
SANS Stormcast Tuesday Mar 4th: Mark of the Web Details; SharePoint and Click-Fix Phishing; Paragon Partition Manager BYOVD Exploit
Hello and welcome to the Tuesday, March 4, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Baltimore, Maryland. Well, and today we have a great diary by Didier showing some of the details of the Mark of the Web. That's a feature that we have covered a few times already in the podcast, usually because it didn't get properly propagated to different file formats depending on, for example, zip file extraction software, things like ISO images and the like, where the Mark of the Web is lost in transfer. So the purpose of the Mark of the Web is to indicate to the system that this file has been downloaded from the Internet, so the user can be presented with a warning if this file is executable and the user is attempting to execute it. On Windows, the Mark of the Web is implemented as an alternate data stream, which is supported by the NTFS file system. But not all file systems, and with that not all archive utilities, do properly support alternate data streams, which explains some of the limitations around the Mark of the Web implementation on Windows. Didier also shows a little bit of the details here. So first of all, the Mark of the Web is essentially a little text file, that alternate data stream, and it includes first of all zone information that indicates where the file came from. So there are zones one through four that will then tell you: three, for example, would be "this was downloaded from an external website." In addition, you may find things like the URL the file was downloaded from, and the referrer, basically how was the user directed to that URL? However, those details then also depend on things like the incognito mode in the browser, because that would potentially leak private information. So if you are in incognito mode, you don't get all of those details. Interesting overall, and also I like the little hack of how you look at the content of the Mark of the Web, that alternate data stream, just in Notepad, by specifying the alternate data stream as part of your file name as you open it.

And Fortinet published an interesting piece of research regarding some recent phishing attacks that they have observed. They start with a simple email that contains an HTML attachment. The HTML attachment is something that I've actually seen more and more recently. I think we have also written some diaries about this. It's what Fortinet calls Click-Fix, and what it refers to is: if the user opens the particular HTML document, they are presented with an error message. The error message then instructs them to copy-paste code to execute it. Yes, users will do this. The user here doesn't really realize what they're doing, of course, and that will then execute a PowerShell script that installs additional malware. Another sort of interesting tidbit here is that the downloads are coming from a SharePoint site that the attacker set up, and then they just use the Graph API in order to interact with that SharePoint site. This way, it also becomes quite difficult for intrusion detection tools and other tools to detect the attack, because first of all, the initial email is just an HTML email. There is nothing sort of executable really in that HTML. It's not like JavaScript or anything like this that's often associated with malicious HTML. The user here essentially exploits themselves by copy-pasting that PowerShell script. And secondly, all the interaction with SharePoint of course may not necessarily trigger alerts, because that's usually considered a valid business resource and something that you may use for lots of other purposes.

Then an interesting, noteworthy vulnerability: we do have a vulnerability in the Paragon Partition Manager. Actually, it's not the software itself or part of it, it's really the driver that's being delivered with that software. That's a kernel-level driver, and as such it's digitally signed to be trusted to operate at the kernel level, which, well, you need if you are trying to manage partitions. The problem is that versions prior to version 2 are vulnerable to actually a number of different vulnerabilities, one of which is now being exploited by ransomware gangs for privilege escalation. It's a little bit of a tricky thing. So first of all, yes, you should update Paragon Partition Manager if you run it, but this is even a problem if you never installed this software, because an attacker may install that driver for you and then use it for privilege escalation. Microsoft did add this driver to its vulnerable driver block list, so make sure you have that implemented. But there have been issues with that vulnerable driver block list in the past, so not sure how well this works these days. Maybe add some signatures, as such, to detect these older versions of the driver just as outright malicious if you're not using this software. And yes, of course, definitely upgrade if you are using this software. Well, and that's it for today. Thanks to everybody who noted that I forgot to actually add this outro yesterday. Sorry for that, I just forgot to splice it in at the end. If you are interested in taking the intrusion detection class with me that I'm teaching this week here in Baltimore, I'll actually be back in Baltimore with the same class the first week of June. Links to future classes you'll always find below the show notes for the podcast. Thanks and talk to you again tomorrow. Bye.
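The Mark of the Web segment above describes the Zone.Identifier alternate data stream, its ZoneId value, the optional download and referrer URLs that a private browsing window omits, and the Notepad trick for viewing it. The following PowerShell is an added example, written for this page and not taken from the podcast or from Didier's diary: it parses the [ZoneTransfer] block out of the stream, reports the zone and URLs, and shows what a "normal" download, a private-window download and a file that lost its mark look like side by side. The sample files, their contents and the example.invalid URLs are constructed for the demo; the script assumes an NTFS volume (alternate data streams) and Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not from the podcast or the referenced diary): read and decode the
# Mark of the Web on Windows. Assumes NTFS and Windows PowerShell 5.1 / PowerShell 7 on Windows.

# Parse the [ZoneTransfer] block carried in the Zone.Identifier stream into a hashtable.
function ConvertFrom-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Text)
    $result = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # Keep key=value lines only; the [ZoneTransfer] header and blank lines are skipped
        if ($line -match '^\s*(?<key>[^=\[\]]+?)\s*=\s*(?<value>.*?)\s*$') {
            $result[$Matches.key] = $Matches.value
        }
    }
    return $result
}

# Map the numeric ZoneId to the URL security zone name (values as documented by Microsoft).
function Get-ZoneName {
    param([string]$ZoneId)
    switch ($ZoneId) {
        '0' { 'Local Machine' }
        '1' { 'Local Intranet' }
        '2' { 'Trusted Sites' }
        '3' { 'Internet' }
        '4' { 'Restricted Sites' }
        default { "Unknown ($ZoneId)" }
    }
}

# Read and decode the Mark of the Web for one file. Returns $null when the stream is absent,
# e.g. after extraction by a tool that does not propagate ADS, or on a FAT/exFAT volume.
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw -ErrorAction Stop
    } catch {
        return $null
    }
    $fields = ConvertFrom-ZoneIdentifier -Text $raw
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $fields['ZoneId']
        Zone        = Get-ZoneName $fields['ZoneId']
        ReferrerUrl = $fields['ReferrerUrl']   # absent when downloaded in a private/incognito window
        HostUrl     = $fields['HostUrl']       # absent when downloaded in a private/incognito window
    }
}

# --- Demonstration on constructed sample files in a temporary directory ---
$dir = Join-Path ([IO.Path]::GetTempPath()) ("motw-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null

# 1) A normal download: zone plus referrer and host URLs (constructed, example.invalid is not real)
$full = Join-Path $dir 'report.docm'
Set-Content -LiteralPath $full -Value 'not really a document'
Set-Content -LiteralPath $full -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]', 'ZoneId=3',
    'ReferrerUrl=https://example.invalid/landing',
    'HostUrl=https://example.invalid/files/report.docm')

# 2) A private-window download: the browser records the zone only, no URLs
$private = Join-Path $dir 'setup.exe'
Set-Content -LiteralPath $private -Value 'not really an executable'
Set-Content -LiteralPath $private -Stream Zone.Identifier -Value @('[ZoneTransfer]', 'ZoneId=3')

# 3) A file with no mark at all, which is what a lossy extraction leaves behind
$nomark = Join-Path $dir 'plain.txt'
Set-Content -LiteralPath $nomark -Value 'no stream here'

# List every stream attached to a file; ':$DATA' is the file content itself
Get-Item -LiteralPath $full -Stream * | Select-Object Stream, Length

# The Notepad trick from the diary, spelled out for this path (interactive, so left as a comment):
#   notepad.exe "${full}:Zone.Identifier"

# Decode each sample; files without the stream come back as $null
foreach ($f in $full, $private, $nomark) {
    $motw = Get-MarkOfTheWeb -Path $f
    if ($null -eq $motw) { "$f : no Mark of the Web" } else { $motw | Format-List }
}

Remove-Item -LiteralPath $dir -Recurse -Force
```

Pointing the same function at a real download folder, for example `Get-ChildItem "$env:USERPROFILE\Downloads" -File | ForEach-Object { Get-MarkOfTheWeb $_.FullName } | Where-Object { $_ }`, gives a quick inventory of which files still carry their mark and where they came from. Note that `Unblock-File` deletes the Zone.Identifier stream outright, so run any such collection before users or scripts "unblock" files.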
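For the Paragon Partition Manager segment, the host's advice is to make sure the Microsoft vulnerable driver block list is actually in effect and to treat old copies of the driver on machines that never installed the product as suspicious. The PowerShell below is an added example (not from the podcast, and it names no specific driver file): it reads the host's block list setting and HVCI state, then lists running kernel drivers whose Authenticode signer is not Microsoft, which is the short list to compare against the current Microsoft block list and against the third-party drivers you expect on that host. Two assumptions to verify on your build: the `VulnerableDriverBlocklistEnable` value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`, as Microsoft documents it for Windows 11, and the `Win32_DeviceGuard` WMI class for the HVCI status. Run it elevated.

```powershell
# Added example (not from the podcast): is the Microsoft vulnerable driver block list in effect here,
# and which running kernel drivers are not Microsoft-signed? Run from an elevated PowerShell.
# Assumptions, to be verified on your Windows build: the VulnerableDriverBlocklistEnable value under
# HKLM\SYSTEM\CurrentControlSet\Control\CI\Config and the Win32_DeviceGuard WMI class.

function Test-VulnerableDriverBlocklist {
    $ciPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $ci = Get-ItemProperty -Path $ciPath -ErrorAction SilentlyContinue
    # $null when the value was never written (build default applies); 1 = on, 0 = explicitly off
    $regValue = if ($ci -and $ci.PSObject.Properties['VulnerableDriverBlocklistEnable']) {
        [int]$ci.VulnerableDriverBlocklistEnable
    } else { $null }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # SecurityServicesRunning contains 2 when hypervisor-protected code integrity (HVCI) is running;
    # HVCI applies Microsoft's driver block rules regardless of the registry toggle
    $hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    [pscustomobject]@{
        BlocklistRegistryValue = $regValue
        HvciRunning            = $hvci
        # The case worth alerting on: someone turned the list off and nothing else enforces it
        ExplicitlyDisabled     = ($regValue -eq 0) -and -not $hvci
    }
}

function Get-ThirdPartyRunningDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ prefix; strip it so the file can be opened by path
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned/unknown)' }
                Status = if ($sig) { $sig.Status } else { 'NotFound' }
            }
        } |
        # Inbox drivers are signed by "Microsoft Windows"; keep everything else for review
        Where-Object { $_.Signer -notmatch 'Microsoft (Windows|Corporation)' }
}

Test-VulnerableDriverBlocklist
Get-ThirdPartyRunningDrivers | Format-Table -AutoSize
```

A non-Microsoft signer is not by itself a finding; it narrows a few hundred drivers down to the handful that deserve a version check against the published block list. A Paragon-signed driver on a host where nobody installed Paragon Partition Manager is exactly the condition the episode tells you to treat as malicious, and that comparison is something you still have to do against your own software inventory.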
Podcast: SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Host: Johannes B. Ullrich
Episode Date: March 4, 2025
Episode Theme:
A concise briefing on current cybersecurity issues including new developments with “Mark of the Web” on Windows, a novel “Click-Fix” phishing attack utilizing SharePoint, and a kernel-level driver exploit used by ransomware actors in Paragon Partition Manager.
[00:36 - 02:20] Mark of the Web details (Didier's diary)
[02:20 - 03:53] Click-Fix phishing via HTML attachment and SharePoint (Fortinet research)
[03:53 - 05:13] Paragon Partition Manager kernel driver exploited for privilege escalation
Technical, to-the-point, with moments of practical advice and warnings for defenders; Johannes maintains a direct and informative delivery style suitable for security professionals.