Category: Documents and Research

  • Petya and WannaCrypt Ransomware Propagation

    Ransomware is not new, as was covered in a previous post.  Over the past two months, the Internet has been overrun by two malware variants which are responsible for destroying an immense amount of data and crippling corporations.  In this post, we will use the concepts of access and authorization discussed in Think Like a Hacker to analyze how these two worms operate and better understand their propagation.

    The Internet was introduced to a new type of ransomware on May 12, 2017 – one that leveraged an effective self-replicating (a.k.a. worm) capability to infect a large number of systems in a short amount of time.

    Propagation of WannaCrypt was successful primarily due to its use of a powerful remote code execution vulnerability dubbed EternalBlue.  Although the worm itself was novel, its use of EternalBlue was essentially a copy-and-paste of an already disclosed and patched vulnerability.

    EternalBlue

    On April 14, 2017, a series of exploits were published to the Internet by a group under the name ShadowBrokers.  This group had previously published other batches of exploits; however, previous disclosures were not nearly as powerful as EternalBlue.

    EternalBlue is a tool which exploits a vulnerability in the Microsoft Windows implementation of the SMB 1.0 protocol. SMB is used heavily by Windows systems in an enterprise setting to transfer data between systems.  Additionally, many non-enterprise users utilize this protocol to transfer files between systems, such as file sharing.  For more detailed technical information about the vulnerability exploited by EternalBlue, check out CVE-2017-0144.

    EternalBlue is a remote code execution exploit, which means successful execution of the exploit enables an attacker to run arbitrary code on the target host.  In the case of WannaCrypt, the arbitrary code was the malware itself – thus enabling the worming behavior.

    Access

    The widespread use of SMB throughout both public and private networks provided the malware access to a very large number of potentially vulnerable systems.  Once a machine became infected, any machine accessible to that infected host over SMB could become the next victim.  This created a target-rich environment when paired with the worm capability implemented in WannaCrypt.

    Authorization

    The vulnerability exploited by EternalBlue could be triggered without credentials, thus making the authorization required to exploit it effectively anonymous.  Once exploited, EternalBlue enabled the attacker to execute code using the effective authorization of the SMB server service, whose identity is the “SYSTEM” account.  As such, any code executed in this context will likely be unrestricted.

    Effective Access and Authorization by Proxy

    WannaCrypt utilized this pattern to rapidly infect systems throughout the Internet, starting with a single vulnerable system, then infecting any unpatched hosts which it could access over TCP 445 (vulnerable machines are those that had not installed MS17-010).

    When paired with the lack of authentication needed to execute the exploit, this provided a platform for a highly effective worm.

    Petya \ NotPetya

    Just as the world was updating their systems to avoid WannaCrypt, another worm entered the picture – Petya.  Like WannaCrypt, Petya leveraged EternalBlue to enable itself to propagate rapidly.  Being on the heels of another worm utilizing EternalBlue means that fewer vulnerable systems will remain available for attack.  Unfortunately, Petya didn’t stop at using EternalBlue.

    Credential Theft

    Petya was the “enterprise” version of WannaCrypt designed to take advantage of organizations with lax credential hygiene.  According to the write-up by the Microsoft Malware Protection Center, Petya contained a tool with a large degree of similarity to Mimikatz, a tool commonly used for credential theft.

    Use of pass-the-hash and credential theft as a form of self-propagation is rather new.  Traditionally, tools of this type are run manually by penetration testing teams in search of enterprise configurations where a single credential provides local administrative authority to multiple systems.  Petya marks the first documented time this technique was utilized to provide worm behavior at scale.

    Petya’s use of credential theft tools shows a particular interest in attacking enterprise networks, as these tools are much more effective in environments where single sign-on or shared local administrator credentials are used.  Additionally, Petya’s focus on accounts logged on using Remote Desktop Protocol (RDP) further demonstrates its interest in enterprises.

    Successful use of credential theft enables the malware to masquerade as the stolen identity, thus providing authorization equivalent to logging on with that credential.  In enterprises where every user has membership in the local “Administrators” group, a single stolen domain credential can provide local administrator authority to every workstation.  If the stolen account has additional permissions beyond that of a workstation administrator (for example, a domain admin or member server admin), that instance of malware will gain the authority of that credential.

    An infected machine will attempt to use these credentials to copy the Petya malware to the new victim machine and will attempt to start it using either PSExec or WMIC, both common administrative tools (the latter being a built-in Windows utility).

    Access

    Replication using EternalBlue is highly similar to WannaCrypt, therefore it doesn’t bear repeating.

    When EternalBlue will not work, Petya will attempt to utilize credentials stolen through use of its credential theft tool to connect to potential targets over SMB.  Therefore, in theory SMB must be available for Petya to propagate at all.

    PSExec uses SMB to communicate with a target, which is presumably available if the malware is able to propagate in the first place.  On the other hand, WMIC utilizes Windows Management Instrumentation (WMI), which is implemented over Remote Procedure Call (RPC).  This means that if the malware must use this means of propagation, an additional form of access must be available – access to both TCP port 135 (the RPC locator service) and whichever port the target is running WMI on (typically a random port between 1024 and 49152).  WMIC was likely used as a work-around to accommodate high-security environments that block PSExec.

    Authorization

    If the target machine is not vulnerable to EternalBlue, Petya will attempt to use credentials stolen on its currently infected host to infect the new victim.  To succeed, the stolen credential must have local administrative authorization (or equivalent) to the new infection target to enable copying of the Petya malware to the new target.

    Unfortunately, many organizations provide administrative authority broadly within an enterprise to enable users to install their own software or to allow use of legacy applications.  In addition, many organizations do not yet protect credentials of administrative accounts through credential hygiene or Credential Guard (a feature of Windows 10 and Windows Server 2016).  As such, these enterprises remain vulnerable to credential theft and reuse attacks.
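    The access and authorization rules described above for both worms (EternalBlue against any unpatched host reachable over SMB; stolen credentials that hold local administrator membership on the target, delivered over SMB for PSExec or over RPC for WMIC) can be turned into a small blast-radius model.  The following C program is an added example written for this page, not code from either malware family or from any referenced write-up.  The hostnames, account names and their patch, port and group memberships are a constructed inventory, and the function names are hypothetical.  It runs the propagation from one infected workstation twice: once as-is, and once after removing every account that is a local administrator on more than one host, which is the shared-local-admin pattern the Authorization section calls out.

```c
#include <stdio.h>
#include <string.h>

#define NHOSTS 6

/* Constructed account identities, as bit flags (hypothetical, not real accounts). */
enum { ALICE = 1, HELPDESK = 2, SVC_BACKUP = 4, BOB = 8 };

struct host {
    const char *name;
    int patched;        /* MS17-010 installed? */
    int smb, rpc;       /* TCP 445 reachable? TCP 135 + dynamic WMI port reachable? */
    unsigned logged_on; /* accounts whose credentials are in memory on this host */
    unsigned admins;    /* accounts in the local Administrators group */
};

/* Constructed inventory: helpdesk is a shared local admin across several hosts. */
static const struct host INVENTORY[NHOSTS] = {
    {"ws01",  0, 1, 1, ALICE,      ALICE | HELPDESK},
    {"ws02",  1, 1, 1, HELPDESK,   HELPDESK},
    {"ws03",  0, 1, 1, HELPDESK,   HELPDESK},
    {"srv01", 1, 0, 1, SVC_BACKUP, HELPDESK},
    {"dc01",  1, 1, 1, 0,          SVC_BACKUP},
    {"ws04",  1, 1, 1, BOB,        BOB},
};

/* Propagation rules from the post: returns a vector label from an infected
 * src to dst, or NULL when no path exists. */
static const char *vector(const struct host *src, const struct host *dst)
{
    if (dst->smb && !dst->patched)
        return "EternalBlue/SMB";               /* no credential needed */
    unsigned usable = src->logged_on & dst->admins; /* stolen cred with local admin */
    if (!usable)
        return NULL;
    if (dst->smb) return "PsExec/SMB";
    if (dst->rpc) return "WMIC/RPC";
    return NULL;
}

/* Breadth-first spread from start. how[i] receives the vector used to reach
 * host i (NULL = never infected). Returns the number of infected hosts. */
int simulate(const struct host *hosts, int n, int start, const char **how)
{
    int queue[NHOSTS], head = 0, tail = 0, count = 1;
    for (int i = 0; i < n; i++) how[i] = NULL;
    how[start] = "initial";
    queue[tail++] = start;
    while (head < tail) {
        int s = queue[head++];
        for (int d = 0; d < n; d++) {
            if (how[d]) continue;
            const char *v = vector(&hosts[s], &hosts[d]);
            if (v) { how[d] = v; queue[tail++] = d; count++; }
        }
    }
    return count;
}

/* Hardening step: drop local-admin membership from any account that is an
 * administrator on more than one host. */
void remove_shared_admins(struct host *hosts, int n)
{
    unsigned seen = 0, shared = 0;
    for (int i = 0; i < n; i++) {
        shared |= seen & hosts[i].admins;
        seen |= hosts[i].admins;
    }
    for (int i = 0; i < n; i++) hosts[i].admins &= ~shared;
}

/* Convenience wrappers: number of hosts reached from start, before and after hardening. */
int infected_count(const struct host *hosts, int start)
{
    const char *how[NHOSTS];
    return simulate(hosts, NHOSTS, start, how);
}

int infected_count_hardened(int start)
{
    struct host hardened[NHOSTS];
    memcpy(hardened, INVENTORY, sizeof hardened);
    remove_shared_admins(hardened, NHOSTS);
    return infected_count(hardened, start);
}

int main(void)
{
    const char *how[NHOSTS];
    simulate(INVENTORY, NHOSTS, 0, how);
    for (int i = 0; i < NHOSTS; i++)
        printf("%-6s %s\n", INVENTORY[i].name, how[i] ? how[i] : "not reached");
    printf("reached as-is: %d, after removing shared local admins: %d\n",
           infected_count(INVENTORY, 0), infected_count_hardened(0));
    return 0;
}
```

    In the constructed inventory, the only unpatched host other than the starting workstation is ws03; everything else is reached through the shared helpdesk credential harvested there, including the server that only exposes RPC and, one hop later, the domain controller.  Removing the shared membership leaves EternalBlue as the sole path, and the spread stops at the unpatched host, which is the point of pairing patching with credential hygiene.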

    Protection

    Defense against malware such as the Petya worm requires security to be implemented in systems architecture, since software is only a part of the issue.  Widespread use of accounts with local administrator authority can pose significant risk to an enterprise.  Utilize techniques such as Service Centric Architecture to limit exposure of high value accounts.  Additionally, Bring Your Own Device (BYOD) design can limit exposure to this class of attack by ensuring devices used by end users cannot expose credentials with administrative authorization to enterprise resources (i.e., non-domain member systems).

    In addition, it is important to ensure machines throughout your enterprise remain at the latest patch level to avoid infection using recently discovered software exploitation techniques.

    Last, always ensure your machine is running antimalware software with the latest definitions.  Antimalware companies focus heavily on detecting and preventing self-propagating malware such as the WannaCrypt and Petya ransomware worms.

  • Prologue – Think Like a Hacker

    Think Like a Hacker is designed to take an IT professional with an interest in cybersecurity on a journey through how an attacker thinks about a network, while posing new theoretical models on how to analyze their network through the lens of a targeted attacker.

    This book is not your typical security book that focuses on tools and how to use them, but rather an introduction to the underlying capabilities enabled by a hacker’s toolset.  Additionally, readers will be introduced to concepts of systems design to help your organization defend against targeted attacks from the perspective of authentication and authorization rather than discussing how to “bolt on” security products after the fact as a stop-gap protection for a vulnerable enterprise.

    For those unfamiliar with my work, I offer my prologue as an introduction.  If you find it intriguing, please consider purchasing a copy of the upcoming book at release.

    UPDATE: Book is available on Amazon and Amazon Europe in both paperback and Kindle formats


    Prologue

    Information security has become one of the most rapidly changing and advancing fields within information technology, in large part due to targeted attacks.  As we become a more connected society, hackers become more connected to our confidential information, financial institutions, and other sensitive systems.

    Why is it that we can’t seem to keep these attackers out of our networks?  Many organizations spend millions of dollars annually in software licenses, employee salaries, and consulting fees to limit the likelihood that their organization is compromised next – yet they continue to be compromised.

    Today’s compromises easily circumvent protections which were implemented to defend networks prior to the advent of targeted attacks.  Targeted attacks became relevant in 2005 when the world was introduced to Stuxnet.  Touted as the first “weapons grade” malware, Stuxnet was the first known malware that transcended a cyber-attack into the physical world.  Since then, the world has been introduced to numerous variants of remote access Trojans, ransomware, wipers, credential theft tools, and various other forms of malware which enable an attacker to rapidly take control of and impact a target network.

    As software developers know, vulnerability is preventable yet inevitable.  While our understanding of secure software development improves, so do our processes for developing such software, resulting in finished products of higher quality.  Professionally-trained software developers undergo rigorous training regarding the risks associated with buffer overflows, integer underflows, injection attacks, and the numerous other forms of software vulnerabilities which can be exploited to enable execution of arbitrary code.

    Improvements in secure software development have led to software manufacturers incorporating regular updating as part of their software package, reduced number of zero-day software vulnerabilities (those that the manufacturer has not yet patched), and a reduction in the overall number of critical vulnerabilities throughout the world.  Despite these improvements, we’ve seen an alarming increase in the number of networks compromised by attackers worldwide.  Why is that?

    Hackers have found another form of vulnerability which runs unbridled throughout most enterprises.  This class of vulnerability isn’t typically monitored and managed by the security development lifecycle (SDL), though it should be.  These vulnerabilities reside in system design rather than software design, and they’re largely responsible for enabling hackers to rapidly translate a single compromised host into compromise of an entire enterprise.

    Cybersecurity is SDL for the systems engineers of the world.  Hackers have learned that egregious delegation of administration runs rampant throughout enterprises.  Hackers have also reaffirmed that humans remain vulnerable regardless of the amount of training they are provided.  If hackers can get one user to launch their malcode, the entire enterprise can fall.

    In this book, we will discuss the cybersecurity problem space, examine how a hacker looks at a target network, and theorize on how to remediate and prevent compromise in the future.  We will work together to train your mind to see your enterprise through the eyes of a hacker – as a series of access points and forms of authorization.  Together, we will review the benefits and drawbacks behind authentication and authorization design and discuss how we can improve information security during the design phase, rather than trying to patch vulnerabilities in a production system after the fact.  Let’s take a journey together and learn how to think like a hacker.

  • Understanding the Vulnerability in Intel’s Management Technology

    Recently, social media and news sources have been thoroughly covering a vulnerability in Intel’s various management technologies. Although there is definitely reason to be concerned, there appears to be a bit of misinformation about the vulnerability, likely either due to sensationalism or lack of research. As such, I felt it beneficial to provide a view into the situation based on reliable referenced sources to help you determine whether or not you should be concerned.

    Discovery

    The vulnerability in question was identified by information security researcher Maksim Malyutin from Embedi in mid-February 2017. The vulnerability highlights a condition that allows an attacker to bypass authentication in Intel’s management technologies when using digest authentication.  This concern becomes somewhat greater when paired with a built-in admin account that always utilizes digest authentication, regardless of what form of authentication may be used for normal enterprise systems management.

    In digest authentication, a cryptographic hash of the password being used for authentication is sent from the client in order to protect the actual password being used for authentication. The password is combined with a random and session-specific value (called a nonce) to prevent an attacker from capturing an authentication and replaying it. Digest authentication is non-proprietary, thus ensuring authentication will be widely compatible with browsers and other integrating technologies.

    To validate the accuracy of the password, the server (in this case, the Intel management technology firmware) combines its copy of the known plaintext password with the nonce and performs its own MD5 hash. Now that we have two strings that should be identical, we are able to compare them to determine if the correct password was supplied.

    The Vulnerability

    The vulnerability in question resides in how data is supplied to the string comparison function used for digest authentication. The function utilized, strncmp(str1, str2, size_t), is a C standard library function (also available in C++) that compares at most the first size_t characters of two strings and reports whether that prefix matches.

    The vulnerable condition arises because the authentication system trusts user input when providing a value for size_t – the number of characters that must be compared between the two strings. An MD5 hash will always produce a 128-bit result that, when converted to a hexadecimal string, will always be 32 characters long. In all normal conditions, any incorrect password provided to the authentication function would fail – even when blank – because a single character change in a string undergoing an MD5 hash would result in an entirely different string.

    As we can see from the reverse engineering notes provided by Maksim, the value for size_t is obtained from the length of the string provided by the authenticating client. This means that if a hacker were to craft a custom HTTP authentication packet with an empty (zero-length) string instead of an MD5 of a password, the resulting function call would look something like this:

    strncmp("CorrectMD5PasswordHashFromDatabaseWithNonce", "", 0)

    With a length of zero, strncmp compares no characters at all and reports the two strings as equal, so the authentication succeeds. Most likely, the fix for this vulnerability was either explicitly specifying 32 for size_t to ensure that all 32 characters must always match, or changing the function to strcmp(str1, str2), which compares the strings in full rather than up to a caller-supplied length.
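    To make the comparison concrete, here is an added example (my own code, not Embedi’s analysis or Intel’s firmware) contrasting the vulnerable pattern described above with a fixed one. The 32-character hex string standing in for the server-side digest is constructed, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Length of an MD5 digest rendered as hex: 128 bits / 4 bits per character. */
#define MD5_HEX_LEN 32

/* Constructed stand-in for the response the server computes itself from the
 * stored password and the session nonce (not a real digest of anything). */
static const char *EXPECTED_RESPONSE = "9e107d9d372bb6826bd81d3542a419d6";

/* Vulnerable pattern: the comparison length is taken from the client-supplied
 * response, so the client decides how many characters must match.
 * Returns 1 if authentication is accepted, 0 otherwise. */
int verify_vulnerable(const char *expected, const char *supplied)
{
    size_t n = strlen(supplied);            /* attacker-controlled length */
    return strncmp(expected, supplied, n) == 0;
}

/* Fixed pattern: require exactly the digest length and compare all of it.
 * Returns 1 if authentication is accepted, 0 otherwise. */
int verify_fixed(const char *expected, const char *supplied)
{
    if (strlen(supplied) != MD5_HEX_LEN)
        return 0;                           /* wrong length: reject outright */
    /* Fixed-length compare; equivalent to strcmp() here because both strings
     * are exactly MD5_HEX_LEN characters. */
    return strncmp(expected, supplied, MD5_HEX_LEN) == 0;
}

int main(void)
{
    /* Constructed client responses: empty, a 4-character prefix, the correct
     * value, and a wrong value of the correct length. */
    const char *cases[] = { "", "9e10", EXPECTED_RESPONSE,
                            "00000000000000000000000000000000" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("response=\"%s\"  vulnerable=%d  fixed=%d\n", cases[i],
               verify_vulnerable(EXPECTED_RESPONSE, cases[i]),
               verify_fixed(EXPECTED_RESPONSE, cases[i]));
    return 0;
}
```

    The length check in the fixed version matters as much as the fixed count: without it, strncmp with a fixed 32 would still accept a shorter client string only if the server-side digest happened to end early, which it never does, but an explicit length test makes the intent obvious to the next reader. In production authentication code a comparison whose running time does not depend on where the first mismatch occurs is also preferable to plain strncmp or strcmp.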

    Impact

    Attackers who identify and exploit this vulnerability will be able to bypass authentication to Intel’s management technology, as long as the user is authenticated using digest authentication. Given that there is a built-in admin account which must leverage digest authentication, all vulnerable versions of Intel’s firmware are likely at risk.

    Intel’s management system provides a number of capabilities designed to simplify administration of their endpoints, including remote keyboard, video, and mouse (KVM), secure disk wipe, mounting logical volumes over a network, and changing boot order. All capabilities are provided without requiring support from the operating system, thus it is unlikely that any operating system mitigations will reduce exposure to this vulnerability.

    Based on the documented capability of Intel’s management technology, this means that impact to a vulnerable system may allow remote console sessions to be established, could enable a denial of service by wiping the machine’s drives, and could allow an attacker to boot the system off of media provided by the attacker.

    Mitigating Factors

    • Intel’s management technology is only available on enterprise SKUs and is disabled by default
    • Intel’s management technology is published using TCP ports that are less likely to be published through an organization’s firewall (TCP ports 16992 and 16993)
    • Intel has published a mitigation guide to help affected customers address the vulnerability
    • Updated firmware has been provided by Intel that addresses these vulnerabilities

    Public Articles

    The vulnerability in question is published in the NIST National Vulnerability Database (NVD) and Mitre’s Common Vulnerabilities and Exposures database as CVE-2017-5689. Additionally, Intel confirmed the presence of this vulnerability and has published a security advisory, ID INTEL-SA-00075, discussing the condition and providing links to updated firmware, which should be deployed to any affected endpoints to resolve this issue.

    References

    1. NIST National Vulnerability Database – CVE-2017-5689 https://nvd.nist.gov/vuln/detail/CVE-2017-5689
    2. Mitre Common Vulnerabilities and Exposures – CVE-2017-5689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689
    3. Intel Security Advisory INTEL-SA-00075 https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
    4. Embedi White Paper Silent Bob is Silent https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
    5. Microsoft – How Digest Authentication Works https://technet.microsoft.com/en-us/library/cc780170(v=ws.10).aspx
    6. strncmp() function on cplusplus.com http://www.cplusplus.com/reference/cstring/strncmp/
    7. strcmp() function on cplusplus.com http://www.cplusplus.com/reference/cstring/strcmp/
    8. Intel Active Management Technology Start Here Guide https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9
    9. INTEL-SA-00075 Mitigation Guide https://downloadmirror.intel.com/26754/eng/Intel-SA-00075%20Mitigation%20Guide-Rev%201.2.pdf

    DISCLAIMER

    All information used for this article is available in the references section and is not a result of any form of code review or penetration test on my part. Opinions within this article are avoided, but where present do not represent that of any employers, business partners, or other business associates. The accuracy of this article is directly a result of the accuracy of the referenced articles. Although sources referenced are reputable and not expected to be incorrect, I apologize for any errata that may occur through use of incorrect data from these sources.

  • Recovering Active Directory after Targeted Attack Compromise

    Over the past few years, I have had the opportunity to assist various organizations in detecting and removing attackers from large enterprises.  Throughout these efforts, I have noticed that remediation of this condition is a difficult and technically challenging task.  As a result, I decided to take this on as a challenge and develop a generalized framework for recovering Active Directory after compromise by targeted attack as my final project for my master’s degree.
