Category Archives: Malware

Posts that discuss malware infections and how to avoid or recover from their effects.

Blog Post Shout-out: Potential for Ransomware to Leverage Windows EFS

Related to my previous post detailing my tests of anti-ransomware software that could compliment existing anti-malware software, I wish to provide a respectful shout-out to the following post from SafeBreach. It details their results testing a proof of concept of using the built-in Encrypting File System (EFS) capability of Windows in order to encrypt a victim’s files rather than writing their own means of doing so:

https://safebreach.com/Post/EFS-Ransomware

Please review the list of anti-malware and anti-ransomware solutions available within the SafeBreach post. If yours is not on the list, contact the vendor to ask if such a change will be added soon? If you are certain you will not being EFS, disable it using the Windows Registry (defined) changes suggested in their post.

Thank you.

Magellan 2.0 SQLite Vulnerabilities: What you need to know

====================
[TL DR]
====================
If you use any of the affected products e.g. Google Chrome, Mozilla Firefox or Android WebView (full list provided below), please make certain to update them to the latest version available.

In the closing days of December, security researchers from the Tencent Blade team disclosed five vulnerabilities that affect the SQLite database. This is used in products such as Google Chrome, Android WebView, Mozilla Firefox and Windows 10 (among others):

https://blade.tencent.com/magellan2/index_en.html

Why should these vulnerabilities be considered important?
Due to the widespread use of the affects products and the severity of the vulnerabilities the potential for a large impact is present. These vulnerabilities if exploited could allow “remote code execution in Chromium render process.

However, the CVSS base scores (defined) for all but one vulnerability (at 8.8: High) are 6.5 Medium severity. Thus, these vulnerabilities are NOT critical but medium to high severity. The rationale for this is explained by the creator of SQLite, D. Richard Hipp. While the comment is from 2018 it is still valid since most applications which use SQLite are not impacted by remote attacks:

“Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray-hats found a way to get RCE using maliciously crafted SQL. So, IF you allow random internet users to run arbitrary SQL on your system, you should upgrade. Otherwise, you are not at risk” (Source).

While Chromium based browsers effectively do allow “random internet users to run arbitrary SQL”; Google have already issued an update (see below). Other browsers will follow e.g. Opera did so on the 27th of December upgrading to the same version of Chromium that Google issued namely, 79.0.3945.79

How can I protect my organisation or myself from these vulnerabilities?
If you use any of the following products, please make certain to update to the most recent versions available. Google made available Chrome version 79.0.3945.79 on the 10th of December to resolve these vulnerabilities with Opera following on the 27th of December:

Affected Products (among others):
Chrome/Chromium prior to version 79.0.3945.79
Smart devices using old version of Chrome/Chromium.
Browsers built with old version of Chromium/Webview.
Android Apps that uses old version of Webview and can access any web page.
Software that uses the old version of Chromium and can access any web page.

Thank you.

SafeBreach Discloses Acer, Asus and Intel Vulnerabilities

====================
[TL DR]
====================
If you have any of the following applications or drivers are installed on your personal systems, please consider updating your drivers using the links below to resolve the reported security vulnerabilities.

In late December a team of security researchers with the security firm SafeBreach published security advisory for Asus, Acer and Intel products that are pre-loaded on many devices from those manufacturers.

Why should these vulnerabilities be considered important?
All of the vulnerabilities could allow an attacker to download a malicious payload, load persistent malware at system start-up and bypass Application Whitelisting and escalate to the highest level of privilege on Windows system namely that of kernel model. These issues are made more serious by the widespread nature of these products.

I later found that my Intel Optane Memory Accelerator fitted to my Intel X299 motherboard is also vulnerable to the Intel RST driver vulnerability.

How can I protect my organisation or myself from these vulnerabilities?
If you use any of the above products, please update them using the download links provided below. Thank you.

====================
Download Links
====================
Asus Laptops (Asus ATK Package)
https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/

To check the installed version of ATK Package and to download the latest version, visit https://www.asus.com/support/faq/1041545

Acer Quick Access (pre-installed on most Acer systems):
Acer Quick Access Security Vulnerability information

Intel Rapid Storage Technology (RST) Driver (also affects Intel Optane Memory Accelerator drivers):
Intel RST Advisory

Intel Optane Memory Accelerator Patched Driver

Safe Breach Advisories
Acer Quick Access – DLL Search-Order Hijacking and Potential Abuses (CVE-2019-18670)

https://safebreach.com/Post/Acer-Quick-Access-DLL-Search-Order-Hijacking-and-Potential-Abuses-CVE-2019-18670

ASUS ATK Package – Unquoted Search Path and Potential Abuses (CVE-2019-19235)

https://safebreach.com/Post/ASUS-ATK-Package-Unquoted-Search-Path-and-Potential-Abuses-CVE-2019-19235

Intel Rapid Storage Technology Service – DLL Preloading and Potential Abuses CVE-2019-14568
https://safebreach.com/Post/Intel-Rapid-Storage-Technology-Service-DLL-Preloading-and-Potential-Abuses-CVE-2019-14568

Exploits of BlueKeep Vulnerability Have Begun

In early November the security researcher Kevin Beaumont detected exploitation of the BlueKeep RDP vulnerability (patched in May 2019) within his honeypot network (defined).

How serious are these attacks?
At this time the attacks are not considered serious since the exploits are not using a wormable (automatic) means of spreading.

While this is true, Beaumont and Microsoft have cautioned that more stable exploits are likely to follow. Beaumont points to a blog post that discusses why the current exploits are mostly causing crashes upon systems and how to make the exploit more stable. Beaumont has stated over 724k system remain exposed to this vulnerability.

How can I protect my organisation or myself from this vulnerability?
For workstation systems, as recommended in my previous post, please install the Microsoft update if your system is vulnerable. Beaumont and Microsoft provide recommendations specific to organisations in their respective posts to both mitigate the vulnerability and to locate vulnerable systems within your network.

Thank you.

Blog Post Shout Out November 2019

While patching workstations and servers within organisations can be time consuming and occasionally disruptive to operations; critical infrastructure must remain online or at least minimise downtime.  I wish to provide a respectful shout-out to the following article from Amir Levintal,CEO and Co-Founder of Cylus who discusses these challenges and provides suggestions e.g. more resources, increased security awareness, and increased lobbying among regulators (among other suggestions) to overcome them:

How to Secure Critical Infrastructure When Patching Isn’t Possible: Kaspersky ThreatPost by Amir Levintal

I also wish to provide a respectful shout-out for the following article which highlights possible upcoming software updates for Amazon Kindles since vulnerabilities in the Universal Boot Loader were recently resolved:

Amazon Kindle, Embedded Devices Open to Code-Execution: Kaspersky ThreatPost by Tara Seals

Full-disclosure: I am not affiliated or sponsored by Kaspersky ThreatPost in any way. I simply wish to more widely highlight good advice on topical security issues.

Thank you.

Evaluating Anti-ransomware Tools

With ransomware still very much prevalent in the headlines I wanted to test the effectiveness of complimentary products designed to work alongside your anti-malware solution.

For the results presented in the attached Excel file, I turned off all protections of Windows 10/Windows 7 and opened real ransomware samples on an updated version of Windows.

These products are mostly free but paid options are available. They clearly show how effective they can be even when the user follows no security best practices and opens ransomware. I wanted to provide the toughest challenge I could for these products and so chose ransomware that has made the headlines over the past 2 – 3 years.

I hope you find the results useful.

Excel file: Results

Thank you.

================

Products tested:
Please note that these tools are primarily targeted at client rather than server systems. Please check the license before deploying in a commercial environment:

Acronis Ransomware Protection : https://www.acronis.com/en-us/personal/free-data-protection/

Cyberreason RansomFree (discontinued: November 2018)

CheckMAL AppCheck (Free and Pro editions): https://www.checkmal.com/product/appcheck/

Kaspersky Anti-Ransomware Tool for Business: https://www.kaspersky.com/anti-ransomware-tool

Heilig Defense RansomOff: https://www.ransomoff.com/

ZoneAlarm Anti-Ransomware: https://www.zonealarm.com/anti-ransomware/

================

Attackers Turn to OpenDocument Files Attempting to Bypass Attachment Scanning

Earlier last week Cisco Talos researchers discovered 3 OpenDocument files that were being used in an attempt to deliver malware to their intended targets.

================
TL DR
================
For any email attachment you receive, if you weren’t expecting it, don’t open it. Be cautious of clicking unknown or potentially suspicious links received within emails or via social media. If you use alternatives to Microsoft Office e.g. OpenOffice, LibreOffice or StarOffice within your organisation, small business or home office consider scanning files you receive from others with your anti-malware software before opening them. Keep your office/productivity software up to date.

Why should these files be considered a potential risk?
Since OpenXML Microsoft Office files are compressed archives they are commonly treated as such by anti-malware software and scanned. However, this is not always the case for OpenDocuments (ODT) and they are not always opened within malware sandboxes (defined) or by anti-malware software meaning they can be used to deliver malware that would otherwise be detected and blocked. This is despite the fact that While these documents are also Zip archives with XML files.

Description of the 3 files found and analysed are as follows:

File 1:
The file contained an embedded OLE object (defined) which the person opening the files must accept a prompt in order for that embedded object to be executed targeting Microsoft Office. When accepted the object executes an HTA file (defined) which in turn downloads 2 scripts which are used to download a remote access trojan (RAT)(defined) in one instance the NJRAT and the other the RevengeRAT malware.

File 2:
Once again targeting Microsoft, this file also contained an OLE object but this time it downloaded a fake Spotify.exe. This file downloads another file which is packed to disguise its true purpose from anti-malware software. This packed file actually contains the AZORult information stealer.

File 3:
The final files targets OpenOffice and LibreOffice. The attackers used their equivalents of Microsoft Office macros (defined) to download and run a file called “plink” which sets up SSH connections. However, Talos found that the connection being set up when intended for an internal address rather than an external address located on the internet. They assume this was either for use within a commercial penetration testing programme (due to it attempting to download Metasploit (defined) payloads to be executed with WMI scripts (defined) ) or may be used for lateral movement within the network.

How can I protect my organisation or myself from these threats?
Exercise standard caution when receiving email attachments. If you weren’t expecting the file, don’t open it even if it comes from someone you know/trust. Be cautious of links within emails or received by social media or another means. Consider scanning files intended for OpenOffice, LibreOffice or StarOffice before opening them. If those files begin asking confirmation to carry out actions, DON’T provide your consent.

Since such attachments may contain personal information, please pause and think before you upload them to online scanning services e.g. VirusTotal.

Thank you.