A Vulnerability In Custom Windows 10 Themes Could Allow Hackers To Steal User Credentials

Threat actors keep finding new ways to compromise people's devices. Recently, a security researcher disclosed a weakness in custom Windows 10 themes: attackers could use a specially crafted theme to steal a victim's account credentials. Windows 10 lets users create custom themes, which bundle the sounds, colors, mouse cursors, and wallpaper the operating system will use, and users can switch between themes to change the appearance of Windows 10. Custom theme packs can also be shared by email or offered as downloads on websites.

The security researcher behind the @bohops Twitter account explained how the attack works in a chain of tweets. @bohops wrote that attackers could use specially crafted themes to perform Pass-the-Hash attacks, which capture Windows login credential hashes by tricking the victim's machine into accessing a remote Server Message Block (SMB) share that requires authentication.

A malicious Windows 10 theme file contains a line that sets the victim's wallpaper and points the PC at an image hosted on the attacker's server. The attacker configures that server to demand credentials whenever a victim connects. The Windows 10 PC then prompts the victim for login credentials in order to access the picture. If the victim enters them, the credentials are sent to the attacker's server, where they are harvested. Attackers can then attempt to crack the captured hash to recover the username and password.

The researcher said he disclosed the issue to Microsoft earlier this year, and the company told him it would not fix it because the behavior is a 'feature by design.' To protect a PC against malicious theme files, the researcher recommends blocking the .themepack, .desktopthemepackfile, and .theme extensions or re-associating them with a different program; note that this breaks the Windows 10 Themes feature. You can also set the 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' group policy to 'Deny All.' Enabling multi-factor authentication on your Microsoft account is also recommended, as it helps prevent the account from being accessed remotely by attackers.
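As an added example (not from the article or from the researcher's post), the following Python scanner parses a .theme file, which is INI-formatted, and flags any value that references a UNC share or a URL instead of a local file, the pattern a defender would look for in a theme received by email or download. The sample theme contents and the hostname are constructed placeholders; checking every key rather than only Wallpaper, and the UTF-16 handling, are my own generalizations.

```python
import configparser
import re

# A value that points outside the local machine: a UNC path (\\host\share\...)
# or a URL with a scheme (http://, https://, ftp://). Local device paths such as
# \\?\C:\... and \\.\... are excluded.
REMOTE_REF = re.compile(r"^\s*(\\\\[^\\?.][^\\]*\\|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)

# Constructed sample .theme contents (INI format); the hostname is a placeholder.
BENIGN_THEME = """[Theme]
DisplayName=Benign Theme

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
TileWallpaper=0
"""

SUSPICIOUS_THEME = """[Theme]
DisplayName=Constructed Suspicious Theme

[Control Panel\\Desktop]
Wallpaper=\\\\remote-host.example\\share\\wall.jpg
TileWallpaper=0
"""


def decode_theme(data: bytes) -> str:
    """Decode raw .theme bytes; Windows saves some themes as UTF-16 with a BOM."""
    for bom, enc in ((b"\xff\xfe", "utf-16"), (b"\xef\xbb\xbf", "utf-8-sig")):
        if data.startswith(bom):
            return data.decode(enc)
    return data.decode("cp1252", errors="replace")


def find_remote_references(text: str):
    """Return (section, key, value) for every value that references a remote host."""
    # Interpolation is off because theme files use %SystemRoot%-style paths,
    # which configparser's default interpolation would reject.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written ("Wallpaper", not "wallpaper")
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if REMOTE_REF.match(value):
                hits.append((section, key, value.strip()))
    return hits


def is_suspicious(text: str) -> bool:
    return bool(find_remote_references(text))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        print(name, find_remote_references(sample))
```

A hit means the theme would make the machine reach out to a remote host when applied, which is exactly the step the NTLM outgoing-traffic policy above is meant to block.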
