• “But I Reset the Password” – Remediating an Enterprise After a Targeted Attack

Determined human adversaries, or DHA for short, have changed the information security game for everyone.  Many customers take actions in an attempt to evict an emplaced attacker – actions that alert the attacker to the organization’s knowledge of their presence, but don’t truly evict the attacker from the network.  In this blog, we will discuss why a simple password change or implant cleanup does not impact a DHA – and provide insight into a comprehensive process for eliminating their presence.

    The “H” in DHA is Human

    It sounds obvious, but it is easy to forget the human aspect of a DHA.  Unlike normal malware infections (sometimes referred to as “commodity” malware), a human can identify and respond to changes in the target environment.

    For example, a simple bitcoin mining application or botnet implant is one of likely thousands of hosts involved in the attacker’s scheme.  In most cases, it doesn’t matter which machines commodity malware infects, rather it is about how many machines they infect.  Removal of one, 10, or 100 nodes from a botnet dents the capability of the attacker, but does not significantly impact their operation.

In contrast, DHA implants typically have a specific interest in their targets.  Typically, a DHA attacker will work to obtain access to a specific target.  Once access is obtained, they will commonly set up multiple footholds within the enterprise to ensure that a single implant removal does not eliminate their access altogether.

    Implants, Credentials, and You

    Malware implants are only part of the problem in a DHA infiltration.  Once embedded, a DHA is likely to perform some sort of credential theft – either to elevate their current level of authorization, or to establish resilience in their forms of authorization.  Resilience is key to a DHA and ensures continuing access and authorization to their target should their implants be discovered.

Credentials can provide durable access to a target, especially when paired with a powerful service, such as session virtualization (e.g. Remote Desktop Protocol) or remote management (RPC, WS-Man, SSH, etc.).  With a sufficiently powerful credential, an attacker can re-establish access, placing their target right back in the same situation they thought they had remediated.

    Tipping Your Hand

An attacker may change their persistence technique if they realize their existing implant has been discovered.  Command and control channels (the network path used by the attacker to communicate with the infected host), implant family, and other attributes surrounding the event may all change, thus rendering prior research less useful.

    Taking a Coordinated Approach

Responding to a DHA attack requires a coordinated strike addressing the ABCs of the infection:

    • Accounts (any identities known to be compromised by the attacker)
    • Backdoors (the means that the attacker is communicating with “victim” endpoints, such as the malware implant or published management port)
    • Command and Control (the network path used by the attacker to interface with the backdoor)

    When planning to evict a DHA, ensure that your planning includes a concerted approach to eliminate as many of these aspects as possible as part of a single effort.  Successful eviction will result in the attacker losing access and authorization to the enterprise, forcing them to attempt to establish a new entry point.

    Bring in the Experts

When planning this activity, consider engaging consultants who specialize in remediating networks after a targeted attack.  Consultants specializing in targeted attack perform this activity regularly and are typically more familiar with cleaning up targeted attack scenarios; their activities are therefore less likely to cause unnecessary downtime and more likely to actually disrupt the attacker.

  • Understanding Ransomware, Such as WannaCrypt, and their Origins and Evolution

    Recently, the world was reminded of the impact that a simple piece of commodity malware can have when paired with a remotely exploitable vulnerability. WannaCrypt, a ransomware worm first seen en masse on May 12, 2017, demonstrated that although we have come a very long way in information security, we still have many improvements to make. To better understand the situation, let’s take a look at ransomware’s origins.

AIDS Info

WannaCrypt follows in the footsteps of a large number of ransomware predecessors.  The earliest recorded ransomware is the AIDS Info Trojan, first seen around December of 1989.  A pioneer of its time, AIDS Info was distributed on floppy disks and would randomly choose when to infect its host.  When it did, the malware would replace the AUTOEXEC.BAT file on the target (a batch file that specified the boot order of a DOS machine) with itself, then encrypt the names of, and hide, non-essential files.  The ransom portion?  AIDS Info included a EULA which demanded payment of $189 or $378 for licensing of the malware to PC Cyborg Corporation.

    Truly, malware that encrypts only file names is less devastating than one that destroys the data itself – but for the time, it was highly impactful.  A better example of ransomware would be the famous Cryptolocker.  This malware began widespread distribution in late 2013 and was spread as an e-mail attachment.

    Cryptolocker

    Cryptolocker was significant in a number of ways.  First, it used asymmetric cryptography to encrypt the target’s data.  For those who are unfamiliar, asymmetric cryptography uses a pair of mathematically related keys whereby data encrypted with one part of the key pair can only be decrypted with the corresponding paired key.

Second, the dawn of bitcoin enabled untraceable financial transactions.  This means that money transferred between Cryptolocker victims and the hacking group was processed covertly, thus making it difficult to track the attackers.

    Last, servers used to interact with the users were hosted using a network tunneling solution known as Tor.  This means that the server’s real address information was rendered untraceable, thus enabling the attackers to remain hidden while negotiating with victims.

    SamSam \ Samas

While effective, Cryptolocker still required the victim to initiate the malware – typically through opening a malicious e-mail attachment.  In early 2016, a hacking group created a new ransomware variant that was spread manually by breaking into the target’s network and distributing the executable – commonly through use of PsExec.  This malware, known as SamSam or Samas, began by targeting hospitals.


    SamSam initially identified that there were numerous servers throughout the internet that remained vulnerable to a long-patched vulnerability in JBoss – a suite of middleware capabilities commonly used in Java development efforts.  The vulnerability targeted by SamSam, CVE-2010-0738, had been long identified and patched by the time the SamSam group began exploiting it for ransomware distribution.  Initial targets for SamSam were primarily hospitals and medical facilities; however, the group later moved to breaking into servers that exposed remote desktop protocol (RDP) to the Internet.

    SamSam changed the game in that it was the first major ransomware variant to actively exploit vulnerabilities in an enterprise for purposes of distribution.  Much like Cryptolocker, payments were made using bitcoin to a server hosted on the Tor network.

    WannaCrypt

Today, we are dealing with a new evolution in ransomware – WannaCrypt is the first self-replicating (worm) ransomware variant.  Worm capability for this malware is provided through exploitation of a recently disclosed vulnerability in the SMB protocol, exposed in a dump of hacking tools allegedly developed by the NSA.  The vulnerability, addressed by bulletin MS17-010, provided remote code execution to anonymous users over the SMB protocol.

    The worm capability enabled WannaCrypt to spread very quickly – impacting thousands of machines in less than a day.  Despite the patch being published two months prior, WannaCrypt brought to light the large number of machines that were not up to date.

    Lessons Learned

Ransomware has taught us some painful lessons in the past; however, we seem to remain susceptible to new variants.  Here are a few lessons we should all apply to limit the impact of ransomware in the future.

    Keep up-to-date on patches

    Both SamSam and WannaCrypt exploited vulnerabilities that had already been patched.  Keeping your systems up-to-date reduces their susceptibility to attack.

    Additionally, be sure to implement a patch management strategy for all software in your environment.  Software with remotely exploitable vulnerabilities may yield the ability to execute code up to the privilege level that the vulnerable process executes under.  If that process can write to a file, so can ransomware.

    Limit excessive user permissions

A standard user can encrypt any file that they have write access to – whether it is on their system or not.  As such, ransomware can infect a single host and encrypt files on a file server.  Limiting where users are able to write protects those files from tampering in the event of a ransomware attack.

    Ensure antimalware is up-to-date

    Many ransomware variants are identified and addressed by antimalware technologies rapidly; however, if antivirus definitions are out-of-date your machine remains susceptible to attack.

Additionally, some antimalware companies, such as Microsoft, offer up-to-the-second protection against malware that may not be in the machine’s signature files.  One example of this is Microsoft Active Protection Service (MAPS), which checks suspicious files against the cloud to determine if they reside in newly published signatures.

    Always have a backup

    Backups are very important when recovering from a ransomware attack.  Additionally, ensure that an offline backup of highly valuable data is performed periodically – attackers have been known to destroy online backups.

    Limit network-accessible ports

    WannaCrypt requires a vulnerable instance of Windows’ SMB service to propagate using its worm capability.  Using the Windows Firewall to block SMB connections when they are not needed can limit the exposure of your endpoints.

    Prevent execution of unapproved executables

    In most cases, ransomware is invoked by a user running software obtained from an untrusted source, such as an e-mail attachment.  Allowing users to run code arbitrarily downloaded from the Internet poses a risk to any writeable data store.

    To reduce this risk, consider preventing execution of programs from directories where users have write permissions using a capability such as Microsoft AppLocker.  This approach takes time and testing, but limiting locations where programs can be executed will ultimately protect your organization and its data from an unknowing user putting it at risk.

DISCLAIMER: Opinions and statements made within this article are solely the opinion of the author and do not reflect those of his employer or their affiliates.

  • Understanding the Vulnerability in Intel’s Management Technology

    Recently, social media and news sources have been thoroughly covering a vulnerability in Intel’s various management technologies. Although there is definitely reason to be concerned, there appears to be a bit of misinformation about the vulnerability, likely either due to sensationalism or lack of research. As such, I felt it beneficial to provide a view into the situation based on reliable referenced sources to help you determine whether or not you should be concerned.

    Discovery

    The vulnerability in question was identified by information security researcher Maksim Malyutin from Embedi in mid-February 2017. The vulnerability highlights a condition that allows an attacker to bypass authentication in Intel’s management technologies when using digest authentication.  This concern becomes somewhat greater when paired with a built-in admin account that always utilizes digest authentication, regardless of what form of authentication may be used for normal enterprise systems management.

    In digest authentication, a cryptographic hash of the password being used for authentication is sent from the client in order to protect the actual password being used for authentication. The password is combined with a random and session-specific value (called a nonce) to prevent an attacker from capturing an authentication and replaying it. Digest authentication is non-proprietary, thus ensuring authentication will be widely compatible with browsers and other integrating technologies.

    To validate the accuracy of the password, the server (in this case, the Intel management technology firmware) combines its copy of the known plaintext password with the nonce and performs its own MD5 hash. Now that we have two strings that should be identical, we are able to compare them to determine if the correct password was supplied.

    The Vulnerability

The vulnerability in question resides in how data is supplied to the string comparison function used for digest authentication. The function used, strncmp(str1, str2, size_t), is a C standard library function (also available in C++) that compares at most the first size_t characters of the two strings and reports a match if all of those characters are identical.

The vulnerable condition arises because the authentication system trusts user input when providing a value for size_t – the number of characters that must match between the two strings. An MD5 hash will always produce a 128-bit result that, when converted to a hexadecimal string, will always be 32 characters long. In all normal conditions, any incorrect password provided to the authentication function would fail – even when blank – because a single character change in a string undergoing an MD5 hash results in an entirely different hash.

As we can see from the reverse engineering notes provided by Maksim, the value for size_t is obtained from the length of the string provided by the authenticating client. This means that if an attacker were to craft a custom HTTP authentication packet with an empty (null) string instead of an MD5 of a password, the resulting function call would look something like this:

strncmp("CorrectMD5PasswordHashFromDatabaseWithNonce", "", 0)

Because a length of zero tells strncmp to compare no characters at all, the call reports a match between the empty string and the correct password hash, and authentication succeeds. Most likely, the fix for this vulnerability was either explicitly specifying 32 for size_t to ensure that all 32 characters must always match, or changing the function to strcmp(str1, str2), which compares the strings in full without regard to a caller-supplied length.
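The following C program is an added illustration of the digest exchange and the comparison flaw described in the two sections above; it is not code from the post, from Embedi, or from Intel's firmware. It assumes a constructed stand-in hash (FNV-1a rendered as 32 hex characters, so it has the same shape as an MD5 hex digest) in place of MD5, constructed sample values for the password and nonce, and hypothetical function names (toy_digest, vulnerable_compare, fixed_compare, server_verify, client_attempt). vulnerable_compare models a compare length taken from the client's response; fixed_compare requires a full 32-character digest and checks every character.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_HEX_LEN 32   /* an MD5 digest rendered as hex is always 32 characters */

/* Constructed stand-in for the MD5 step described in the post: FNV-1a over
 * "password:nonce", rendered as 32 hex characters so it has the same shape as an
 * MD5 hex digest.  It is not MD5 and exists only so the example runs offline. */
static void toy_digest(const char *password, const char *nonce,
                       char out[DIGEST_HEX_LEN + 1])
{
    const char *parts[3] = { password, ":", nonce };
    uint64_t h = 1469598103934665603ULL;            /* FNV-1a 64-bit offset basis */
    for (int p = 0; p < 3; p++)
        for (const unsigned char *c = (const unsigned char *)parts[p]; *c; c++) {
            h ^= *c;
            h *= 1099511628211ULL;                   /* FNV-1a 64-bit prime */
        }
    uint64_t h2 = (h ^ (h >> 29)) * 0x9E3779B97F4A7C15ULL; /* second 16 hex chars */
    snprintf(out, DIGEST_HEX_LEN + 1, "%016llx%016llx",
             (unsigned long long)h, (unsigned long long)h2);
}

/* The flawed comparison: the length passed to strncmp() is derived from the
 * client's response, so a response of "" becomes strncmp(expected, "", 0) == 0. */
int vulnerable_compare(const char *expected_hex, const char *client_response)
{
    return strncmp(expected_hex, client_response, strlen(client_response)) == 0;
}

/* Corrected comparison: the response must be a full 32-character digest and every
 * character must match.  Accumulating XOR differences instead of returning on the
 * first mismatch also avoids the timing leak of strcmp(); that is an extra step
 * beyond the fix the post suggests. */
int fixed_compare(const char *expected_hex, const char *client_response)
{
    if (strlen(client_response) != DIGEST_HEX_LEN)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < DIGEST_HEX_LEN; i++)
        diff |= (unsigned char)(expected_hex[i] ^ client_response[i]);
    return diff == 0;
}

/* Server side of the exchange: recompute the digest from the stored password and
 * the nonce the server issued, then compare it with what the client sent. */
int server_verify(const char *stored_password, const char *issued_nonce,
                  const char *client_response, int use_fix)
{
    char expected[DIGEST_HEX_LEN + 1];
    toy_digest(stored_password, issued_nonce, expected);
    return use_fix ? fixed_compare(expected, client_response)
                   : vulnerable_compare(expected, client_response);
}

/* Client side: a legitimate client answers with the digest of its password and the
 * nonce it was challenged with.  `keep` truncates the answer (keep >= 32 sends it
 * whole); keep == 0 is the empty-response case from the post. */
int client_attempt(const char *client_password, const char *challenge_nonce,
                   size_t keep, const char *stored_password,
                   const char *issued_nonce, int use_fix)
{
    char response[DIGEST_HEX_LEN + 1];
    toy_digest(client_password, challenge_nonce, response);
    if (keep < DIGEST_HEX_LEN)
        response[keep] = '\0';
    return server_verify(stored_password, issued_nonce, response, use_fix);
}

int main(void)
{
    /* Constructed sample values; the nonce is whatever the server last issued. */
    const char *pw = "s3cret-amt-pass", *nonce = "nonce-7f3a91";
    printf("correct password, vulnerable/fixed: %d/%d\n",
           client_attempt(pw, nonce, 32, pw, nonce, 0),
           client_attempt(pw, nonce, 32, pw, nonce, 1));
    printf("wrong password,   vulnerable/fixed: %d/%d\n",
           client_attempt("guess", nonce, 32, pw, nonce, 0),
           client_attempt("guess", nonce, 32, pw, nonce, 1));
    printf("empty response,   vulnerable/fixed: %d/%d\n",
           server_verify(pw, nonce, "", 0), server_verify(pw, nonce, "", 1));
    printf("replayed nonce,   vulnerable/fixed: %d/%d\n",
           client_attempt(pw, "nonce-old", 32, pw, nonce, 0),
           client_attempt(pw, "nonce-old", 32, pw, nonce, 1));
    return 0;
}
```

The replayed-nonce case shows why the nonce matters even when the comparison is correct: a digest computed against an earlier challenge never matches the one the server recomputes for the current challenge. The fixed comparison rejects the empty response at the length check before any characters are examined, which is the property the original length-from-input code lacked.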

    Impact

    Attackers who identify and exploit this vulnerability will be able to bypass authentication to Intel’s management technology, as long as the user is authenticated using digest authentication. Given that there is a built-in admin account which must leverage digest authentication, all vulnerable versions of Intel’s firmware are likely at risk.

Intel’s management system provides a number of capabilities designed to simplify administration of their endpoints, including remote keyboard, video, and mouse (KVM), secure disk wipe, mounting logical volumes over a network, and changing boot order. All capabilities are provided without requiring support from the operating system, thus it is unlikely that any operating system mitigations will reduce exposure to this vulnerability.

    Based on the documented capability of Intel’s management technology, this means that impact to a vulnerable system may allow remote console sessions to be established, could enable a denial of service by wiping the machine’s drives, and could allow an attacker to boot the system off of media provided by the attacker.

    Mitigating Factors

• Intel’s management technology is only available on enterprise SKUs and is disabled by default
• Intel’s management technology is exposed on TCP ports that are less likely to be published through an organization’s firewall (TCP ports 16992 and 16993)
    • Intel has published a mitigation guide to help affected customers address the vulnerability
    • Updated firmware has been provided by Intel that addresses these vulnerabilities

    Public Articles

    The vulnerability in question is published in the NIST National Vulnerability Database (NVD) and Mitre’s Common Vulnerabilities and Exposures database as CVE-2017-5689. Additionally, Intel confirmed the presence of this vulnerability and has published a security article, ID INTEL-SA-00075 discussing the condition and providing links to updated firmware, which should be deployed to any affected endpoints to resolve this issue.

    References

    1. NIST National Vulnerability Database – CVE-2017-5689 https://nvd.nist.gov/vuln/detail/CVE-2017-5689
    2. Mitre Common Vulnerabilities and Exposures – CVE-2017-5689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689
    3. Intel Security Advisory INTEL-SA-00075 https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
    4. Embedi White Paper Silent Bob is Silent https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
    5. Microsoft – How Digest Authentication Works https://technet.microsoft.com/en-us/library/cc780170(v=ws.10).aspx
    6. Strncmp() function on cplusplus.com http://www.cplusplus.com/reference/cstring/strncmp/
    7. Strcmp() function on cplusplus.com http://www.cplusplus.com/reference/cstring/strcmp/
    8. Intel Active Management Technology Start Here Guide https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9
    9. INTEL-SA-00075 Mitigation Guide https://downloadmirror.intel.com/26754/eng/Intel-SA-00075%20Mitigation%20Guide-Rev%201.2.pdf

    DISCLAIMER

    All information used for this article is available in the references section and is not a result of any form of code review or penetration test on my part. Opinions within this article are avoided, but where present do not represent that of any employers, business partners, or other business associates. The accuracy of this article is directly a result of the accuracy of the referenced articles. Although sources referenced are reputable and not expected to be incorrect, I apologize for any errata that may occur through use of incorrect data from these sources.

  • Understanding and Preventing Pass the Hash Attacks

Pass the hash is one of the most prevalent techniques used in targeted attacks today, due to its ease of use and effectiveness.  Despite this prevalence, many organizations misunderstand how the attack works and remain vulnerable.  In this post, I will describe how a pass the hash attack works and provide some effective ways to prevent its occurrence and effectiveness on your enterprise. (more…)

  • Patching and Vulnerability – The Plague of Portable Apps

    Software patching has long been considered a core capability within an enterprise, though the focus of software patching is almost always limited to software provided by the enterprise.  Unfortunately, many enterprises today struggle with reducing user rights due to application compatibility issues or support costs.  In addition, many users have discovered that they are able to download applications which do not require administrative permissions to install (such as portable apps).  These applications usually remain unpatched and vulnerable to exploitation.

    In this post, I will cover two ways to protect your enterprise from portable apps and commodity malware using free technologies.  These simple efforts can significantly improve the security of your enterprise, reduce support costs that stem from malware infection, and improve user experience. (more…)

  • Understanding Antivirus – Signatures, Scans, and Schedules

Antivirus, when used properly, can provide great protection for an organization.  Although antivirus may appear to be set-it-and-forget-it software, diligence in managing antivirus can pay off. (more…)

  • Am I Pwned? – 5 simple ways to help determine if you should be concerned about malware you discover on your network

    One of the difficulties involved with malware analysis is determining exactly how concerned you should be when you find a new sample on your network.  Categorizing malware does not require high cost tools and access to subscription-only databases (although these can help).  The following is a list of ways to help determine how concerned you should be when your team discovers a new sample. (more…)

  • Beginning my first book

I am back to work again after taking some time to relax this holiday season.  I look forward to resuming analysis of recent cyber trends and sharing my opinion and analysis with my readers this year.  In addition, I have just started on my first book, which I hope to complete by June of this year.  This book is designed to help those interested in information security and targeted attack understand the intricacies of remediating a targeted attack.  I plan to keep my readers updated on its status as it develops.  In addition, if there are any publishers interested in signing up a new author, please feel free to contact me.

  • Understanding MS14-068

In November 2014, Microsoft issued a critical patch addressing a Kerberos issue on domain controllers.  This vulnerability enables an attacker to leverage any authenticated session to create a Kerberos ticket which can have any group membership in the Active Directory domain, to include membership in domain admins, schema admins, enterprise admins, or BUILTIN\Administrators.  In addition, a toolkit designed to exploit this vulnerability has been published online since the beginning of December.

    (more…)

  • Cyber Warfare and the New Cold War

    The Cold War was a unique period in history; a period of high political tension lasting for almost 45 years whereby the world was divided into distinct categories of extremely capable countries. The term “Cold War” was coined by George Orwell in an article entitled “You and the Atomic Bomb” published in the Tribune on October 19, 1945. In addition to creating the term “Cold War”, Orwell made some very keen observations:

    • The atomic bomb is an extremely destructive force that is misunderstood by the masses, yet carries a significant possibility that their life will be affected by it
    • The atomic bomb was seen as a new revolution in war and was likened to the discovery of gunpowder
    • Few superpowers had this significant warfare at their fingertips thus creating an imbalance in battlefield equality
    • The atomic bomb has caused nations that were once thought to be unconquerable to enter a permanent state of ‘cold war’ with their neighbors thus prolonging indefinitely a ‘peace that is no peace’

    (more…)

Ever wonder if there was a single unifying pattern that could describe the security of any system? Check out Designing Secure Systems for my take.