Security News > 2023 > August > Hackers Can Exploit Windows Container Isolation Framework to Bypass Endpoint Security
New findings show that malicious actors could leverage a sneaky malware detection evasion technique and bypass endpoint security solutions by manipulating the Windows Container Isolation Framework.
Microsoft's container architecture uses what's called a dynamically generated image to separate the file system from each container to the host and at the same time avoid duplication of system files.
It's nothing but an "Operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host," thereby bringing down the overall size for a full OS. "The result is images that contain 'ghost files,' which store no actual data but point to a different volume on the system," Avinoam said in a report shared with The Hacker News.
The driver's main purpose is to take care of the file system separation between Windows containers and their host.
In other words, the idea is to have the current process running inside a fabricated container and leverage the minifilter driver to handle I/O requests such that it can create, read, write, and delete files on the file system without alerting security software.
The disclosure comes as the cybersecurity company demonstrated a stealthy technique called NoFilter that abuses the Windows Filtering Platform to elevate a user's privileges to that of SYSTEM and potentially execute malicious code.
News URL
https://thehackernews.com/2023/08/hackers-can-exploit-windows-container.html
Related news
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Ray framework flaw to breach servers, hijack resources (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028) (source)
- Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (source)
- Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT (source)
- Hackers abuse Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Aiohttp bug to find vulnerable networks (source)
- Microsoft confirms memory leak in March Windows Server security update (source)