🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Windows Projected File System (ProjFS) Internals: A Technical Deep Dive - **Huntress** controls the content posted at the URL. The company was founded in 2015 by Kyle Hanslovan, Chris Bisnett, and John Ferrell, who are former cyber operators for the U.S. National Security Agency (NSA) . Kyle Hanslovan is the CEO and Co-founder of Huntress . The Huntress security platform is built, owned, and operated entirely by their team . 🔍 Show Kagi Synopsis
  The Windows Projected File System (ProjFS), introduced in Windows 1809, allows applications to virtualize file system content, making it appear as if files exist on disk and hydrating them on demand when accessed.
  
  **What Happened**
  Microsoft developed ProjFS as a feature enabling user-mode applications, known as "providers," to virtualize file system content. The article delves into its technical architecture, explaining its function as a minifilter, its communication methods, and its various applications.
  
  **Who is Affected**
  * **Administrators** are responsible for enabling the ProjFS feature.
  * **Developers** can create custom "providers" to define how files and data are projected.
  * **End-users and applications** interact with these projected files, often unaware of their virtualized nature until they are accessed.
  
  **Security Implications**
  ProjFS presents both offensive and defensive security implications:
  
  * **Offensive:**
  * **Privilege Escalation:** A user with medium integrity can initiate a ProjFS provider, potentially allowing them to control file appearances and access, which could bypass higher-privilege restrictions.
  * **Data Manipulation:** Providers can prevent file deletions or alter file content upon reading on a per-process basis, enabling sophisticated methods for hiding or manipulating data.
  * **Defensive:**
  * **Tripwire/Canary Files:** ProjFS can be utilized to create "canary" files that act as tripwires. These can log file access, modifications, and operations in detail, potentially without requiring a kernel-mode minifilter.
  * **Enhanced Visibility:** ProjFS offers significant file visibility, which may replace the need for minifilters in certain scenarios, aligning with Microsoft's trend away from kernel-mode components.
  
  **Technical Details**
  ProjFS operates as a minifilter, not a standalone file system. It uses reparse points (specifically `IO_REPARSE_TAG_PROJFS` and `IO_REPARSE_TAG_PROJFS_TOMBSTONE`) to identify its virtualized files and directories. It functions at a specific filter altitude (189800) and supports pre/post callbacks for file I/O operations. Communication between the kernel-mode ProjFS minifilter and the user-mode provider occurs through filter communication ports, such as `PrjFltPort`. The core components include the `prjflt.sys` driver, the `ProjectedFSLib.dll` library, and the provider application itself. ProjFS supports various notifications, including `NEW_FILE_CREATED`, `FILE_OPENED`, and `FILE_READ`, with "PRE" notifications allowing for interception and denial of operations like deletion, renaming, and hardlink creation.
  
  **What Defenders Should Know**
  Defenders can leverage ProjFS to enhance file monitoring and threat detection. By configuring ProjFS providers with specific "canary" files, security professionals can gain detailed insights into file access patterns, detect unauthorized modifications, and identify malicious activities like ransomware. The capability to log file operations and process interactions provides a potent defensive tool, particularly in environments where kernel-mode solutions are restricted. Understanding how providers can intercept and respond to file operations is crucial for both utilizing ProjFS defensively and recognizing its potential misuse. ProjFS is presented as an efficient technology for improving file visibility and overall security posture 【1】.
• Phishing über Messengerdienste - Phishing via messaging services - current information indicating that a cyber actor, likely state-controlled, is conducting phishing attacks via messaging services - Bundesamt für Verfassungsschutz (BfV) and Bundesamt für Sicherheit in der Informationstechnik (BSI) 🔍 Show Kagi Synopsis
  A cybersecurity warning has been issued regarding **phishing attacks conducted via messenger services**, primarily targeting the **Signal app**, with potential applicability to **WhatsApp** 【1】. These attacks are believed to be **state-sponsored** and are aimed at **high-ranking individuals in politics, military, diplomacy, and investigative journalism** across Germany and Europe 【1】.
  
  **What Happened:**
  The attackers are not employing malware or exploiting technical vulnerabilities. Instead, they are using **social engineering tactics combined with the legitimate security features of messenger apps** to gain unauthorized access to chats and contact lists 【1】.
  
  **Who is Affected:**
  The primary targets are **senior figures in political, military, and diplomatic spheres, as well as investigative journalists** in Germany and Europe 【1】.
  
  **Security Implications:**
  Successful attacks can result in **unauthorized access to confidential communications**, the potential compromise of entire networks through group chats, and the reconstruction of sensitive contact information for further intelligence or criminal purposes. Victims may lose access to their accounts, and their communications could be monitored without their knowledge 【1】.
  
  **Technical Details:**
  Two main attack methods have been identified:
  1. **Impersonation of Support:** Attackers pretend to be "Signal Support" or a "Signal Security ChatBot" through direct messages. They use social engineering, often starting with a fake security warning, to pressure victims into revealing their **Signal Security PIN** or an **SMS verification code**. This allows the attackers to register the victim's account on a device they control, gaining full control and the ability to send messages as the victim 【1】.
  2. **Device Pairing via QR Code:** Attackers exploit the legitimate feature for linking additional devices. They trick targets into scanning a QR code under a false pretext. This action links an attacker-controlled device to the victim's account, granting ongoing access to contact lists and messages from the past 45 days, and enabling the attacker to send messages as the victim 【1】.
  
  **What Defenders Should Know:**
  Users should take the following precautions:
  * **Do not respond** to messages from purported "Signal" support accounts, as Signal customer service does not contact users directly via the app 【1】.
  * **Block and report** any accounts impersonating "Signal" support 【1】.
  * **Never enter your "Signal" PIN** in plain text in a message; legitimate prompts will obscure characters 【1】.
  * **Enable the registration lock** in Signal settings (Settings -> Account -> Registration lock) 【1】.
  * **Only scan QR codes** within the Signal app when intentionally linking a new device 【1】.
  * **Ignore unsolicited group invitations** from unknown contacts 【1】.
  * **Regularly review** the list of linked devices in Signal settings (Settings -> Linked Devices) and remove any unrecognized devices 【1】.
  
  Users who have shared their "Signal" PIN or personal information with fake support, are prompted to re-register their account without clear reason, find unrecognized devices linked to their account, experience unexpected app behavior, or notice messages marked as read that they haven't read, should **contact the authorities (BfV or BSI)** 【1】.