interface Foundation, that could allow a local attacker to elevate privileges.”

According to NCC Group, the ImController service comes installed on certain Lenovo devices. It runs as the SYSTEM user and periodically executes child processes that perform system configuration and maintenance tasks.

An attacker can exploit the vulnerabilities to elevate their privileges to SYSTEM and take over the vulnerable device.

The vulnerability resides in the way the ImControllerService handles the execution of highly privileged child processes, which allows an unprivileged attacker with local access to the system to elevate their privileges.

The vulnerable component periodically starts child processes to perform tasks, and each of them opens a named pipe server to which any user on the system can connect.

“The parent process establishes a connection to the child’s server as soon as possible in order to send XML serialised commands over the named pipe. The child does not validate the source of the connection and parses the XML serialised commands. One of the commands that the parent process can send instructs the child to load a ‘plugin’ from an arbitrary location on the filesystem. The child process validates the digital signature of the plugin DLL file before loading the file into its address space and yielding execution to it,” reads the post published by NCC Group. “Successful exploitation of two vulnerabilities is required to get the child to load a payload of the attacker’s choosing.”

Because the child process does not validate the source of the connection, whoever wins the race to connect to its named pipe first can send it commands. NCC Group's proof of concept won that race using high-performance filesystem synchronization routines.

The researchers reported that their proof-of-concept code never failed to connect to the named pipe before the parent service could.

The second issue, the TOCTOU vulnerability, is then used to stall the loading process and replace the already-validated plugin with a malicious DLL file, which the child process loads and executes as SYSTEM.
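The TOCTOU half of the chain is the generic check-then-use mistake: a file is validated by path, and then the path is opened again to load it, leaving a window in which the directory entry can be swapped. The following C program is an added illustration of that pattern and its usual fix, not code from NCC Group or Lenovo: it uses a POSIX file and a constructed byte-comparison in place of a Windows DLL and its Authenticode check, and simulates the attacker winning the race with an atomic rename. The "vulnerable" loader validates by path and reopens; the "hardened" loader opens once and validates and loads through the same descriptor, so the bytes it checked are the bytes it uses even after the path has been swapped.

```c
#define _GNU_SOURCE                    /* for mkdtemp() and O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-ins for plugin bytes; a real check would verify an Authenticode signature. */
#define TRUSTED_PLUGIN  "trusted-plugin"
#define ATTACKER_PLUGIN "attacker-plugin"

/* Read up to cap-1 bytes from fd and NUL-terminate; returns bytes read or -1. */
static ssize_t read_all(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    while (n < cap - 1) {
        ssize_t r = read(fd, buf + n, cap - 1 - n);
        if (r < 0) return -1;
        if (r == 0) break;
        n += (size_t)r;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Toy "signature check": the plugin is trusted iff its bytes equal the known-good plugin. */
static int signature_ok(const char *content)
{
    return strcmp(content, TRUSTED_PLUGIN) == 0;
}

static int write_file(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, content, strlen(content));
    close(fd);
    return w == (ssize_t)strlen(content) ? 0 : -1;
}

/* Simulated attacker who wins the race: atomically point the path at a different file. */
static void attacker_swaps_plugin(const char *path)
{
    char tmp[320];
    snprintf(tmp, sizeof tmp, "%s.evil", path);
    if (write_file(tmp, ATTACKER_PLUGIN) == 0)
        rename(tmp, path);
}

/* VULNERABLE: validate by path, then open the path again to load (check and use differ). */
int load_plugin_by_path(const char *path, void (*race)(const char *), char *out, size_t cap)
{
    char check[64];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read_all(fd, check, sizeof check);
    close(fd);
    if (n < 0 || !signature_ok(check)) return -2;  /* time of check */
    if (race) race(path);                           /* attacker's window */
    fd = open(path, O_RDONLY);                      /* time of use: a different file now */
    if (fd < 0) return -1;
    n = read_all(fd, out, cap);
    close(fd);
    return n < 0 ? -1 : 0;
}

/* HARDENED: open once; validate and load through the same descriptor, so the bytes
   checked are the bytes used even if the directory entry is swapped meanwhile. */
int load_plugin_by_handle(const char *path, void (*race)(const char *), char *out, size_t cap)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    ssize_t n = read_all(fd, out, cap);
    if (n < 0 || !signature_ok(out)) { close(fd); return -2; }
    if (race) race(path);                           /* swap no longer matters: we hold the verified inode */
    if (lseek(fd, 0, SEEK_SET) < 0 || read_all(fd, out, cap) < 0) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Create a trusted plugin in a fresh temp dir, run one loader against the simulated race,
   and report whether attacker bytes were "loaded": 1 = yes, 0 = no, -1 = setup/loader error. */
int demo_loads_attacker_code(int hardened)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX", path[256], loaded[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/plugin.dll", dir);
    if (write_file(path, TRUSTED_PLUGIN) != 0) return -1;
    int rc = hardened ? load_plugin_by_handle(path, attacker_swaps_plugin, loaded, sizeof loaded)
                      : load_plugin_by_path(path, attacker_swaps_plugin, loaded, sizeof loaded);
    unlink(path);
    rmdir(dir);
    if (rc != 0) return -1;
    return strcmp(loaded, ATTACKER_PLUGIN) == 0;
}

int main(void)
{
    printf("check-by-path loader ran attacker code:   %d\n", demo_loads_attacker_code(0));
    printf("check-by-handle loader ran attacker code: %d\n", demo_loads_attacker_code(1));
    return 0;
}
```

Two caveats apply to the hardened form. Holding the verified handle defeats a swap of the directory entry, but not in-place modification of a file the attacker can write, so the plugin must also live in a location unprivileged users cannot write to; accepting an arbitrary path from the pipe, as the vulnerable child did, undermines that. And the race-condition half of the chain (CVE-2021-3922) needs its own fix: the child must authenticate the pipe client before parsing commands. On Windows the general remedy is to impersonate the connected client and inspect its token (or restrict the pipe's security descriptor) so only the SYSTEM parent is accepted; this describes the class of fix, not the specifics of Lenovo's patch.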


Tags: admin privileges, Lenovo laptops, Privilege Escalation Techniques

May 19 2021

Endpoint security: How to shore up practices for a safer remote enterprise

Category: Endpoint security, Information Security | DISC @ 9:07 am

In the modern cloud-based application era, securing hardware is often neglected, so the volume of unmanaged devices noted above is not surprising. Endpoint management is hard, it’s boring, it’s time-consuming — but it’s nevertheless extremely important to a robust security strategy.

Why? Bad actors know that machines aren’t getting configured and maintained at the rate at which they should. This makes them ripe for exploitation. One of the easiest ways to attack corporate networks is through a machine that is not configured correctly or that hasn’t downloaded a patch to shore up a certain vulnerability.

Endpoint management: Scaling for a new world

VPNs have been under significant strain throughout the pandemic, and bandwidth is at a premium. This is part of the reason we’re seeing such rapid migration to the cloud. While there are numerous benefits to this move, it still doesn’t protect actual endpoints. To do this, regardless of environment, you need to find an endpoint management solution that can scale rapidly and not affect network performance.

This requires a novel approach to drive continuous compliance and configuration management across the enterprise. Of note, the latest peer-to-peer solutions can check the configuration of local or remote endpoints, diagnose problems, and remediate any issues found. Because peers distribute the work among themselves, these solutions can conduct routine and advanced endpoint management at massive scale, addressing hundreds of thousands of endpoints without bandwidth throttling or degrading network performance.

Workers don’t even realize their systems are being updated. Being able to protect endpoints at scale without degrading the user experience or getting in the way of business processes is a game-changer in the remote world. It means that you can institute or return to a regular endpoint management schedule.