Threat Alert

by IthacaLabs™

THREAT LEVEL/High 07/04/2021

Hackers Using a Windows OS Feature to Evade Firewall and Gain Persistence

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures are warranted, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgements on acceptable risk.

Description

We have observed reporting of a technique that abuses Microsoft's Background Intelligent Transfer Service (BITS) to deploy malicious payloads on Windows machines stealthily.

When a malicious application creates BITS jobs, the uploads and downloads are carried out by the BITS service host process (svchost.exe) rather than by the malicious application itself. Security controls that make decisions based on the originating process, such as host firewalls, therefore see a trusted Windows service making the connection, which lets threat actors slip past them.

In addition, BITS transfers can be scheduled, so the work is performed at predetermined times without the attacker having to keep a long-running process of their own on the machine.

Background Intelligent Transfer Service (BITS) is a component of Microsoft Windows XP and later versions of the operating system. It provides asynchronous, prioritised and throttled transfer of files between machines, using idle network bandwidth. It is most commonly used by recent versions of Windows Update, Microsoft Update, Windows Server Update Services and System Center Configuration Manager to deliver software updates to clients. Microsoft's anti-virus scanner Microsoft Security Essentials, and the Windows Defender anti-virus that succeeded it, use it to fetch signature updates. Besides Microsoft's own products, the service is also used by third-party applications such as Mozilla Firefox, which relies on it so that update downloads continue in the background even when the browser is closed.

BITS is exposed to applications through the Component Object Model (COM), so any process that can talk to the service can create and control jobs.

BITS jobs can be created with a user-specified notification command line that the service runs when the job completes or when an error is detected. Jobs can be created through the COM API, with the “bitsadmin” command-line tool, or with the BitsTransfer PowerShell module. The notification command can be any executable or command line, and because BITS jobs persist across reboots and are retried by the service, attackers can use them to re-launch a malicious application and so achieve persistence.
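The following hunting script is an added example for this alert and is not part of the IthacaLabs report or of any Microsoft tooling. It enumerates every BITS job on a host with the BitsTransfer module, reports each job's owner, remote and local file names and notification command, and flags jobs that carry a notification command line (the persistence hook described above) or that write into user-writable locations. It then pulls job-creation and transfer events from the BITS client event log. The path patterns, the event count and the function names are assumptions to be tuned per environment; the script must run in an elevated PowerShell session because `-AllUsers` requires administrator rights.

```powershell
# Added example (not from the IthacaLabs alert): hunt for BITS jobs that carry a
# notification command, and review recent BITS activity from the event log.
# Run from an elevated PowerShell session; Get-BitsTransfer -AllUsers needs admin rights.
Import-Module BitsTransfer

function Get-BitsJobReport {
    [CmdletBinding()]
    param(
        # Local destinations that legitimate updaters rarely use. Assumption: adjust per environment.
        [string]$SuspiciousLocalPath = '\\(Temp|AppData\\Local\\Temp|ProgramData|Users\\Public)\\'
    )

    foreach ($job in (Get-BitsTransfer -AllUsers -ErrorAction Stop)) {
        # A job can carry several files; join the remote URLs and local targets for display.
        $remote = @($job.FileList | ForEach-Object { $_.RemoteName }) -join '; '
        $local  = @($job.FileList | ForEach-Object { $_.LocalName })  -join '; '

        $flags = New-Object System.Collections.Generic.List[string]
        # Any notification command line deserves a look: BITS runs it when the job
        # completes or errors, in the context of the job owner, with no parent process of the attacker's.
        if ($job.NotifyCmdLine) { $flags.Add("NotifyCmdLine set: $($job.NotifyCmdLine)") }
        if ($local -match $SuspiciousLocalPath) { $flags.Add('Writes to a user-writable location') }

        [pscustomobject]@{
            JobId       = $job.JobId
            DisplayName = $job.DisplayName
            Owner       = $job.OwnerAccount
            Type        = "$($job.TransferType)"
            State       = "$($job.JobState)"
            Created     = $job.CreationTime
            RemoteFiles = $remote
            LocalFiles  = $local
            NotifyFlags = $job.NotifyFlags      # which events (transferred, error) trigger the command
            NotifyCmd   = $job.NotifyCmdLine
            Flags       = ($flags -join '; ')
        }
    }
}

function Get-BitsJobEvents {
    param([int]$MaxEvents = 200)   # assumption: how far back to look
    # Microsoft-Windows-Bits-Client/Operational: event 3 = job created (includes creating
    # process path), 59 = transfer started (includes the URL), 60 = transfer stopped.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 3, 59, 60 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: every job in one table, then the flagged jobs in full, then recent BITS activity.
$report = Get-BitsJobReport
$report | Format-Table JobId, Owner, Type, State, RemoteFiles, NotifyCmd -AutoSize
$report | Where-Object Flags | Format-List
Get-BitsJobEvents | Format-Table -AutoSize

# The built-in tool gives the same view, printing NOTIFICATION COMMAND LINE for each job:
#   bitsadmin /list /allusers /verbose
```

Legitimate software (Windows Update, Defender signature downloads, browser updaters) also creates BITS jobs, so the table will not be empty on a healthy host; the jobs to investigate are the ones whose owner, remote host or notification command do not match a known updater. The event-log query complements the live enumeration because an attacker can cancel or complete a job after it has run, at which point Get-BitsTransfer no longer shows it but events 3, 59 and 60 still record it.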

This attack mechanism is a reminder that attackers repurpose legitimate, trusted tools such as BITS for their own ends, so that their activity blends in with normal system behaviour.

CVE(s)

N/A

Affected Systems

  • Windows systems (Windows XP and later) running Microsoft’s Background Intelligent Transfer Service (BITS)

Recommendation(s)

This technique abuses a legitimate Windows feature rather than a software flaw (no CVE applies), so patching alone will not remove it; detection and review of BITS usage are the main defences. Recommended measures:

  • Periodically enumerate BITS jobs on endpoints and servers (for example with “bitsadmin /list /allusers /verbose” or the BitsTransfer PowerShell module) and review any job with a notification command line, an unexpected owner, or a remote host that is not a known update source.
  • Enable and forward the Microsoft-Windows-Bits-Client/Operational event log so that job creation and transfer activity can be monitored centrally.
  • Do not rely solely on per-process firewall rules to block unwanted outbound connections; BITS transfers originate from the service host process, so outbound filtering should also be applied at the network boundary (destination host and proxy controls).
  • Continue to apply security updates promptly through an efficient patch management process, no matter how large or small your organisation is, and keep active security event logging and event monitoring in place.
  • Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including penetration testing at least annually and upon significant changes.
