Alert Essentials:

Many tools in the Microsoft Sysinternals suite have a critical flaw that allows malicious DLLs to be activated.

Microsoft considers this weakness a defense-in-depth issue and will not release a patch. Follow mitigations to assist in preventing exploitation.

Email Team

Detailed Threat Description:

Microsoft Sysinternals tools were originally developed for system administrators and power users, but they have become integral to diagnosing system issues and analyzing malware.

A newly discovered vulnerability in how Sysinternals tools load DLL files results in significant risk for administrators and developers.

The affected tools in the DLL search order erroneously load additional modules from untrusted directories before validating directory integrity. This enables a DLL hijacking attack, in which malicious DLLs can be placed alongside legitimate Sysinternals executables.

Attackers can take advantage of this by crafting a malicious DLL that mirrors the legitimate file’s name and location. Once the executable is initiated, the operating system inadvertently loads the malicious module, thereby granting an adversary elevated privileges and unintended access.

Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers this an issue that should be addressed with secured usage practices.

Therefore, organizations are advised to adopt measures to protect against exploitation, such as manually revising execution practices and network storage behaviors.

Impacts on Healthcare Organizations:

The ability to inject malicious DLLs into tools offers attackers a potential avenue to gain a foothold on a network, deploy ransomware, or steal sensitive patient data.

Furthermore, exploiting a tool commonly used in malware analysis could provide the perfect cover to disguise nefarious activities from defenders.

IT administrators must prioritize securing their use of Sysinternals tools and adopt a layered security strategy that includes tools to monitor DLL integrity.

Affected Products / Versions:

  • Autorun versions that have not incorporated a comprehensive DLL path verification update
  • BGInfo versions that rely on default shared directory paths without proper security modifications
  • Prerelease or legacy builds of Process Explorer before versions with enhanced digital signature
  • System monitoring tools in the Microsoft Sysinternals suite

Recommendations:

Engineering Recommendations:

  • Technical teams are advised to cease running the affected Microsoft Sysinternals Tools from network shares and instead execute these utilities from local, secured storage devices to ensure strict control over DLL provisioning
  • Enforce rigorous file integrity checks by integrating host-based intrusion detection systems that monitor DLL loading activities
  • System administrators should implement application whitelisting policies that only allow digitally signed binaries to be loaded by high-risk applications
  • Deploy enhanced logging mechanisms to capture anomalous DLL load events and to audit any changes to system directories regularly
  • Strengthen access controls on shared network directories
  • Reinforce internal file access monitoring
  • Leverage sandbox environments to test and validate new Sysinternals tool deployments before production rollouts

Leadership/Program Recommendations:

  • Collaborate with security solution providers to activate signature-based detection for DLL hijacking attempts
  • Proactive vulnerability scanning and continuous monitoring of endpoints for unusual DLL behaviors will further add layers of defense as organizations await a permanent patch from Microsoft

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References: