As an update to the #ShadowBunny thread - WSL is now being abused by a ransomware threat actor.

WSL opens up a whole attack surface on Windows. The Defender EDR integration is crap, and an optional bolt-on, and other EDR providers have basically no visibility. It’s a mess.

https://www.bleepingcomputer.com/news/security/qilin-ransomware-abuses-wsl-to-run-linux-encryptors-in-windows/

Qilin ransomware abuses WSL to run Linux encryptors in Windows

The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools.

BleepingComputer

The #ShadowBunny vulnerability in MDE persists over 6 months later - if you contain an endpoint in MDE, Windows Subsystem for Linux apps can all still access the internet.

So if you’re a threat actor, enable WSL from control panel and SSH back to yourself - if the org detects you, your access persists. It also allows internal network access.
https://infosec.exchange/@nieldk/111241070277583473

PhreakByte (@[email protected])

7 months ago I reported #shadowbunny-as-a-service to MSRC, one month ago they “hope to have an answer in a few days” lol

Infosec Exchange
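An added inventory and hardening check, not taken from any post in this thread: a PowerShell snippet an administrator can run on a Windows endpoint to see whether the WSL optional features are enabled, which distributions are registered, and whether WSL processes are running, i.e. whether the egress path described above even exists on that host. It assumes it is run elevated and uses the standard Windows optional-feature and process names; the disable step at the end is commented out and is an assumption about local policy, not something the thread prescribes.

```powershell
# Added example (not from the thread): report WSL exposure on this host.
# Assumes an elevated session; feature names are the standard Windows ones.
$features = 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform'
foreach ($f in $features) {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $f).State
    Write-Output ("{0,-40} {1}" -f $f, $state)
}

# Registered distributions, if the wsl.exe launcher is present at all.
# (wsl.exe returns a non-zero exit code when no distribution is installed.)
if (Get-Command wsl.exe -ErrorAction SilentlyContinue) {
    Write-Output 'Registered WSL distributions:'
    wsl.exe --list --verbose 2>$null
}

# Processes that indicate WSL is active right now: the launcher, the host
# broker for WSL1, and the lightweight utility VM used by WSL2.
Get-Process -Name wsl, wslhost, vmmem, vmmemWSL -ErrorAction SilentlyContinue |
    Select-Object Name, Id, StartTime |
    Format-Table -AutoSize

# Optional hardening where WSL is not a business need (reboot required):
# Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart
# Disable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform -NoRestart
```

Running this across a fleet (for example via a management agent) gives a baseline of which machines have WSL enabled; a feature state that changes from Disabled to Enabled on a host where it was never requested is the event worth alerting on, since that is the step the post above describes.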

For anybody tracking #ShadowBunny - it still works as a way to evade device isolation in MDE.
Good news, MS have revisited the Defender/WSL issue where network traffic is not inspected/logged (and asset containment is fully bypassed) in Microsoft Defender for Endpoint. Now has a logo and a name - #ShadowBunny. https://infosec.exchange/@nieldk/110198058070907150
nieldk :verified: 💻 (@[email protected])

Happy to announce MS acknowledging my Defender bypass, and a “patch” will be produced ✌️ #shadowbunny. Thanks to @cirriustech for logo ;) which will be added to my blog https://sec1.dk/blog.html this weekend

Infosec Exchange