Monthly Archives: February 2018

Dutch banks hit by massive DDoS attacks – Blaming is difficult in the case of cyber-attacks

24 February 2018

Huib Modderkolk’s report ‘Dutch agencies provide crucial intel about Russia’s interference in US-elections’ [1] dated 25 February 2018 is one of the best spy stories I ever read. Hackers from the Dutch intelligence service AVID spied on the Russian hacker group Cozy Bear for some years. They watched them hacking the Democratic Party and manipulating the U.S. elections in 2016. [2]

Some days later Dutch banks and the Dutch Tax Agency [3] were hit by massive DDoS attacks with a peak volume of 40 Gbps. The alleged nation-state threat actor responsible behind these attacks was rapidly found because the timing of the attacks was just too coincidental. In addition, it is widely assumed that only nation-state actors have the resources to run attacks of this size. Janene Pieters reported on 29 January 2018 that according to ESET the attacks came from servers in Russia. [4]

But blaming is difficult in the case of cyber-attacks.

On 6 February 2017 Janene Pieters reported that an 18-year-old man from Oosterhout was arrested in connection with the DDoS attacks. [5] Tijs Hofmans report [6] in ComputerWeekly.com reveals some remarkable background details:

“In messages to the Tweakers systems administrator, Jelle S claimed to have bought a ready-made “stresser” DDoS package on the dark web for which he had paid €50 a week to send 50-100Gb/s of data to victims.”

Crazy world! A script kiddie misused a professional tool for running stress tests against web sites to do the DDoS attacks. And for a very reasonable price.

Blaming becomes a big issue when it comes to DDoS on critical infrastructures. According to the new U.S. nuclear strategy [7] such kind of attack on the U.S. homeland could, in the worst case, result in a counter strike with nuclear weapons.

Have a great weekend.

    1.  Modderkolk H. Dutch agencies provide crucial intel about Russia’s interference in US-elections – Tech – Voor nieuws, achtergronden en columns [Internet]. De Volkskrant. 2018 [cited 2018 Jan 30]. Available from: https://www.volkskrant.nl/tech/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/
    2.  Cluley G. How Dutch intelligence spied on the Russian hackers attacking the DNC [Internet]. Graham Cluley. 2018 [cited 2018 Jan 30]. Available from: https://www.grahamcluley.com/dutch-intelligence-spied-russia-hackers-attacking-dnc/
    3. Cimpanu C. Dutch Banks, Tax Agency Under DDoS Attacks a Week After Big Russian Hack Reveal [Internet]. BleepingComputer. 2018 [cited 2018 Feb 24]. Available from: https://www.bleepingcomputer.com/news/security/dutch-banks-tax-agency-under-ddos-attacks-a-week-after-big-russian-hack-reveal/
    4. Pieters J. Russian servers linked to DDoS attack on Netherlands financial network: Report [Internet]. NL Times. 2018 [cited 2018 Feb 24]. Available from: https://nltimes.nl/2018/01/29/russian-servers-linked-ddos-attack-netherlands-financial-network-report
    5. Pieters J. Suspect arrested for cyber attacks on Dutch tax service; Bunq [Internet]. NL Times. 2018 [cited 2018 Feb 24]. Available from: https://nltimes.nl/2018/02/06/suspect-arrested-cyber-attacks-dutch-tax-service-bunq
    6. Hofmans T. Teenager suspected of crippling Dutch banks with DDoS attacks [Internet]. ComputerWeekly.com. 2018 [cited 2018 Feb 24]. Available from: http://www.computerweekly.com/news/252434665/Teenager-suspected-of-crippling-Dutch-banks-with-DDoS-attacks
    7. Sanger DE, Broad WJ. Pentagon Suggests Countering Devastating Cyberattacks With Nuclear Arms. The New York Times [Internet]. 2018 Jan 16 [cited 2018 Jan 30]; Available from: https://www.nytimes.com/2018/01/16/us/politics/pentagon-nuclear-review-cyberattack-trump.html

Critical vulnerability in Skype updater – Don’t panic!

17 February 2018

Media reported on a new vulnerability in the Skype updater service this week. Due to ZDNET (1), Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique.

Kanthak describes in his post (2) on SECLIST.org how the attack works:

“An unprivileged (local) user who is able to place UXTheme.dll or any of the other DLLs loaded by the vulnerable executable in %SystemRoot%\Temp\ gains escalation of privilege to the SYSTEM account.”

Escalation of privilege to the SYSTEM account sounds dangerous. Why should Microsoft not care on this vulnerability?

From my point of view, Microsoft does not care, because this vulnerability is easy to mitigate. Let us look at the access vectors.

Access Vector: Local

An unprivileged local user is not able to place something in %SystemRoot%\Temp. I checked this on Windows 7 Enterprise Edition and Windows 10 Pro. In either case I got the error message “You don’t currently have permissions to access this folder.”

"Permissions denied" message

“Permissions denied” message

And in either case User Account Control prompts for the password of an administrator’s account to change the settings.

With this, the local version works only if the user works permanently with administrative privileges.

Access Vector: Network

ZDNET (1) reports that the vulnerability is remotely exploitable:

“The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.”

That sounds strange. From the discussion above we know that under normal conditions access to %SystemRoot%\Temp\ is limited to members of the administrators group. To access this folder remotely an attacker needs access to e.g. the \\systemname\c$ share. For this, either a local administrative account or a network account which is member of the local administrators group is required. In either case this mean that your network is already compromised.

Conclusion: In a Windows network with basic standard of cyber hygiene the likelihood is low that this vulnerability is easy exploitable.  

But the most important reason for Microsoft not caring of this is that an updated version of Skype exists where the bug is fixed. (3)

To say it with Shakespeare: Much ado about Nothing.

Have a good weekend.

1. Whittaker Z. Skype can’t fix a nasty security bug without a massive code rewrite [Internet]. ZDNet. 2018 [cited 2018 Feb 17]. Available from: http://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/

2. Kanthak S. Full Disclosure: Defense in depth — the Microsoft way (part 51): Skype’s home-grown updater allows escalation of privilege to SYSTEM [Internet]. 2018 [cited 2018 Feb 17]. Available from: http://seclists.org/fulldisclosure/2018/Feb/33

3. Kilbourne E. Update on Skype for Windows desktop installer – version 7.40 and lower [Internet]. Microsoft Skype Forum. 2018 [cited 2018 Feb 17]. Available from: https://answers.microsoft.com/en-us/skype/forum/skype_newsms/update-on-installer-for-skype-for-windows-desktop/242f1415-1399-42e1-a6a2-cd535c8b7ff8?tm=1518635969608&auth=1

How to defeat antivirus evasion and privilege escalation techniques

4 February 2018

Last weekend I read two very informative posts on Antivirus Evasion by Mattia Campagnano. But part 2 [1] puzzled me somewhat.

“Following up to my previous post Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt. 1), we’re going now to perform the same attack on a genuine Windows 10 machine, where all latest updates have been installed.”

For a moment I thought ‘a security professional mistakes compliance for security’ because ‘fully patched’ means not that the system is resilient against cyber-attacks. But both posts show that even the most secure Windows ever is vulnerable against privilege escalation and AV evasion if the basic configuration is not changed and fundamental elements of cyber hygiene are missing.

Why are such attacks successful?

First, the user was logged in with permanent administrative privileges. This makes life easy for attackers and fosters lateral movement.

Revoking permanent administrative privileges on workstations and servers must be a basic element of any cyber security program. Under normal conditions, standard users should not have any administrative privileges for their devices at all. If needed, they can be temporarily granted through User Account Control (UAC).

Second, UAC was not set to the highest level “Always notify me”. Unfortunately this is the standard setting after a fresh installation of Windows. With this, privilege escalation is possible without user notification. If configured properly, UAC will notify the user even if he works with administrative privileges.

The BypassUAC method in the meterpreter attack framework will fail, if UAC is set to the highest level. The following excerpt of the code [2] makes this clear

case get_uac_level
 when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
 fail_with(Failure::NotVulnerable,
  "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
 )
 when UAC_DEFAULT
    print_good('UAC is set to Default')
    print_good('BypassUAC can bypass this setting, continuing...')
 when UAC_NO_PROMPT
    print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
    shell_execute_exe
  return
end

Standards like the DISA STIG for Windows 10 [3] activate all UAC features to make life for the attackers as difficult as possible. From my point of view, the STIGs should be considered also in industry to create workplaces resilient against cyber-attacks. And Microsoft should raise the Windows default for UAC to “Always notify me” for all versions. If a user wants to reduce the security level, he should do this on his own responsibility.

Besides the secure configuration of IT systems and cyber hygiene is user awareness training the third essential pillar of a security program. Users and help desk staff must take proper actions if their system unexpectedly enters the secure desktop and asks for permissions of an action they never asked.

Have a good weekend.

  1. Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 44: AV Evasion (pt 2). The S@vvy_Geek Tips Tech Blog
  2. Rapid7 bypassuac_vbs.rb  Metasploit Framework. (Accessed: 3rd February 2018)
  3. Windows 10 Security Technical Implementation Guide. STIG Viewer | Unified Compliance Framework® Available at: https://www.stigviewer.com/stig/windows_10/. (Accessed: 3rd February 2018)
  4. Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt.1). The S@vvy_Geek Tips Tech Blog