
Why Windows 11 Requires a TPM and How It Enhances Security


When Microsoft launched Windows 11 in 2021, the new operating system came with a stringent hardware requirement: the presence of a Trusted Platform Module (TPM), specifically one that meets the TPM 2.0 standard. A TPM is a secure cryptoprocessor designed to manage encryption keys and handle security-related tasks, making it a critical component for features such as Secure Boot, BitLocker, and Windows Hello. 

The TPM specification is published by the Trusted Computing Group and standardized as ISO/IEC 11889; its first versions date back more than 20 years. It defines the cryptographic operations a TPM must implement, with an emphasis on integrity protection, isolation, and confidentiality of the keys it holds. A TPM can be a discrete chip on the motherboard, or a firmware TPM running in a protected environment of the chipset or CPU, as Intel (Platform Trust Technology), AMD (fTPM), and Qualcomm have shipped over the past decade. 

Most PCs manufactured since 2016 come with a TPM 2.0, as Microsoft mandated that year that all new computers shipped with Windows must have this technology enabled by default. Even some older devices may have a TPM, though it might be disabled in the BIOS or firmware settings. Intel began incorporating TPM 2.0 into its processors in 2014, but the feature was mainly available on business-oriented models. Devices built before 2014 may have discrete TPMs that conform to the earlier TPM 1.2 standard, which is not officially supported by Windows 11. 

The TPM provides an isolated environment for cryptographic operations and for storing sensitive material such as private keys, which never leave the chip in the clear. During startup the firmware records measurements of each boot stage into the TPM, while Secure Boot ensures that only signed, trusted code runs. Windows Hello keeps its credential keys in the TPM where one is present, and BitLocker seals the key that encrypts the system disk to the measured boot state, so the TPM releases it only when the firmware and boot chain match what was recorded at setup. That defeats offline attacks such as moving the disk to another machine or booting from external media; it does not on its own stop an attacker who can boot the machine normally, which is why a TPM+PIN or startup-key protector is recommended for high-value devices. Windows 10 and 11 initialize and take ownership of the TPM during installation, and the chip is not limited to Windows: Linux systems and IoT devices use it too. 

Apple devices take a different approach with the Secure Enclave, a coprocessor that performs similar key-protection tasks. For owners of older PCs, upgrading to Windows 11 may mean enabling the TPM in the firmware settings, where it is often present but switched off; utilities that bypass the hardware check exist, but a system installed that way loses the hardware-backed protections the check is there to guarantee. Keeping keys in tamper-resistant hardware is the real advance: it protects data at rest and gives the operating system a root of trust for verifying its own integrity.
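As an added example (not from the original post), the following PowerShell reports the facts the post relies on for one Windows 10 or 11 host: whether a TPM is present and which specification version it implements, whether Secure Boot is on, and which key protectors guard the OS volume. The readiness rules and the wording of the findings are this example's own; the cmdlets (Get-Tpm, Confirm-SecureBootUEFI, Get-BitLockerVolume) ship with Windows and the script must run from an elevated prompt.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# on Windows 10/11; the modules used (TrustedPlatformModule, SecureBoot,
# BitLocker) are built into Windows.

function Get-PlatformSecurityReport {
    # TPM presence and readiness come from Get-Tpm; the spec version (1.2 vs 2.0)
    # is only exposed through the Win32_Tpm WMI class.
    $tpm = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($tpmWmi -and $tpmWmi.SpecVersion) {
        ($tpmWmi.SpecVersion -split ',')[0].Trim()   # "2.0, 0, 1.38" -> "2.0"
    } else { 'unknown' }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }

    # The protector types on the OS volume decide what an attacker holding the
    # disk (or the whole laptop) still needs in order to unlock it.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = @($os.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    $findings = @()
    if (-not $tpm.TpmPresent) {
        $findings += 'No TPM detected; check firmware settings, it may be disabled.'
    } elseif ($spec -ne '2.0') {
        $findings += "TPM spec version $spec; Windows 11 requires 2.0."
    } elseif (-not $tpm.TpmReady) {
        $findings += 'TPM present but not ready (not provisioned or not owned).'
    }
    if (-not $secureBoot) {
        $findings += 'Secure Boot is off or unavailable (legacy BIOS?).'
    }
    if ($os.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection on $($os.MountPoint) is $($os.ProtectionStatus)."
    } elseif ($protectors -contains 'Tpm') {
        # TPM-only: the volume key is released automatically to a boot chain with
        # the expected measurements. A stolen, powered-off laptop is protected,
        # but there is no pre-boot secret; TPM+PIN closes that gap.
        $findings += 'OS volume uses a TPM-only protector; consider TPM+PIN for pre-boot authentication.'
    }
    if ($protectors -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector on the OS volume; add one and escrow it.'
    }

    [pscustomobject]@{
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        TpmSpecVersion = $spec
        SecureBoot     = $secureBoot
        OsVolumeStatus = [string]$os.VolumeStatus
        KeyProtectors  = ($protectors -join ', ')
        Findings       = $findings
    }
}

Get-PlatformSecurityReport | Format-List
```

An empty Findings list means the host meets the post's requirements and the OS volume has both a pre-boot secret and an escrowable recovery password; anything else names the gap to fix.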

New ShrinkLocker Ransomware Exploits BitLocker to Encrypt Files


ShrinkLocker, a newly reported ransomware strain, abuses Windows BitLocker to encrypt corporate systems, first carving out new boot partitions on which it reinstalls the boot files.

ShrinkLocker, named for its method of creating a boot volume by shrinking available non-boot partitions, has been targeting government entities and companies in the vaccine and manufacturing sectors.

Using BitLocker to encrypt computers isn't new. Previously, threat actors have used this security feature to encrypt 100TB of data on 40 servers at a Belgian hospital and to target a Moscow-based meat producer and distributor. In September 2022, Microsoft warned about an Iranian state-sponsored attacker using BitLocker to encrypt systems running Windows 10, Windows 11, or Windows Server 2016 and newer.

Kaspersky reports that ShrinkLocker includes previously unreported features designed to maximize damage. Written in VBScript, it queries the Windows version through Windows Management Instrumentation (WMI) and continues only if its conditions are met: the current domain must match the intended target and the OS must be newer than Windows Vista. Otherwise the script deletes itself.

If the target meets the requirements, the malware uses the Windows diskpart utility to shrink each non-boot partition by 100 MB and creates new primary volumes from the unallocated space. Kaspersky researchers noted that on Windows Server 2008 and 2012, ShrinkLocker saves the boot files along with the index of the other volumes; the resize operations are carried out by different code on other Windows versions.

ShrinkLocker then uses the BCDEdit command-line tool to reinstall boot files on the new partitions. Additionally, it modifies registry entries to disable remote desktop connections and enable BitLocker encryption on hosts without a Trusted Platform Module (TPM), a security chip.

Dynamic malware analysis by Kaspersky confirmed the following registry changes made by ShrinkLocker. The first two live outside the BitLocker policy tree:

- fDenyTSConnections = 1 (under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server): disables inbound RDP connections
- scforceoption = 1 (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System): forces smart card authentication for interactive logon

The rest are written under HKLM\SOFTWARE\Policies\Microsoft\FVE, where Group Policy stores the BitLocker "Require additional authentication at startup" setting. For the Use* values, 0 forbids the option, 1 requires it, and 2 allows it; the script sets everything to "allow" so that whatever protector it chooses to add is accepted, including a plain password on hosts without a TPM:

- UseAdvancedStartup = 1: turns the additional-authentication policy on
- EnableBDEWithNoTPM = 1: allows BitLocker without a compatible TPM chip
- UseTPM = 2: allows a TPM-only protector
- UseTPMPIN = 2: allows a startup PIN with the TPM
- UseTPMKey = 2: allows a startup key with the TPM
- UseTPMKeyPIN = 2: allows a startup key and PIN with the TPM
- EnableNonTPM = 1: the Windows Vista / Server 2008 equivalent of EnableBDEWithNoTPM, allowing BitLocker without a TPM given a password or a startup key on a USB flash drive
- UsePartialEncryptionKey = 2: Vista-era value allowing a startup key with the TPM
- UsePIN = 2: Vista-era value allowing a startup PIN with the TPM

ShrinkLocker drops no ransom note; instead, the attacker's contact email address is written into the volume label of the new boot partitions, where only a recovery environment or diagnostic tools will show it, so it is easy to miss. After encrypting the drives, the script deletes the BitLocker key protectors (TPM, PIN, startup key, password, recovery password, and recovery key) that the victim could have used to unlock the volumes, leaving the attacker, who receives the generated encryption key, as the only party able to do so.

That key is a 64-character string built from digits, special characters, and letters taken from the pangram "The quick brown fox jumps over the lazy dog." It is exfiltrated through TryCloudflare, a legitimate Cloudflare service for trying Cloudflare Tunnel without adding a site to Cloudflare's DNS, which hands the attacker a throwaway trycloudflare.com hostname.

In the final stage, ShrinkLocker forces a system shutdown, leaving the user with locked drives and no BitLocker recovery options. BitLocker's pre-boot recovery message feature, which could have displayed an extortion message, is not used, suggesting these attacks may be more destructive than financially motivated.

Kaspersky discovered multiple ShrinkLocker variants used against government entities and organizations in the steel and vaccine manufacturing sectors in Mexico, Indonesia, and Jordan.

Cristian Souza, an incident response specialist at Kaspersky, advises organizations that use BitLocker to store recovery keys securely, keep regular offline backups, run a properly configured Endpoint Protection Platform (EPP) that can detect BitLocker abuse, enforce least privilege for users, and monitor network traffic and script execution.
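As an added example that is neither Kaspersky's tooling nor the malware's own code, the PowerShell below turns the registry list and the recommendations above into a host-local check: it looks for the ShrinkLocker-style policy and RDP changes, confirms that every encrypted volume still carries a recovery password protector, and optionally escrows those protectors to Active Directory. The registry paths are the standard Windows locations for the named values; the `-EscrowToAD` switch assumes a domain-joined host whose AD schema accepts BitLocker recovery information. Run it from an elevated prompt.

```powershell
# Added example, not part of the original post, Kaspersky's report or the malware.
# Audits one Windows host for ShrinkLocker-style configuration changes and for
# encrypted volumes left without an escrowable recovery password. Run elevated.

function Test-BitLockerAbuseIndicators {
    param(
        # Assumption: domain-joined host and an AD schema extended for BitLocker
        # recovery information; when set, recovery passwords are backed up to AD DS.
        [switch]$EscrowToAD
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Registry values the script sets. HKLM\SOFTWARE\Policies\... is normally
    # written only by Group Policy refresh, so a change there outside a policy
    # update is a tamper indicator. fDenyTSConnections=1 is also the client default,
    # so compare against your baseline rather than treating it alone as malicious.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $checks = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'fDenyTSConnections'; Value = 1; Why = 'inbound RDP disabled' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'scforceoption'; Value = 1; Why = 'smart card logon forced' },
        @{ Path = $fve; Name = 'UseAdvancedStartup'; Value = 1; Why = 'additional startup authentication policy enabled' },
        @{ Path = $fve; Name = 'EnableBDEWithNoTPM'; Value = 1; Why = 'BitLocker allowed without a TPM' },
        @{ Path = $fve; Name = 'EnableNonTPM';       Value = 1; Why = 'BitLocker allowed without a TPM (Vista-era value)' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq $c.Value) {
            $findings.Add("$($c.Path)\$($c.Name) = $($c.Value): $($c.Why)")
        }
    }

    # Protector audit: the script strips the TPM, PIN, password and recovery
    # protectors after encrypting, so an encrypted volume with no RecoveryPassword
    # protector is the condition to alert on. A volume guarded only by a Password
    # protector is unusual on a managed host and is worth a second look too.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($recovery.Count -eq 0) {
            $findings.Add("$($vol.MountPoint): encrypted, protectors [$($types -join ', ')], no recovery password")
        } elseif ($EscrowToAD) {
            foreach ($rp in $recovery) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $rp.KeyProtectorId | Out-Null
            }
        }
        if ($types.Count -eq 1 -and $types[0] -eq 'Password') {
            $findings.Add("$($vol.MountPoint): only a Password protector remains; verify an administrator set it")
        }
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Clean    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-BitLockerAbuseIndicators | Format-List
```

The check is deliberately host-local, since that is where the damage is done; the post's own description also gives the process chain to hunt for centrally: the VBScript host (wscript.exe or cscript.exe) spawning diskpart.exe and BCDEdit, followed by an outbound HTTP request to a trycloudflare.com hostname carrying the generated key.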