Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it


Karlston


We enlisted a leading security researcher to test if Microsoft's newest, locked-down version of Windows 10 is protected against all "known" kinds of ransomware, as the company claims.

 

Microsoft claims "no known ransomware" runs on Windows 10 S, its newest, security-focused operating system.

 

The software giant announced the version of Windows earlier this year as the flagship student-focused operating system to ship with its newest Surface Laptop. Microsoft touted the operating system as being less susceptible to ransomware because of its locked-down configuration -- to the point where you can't run any apps outside the protective walled garden of its app store. In order to get an app approved, it has to go through rigorous testing to ensure its integrity. That's one of several mitigations that helps to protect the operating system from known file-encrypting malware.

 

We wanted to see if such a bold claim could hold up.

 

Spoiler alert: It didn't.

 

Last week, on its debut day, we got our hands on a new Surface Laptop, the first device of its kind to run Windows 10 S. We booted it up, went through the setup process, created an offline account, and installed a slew of outstanding security patches -- like any other ordinary user would (hopefully) do.

 

And that's when we asked Matthew Hickey, a security researcher and co-founder of cybersecurity firm Hacker House, a simple enough question: Will ransomware install on this operating system?

 

It took him a little over three hours to bust the operating system's various layers of security, but he got there.

 

"I'm honestly surprised it was this easy," he said in a call after his attack. "When I looked at the branding and the marketing for the new operating system, I thought they had further enhanced it. I would've wanted more restrictions on trying to run privileged processes instead of it being such a short process."

 

But Windows 10 S presents a few hurdles. Not only is it limited to store-only apps, but it doesn't allow the user to run anything that isn't necessary. That means there's no command prompt, no access to scripting tools, and no access to PowerShell, a powerful tool often used (and abused) by hackers. If a user tries to open a forbidden app, Windows promptly tells the user that it's off-limits. Bottom line: If it's not in the app store, it won't run.

 

Cracking Windows 10 S was a tougher task than we expected.

 

But one common attack point exists. Hickey was able to exploit how Microsoft Word, available to download from the Windows app store, handles and processes macros. These typically small, script-based programs are designed to automate tasks, but they're also commonly used by malware writers.

 

Here's how he did it.

 

Hickey created a malicious, macro-based Word document on his own computer that when opened would allow him to carry out a reflective DLL injection attack, allowing him to bypass the app store restrictions by injecting code into an existing, authorized process. In this case, Word was opened with administrative privileges through Windows' Task Manager, a straightforward process given the offline user account by default has administrative privileges. (Hickey said that process could also be automated with a larger, more detailed macro, if he had more time.)

 

But given the dangers associated with macros, Word's "protected view" blocks macros from running when a file is downloaded from the internet or received as an email attachment. To get around that restriction, Hickey downloaded the malicious Word document he built from a network share, which Windows considers a trusted location, giving him permission to run the macro, so long as he enabled it from a warning bar at the top of the screen. The document could easily point an arrow to the bar, telling the user to disable protected mode to see the contents of the document -- a common social engineering technique used in macro-based ransomware. (If he had physical access to the computer, he could have also run the file from a USB stick, but he would have to manually unblock the file from the file's properties menu -- as easy as clicking a checkbox.)

 

Once macros are enabled, the code runs and gives him access to a shell with administrator privileges.

 

From there, he was able to download a payload using Metasploit, a common penetration testing software, which connects the operating system to his own cloud-based command and control server, effectively enabling him to remotely control the computer. From there, he was able to get the highest level of access, "system" privileges, by accessing a "system"-level process and using the same DLL injection method.

 

By gaining "system" privileges, he had unfettered, remote access to the entire computer.

 

"From here we can start turning things on and off -- antimalware, firewalls, and override sensitive Windows files," he said. With a few steps, the computer would have been entirely vulnerable and unable to defend against any malware.

 

"If I wanted to install ransomware, that could be loaded on," he said. "It's game over."

 

To prove his level of access, he sent me a screenshot with the plaintext password of the Wi-Fi network that the computer was connected to, something only available to "system"-level processes.

 

"We considered leaving the laptop playing 'AC/DC Thunderstruck' on loop for you, but we didn't want to upset your neighbors or any pets!" he joked.

 

"We could even take something like Locky, a DLL-based ransomware, and run it so that it would encrypt all the files in your documents and request a key by setting the wallpaper," he said.

 

Though he was given permission, Hickey stopped short of installing the ransomware, citing the possible risk to other devices on the network. "We've proved the point enough," he said. "We can do whatever we wanted," he said.

 

From popping the shell, which took him "a matter of minutes," he was able to gain full system-wide access to the operating system in a few hours. "That's because we knew already of these kinds of attacks and these kinds of techniques, and we know it's worked for us in the past," he said.

 

Hickey did not use any previously undisclosed or so-called zero-day vulnerabilities to carry out the attack, but he said that this attack chain could be carried out several other ways.

 

Although Hickey used publicly known techniques that are widely understood by security experts, we nevertheless privately informed Microsoft's security team of the attack process prior to publication.

 

For its part, Microsoft rejected the claims.

 

"In early June, we stated that Windows 10 S was not vulnerable to any known ransomware, and based on the information we received from ZDNet that statement holds true," said a spokesperson. "We recognize that new attacks and malware emerge continually, which is why [we] are committed to monitoring the threat landscape and working with responsible researchers to ensure that Windows 10 continues to provide the most secure experience possible for our customers."

 

This hack may not have been the prettiest or easiest to launch. You could argue that the hack took too many steps that wouldn't be replicated in the real world, and that this case would rely on either social engineering or physical access to a device, rather than a weaponized file to launch on a double-click. That said, hackers aren't known to give up after a little over three hours probing vulnerabilities.

 

In the end, Microsoft said that "no known ransomware" works on the operating system, but by gaining "system"-level access, we showed that it's entirely possible to take control of the machine to install ransomware.

 

If there's a lesson to be learned (and repeated again and again), it's that nothing is unhackable.

 

Source: Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it (ZDNet)
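The Protected View bypass described in the article turns on whether a document carries a Mark-of-the-Web. As an added defender-side example, not from the ZDNet article or Hacker House, this PowerShell script audits a folder for macro-enabled Office files and reports which ones lack an Internet-zone marking; the function names and folder path are placeholders of my own.

```powershell
# Added example (not from the ZDNet article or Hacker House): audit a folder for
# macro-enabled OOXML documents and report whether each carries a Mark-of-the-Web
# (the Zone.Identifier alternate data stream) that makes Office open it in Protected View.
# Assumes an NTFS volume and Windows PowerShell 5.1 or later; the folder path is a placeholder.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-MotwZoneId {
    param([string]$Path)
    # Returns the ZoneId from the Zone.Identifier stream (3 = Internet, 4 = Restricted),
    # or $null when the file has no such stream (e.g. copied from a network share).
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    if ($text -match 'ZoneId=(\d)') { return [int]$Matches[1] }
    return $null
}

function Test-HasVbaProject {
    param([string]$Path)
    # OOXML files are ZIP containers; an embedded VBA project lives at <part>/vbaProject.bin.
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            return [bool]($zip.Entries | Where-Object { $_.FullName -like '*/vbaProject.bin' })
        } finally { $zip.Dispose() }
    } catch {
        return $false   # not a ZIP container (e.g. legacy .doc); not assessed by this script
    }
}

function Find-UnmarkedMacroDocs {
    param([string]$Folder)
    $macroExt = '.docm', '.dotm', '.xlsm', '.xlam', '.pptm'
    Get-ChildItem -LiteralPath $Folder -Recurse -File |
        Where-Object { $macroExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zone   = Get-MotwZoneId $_.FullName
            $hasVba = Test-HasVbaProject $_.FullName
            # Protected View only triggers for untrusted zones; a macro document with no
            # marking, or an intranet marking, opens straight to the macro warning bar.
            $risk = if ($hasVba -and ($null -eq $zone -or $zone -lt 3)) { 'REVIEW' } else { 'ok' }
            [pscustomobject]@{ File = $_.FullName; HasMacros = $hasVba; ZoneId = $zone; Risk = $risk }
        }
}

Find-UnmarkedMacroDocs -Folder 'C:\Users\Public\Downloads' | Format-Table -AutoSize
```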

What Microsoft should have claimed is "No known Windows version is immune from Ransomware."  That is a true statement.  The one Microsoft made is an outright lie and just more marketing hype.  If they can't even protect a version of Windows 10 that allows the user to do nothing on it, how are they ever going to protect a normal copy?  Which doesn't bode well for those running Windows 10 because if Microsoft takes this as an affront they will start hardening Windows by removing everything from it so all you will be able to do is click the start button and run programs you have subscribed to from their app store.  Give them another year to hook more people on Windows 10 who think they can't run a previous version on new hardware and then the proverbial shit will hit the proverbial fan.



I am confused by the term 'hacked it'.

 

'Cracked' is more appropriate.

 

Like a safe, you 'crack' the code to enter, you don't spend hours using a meaningless tool to 'hack' into it.

 

What M$ should do is run updates periodically, like ones anti-virus or internet security programs do to stop such nasty code.

 

One can tell the world they have made a bullet proof and watertight feature, however we all know the human mind is better than a computer, we program them, so we are superior.

 

The old saying about, ''the chain is only as strong as its weakest link''!

 

Now one programmer can write code and another programmer can bypass the security as they are better at writing the code and make less errors.

 

I could build what I believe in code terms is a door, like Fort Knox, to stop people gaining access, however where there is a will there is a way in, even if I dug a tunnel underneath and came up through the floor.

 

So my point is, finally I hear you scream, you can make as many patches and fixes as you want to infinity (dead eight (8)) however there is always a way around everything.

 



Depends on how long you spend writing the program in question.  A fantastic programmer taking years to write a program is going to be a lot harder to crack or hack than a mediocre programmer writing a program in three to six months.



As I see it, it's meaningless to crack or hack Windows 10 S. It's basically the OS for a school computer. Sounds kind of "much ado about nothing". If the user is not satisfied with it, the easiest solution is simply to install the FULL FEATURED Windows 10, readily available, and forget all about 10 S.

Can it be "targeted" by ransomware? It looks possible but not probable. Again... much ado about nothing. How much benefit might ransomware cybercriminals get by hijacking homework and school projects?
