Category Archives: Malware

Posts that discuss malware infections and how to avoid or recover from their effects.

Recent Shodan Scan Reveals Increase in Risky Exposed RDP Access

====================
TL;DR
====================
With working from home being the new normal during the COVID-19 crisis, it is still important to secure Microsoft Remote Desktop Protocol (RDP) if your organisation uses it. Keep your installation of RDP updated, protect it with a strong password, strongly consider enabling Network Level Authentication (NLA), accessing it via firewall, by using a VPN, enable 2 factor authentication and restricting access to only those that use it.

====================

Late last month the online search engine, Shodan provided details of one the online activity changes they witnessed when lockdown in many countries took effect around the world. The number of Remote Desktop Protocol (RDP)(defined) connections being exposed to the internet rose as more people sought to work from home while still accessing their companies’ systems:

====================

Other notable findings were:

  1. Shodan’s operators also noticed that some organisations were attempting to hide the presence of exposed RDP connections by using port 3388 rather than the default well known port 3389. This provides a false sense of security since it will not stop a determined attacker from locating an exposed RDP connection.
  2. 8% of the systems with RDP ports exposed across the world were still vulnerable to the critical vulnerability known as BlueKeep (CVE-2019-0708) (patched in May 2019). Others were vulnerable to DejaBlue (CVE-2019-1181 and CVE-2019-1182)(patched along with other vulnerabilities in August 2019).
  3. Industrial Control Systems (ICS)(defined) were among the systems exposed on the internet.

====================
How can I protect my organisation if they (or I) need to use RDP for remote access during the lockdown period?
====================
Essential:
Strongly consider increasing the strength of your RDP access password to 12 characters or more.

Keep your RDP installation up to date (please see the above links for the necessary patches to BlueKeep and DejaBlue).
====================

Strongly consider at least one of the following safeguards (2 or more recommended):

For ICS systems only:
Managing Remote Access Best Practices (PDF)
====================

  1. Enable network level authentication (NLA)
  2. Place a hardware or software firewall between your Remote Desktop Gateway Server and the internet. (firewall: defined)
  3. Set up RDP to use a VPN(VPN: defined)
  4. Enable 2 factor authentication (also called multi-factor authentication)(usually paid for commercial solutions).
  5. Restrict RDP to the users to only those that need it.

====================

Thank you and stay safe.

Special thanks to Solarwinds and Pieter Arntz of Malwarebytes for their useful references which inspired this post.

Blog Post Shout-Out March 2020

With ransomware attacks continuing to be prevalent if you have an unaffected backup you won’t need to pay the ransom. However, how you backup your data (how many copies do you create?), the software you use and how it is configured can all make a difference.

Recommendation for how to create your corporate backups and how to better secure it are provide in the following article (which also includes details gathered from ransomware operators).

Ransomware Attackers Use Your Cloud Backups Against You by Lawrence Abrams (Bleeping Computer)

In previous posts I have provided recommendations for better securing Internet of Things (IoT) devices, to re-emphasise the basic steps, I also wish to provide a respectful shout-out to the following article highlighting the publication of guidance from the UK National Cyber Security Centre (NCSC):

UK NCSC Releases Tips on Securing Smart Security Cameras by Sergiu Gatlan (Bleeping Computer)

Full-disclosure: I am not affiliated or sponsored by Bleeping Computer in any way. I simply wish to more widely highlight good advice on topical security issues.

Thank you.

Vulnerability Within Philips Hue IoT Devices Disclosed

====================
TL;DR
If you use Philips Hue lightbulbs and/or the Philip Hue bridge, please make certain they are using the most recent firmware available.
====================

While the technological benefits and added convenience of Internet of Things (IoT) (defined) devices are well known, their increasing functionality/complexity is leading security researchers to target them. A recent example is the high severity vulnerability reported to Signify (owner of the Philips brand) within the Philip Hue bulbs and bridge. The vulnerability has been designated CVE-2020-6007 (defined)

How severe is this vulnerability?
While this vulnerability is of high severity it requires significant user interaction and would also require that the affected Philips Hue lightbulb be already compromised by an attacker by installing malicious firmware on it. The Philips Hue app on the victim’s smartphone is used to controls the bulbs, the attacker could then convince the victim to remove and re-add the bulb to the app.

What is the result of exploiting this vulnerability?
While the compromised bulb is being added or “commissioned” the compromised firmware of the bulb is used to exploit the Philips Hue Bridge. Once complete the attacker can then laterally traverse (defined) the victim’s business or home network by exploiting known vulnerabilities of other devices on the network e.g. the Microsoft Windows EternalBlue vulnerability on a Windows system.

How can I protect my organisation or myself from this vulnerability?
If you use Philips Hue lighting with the Hue Bridge, please update both the lighting and bridge to the most recent firmware available. Version Firmware 1935144040 (Bridge V2) and Software version: 1.65.9_hB3217DF4 for lights and later address this vulnerability. Please also strongly consider placing IoT devices such as these on segmented networks e.g. guest wireless networks for WiFi devices and VLANs (defined) for wired devices.

In this instance, the Hue Bridge could be placed on a VLAN to increase security (namely if the device is exploited it cannot be used to traverse further into your network). However, this increased security may result in reduced functionality if not implemented correctly.

Thank you.

====================
References:

The Dark Side of Smart Lighting: Check Point Research Shows How Business and Home Networks Can Be Hacked from a Lightbulb
https://blog.checkpoint.com/2020/02/05/the-dark-side-of-smart-lighting-check-point-research-shows-how-business-and-home-networks-can-be-hacked-from-a-lightbulb/

What are IoT devices?
https://news.sophos.com/en-us/2015/10/26/what-is-the-internet-of-things/

What is EternalBlue?
https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

What is lateral movement (pivoting)?
https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html

What is a VLAN?
https://kb.netgear.com/24720/What-is-a-VLAN

How to isolate a VLAN containing IoT devices
https://community.ui.com/questions/HomeKit-on-Isolated-VLAN/2fd20346-59df-4662-9559-0ecac7ec83cb

Philip Hue Firmware Release Notes
https://www2.meethue.com/en-us/support/release-notes

Researchers Disclose New DMA Attacks

=====================
TL;DR
If you own an affected laptop from Dell (XPS 13 7390) or HP (ProBook 640 G4), please update its BIOS/firmware to the most recent version. For other laptop vendors, check if the most recent BIOS/firmware resolves this or similarly named vulnerabilities. For servers, keep operating systems and software up to date and enforce physical access control.

If you are cautious with the links you click and when processing your email, you will likely not be vulnerable to these flaws. A social engineer might also attempt to exploit this vulnerability using either a closed or open chassis attack.
=====================

=====================
Acknowledgements
My sincere thanks to Eclypsium researchers, Jesse Michael and Mickey Shkatov for their detailed walkthrough of their research within their referenced work (below). I have used this research to provide the extracts below supplementing my write-up of this work below.

=====================

In the second half of last week, security researchers from Eclypsium disclosed a vulnerability present within Dell and HP laptops (however it is likely other vendors are also affected). Servers (especially hosting cloud infrastructure are at increased risk due to the widespread availability of remote DMA (RDMA) (defined) enabled networks.

How serious is this vulnerability?
While the vulnerability is considered high severity due to its CVSS 3 base score of 7.6 (defined) (in the case of CVE-2019-18579 for Dell systems) an attempt to leverage the vulnerability would not be trivial (see also “How can an attacker exploit this vulnerability?” below).

What could an attacker do if they exploited this vulnerability?
According to the researchers “It can allow attackers to bypass hardware-based root-of-trust and chain-of-trust protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start and Microsoft Virtualization-Based Security with Device Guard”.

“an attacker can…extend control over the execution of the kernel itself,”. “This can allow an attacker to execute kernel code on the system, insert a wide variety of kernel implants and perform a host of additional activity such as spawning system shells or removing password requirements”.

How can an attacker exploit this vulnerability?
This vulnerability could be exploited remotely or locally. Let’s discuss the remote means first:

Remote attacks
An attacker would first have needed to compromise software within your system and then attempt to exploit the systems firmware (defined) e.g. the network interface card (NIC). The Eclypsium researchers also provide the following example:

“malware on a device could use a vulnerable driver to implant malicious firmware to a DMA capable device such as a NIC. That malicious code could then DMA back into memory during boot to get arbitrary code injection during the boot process. The fundamental ability of DMA attacks to shim attacker code into the boot process makes it useful for almost any type of attacker goal”.

Alternatively an attacker could use the Throwhammer exploit developed by VUSec to compromise a system by sending specifically crafted data packets to a target system. This results in bit flips within the target systems main memory providing an attacker with code execution for an application (which is remote to the attacker).

Local attacks
Closed chassis
The researchers demonstrated a closed chassis attack on a Dell XPS 13 7390 laptop. They did so by connecting to the Thunderbolt port of the laptop and performed a DMA code injection during the boot process of the system.

Separately the researchers were able to compromise a Dell laptop connected to a modified WiGig (information on WiGig) dock which was wirelessly connected to that dock. They were successful in “dump[ing] secrets out of the laptop remotely over the air. In this example the laptop was never touched by the attacker or physically connected to any device but was compromised remotely via DMA”.

Open chassis
Due to the presence of HP SureStart it was necessary for the attackers to open the case of the HP laptop they were testing namely a HP ProBook 640 G4 (which includes HP SureStart Gen4). Upon opening the chassis, they replaced the systems M.2 wireless card with a Xilinx SP605 FPGA development platform, they then performed the following:

“We were able to successfully attack the system and gain control over the device. By using DMA to modify the system RAM during the boot process, we gained arbitrary code execution, thus bypassing the HP Sure Start protections that verify BIOS code integrity before CPU execution starts”.

How can I protect myself or my organisation from this vulnerability?
If your organisation uses either of the affected laptops, please update their BIOS(defined)/firmware to the most recent version. For other laptop vendors, check if the most recent BIOS/firmware resolves this or similarly named vulnerabilities. The update for the Dell XPS 13 7390 laptop is referenced from within their security advisory.

Since an attacker would need to first compromise the software of your systems, please keep your software (especially web browsers, email clients, productivity software, document readers, virtualisation software and media players) and operating system up to date.

Be cautious with the links you click and when processing your email, don’t click on unknown/unexpected links and don’t open unexpected file attachments. While up to date software and operating systems for servers are equally important they are much less likely to be vulnerable to malicious links in emails, IM clients or drive by downloads since only authorised administrators should have access for maintenance/admin and not for day to day work activities.

Social engineers or malicious insiders may seek to exploit this vulnerability in person, verify the identity of any person before allowing them near your IT infrastructure especially in the case of servers. Lock laptops away when not in use. If employees need to leave laptops unattended, use Kensington locks (especially at locations other than your usual office) and consider the use of port blockers (Type C for Thunderbolt) for laptops and servers which will deter casual attackers or less determined thieves.

For servers (especially part of cloud infrastructure), your existing IT security policy should already include regular patching of servers, only having necessary applications and sufficient physical access control. Access control monitoring should also be in place to detect malicious insiders, while your incident management policy should contain how to respond in a timely and decisive manner.

Thank you.

=====================

Aside
While I have used the term “BIOS/firmware” above they are not the same thing. I have done this since the terms are often used interchangeably and I wish for users to still understand the intended meaning. For one user, they may understand updating their laptops firmware but not updating its BIOS and vice versa. My intention is for them to check the vendor website for such updates and if present, to install them.

At the time of writing the HP ProBook 640 G4 did not have a BIOS update available resolving this vulnerability. From the researchers work, the BIOS appears to be still in beta testing. Please regularly check with the HP website and apply the update when it is publicly available.

=====================

References
Eclypsium PDF Report:
https://eclypsium.com/wp-content/uploads/2020/01/DMA-Attacks-A-Walk-Down-Memory-Lane.pdf

Eclypsium Vulnerability Write Up:
https://eclypsium.com/2020/01/30/direct-memory-access-attacks/

Dell Security Advisory:
https://www.dell.com/support/article/SLN319808

=====================

Blog Post Shout-out: Potential for Ransomware to Leverage Windows EFS

Related to my previous post detailing my tests of anti-ransomware software that could compliment existing anti-malware software, I wish to provide a respectful shout-out to the following post from SafeBreach. It details their results testing a proof of concept of using the built-in Encrypting File System (EFS) capability of Windows in order to encrypt a victim’s files rather than writing their own means of doing so:

https://safebreach.com/Post/EFS-Ransomware

Please review the list of anti-malware and anti-ransomware solutions available within the SafeBreach post. If yours is not on the list, contact the vendor to ask if such a change will be added soon? If you are certain you will not being EFS, disable it using the Windows Registry (defined) changes suggested in their post.

Thank you.

Magellan 2.0 SQLite Vulnerabilities: What you need to know

====================
[TL DR]
====================
If you use any of the affected products e.g. Google Chrome, Mozilla Firefox or Android WebView (full list provided below), please make certain to update them to the latest version available.

In the closing days of December, security researchers from the Tencent Blade team disclosed five vulnerabilities that affect the SQLite database. This is used in products such as Google Chrome, Android WebView, Mozilla Firefox and Windows 10 (among others):

https://blade.tencent.com/magellan2/index_en.html

Why should these vulnerabilities be considered important?
Due to the widespread use of the affects products and the severity of the vulnerabilities the potential for a large impact is present. These vulnerabilities if exploited could allow “remote code execution in Chromium render process.

However, the CVSS base scores (defined) for all but one vulnerability (at 8.8: High) are 6.5 Medium severity. Thus, these vulnerabilities are NOT critical but medium to high severity. The rationale for this is explained by the creator of SQLite, D. Richard Hipp. While the comment is from 2018 it is still valid since most applications which use SQLite are not impacted by remote attacks:

“Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray-hats found a way to get RCE using maliciously crafted SQL. So, IF you allow random internet users to run arbitrary SQL on your system, you should upgrade. Otherwise, you are not at risk” (Source).

While Chromium based browsers effectively do allow “random internet users to run arbitrary SQL”; Google have already issued an update (see below). Other browsers will follow e.g. Opera did so on the 27th of December upgrading to the same version of Chromium that Google issued namely, 79.0.3945.79

How can I protect my organisation or myself from these vulnerabilities?
If you use any of the following products, please make certain to update to the most recent versions available. Google made available Chrome version 79.0.3945.79 on the 10th of December to resolve these vulnerabilities with Opera following on the 27th of December:

Affected Products (among others):
Chrome/Chromium prior to version 79.0.3945.79
Smart devices using old version of Chrome/Chromium.
Browsers built with old version of Chromium/Webview.
Android Apps that uses old version of Webview and can access any web page.
Software that uses the old version of Chromium and can access any web page.

Thank you.

SafeBreach Discloses Acer, Asus and Intel Vulnerabilities

====================
[TL DR]
====================
If you have any of the following applications or drivers are installed on your personal systems, please consider updating your drivers using the links below to resolve the reported security vulnerabilities.

In late December a team of security researchers with the security firm SafeBreach published security advisory for Asus, Acer and Intel products that are pre-loaded on many devices from those manufacturers.

Why should these vulnerabilities be considered important?
All of the vulnerabilities could allow an attacker to download a malicious payload, load persistent malware at system start-up and bypass Application Whitelisting and escalate to the highest level of privilege on Windows system namely that of kernel model. These issues are made more serious by the widespread nature of these products.

I later found that my Intel Optane Memory Accelerator fitted to my Intel X299 motherboard is also vulnerable to the Intel RST driver vulnerability.

How can I protect my organisation or myself from these vulnerabilities?
If you use any of the above products, please update them using the download links provided below. Thank you.

====================
Download Links
====================
Asus Laptops (Asus ATK Package)
https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/

To check the installed version of ATK Package and to download the latest version, visit https://www.asus.com/support/faq/1041545

Acer Quick Access (pre-installed on most Acer systems):
Acer Quick Access Security Vulnerability information

Intel Rapid Storage Technology (RST) Driver (also affects Intel Optane Memory Accelerator drivers):
Intel RST Advisory

Intel Optane Memory Accelerator Patched Driver

Safe Breach Advisories
Acer Quick Access – DLL Search-Order Hijacking and Potential Abuses (CVE-2019-18670)

https://safebreach.com/Post/Acer-Quick-Access-DLL-Search-Order-Hijacking-and-Potential-Abuses-CVE-2019-18670

ASUS ATK Package – Unquoted Search Path and Potential Abuses (CVE-2019-19235)

https://safebreach.com/Post/ASUS-ATK-Package-Unquoted-Search-Path-and-Potential-Abuses-CVE-2019-19235

Intel Rapid Storage Technology Service – DLL Preloading and Potential Abuses CVE-2019-14568
https://safebreach.com/Post/Intel-Rapid-Storage-Technology-Service-DLL-Preloading-and-Potential-Abuses-CVE-2019-14568