Submission: Remote Evil Butler Attack Threatens Windows Computers (softpedia.com)
An anonymous reader writes: Last year, a security researcher discovered a way to defeat BitLocker on Windows by taking a PC and inserting it into a network controlled by a rogue domain controller, which allowed the attacker to poison the credentials cache and set a new password on the targeted device. This type of attack is called an Evil Maid, because it requires the attacker to have physical access to the device.
Microsoft fixed this vulnerability (CVE-2015-6095), and then fixed it again when two researchers pointed out in February 2016 (CVE-2016-0049) that the fix was incomplete. At this year's Black Hat security conference, two Microsoft researchers have discovered a way to carry out the Evil Maid attack from a remote location, even over the Internet. The two researchers say that an attacker can compromise a PC, configure it to work as a rogue domain controller, and then use RDP to access computers (that have open RDP connections) on the same network and carry out the attack from a distance. This particular attack, nicknamed a Remote Evil Butler, can be extremely attractive and valuable for cyber-espionage groups.