Deception / 08.25.2021

TrapX DeceptionGrid Deceives and Traps Attackers Exploiting Latest Vulnerabilities

By Guy Waizel, Chief Operating Officer, TrapX Security

TrapX DeceptionGrid 7.2 uses patented emulation technology to deliver comprehensive protection and visibility at scale. DeceptionGrid deploys a crowd of tangible assets, hidden in plain sight among organizational assets, that interact with attackers and misinform them so as to identify them and to gain insight into their tactics, techniques, and procedures (TTPs), enabling rapid response and containment. In just minutes, with DeceptionGrid you can launch hundreds of credible emulations that engage attackers and malware, generating high-fidelity alerts for rapid response.

TrapX emulation traps deliberately expose known Microsoft and other vulnerabilities. When an attacker exploits a trap, we give the customer the complete inside picture: the attack itself and the details of the attacker behind it.

Recently, Microsoft published several new vulnerabilities, known as PrintNightmare (CVE-2021-1675: Windows Print Spooler Elevation of Privilege Vulnerability, and CVE-2021-34527: Windows Print Spooler Remote Code Execution Vulnerability) and HiveNightmare (also known as SeriousSAM; CVE-2021-36934: Windows Elevation of Privilege Vulnerability). DeceptionGrid detects exploitation of these vulnerabilities. When an attacker tries to exploit either of them, DeceptionGrid responds as though the exploit had succeeded. Interaction and infection alerts are raised as soon as the attacker merely scans for a vulnerable endpoint, so an analyst can see that the attacker is attempting to leverage these vulnerabilities, while the attacker continues to believe the exploit has worked. Attackers can then be diverted to a quarantine VLAN through our ecosystem integrations with third-party security and network systems.

Regarding these vulnerabilities, Microsoft recommends:

  • Install June and July patches, or the latest updates, from Microsoft.
  • Disable Windows Print Spooler on computers that don’t need it. In particular, domain controller servers are highly unlikely to need the ability to print.
  • For HiveNightmare, Microsoft provides workarounds rather than complete remediation.
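The three recommendations above can be checked and applied from an elevated PowerShell session. The script below is an added example for this page, not TrapX code and not a script from Microsoft's advisories; the function names are ours, and it assumes it is run as an administrator on the host being hardened. It lists updates installed since the July 2021 PrintNightmare fixes for comparison against Microsoft's advisory, disables the Print Spooler on domain controllers (or on any host when forced), and runs the documented HiveNightmare workaround (re-enable ACL inheritance on the hive files and remove existing shadow copies) only if the hive ACLs actually grant read access to BUILTIN\Users.

```powershell
#Requires -RunAsAdministrator
# Added example (not TrapX or Microsoft code). Run in an elevated session.

function Get-UpdatesSinceJuly2021 {
    # PrintNightmare out-of-band updates shipped from 6 July 2021; the exact
    # KB for your build must be taken from Microsoft's advisory, so this only
    # lists what is installed since then for comparison.
    Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date '2021-07-06') } |
        Select-Object HotFixID, InstalledOn | Sort-Object InstalledOn
}

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
}

function Disable-PrintSpooler {
    param([switch]$Force)
    # Domain controllers almost never need to print; on other hosts require -Force.
    if (-not (Test-IsDomainController) -and -not $Force) {
        Write-Host 'Not a domain controller; pass -Force to disable the spooler anyway.'
        return
    }
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Host 'Spooler service not present.'; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host 'Print Spooler stopped and disabled.'
}

function Test-HiveNightmareExposure {
    # Vulnerable hosts show BUILTIN\Users with (RX) on the registry hive files.
    # icacls is used because it reads the security descriptor even though the
    # hives themselves are held open by the system.
    $config = Join-Path $env:windir 'System32\config'
    $exposed = @()
    foreach ($hive in 'SAM', 'SECURITY', 'SYSTEM') {
        $out = & icacls (Join-Path $config $hive) 2>&1
        if ($out -match 'BUILTIN\\Users:\(I\)\(RX\)') { $exposed += $hive }
    }
    return $exposed
}

function Invoke-HiveNightmareWorkaround {
    # Microsoft's published workaround, not a full fix: restore inheritance so
    # the hives inherit the restrictive ACL of the config directory, then delete
    # shadow copies that still contain readable copies of the old hives.
    # Deleting shadow copies also removes restore points, so create a new one
    # afterwards if you rely on System Restore.
    $exposed = Test-HiveNightmareExposure
    if ($exposed.Count -eq 0) { Write-Host 'Hive ACLs already restricted.'; return }
    Write-Host "Exposed hives: $($exposed -join ', '); applying workaround."
    & icacls (Join-Path $env:windir 'System32\config\*.*') /inheritance:e | Out-Null
    & vssadmin delete shadows /for=$env:SystemDrive /quiet | Out-Null
    Write-Host 'Inheritance restored and shadow copies deleted.'
}

# Example run: report patch state, harden the spooler on DCs, fix hive ACLs.
Get-UpdatesSinceJuly2021 | Format-Table -AutoSize
Disable-PrintSpooler
Invoke-HiveNightmareWorkaround
```

Note that a vulnerable hive ACL only matters on systems that also have Volume Shadow Copies, since the live hives are locked; the check above still reports the ACL so it can be corrected before the next shadow copy is taken.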

How DeceptionGrid deceives attackers who decide to exploit and use these vulnerabilities and others

With TrapX Windows emulation traps deployed, an attacker who tries to exploit the PrintNightmare vulnerability against one of them sees the connection succeed exactly as it would on a regular endpoint. The attacker receives real responses, even though the targeted asset is fake.

DeceptionGrid records an immediate event as below, alerting the analyst that the PrintNightmare exploit was used and detected:

In another example, we attacked an emulation trap proxied to our high-interaction Full OS Windows server trap and exploited the HiveNightmare exploit. We succeeded in running the exploit:

At the same time, we can see every action taking place on the Full OS Windows trap: files being created, registry keys being created, and the processes being used:

Summary

In these few examples, we've seen known vulnerabilities that attackers can leverage to breach organizations. Keep in mind that in today's world new vulnerabilities appear every few months, and customers need to make sure they protect against them. This is difficult to do quickly, especially in large organizations, and impossible in critical environments such as healthcare and operational systems.

With TrapX emulation traps, customers reduce risk by identifying attackers and isolating them as soon as they exploit an emulation trap, no matter what new vulnerability appears in the future.


About TrapX Security

TrapX provides a new generation of Deception technology that delivers real-time breach detection and prevention. Our proven solutions immerse tangible IT assets in a virtual minefield of traps that misinform and misdirect would-be attackers, alerting SOC teams to malicious activity with immediate, actionable intelligence. Our solutions enable our customers to isolate, rapidly fingerprint, and disable new Zero-Day attacks and APTs in real time. TrapX Security has thousands of government and Global 2000 users worldwide, serving customers in manufacturing, defense, healthcare, finance, energy, consumer products, and other vital industries. For more information, visit www.trapx.com.
