Hackers Bypass Firewalls Using Windows Feature


Hackers now bypass firewalls by abusing a legitimate component of the Windows operating system, the Background Intelligent Transfer Service (BITS), to deliver and persist their malware.

In 2020, hospitals, medical centres and nursing homes suffered from an ever-changing phishing campaign that spread the KEGTAP backdoor, which opened the way for Ryuk ransomware attacks.

FireEye Mandiant recently discovered a previously unknown mechanism that allows KEGTAP to persist using the BITS component.

First introduced in Windows XP, BITS is a background file transfer service that moves files between a client and an HTTP server using only idle network bandwidth. BITS is commonly used to deliver operating system updates to clients.

It is also used by the Windows Defender Antivirus scanner to fetch malware signature updates. Beyond Microsoft’s own products, the service is used by other applications such as Mozilla Firefox to keep downloads running in the background even after the browser is closed.

“When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process. This can be useful for bypassing firewalls that can block malicious or unknown processes, as well as for hiding which application requested the transfer,” FireEye Mandiant said.

BITS transfers can also be scheduled, allowing them to happen at specific times without relying on long-running processes or the task scheduler.

On already compromised systems loaded with Ryuk ransomware, the malware used BITS to create a new job named “System update”, configured to run the mail.exe executable, which in turn launched the KEGTAP backdoor after the job attempted to download an invalid URL.

As the researchers noted, the malicious BITS job was configured to attempt an HTTP transfer of a non-existent file from the local host.

“Since this file will never exist, BITS will raise an error state and run a notification command, which in this case was KEGTAP,” FireEye explained.
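The failure pattern described above leaves a trail in the BITS client event log that a defender can hunt on. The following is an added example, not code from the article or from FireEye: it runs a detection heuristic over constructed, simplified event records, assuming that events 3 (job created) and 60 (transfer stopped) of Microsoft-Windows-Bits-Client/Operational carry the job title, creating process, URL and status code as shown, and flags jobs that repeatedly fail against a local-host URL.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed, simplified records mimicking Microsoft-Windows-Bits-Client/Operational
# events: ID 3 = job created, ID 59 = transfer started, ID 60 = transfer stopped with
# a status code. All values (job ids, paths, URLs, hosts) are invented for illustration.
SAMPLE_EVENTS = [
    {"id": 3, "job_id": "job-1", "title": "System update",
     "owner": "WORKSTATION\\user", "process": "C:\\Users\\user\\AppData\\Local\\Temp\\mail.exe"},
    {"id": 59, "job_id": "job-1", "url": "http://localhost/does-not-exist.bin"},
    {"id": 60, "job_id": "job-1", "url": "http://localhost/does-not-exist.bin", "status": "0x80190194"},
    {"id": 59, "job_id": "job-1", "url": "http://localhost/does-not-exist.bin"},
    {"id": 60, "job_id": "job-1", "url": "http://localhost/does-not-exist.bin", "status": "0x80190194"},
    {"id": 3, "job_id": "job-2", "title": "Windows Update",
     "owner": "NT AUTHORITY\\SYSTEM", "process": "C:\\Windows\\System32\\svchost.exe"},
    {"id": 59, "job_id": "job-2", "url": "http://update.example.invalid/pkg.cab"},
    {"id": 60, "job_id": "job-2", "url": "http://update.example.invalid/pkg.cab", "status": "0x0"},
]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_local_url(url):
    """True for file:// URLs and HTTP URLs that point back at the local machine."""
    parsed = urlparse(url)
    return parsed.scheme == "file" or (parsed.hostname or "").lower() in LOCAL_HOSTS


def find_suspicious_jobs(events, min_failures=2):
    """Report jobs whose transfers repeatedly fail against the local host.

    A job that asks BITS for a local file that never exists cannot succeed;
    every attempt ends in an error state, which is exactly what a notify
    command riding on that error needs. Legitimate jobs fetch from remote
    update servers and normally finish with status 0x0.
    """
    created = {}                 # job_id -> creation event (title, owner, process)
    failures = defaultdict(list)  # job_id -> URLs of failed local-host transfers
    for ev in events:
        if ev["id"] == 3:
            created[ev["job_id"]] = ev
        elif ev["id"] == 60 and int(ev["status"], 16) != 0 and is_local_url(ev["url"]):
            failures[ev["job_id"]].append(ev["url"])
    findings = []
    for job_id, urls in failures.items():
        if len(urls) < min_failures:
            continue
        meta = created.get(job_id, {})
        findings.append({"job_id": job_id, "title": meta.get("title", "?"),
                         "owner": meta.get("owner", "?"), "process": meta.get("process", "?"),
                         "reason": f"{len(urls)} failed transfers to local host {sorted(set(urls))}"})
    return findings
```

On a live host the same records can be exported with Get-WinEvent from the Microsoft-Windows-Bits-Client/Operational log and fed to find_suspicious_jobs after the same field mapping.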

Let me remind you that I also talked about the fact that Google Project Zero discovered a 0-day vulnerability in the Windows kernel.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
