Category Archives: Malware

Posts that discuss malware infections and how to avoid or recover from their effects.

Exploits of BlueKeep Vulnerability Have Begun

In early November the security researcher Kevin Beaumont detected exploitation of the BlueKeep RDP vulnerability (patched in May 2019) within his honeypot network (defined).

How serious are these attacks?
At this time the attacks are not considered serious since the exploits are not using a wormable (automatic) means of spreading.

While this is true, Beaumont and Microsoft have cautioned that more stable exploits are likely to follow. Beaumont points to a blog post that discusses why the current exploits are mostly causing crashes on systems and how the exploit could be made more stable. Beaumont has stated that over 724k systems remain exposed to this vulnerability.

How can I protect my organisation or myself from this vulnerability?
For workstation systems, as recommended in my previous post, please install the Microsoft update if your system is vulnerable. Beaumont and Microsoft provide recommendations specific to organisations in their respective posts to both mitigate the vulnerability and to locate vulnerable systems within your network.

Thank you.

Blog Post Shout Out November 2019

While patching workstations and servers within organisations can be time consuming and occasionally disruptive to operations, critical infrastructure must remain online or at least minimise downtime. I wish to provide a respectful shout-out to the following article from Amir Levintal, CEO and Co-Founder of Cylus, who discusses these challenges and provides suggestions to overcome them, e.g. more resources, increased security awareness and increased lobbying among regulators (among others):

How to Secure Critical Infrastructure When Patching Isn’t Possible: Kaspersky ThreatPost by Amir Levintal

I also wish to provide a respectful shout-out for the following article which highlights possible upcoming software updates for Amazon Kindles since vulnerabilities in the Universal Boot Loader were recently resolved:

Amazon Kindle, Embedded Devices Open to Code-Execution: Kaspersky ThreatPost by Tara Seals

Full disclosure: I am not affiliated with or sponsored by Kaspersky ThreatPost in any way. I simply wish to more widely highlight good advice on topical security issues.

Thank you.

Evaluating Anti-ransomware Tools

With ransomware still very much prevalent in the headlines I wanted to test the effectiveness of complementary products designed to work alongside your anti-malware solution.

For the results presented in the attached Excel file, I turned off all protections of Windows 10/Windows 7 and opened real ransomware samples on an updated version of Windows.

These products are mostly free but paid options are available. They clearly show how effective they can be even when the user follows no security best practices and opens ransomware. I wanted to provide the toughest challenge I could for these products and so chose ransomware that has made the headlines over the past 2 – 3 years.

I hope you find the results useful.

Excel file: Results

Thank you.

================

Products tested:
Please note that these tools are primarily targeted at client rather than server systems. Please check the license before deploying in a commercial environment:

Acronis Ransomware Protection : https://www.acronis.com/en-us/personal/free-data-protection/

Cybereason RansomFree (discontinued: November 2018)

CheckMAL AppCheck (Free and Pro editions): https://www.checkmal.com/product/appcheck/

Kaspersky Anti-Ransomware Tool for Business: https://www.kaspersky.com/anti-ransomware-tool

Heilig Defense RansomOff: https://www.ransomoff.com/

ZoneAlarm Anti-Ransomware: https://www.zonealarm.com/anti-ransomware/

================

Attackers Turn to OpenDocument Files Attempting to Bypass Attachment Scanning

Earlier last week Cisco Talos researchers discovered 3 OpenDocument files that were being used in an attempt to deliver malware to their intended targets.

================
TL DR
================
For any email attachment you receive, if you weren’t expecting it, don’t open it. Be cautious of clicking unknown or potentially suspicious links received within emails or via social media. If you use alternatives to Microsoft Office e.g. OpenOffice, LibreOffice or StarOffice within your organisation, small business or home office consider scanning files you receive from others with your anti-malware software before opening them. Keep your office/productivity software up to date.

Why should these files be considered a potential risk?
Since OpenXML Microsoft Office files are compressed archives, they are commonly treated as such by anti-malware software and scanned. However, this is not always the case for OpenDocument (ODT) files: they are not always opened within malware sandboxes (defined) or by anti-malware software, meaning they can be used to deliver malware that would otherwise be detected and blocked. This is despite the fact that these documents are also Zip archives containing XML files.

Descriptions of the 3 files found and analysed are as follows:

File 1:
The file, which targets Microsoft Office, contained an embedded OLE object (defined); the person opening the file must accept a prompt in order for that embedded object to be executed. When accepted, the object executes an HTA file (defined) which in turn downloads 2 scripts that are used to download a remote access trojan (RAT) (defined): in one instance the NJRAT and in the other the RevengeRAT malware.

File 2:
Once again targeting Microsoft Office, this file also contained an OLE object, but this time it downloaded a fake Spotify.exe. This file downloads another file which is packed to disguise its true purpose from anti-malware software. This packed file actually contains the AZORult information stealer.

File 3:
The final file targets OpenOffice and LibreOffice. The attackers used their equivalents of Microsoft Office macros (defined) to download and run a file called “plink” which sets up SSH connections. However, Talos found that the connection being set up was intended for an internal address rather than an external address on the internet. They assume this was either for use within a commercial penetration testing programme (since it attempted to download Metasploit (defined) payloads to be executed with WMI scripts (defined)) or may be used for lateral movement within the network.
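Because an OpenDocument file is a Zip archive whose META-INF/manifest.xml lists every member with its media type, a defender can triage such attachments without opening them in an office suite. The following Python helper is an added example (not code from the original post or from Talos): it opens the package as a Zip, reads the manifest and flags embedded OLE objects (the mechanism in files 1 and 2) and Basic/Scripts macro storage (file 3). The OLE media type, the Basic/ and Scripts/ layout and the in-memory sample documents are assumptions constructed for this example.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
NS = "{" + MANIFEST_NS + "}"                           # Clark notation for ElementTree
OLE_MEDIA_TYPE = "application/vnd.sun.star.oleobject"  # embedded OLE object (assumed)
MACRO_DIRS = ("Basic/", "Scripts/")   # Basic macros / other scripts (assumed layout)

def inspect_odf(data: bytes) -> dict:
    """Return findings for one OpenDocument file supplied as bytes."""
    findings = {"is_odf": False, "ole_objects": [], "macro_entries": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings   # not a Zip container, so it cannot be an ODF package
    if "META-INF/manifest.xml" not in zf.namelist():
        return findings   # a Zip without a manifest is not a valid ODF package
    findings["is_odf"] = True
    root = ET.fromstring(zf.read("META-INF/manifest.xml"))
    for entry in root.iter(NS + "file-entry"):
        path = entry.get(NS + "full-path", "")
        if entry.get(NS + "media-type", "") == OLE_MEDIA_TYPE:
            findings["ole_objects"].append(path)
        elif path.startswith(MACRO_DIRS):
            findings["macro_entries"].append(path)
    return findings

def build_sample(manifest: list, members: dict) -> bytes:
    """Constructed minimal ODT-like package, used only to exercise inspect_odf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        rows = "".join(f'<manifest:file-entry manifest:full-path="{p}" '
                       f'manifest:media-type="{m}"/>' for p, m in manifest)
        zf.writestr("META-INF/manifest.xml", '<manifest:manifest xmlns:manifest='
                    f'"{MANIFEST_NS}">{rows}</manifest:manifest>')
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: a clean document, one with an OLE object, one with a macro.
BASE = [("/", "application/vnd.oasis.opendocument.text"), ("content.xml", "text/xml")]
CLEAN_DOC = build_sample(BASE, {"content.xml": "<root/>"})
OLE_DOC = build_sample(BASE + [("Object 1", OLE_MEDIA_TYPE)],
                       {"content.xml": "<root/>", "Object 1": b"\xd0\xcf\x11\xe0"})
MACRO_DOC = build_sample(BASE + [("Basic/", "application/binary"),
                                 ("Basic/Standard/Module1.xml", "text/xml")],
                         {"content.xml": "<root/>", "Basic/Standard/Module1.xml": "<m/>"})
```

A non-empty ole_objects or macro_entries list is a reason to quarantine the attachment for manual review rather than a verdict on its own, since legitimate documents can embed objects or macros too.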

How can I protect my organisation or myself from these threats?
Exercise standard caution when receiving email attachments. If you weren’t expecting the file, don’t open it even if it comes from someone you know/trust. Be cautious of links within emails or received by social media or another means. Consider scanning files intended for OpenOffice, LibreOffice or StarOffice before opening them. If those files begin asking for confirmation to carry out actions, DON’T provide your consent.

Since such attachments may contain personal information, please pause and think before you upload them to online scanning services e.g. VirusTotal.

Thank you.

Mitigating August’s Remote Desktop Services (RDS) Vulnerabilities

Earlier last week Microsoft released security updates for Remote Desktop Services (RDS).

====================
TL DR:
If you use Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, or any supported version of Windows 10, including server versions, please install the security updates for August 2019 which include fixes for these vulnerabilities: CVE-2019-1181 and CVE-2019-1182
====================

Why should these vulnerabilities be considered important?
The two vulnerabilities, CVE-2019-1181 and CVE-2019-1182, have received a CVSS 3 base score (defined) of 9.8 and have the potential to be used by network worms to spread rapidly without the need for assistance from computer users. There is the potential for a repeat of an attack very similar to the WannaCry ransomware outbreak of May 2017.

How can I protect my organisation or myself from these vulnerabilities?
The most effective means of defence is to install the updates released by Microsoft available via Windows Update (this link provides guidance on doing so) or manually from the above links.

While the BlueKeep vulnerability has not yet been exploited, there are indications (here and here) it may be soon. These more recent vulnerabilities will likely receive similar or more interest since they are present in more versions of Windows (8.1 and 10 alongside their Server based equivalents) than BlueKeep.

If for any reason this is not possible, the mitigations listed in this Microsoft blog post will be useful.

Thank you.

IBM Creates “Warshipping” Proof of Concept Device

Earlier this year I detailed a new method for an attacker to compromise an organisation by means of a modified smartphone charging cable. Today we see another method to compromise an organisation using an even more common means: the postal mail.

Why should this attack method be considered important?
Virtually every organisation receives postal mail, with packages being commonplace. An attacker could send an anonymous package containing one of the devices the IBM X-Force team created. The device was a small motherboard (defined) with 3G, WiFi and GPS built in. It can be activated remotely over the internet, report its position via GPS and then be instructed to scan for vulnerable network devices to attack.

It’s used to obtain the credentials of a corporate WiFi network. Once complete the device seeks to pivot using other vulnerable devices on the network to eventually compromise the network (also achieving persistence) and exfiltrate data or any other action of the attacker’s choice.

An attacker no longer needs to scout premises before trying to infiltrate it. They can just send a parcel to do it for them.

How can I protect my organisation or myself from this?
For an organisation, you can prohibit employees from having personal packages shipped to their office. A much more rigorous and expensive option, which is unlikely to be favoured, would be to scan all deliveries with an RF scanner.

Other suggestions to counter this device are detailed in IBM’s blog post.

Thank you.

Responding to the Asus Live Update Supply Chain Compromise

Earlier last week the security vendor Kaspersky detailed their initial findings from the compromised supply chain of the Taiwanese hardware vendor Asus.

TL DR: If you own or use any Asus laptop or desktop system, please check if your device is affected using the downloadable tool from Kaspersky (which checks the MAC address (defined) of your network card). If you know how to obtain the MAC address of your network card manually you can use the online tool. This is the link for both tools: https://securelist.com/operation-shadowhammer/89992/

If you are affected, contact Kaspersky, contact Asus or use anti-malware tools to attempt removal of the backdoor (defined) yourself.

When did this attack take place and what was affected?
This incident took place from June to November 2018 and was initially thought to have affected approximately 60,000 users. This number was later revised to possibly just over a million users. While primarily users in Asia and Russia were targeted, a graph of the victims’ distribution by country shows users within South America, Europe and the US. It was later disclosed that mainly Asus laptops were affected by this incident.

What Asus infrastructure was affected?
An older version of the Asus Live Update utility was compromised by unknown attackers so that it would inject a backdoor within the Asus Live Update utility when it was running. The compromised Asus Live Update utility was signed with an older but still legitimate Asus digital signature. The compromised Asus utility was available for download from two official Asus servers.

What were the attacker’s intentions?
Unfortunately, even after extensive analysis it is unknown why the attackers targeted their chosen victim systems or what their eventual goal was. The backdoor would likely have allowed the attackers to steal files of their choice, remotely control the system (if the second stage had been installed) and deploy compromised updates to systems, which in the case of a UEFI update may have rendered the system unbootable.

It appears the goal of the attackers was to target approximately 600 systems of interest to them with the initial intention of carrying out the above-mentioned actions. We know it is approximately 600 systems since upon installation the malware would check if the system had a MAC address of interest; if yes, it would install the stage 2 download (of which, unfortunately, Kaspersky was unable to obtain a sample). The server which hosted the stage 2 download was taken offline in November 2018, before Kaspersky became aware of this attack.

If the system was not of interest, the backdoor would simply stay dormant on the system. It’s unclear how the attackers may choose to leverage this in the future (assuming it remains intact on a system which installed the compromised utility).

Do we know who is responsible?
It is not possible to determine with absolute certainty who these attackers were but it is believed it is the same perpetrators as that of the ShadowPad incident of 2017. Microsoft identifies this advanced persistent threat (APT) (defined) group with the designation of BARIUM (who previously made use of the Winnti backdoor).

How have Asus responded to this threat?
Initially, when Kaspersky contacted Asus on the 31st of January 2019, Asus denied their servers were compromised. Separately, a Kaspersky employee met with Asus in person on the 14th of February 2019. However, Asus remained largely silent until earlier this week.

On the 26th of March Asus published a notice which contains an FAQ. They issued an updated version (3.6.8) of the Asus Live Update utility. Additionally, they have “introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future”.

They have also made available a utility to check if your system was affected. It is downloadable from the notice linked above.

How can I remove the backdoor from my system if I installed the compromised Asus utility?
While Asus in their announcement recommends a full backup and full reset of your system, for some that may not be a preferred choice. If you use the Kaspersky security suite it will very likely remove the backdoor easily, since they were the first to detect it.

Please use whichever approach is more convenient for you.

If you want to leave your system as it is:
I would first recommend a scan of your system with your current anti-malware product. I would then recommend using free anti-malware scanners such as RogueKiller, AdwCleaner and PowerEraser since they use cloud-based forensic analysis and compare known safe files on your system with VirusTotal to check if any file has been tampered with or is new/suspicious. It is very unlikely the backdoor could hide from all of these utilities. Yes, this is overkill but will ensure a thorough check.

A link to the full original story of this malware is available here.

You use an Asus system; how were you affected?
Since my high-end Core i9 7980 Extreme desktop uses an Asus desktop motherboard (ROG Rampage VI Apex), I ran the Asus utility to check my system; it displayed the message “Only for Asus systems” before closing. I’ll make an educated guess and assume that, since the threat mainly affects laptops, running this tool on a desktop system resulted in this message.

The offline and online tools from Kaspersky showed no issues with my system. I wasn’t surprised since I don’t use the Asus Live Update utility. Their drivers are available manually from their website and that’s how I stay updated.

I upload every downloaded file for my system to VirusTotal, verify the checksums and digital signatures, use two reputation-based scanners on new downloads and have application whitelisting enabled. In summary, my system will be more difficult to compromise.

Thank you.