Windows 10 Credential Guard Bypassed

Despite the demonstrated successes and new security mitigations (specifically Credential Guard) of Windows 10 detailed by Microsoft in the link and PDF document listed below, security researchers from CyberArk have been able to obtain domain admin account (defined) credentials from the Local Security Authority (LSA) Secrets registry hive of Windows 10 using a technique similar to Pass the Hash (PtH) (defined):

https://technet.microsoft.com/en-us/itpro/windows/whats-new/security

https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf

Once obtained, they injected the credentials into a newly created malicious service to achieve lateral movement (defined), which led to the compromise of the domain controller (defined). The only requirement of the exploit the researchers developed was obtaining administrator access to a workstation within the domain.

While this could be considered a tall order, a well-designed spear phishing email (defined) with a malicious attachment or a malicious link targeting an unpatched or zero day (defined) vulnerability on the workstation could be used to achieve privilege escalation (defined) and gain administrative rights (defined). Social engineering (defined) in combination with a malicious USB flash drive could also be a potential way of exploiting this. The methodology of how the CyberArk researchers carried out this exploit is available within their blog.

They also provide a list of mitigations for this exploit, many of which are well known and/or best practice. Microsoft responded to the team’s disclosure of this vulnerability that there will not be a fix, since the system must already be compromised for the technique to succeed.

Thank you.

Blog Post Shout Out: SHA-1 Migration and Internet of Things (IoT)

With the transition to SHA-2 rapidly approaching (January 2017), if you have not already begun the migration process for your website, or are having difficulty locating all of the certificates that need migrating, the following article (to which I wish to give a respectful shout out) may be of assistance. The article includes advice on making the best use of the remaining time:

SHA-1 Time Bomb: One Third of Websites Have Yet to Upgrade by Phill Muncaster (Infosecurity Magazine)

This issue is also of note since Google (which, like the other browser vendors, is moving away from SHA-1) will remove support for SHA-1 in Chrome version 56. Further details are provided in their blog post. The source of the statistics for the Infosecurity Magazine article was this blog post from Venafi, an organisation that provides cryptography related solutions and services to enterprises.

=======================
With the DDoS attack (defined) against the DNS service Dyn last month attributed to Internet of Things (defined) devices, further steps need to be taken to secure them. To assist with this, US-CERT has published a PDF document titled “Strategic Principles for Securing the IoT”. It is intended for consumers, operators and manufacturers of IoT devices. It is available from the link below:

Securing the Internet of Things (US-CERT)

=======================
Thank you.

Encrypted Linux Systems Affected By Boot Process Vulnerability

Early last week a potentially serious vulnerability (assigned CVE-2016-4484 (defined)) within the Linux boot sequence was disclosed by security researchers at the DeepSec conference in Vienna.

Why Should This Issue Be Considered Important?
This is an elevation of privilege (defined) vulnerability that, when exploited, can result in an attacker obtaining root (defined) level access over your Linux system. It can be exploited by continually pressing the Enter key at the LUKS (Linux Unified Key Setup) password prompt. According to the researchers, Hector Marco and Ismael Ripoll, after approximately 70 seconds a new root shell (defined) will appear.

With this shell the attacker can delete all of the information on the encrypted disks the LUKS prompt is designed to protect. The shell could also be used to copy the encrypted information to another location to attempt to brute force (defined) it. This also applies to any unencrypted information on the disk. Finally, it could be used to elevate privileges from a standard user by storing an executable file with the SetUID bit enabled.

Interestingly, this issue can only occur if the system partition is encrypted. At least the Debian and Ubuntu distributions are vulnerable to this issue. Others may be too, but the researchers have not exhaustively tested them.

Further details of this issue are provided within the researchers’ blog post.

How Can I Protect Myself From This Issue?
The researchers have provided a workaround and have proposed a more permanent fix within their blog post. It involves editing the cryptroot file so that the computer simply reboots when the number of password guesses reaches the limit.

If you are a Linux system administrator or know someone who is, this issue and its fix may be of interest. Thank you.

Microsoft Announces End of Support for EMET

Early last week Microsoft extended the support deadline of their exploit mitigation tool, Enhanced Mitigation Experience Toolkit (EMET). The final support deadline is now the 31st of July 2018 (originally 27th January 2017).

Why Should This Announcement Be Considered Important?
At this time there are known bypasses for EMET e.g. this and this. While a competitor to EMET, SurfRight’s HitmanPro.Alert, mitigated the WoW64 bypass, Microsoft never incorporated such changes (or at least never documented such improvements). In addition, in their most recent blog post concerning EMET, Microsoft states that EMET’s effectiveness against modern exploit kits (defined) has not been proven and that it was not designed to be a long term solution, just a “stop gap” to add extra protection to older versions of Windows without necessitating upgrading to a newer version of Windows.

In addition, Microsoft mentioned that EMET can reduce the performance of the applications that it protects. Moreover, it can impact their reliability, since it hooks into the operating system at a low level in order to add its protection to the applications chosen by a system administrator or individual user.


You recommend EMET a lot on this blog; is that going to change?

In the short term, no. In the long-term, yes. While EMET is still supported I will recommend its use but will note that its end of support date is approaching.

I still believe that EMET can provide value by adding mitigations to commonly used applications both for enterprise/business users and individual user applications when those applications don’t include mitigations such as DEP or ASLR etc. by default after installing them. I don’t agree with Microsoft’s decision to end support for EMET for this reason.

I believe that they were overly critical of EMET in their most recent blog post. Yes, it can cause performance issues (usually disabling one or both of the EAF and EAF+ mitigations resolves this) and can cause compatibility issues. In general, this depended on the setup of your individual applications. E.g. if you don’t install add-ons into Microsoft Word, Excel etc., they are far more likely to work with EMET without any changes. In many business and enterprise environments I realise this isn’t an option.

In my experience, accepting the defaults of the EMET configuration and adding all but EAF and EAF+ to custom applications would almost always work. Adding EAF and/or EAF+ was appropriate if they didn’t cause performance issues. A further reference regarding EMET’s mitigations and another application compatibility list is available here.

I always believed that if you were going to deploy EMET across an organisation that you had to extensively test it. This could possibly involve testing it on hardware and software that mostly (or exactly if possible) emulates each type of server and workstation in use across each team in your organisation. Using just one configuration across your organisation would not work or if it did, it would be sub-optimal since you would likely have to disable many more mitigations to make it work smoothly across all systems in use.

How secure non-best-practice applications (namely those that don’t include mitigations such as DEP or ASLR) are when installed on Windows 10 is uncertain. However, given the continuing work that Microsoft is doing with Windows 10 and their recent publishing of details concerning the new mitigations available in Windows 10 (the original security benefits are discussed in a previous blog post), Windows 10 in the long term is the way forward. Overall, Windows 10 without any additions is more secure by default than Windows 7 or Windows 8.1. Just one example would be the disabling of LDR Hotpatching, which mitigates the issues caused by abusing its functionality discussed here and here.


If I can’t upgrade to Windows Server 2016 or Windows 10 before the support for EMET ends, what would you recommend?

If your business applications already include security mitigations such as DEP and ASLR, you may not need EMET and can simply ignore it. EMET and indeed the competitors to EMET are only necessary if the applications you use need hardening.

For businesses, enterprises and individuals, alternatives to EMET are Malwarebytes Anti-Exploit (Business and Personal editions) and HitmanPro.Alert. Malwarebytes Anti-Exploit can be used to protect custom applications and thus can take that role over from EMET. I am currently testing Malwarebytes Anti-Exploit and HitmanPro.Alert and will comment on their resource usage and any drawbacks they may have. I will update this post when I have completed this testing.

Alternatively try to contact the developers of the custom business applications that you are using and request that they enable some security mitigations e.g. DEP and ASLR. Visual Studio 2015 is required for adding CFG but DEP and ASLR can be added using compilers like Mono and mingw (example 2 and example 3).
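Before asking a vendor for DEP and ASLR, it helps to know whether their binary already carries them. The following is an added example (not code from the original post) that reads the DllCharacteristics flags straight out of a PE header; the header-only images it builds are constructed for demonstration and are not real executables.

```python
"""Report DEP (NX_COMPAT), ASLR (DYNAMIC_BASE / HIGH_ENTROPY_VA) and CFG
(GUARD_CF) from a PE file's optional header. Flag values are the documented
IMAGE_DLLCHARACTERISTICS_* constants; the sample images are constructed."""
import struct

HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
GUARD_CF = 0x4000


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image (PE32 or PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return flags


def mitigations(data: bytes) -> dict:
    """Translate the raw flags into the mitigations discussed in the post."""
    flags = dll_characteristics(data)
    return {
        "DEP": bool(flags & NX_COMPAT),
        "ASLR": bool(flags & DYNAMIC_BASE),
        "HighEntropyASLR": bool(flags & HIGH_ENTROPY_VA),
        "CFG": bool(flags & GUARD_CF),
    }


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return mitigations(f.read())


def build_sample_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only image (no sections) carrying the given flags."""
    opt_size = 240 if pe32plus else 224
    buf = bytearray(0x40 + 4 + 20 + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                              # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x8664 if pe32plus else 0x14C)     # Machine
    struct.pack_into("<H", buf, 0x44 + 16, opt_size)                     # SizeOfOptionalHeader
    opt = 0x44 + 20
    struct.pack_into("<H", buf, opt, 0x20B if pe32plus else 0x10B)       # Magic
    struct.pack_into("<H", buf, opt + 70, dll_chars)                     # DllCharacteristics
    return bytes(buf)


if __name__ == "__main__":
    hardened = build_sample_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA | GUARD_CF)
    legacy = build_sample_pe(0, pe32plus=False)
    print("hardened sample:", mitigations(hardened))
    print("legacy sample:  ", mitigations(legacy))
```

For a real binary, `check_file("app.exe")` gives the same dictionary; with mingw the corresponding GNU ld switches are `--nxcompat`, `--dynamicbase` and (64-bit) `--high-entropy-va`, and Visual Studio's `dumpbin /headers` prints the same DLL characteristics.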

I contacted the developer of a 64 bit open source tool and he mentioned that since he still supports Windows XP migrating to a newer version of Visual Studio is not an option right now but would consider it for the future. Another small but commercial application developer (a 64 bit utility for Windows) was very enthusiastic about a new version of Visual Studio offering extra mitigations and promised to add these to the next major release of his product which is currently in beta and moving towards a release candidate.

Thank you.

November 2016 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft made available 14 security bulletins. These updates address 67 vulnerabilities listed within Microsoft’s security bulletin summary (as before, excluding the Adobe bulletin). These are more formally known as CVEs (defined).

Once again this month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring this page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages should be your first places to check for solutions.

====================

Today Adobe made available one other security bulletin, affecting Adobe Connect (resolving 1 priority 3 issue), in addition to their regular Flash Player update. Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the update installed automatically alongside the updated version of Google Chrome, which was made available very shortly after Adobe’s update.

The Flash Player update addresses 9 priority 1 CVEs. If you use either of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month the previously disclosed zero day (defined) vulnerability under attack should take first priority; it is addressed in MS16-135. Next, please prioritise the deployment of the following updates:

Microsoft Internet Explorer, Microsoft Edge, Microsoft Graphics Component, Microsoft Office, Microsoft Video Control and the Windows Security Update bulletin.

Businesses and enterprises should prioritise the deployment of the SQL Server update since it addresses 6 important vulnerabilities.

As always Adobe’s Flash Player update (to version 23.0.0.207) should also be on your shortlist this month.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security precaution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

Please note that Microsoft EMET is in the process of being retired with the end of support scheduled for the 31st of July 2018.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Disclosed Microsoft Zero Day Under Attack By APT Group

====================
Update: 8th November:
The Microsoft zero day vulnerability discussed in this post has now been patched. Please refer to this post for the appropriate information and download links.

Thank you.

====================
Original Post:
====================
Earlier this week Google publicly disclosed (defined) details of a new zero day (defined) vulnerability affecting supported versions of Windows up to Windows 10. Fortunately, the disclosure only included minimal details.

Why Should These Issues Be Considered Important?
The vulnerability disclosed by Google could result in an attacker being able to elevate their privileges (defined) on an affected system. However, when used in combination with a previously patched Adobe Flash Player vulnerability (reference previous post), this could result in a Windows system under your responsibility or in your ownership having a backdoor (defined) installed.

Some good news is that this new exploit primarily targets organisations that operate in the following sectors (thus all other organisations are at somewhat reduced risk): government, intelligence or military organisations.

The nature of the backdoor is the decision of the attacker but would usually include a means of remaining persistent on the system and allowing the attacker to remotely access the infected system. This backdoor can then be used to move data of the attacker’s choice off the affected system. The APT group responsible is known as STRONTIUM by Microsoft (other aliases used in the wider cyber security industry are APT28, Sofacy, Fancy Bear, TsarTeam, Sednit and PawnStorm). STRONTIUM is also known for moving laterally throughout the networks it compromises (where the pass the hash (PtH) (defined) technique is the method of choice to do so).

How Can I Protect Myself From This Issue?
While a patch from Microsoft is in progress (scheduled for release on the 8th of November), follow safe email guidelines, namely don’t click on unexpected/unsolicited links or open potentially dangerous email attachments, to prevent the exploit’s actions from being executed (carried out) in the first instance.

If you use the Microsoft Edge or Google Chrome web browsers, the exploit for the local elevation of privilege vulnerability will be mitigated. This is due to Chrome’s sandbox (defined) blocking the use of API (defined) calls to the win32k.sys driver (defined). This is in addition to its existing mitigations when installed on Windows 10, which I previously discussed.

Microsoft Edge on the other hand implements Code Integrity to prevent the next steps of exploitation.

To protect endpoints within your organisation you could consider utilising the logging capabilities of Microsoft EMET and Sysinternals’ Sysmon by processing their logs using a SIEM (defined) and taking action when that SIEM alerts you to suspicious activity. This is especially relevant since this exploit can be triggered from within web browsers, the Java JRE, Microsoft Word and Microsoft PowerPoint (namely, when these applications are used to open suspicious/untrusted files).
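One concrete rule a SIEM could run over Sysmon process-creation events (Event ID 1) for the applications named above: alert when a browser, Java or an Office application spawns a scripting or command interpreter. This is an added example, not code from the original post or from Sysmon; the event records are constructed to mirror Sysmon's Image/ParentImage/CommandLine/User fields and are not real logs.

```python
"""Flag Sysmon Event ID 1 records where a document-handling application
spawns a child that normal document handling never needs. Added example;
the JSON-lines events below are constructed, not captured from a system."""
import json

# Parents the post names as the entry points for this exploit (untrusted files).
DOCUMENT_HANDLERS = {
    "winword.exe", "powerpnt.exe", "excel.exe", "iexplore.exe",
    "chrome.exe", "firefox.exe", "microsoftedgecp.exe", "java.exe", "javaw.exe",
}
# Children that indicate code execution rather than rendering a document.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
}


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_child_events(events) -> list:
    """Return alert records for Event ID 1 entries matching the parent/child rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue  # only process-creation events carry ParentImage
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in DOCUMENT_HANDLERS and child in SUSPICIOUS_CHILDREN:
            hits.append({"parent": parent, "child": child,
                         "user": ev.get("User", "?"),
                         "cmdline": ev.get("CommandLine", "")})
    return hits


# Constructed sample events in the JSON-lines layout a log forwarder might emit.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "CommandLine": "cmd.exe /c start invoice.hta", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "CommandLine": "chrome.exe --type=renderer", "User": "CORP\\bob"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\POWERPNT.EXE", "CommandLine": "rundll32.exe C:\\Users\\carol\\AppData\\Local\\Temp\\x.dll,Start", "User": "CORP\\carol"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe", "User": "CORP\\dave"}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "DestinationIp": "203.0.113.10", "User": "CORP\\alice"}
"""

if __name__ == "__main__":
    for hit in suspicious_child_events(parse_jsonl(SAMPLE_LOG)):
        print("ALERT %(user)s: %(parent)s spawned %(child)s (%(cmdline)s)" % hit)
```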

My thanks to a colleague (you know who you are!) for compiling very useful information for this blog post.

Thank you.

October 2016 Security Updates Summary

====================
Update: 2nd November:
Last week Adobe made available an out of band (unscheduled) security update to Adobe Flash. This was due to a zero day (defined) vulnerability being exploited in limited targeted attacks (using spear phishing (defined) emails sometimes originating from previous victims of this vulnerability).

To protect your organisation or yourself from this vulnerability, please install the Adobe Flash update if you make use of Flash Player on your organisation’s devices or your own individual systems. This link can be used to test if Flash Player is already installed.

This vulnerability is related to an APT (defined) group’s activity that is detailed in a more recent post.

Thank you.

====================
Original Post:
====================
Yesterday Microsoft and Adobe released their scheduled monthly security updates.

Microsoft made available 10 security bulletins. These updates address 36 vulnerabilities listed within Microsoft’s security bulletin summary (excluding the Adobe bulletin). These are more formally known as CVEs (defined).

This month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring this page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages are the best first places to check for solutions.

====================
Tuesday also saw the release of 3 security bulletins by Adobe affecting Adobe Flash Player, Adobe Acrobat/Adobe Reader and Adobe Creative Cloud Desktop.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the update installed automatically alongside the updated version of Google Chrome released today.

The Flash Player update addresses 12 priority 1 CVEs while the Adobe Acrobat/Adobe Reader security bulletin resolves 71 priority 2 CVEs. The final security bulletin published by Adobe this month fixes 1 priority 3 CVE in the Adobe Creative Cloud Desktop application.

If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.
—————

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month saw an unusually high number (5) of Microsoft zero day (defined) vulnerabilities being addressed. For this reason, please prioritise the deployment of the following updates: Microsoft Graphics Component, Microsoft Internet Explorer, Microsoft Edge, Microsoft Internet Messaging API and Microsoft Office.

Once these updates are deployed, please move on to Adobe’s Flash Player update (to version 23.0.0.185), which addresses 12 critical vulnerabilities and should be installed next if you already have a previous version installed. Due to the high number of vulnerabilities patched this month in Adobe Acrobat/Adobe Reader, that update should be installed next if you use their PDF creation/reader software.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security precaution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.