Researchers at the security firm CyberArk have discovered a new attack vector they’ve dubbed “Illusion Gap.” While it’s somewhat tricky for a hacker to implement, when it works, it can be devastatingly effective, completely bypassing Windows Defender, which is security software that comes pre-loaded on all Windows-based computers.
To successfully execute the attack, the hacker relies on a combination of social engineering tricks and the use of a rogue SMB server. Thanks to the way Windows Defender scans files stored on an SMB share, if he can convince a user to execute a poisoned file hosted on a malicious server, then Windows Defender can be bypassed completely.
This is actually not as difficult as it may first appear. Often, simply presenting the user with a shortcut to the poisoned file is sufficient, and the moment that a user double clicks the shortcut, the damage is done.
Windows Defender does try, because before the file is executed, it requests a copy for scanning purposes, but the hackers can simply substitute a clean copy of the file to hand off to Windows Defender, tricking it into thinking that there’s no problem. That done, the poisoned file executes and can inject whatever code the hacker likes into the target system.
Unfortunately, Microsoft does not view this as a security issue at all. CyberArk contacted Microsoft when they discovered the flaw, and received the following as a response from the company:
“Thanks for your email. Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn’t seem to be a security issue but a feature request which I have forwarded to the engineering group.
Thanks again for reporting security issues to Microsoft responsibly and we appreciate your effort in doing so.”
All that is to say, where Illusion Gap is concerned, you’re on your own, at least for the time being. Be very careful when you click on any file hosted on an SMB server, or any shortcuts to them.