Resurrecting Stuxnet in 2024: Leveraging Emulated Read-Only Filesystems and NTFS Glitches for Infection and Persistence
This paper presents an in-depth exploration into the lesser-known vulnerabilities and glitches in the NTFS and emulated filesystems, drawing a direct parallel with the 2011 Stuxnet worm. The focus is on reevaluating established assumptions about filesystem security in the light of contemporary cybersecurity challenges. The foundation of the research lies in two key questions: How can the strategies used by Stuxnet be adapted to exploit modern NTFS and emulated filesystem weaknesses? And, what are the implications of these vulnerabilities for current Windows security frameworks? The main aim is to incentivize further research in these areas and to encourage a reassessment of filesystem security. We seek to provide a comprehensive understanding of NTFS, outline some of its inherent weaknesses, and show how they can be leveraged to create a Stuxnet-like attack chain. The paper begins with a foundational overview of NTFS, catering to varying levels of prior knowledge among the audience. It then delves into a detailed comparison with Stuxnet's attack chain, highlighting key similarities and differences from both an offensive and a defensive standpoint. The discussion extends to the evolution of Windows security measures post-Stuxnet and presents a modern reimagination of a Stuxnet-like attack, named DriverJack, demonstrating the practical application of theoretical vulnerabilities. The results of this research underscore the enduring relevance of filesystem nuances in modern cybersecurity. We conclude that while Windows security has evolved, significant loopholes remain that can be leveraged using re-engineered versions of past attack strategies.
In homage to one of the most intricate cyberattacks ever recorded, our presentation titled “Resurrecting Stuxnet” explores contemporary strategies that emulate the intricate and covert nature of the Stuxnet worm. This exploration specifically focuses on exploiting vulnerabilities in emulated read-only filesystems and NTFS glitches. We commence with a swift analysis of Stuxnet’s operational mechanisms, setting the stage for a discussion on analogous modern techniques. Since 2011, the Windows ecosystem has undergone significant changes, rendering some of the attack strategies used by Stuxnet considerably more challenging. In our presentation, we will explain attacks like the Bring-Your-Own-Vulnerable-Driver (BYOVD) and examine the impact of robust security measures like Device Guard Signature Enforcement (DSE) and Hypervisor-protected Code Integrity (HVCI). Expanding upon this groundwork, we introduce an innovative attack method that capitalizes on unaddressed weaknesses in emulated, read-only file systems, challenging several accepted security assumptions. This strategy allows attackers to subtly deploy and sustain malicious drivers or software, echoing the stealth tactics utilized by Stuxnet. Furthermore, we will explore unpublished NTFS glitches that allow an attacker to perform a full cleanup of the attack traces without losing persistence within the system. In conclusion, we will discuss the creation of new indicators of compromise (IOCs) specifically designed to detect the types of attacks we outline. By drawing comparisons to Stuxnet and adapting its methodologies to contemporary technologies, our presentation strives to offer a compelling narrative of what a modern-day Stuxnet-style attack might look like. Additionally, it aims to provide insights about less recognized filesystem weaknesses, highlighting their potential complexities and the challenges they pose to defenders.