Category Archives: Advice for SMEs

Windows Applocker – The almost forgotten IT security workbench

5 January 2019

Dridex[1], Emotet[2], Locky[3], Destover[4], Petya[5], NotPetya, etc. share one feature: They are droppers[6]. A dropper installs malware to a target system and executes it then.

Droppers are delivered mainly by e-mail through phishing or spear phishing attacks. Since they are continuously refined to undergo malware detection the fight against droppers never stops.

The Achilles heel of droppers is that they are executed in the context of the current user during delivery. With this the dropped malware can only be stored in locations where the user has modify privileges, e.g. the user’s home directory.

Seven Phases Cyber Kill Chain

Seven Phases Cyber Kill Chain

If we can prevent the execution of objects from e.g. the user’s home directory the dropper can never execute the installed malware. With this we can block the malware during the delivery / exploitation phase of the Cyber Kill Chain, before the attacker becomes persistent in our network.

That is the idea behind Windows Applocker[7]. The Applocker default rules allow the execution of programs, scripts and dlls only from trusted directory systems, e.g. c:\Program Files, C:\Progam Files (X86), or c:\Windows. If activated, Applocker stops the execution of programs and scripts outside these trusted directories and thus Dridex, Emotet, Locky, Destover, etc.

But Applocker does more than blocking droppers. DLL injection is prevented if DLL rules are enforced. I strongly recommend to enforce the DLL rules from the start. Drive-by downloads, PuA, PuP  and Adware are blocked. Even the exploitation of zero-days like the latest Adobe pdf security flaw, CVE-2018-16011[8], can be mitigated. The entire network becomes more resilient against cyber attacks.

Applocker is perfectly suited to enhance the resilience against cyber attacks in production networks and critical infrastructures. In particular in GxP regulated industries Applocker is worth to be looked at. Since Applocker is integrated in the Windows OS a validation of a third party white-listing application is not required.

Applocker can be enforced on Windows Enterprise Edition installations (starting with Windows 7) with local group policies. To lower the administrative effort it is recommended to join the computers to a domain and enforce the Applocker rules through group policies.

Unfortunately, Microsoft compromises the Applocker approach by tools like Teams and OneDrive. Both are installed in user context, thus will be blocked by Applocker. Since  Applocker allows the definition of exceptions and their roll out with group policies such applications can be handled with manageable effort.

Besides modern applications at least two cyber security sins reduce the effectiveness of Applocker.

  • Users work with permanent admin privileges.

In this case the dropper can install the malware in trusted directories. Working with permanent admin privileges is one of the IT security deadly sins, thus should be avoided anyway.

  • Users have modify access to trusted directories and files.

Check trusted directories and files with AccessEnum. If objects can be modified by users either change the ACLs or define an Applocker exception for them.

Applocker provides great capabilities to enhance the resilience of organizations against cyber attacks. Just give it a try in 2019.

Have a great weekend.


References

  1. Proofpoint Threat Insight. High-Volume Dridex Banking Trojan Campaigns Return [Internet]. 2017 [cited 2018 Dec 29]. Available from: https://www.proofpoint.com/us/threat-insight/post/high-volume-dridex-campaigns-return
  2. Villaroman BC. Spoofed Banking Emails Arrive with EMOTET Malware [Internet]. TrendMicro Threat Encyclopedia. 2018 [cited 2019 Jan 4]. Available from: http://www.trendmicro.tw/vinfo/tr/threat-encyclopedia/spam/677/spoofed-banking-emails-arrive-with-emotet-malware
  3. Avast Threat Intelligence Team. A closer look at the Locky ransomware [Internet]. Avast Blog. 2016 [cited 2018 Dec 29]. Available from: https://blog.avast.com/a-closer-look-at-the-locky-ransomware
  4. Gallagher S. Inside the “wiper” malware that brought Sony Pictures to its knees [Update] [Internet]. Ars Technica. 2014 [cited 2018 Dec 29]. Available from: https://arstechnica.com/information-technology/2014/12/inside-the-wiper-malware-that-brought-sony-pictures-to-its-knees/
  5. Malwarebytes Labs. Keeping up with the Petyas: Demystifying the malware family [Internet]. Malwarebytes Labs. 2017 [cited 2018 Dec 29]. Available from: https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/
  6. Rouse M. What is dropper? – Definition from WhatIs.com [Internet]. WhatIs.com. 2015 [cited 2019 Jan 5]. Available from: https://whatis.techtarget.com/definition/dropper
  7. Lich B, Poggemeyer L, Justinha. AppLocker (Windows 10) [Internet]. WIidows IT Pro Center. 2017 [cited 2019 Jan 5]. Available from: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview
  8. The Hacker News. Adobe Issues Emergency Patches for Two Critical Flaws in Acrobat and Reader [Internet]. Vulners Database. 2019 [cited 2019 Jan 4]. Available from: https://vulners.com/thn/THN:ADE75E1067458A6BD1C6FB7BD78E697D/
Advertisements

Adobe Flash zero day exploited in the wild. Remote code execution vulnerabilities are hacker’s favorites!

8 December 2018

On December 5th, 2018 Adobe published security bulletin APSB18-41[1] for critical vulnerability CVE-2018-15928 in the widely used Flash Player. Gigamon Applied Threat Research (ATR) reported the vulnerability on November 29th, 2018 to Adobe. They detected the issue some days before while analyzing a malicious word document that was uploaded to VirusTotal from a Ukrainian IP address. For a detailed analysis of the attack and the vulnerability see [2][3].

Successful exploitation of CVE-2018-15928 could lead to Arbitrary Code Execution in the context of the current user. Due to RedHat the CVSS3 Base Metrics is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H with a CVSS3 Base Score of 8.8.

Zero days are not a rare phenomenon. Between 2013 and 2017[4] about 60% of the exploits were disclosed before the related CVE was published.

For about 20% of vulnerabilities in the NVD exploits are published in the exploit database[5]. Only about 1% of the vulnerabilities are exploited in the wild. Thus CVE-2018-15928 is a really rare event.

Remote code/script execution (RxE) vulnerabilities like CVE-2018-15928 represent about 20% of all vulnerabilities. 43% of the exploits published between 1988 and 2018 are related to RxE vulnerabilities.

Remote Code Execution Vulnerabilities. Data: 1988-2018

RxE Vulnerabilities. Data: 1988-2018

Exploits for Remote Code Execution Vulnerabilities. Data: 1988-2018

Exploits for RxE Vulnerabilities. Data: 1988-2018

About 5% of the RxE vulnerabilities are exploited in the wild.

This means, that RxE vulnerabilities are 5 times more often exploited in the wild then Non-RxE vulnerabilities. They are hacker’s favorites!

What does the mean for our vulnerability management strategy?

  • The remediation process must be started directly upon publication of an RxE vulnerability in the NVD or the disclosure of an exploit for an RxE in the exploit database.
  • In scope for the first remediation wave must be at least all systems facing the internet, e.g. workstations, servers in the DMZ or in public clouds.
  • Gathering intelligence about new vulnerabilities from a plethora of publicly available sources (OSINT) is a time-consuming task. A threat intelligence service can speed-up information gathering and reduces the workload of your IT security staff.
  • In addition, since remediation takes some time, it makes sense to invest in means for enhancing the resilience of application systems.

Expect the worst and be prepared. Or, to echo Hamlet:

To be, or not to be, that is the question:
Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take arms against a sea of troubles,
And by opposing, end them? To die: to sleep;

Have a good weekend.


  1. Adobe. Security updates available for Flash Player | APSB18-42 [Internet]. 2018 [cited 2018 Dec 8]. Available from: https://helpx.adobe.com/security/products/flash-player/apsb18-42.html

  2. Gigamon Threat Research Team. Adobe Flash Zero-Day Exploited In the Wild [Internet]. Gigamon ATR Blog. 2018 [cited 2018 Dec 8]. Available from: https://atr-blog.gigamon.com/2018/12/05/adobe-flash-zero-day-exploited-in-the-wild/

  3. Qihoo 360 Advanced Threat Response Team. Operation Poison Needles – APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day [Internet]. 2018 [cited 2018 Dec 8]. Available from: http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN.html

  4. Jochem K. About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy? [Internet]. IT Security Matters. 2018 [cited 2018 Dec 8]. Available from: https://klausjochem.me/2018/11/04/about-60-of-exploits-are-published-before-the-cve-what-does-this-mean-for-your-cyber-security-strategy/

  5. Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/

Vulnerabilities in self-encrypting SSDs let cyber criminals bypass BitLocker Full Disk Encryption. Don’t Panic!

25 November 2018

Full disk encryption (FDE) applications like BitLocker represent the final bastion in protection against theft and loss of laptops.

No wonder that post “Flaws in Popular SSD Drives Bypass Hardware Disk Encryption”[1], published by Lawrence Abrams on 11/5/2018 at Bleeping Computer, irritated the security community largely.

I scanned the announcement from Radboud University[2] and the preliminary version of the research paper and found no need to enter panic mode.

Hard Drive Lock by Hello Many from the Noun Project

Hard Drive Lock by Hello Many from the Noun Project

What happened. Researchers from Radboud University in The Netherlands found two critical security weaknesses, CVE-2018-12037 and CVE-2018-12038, in the encryption of some SSDs allowing access to the data without knowledge of any secret. Windows 8/10 BitLocker is able to make use of the hardware encryption capabilities to speed up the encryption process. Thus, BitLocker is compromised.

During normal operating conditions it is hardly possible to exploit these vulnerabilities because a cyber criminal must remove the SSD from the computer and connect a hardware debugger to reach the secrets.

Thus we face an increased risk if the device is left unattended, e.g. evil maid attack[3], lost or stolen. Or, if the device was lost some time ago and kept unchanged for whatever reasons.

Actually, you should have procedures in place to deal with stolen or lost devices. These must be updated now:

  • Users must change their passwords directly after the loss of a device is reported.
  • All certificates, soft and hard tokens used for securing remote access or access to sensitive data and services must be invalidated directly after a loss is reported.
  • The help desk must be notified of the loss and advised to report a security incident in the case of requests regarding the stolen device or the affected user accounts.

In any case, to keep the impact of a loss small the best advice for users is to store as little as possible sensitive data on portable devices.

For details on how to handle this issue please refer to the Microsoft security advisory ADV180028[4], published on 11/6/2018.

The big question is: Who takes care of the self encrypting external usb disks with keypad based on the buggy SSDs?

Have a great week.


  1. Abrams L. Flaws in Popular SSD Drives Bypass Hardware Disk Encryption [Internet]. BleepingComputer. 2018 [cited 2018 Nov 17]. Available from: https://www.bleepingcomputer.com/news/security/flaws-in-popular-ssd-drives-bypass-hardware-disk-encryption/
  2. Radboud University. Radboud University researchers discover security flaws in widely used data storage devices [Internet]. Radboud University. 2018 [cited 2018 Nov 17]. Available from: https://www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/
  3. Rouse M. What is evil maid attack? – Definition from WhatIs.com [Internet]. SearchSecurity. 2018 [cited 2018 Nov 25]. Available from: https://searchsecurity.techtarget.com/definition/evil-maid-attack
  4. MSRC M. ADV180028 | Guidance for configuring BitLocker to enforce software encryption [Internet]. Security TechCenter. 2018 [cited 2018 Nov 17]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028

About 60% of exploits are published before the CVE. What does this mean for your cyber security strategy?

4 November 2018

Some days ago Cisco published a vulnerability CVE-2018-15454[1][2] in software running on their security products Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). Cisco discovered the flaw while investigating a support case, in other words, the attackers used a zero-day exploit.

How frequent are zero-days? This question is not easy to answer because it takes some time until malicious activity is detected. However, we can compare the date an exploit is published in the Exploit Database[3] with the date the vulnerability is published in the NVD.

Figure 1. Exploit publication date relative to CVE publication date.

Figure 1. Exploit publication date relative to CVE publication date. Data: 2013 – 2017

Between 2013 and 2017 about 60% of the exploits were published before the CVE. With this, about 60% of the exploits are candidates for zero-day exploits.

Figure 2. Exploit publication date relative to CVE publication date details.

Figure 2. Exploit publication date relative to CVE publication date details. Data: 2013 – 2017

Figure 2 shows the details within 30 days prior and after the CVE was published.

This is no reason to panic. In general, this means that we should directly start the remediation process once an exploit is published. Do not waste time!

In addition, since remediation takes some time, it makes sense to invest in means enhancing the resilience of application systems. Expect the worst and be prepared.

Find out more in the following posts.

Have a great week.


  1. MITRE. NVD – CVE-2018-15454 [Internet]. 2018 [cited 2018 Nov 3]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-15454
  2. Cisco Security. Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability [Internet]. Cisco Security Advisory. 2018 [cited 2018 Nov 3]. Available from: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos
  3. Offensive Security. Offensive Security’s Exploit Database Archive [Internet]. Exploit Database. [cited 2018 Nov 4]. Available from: https://www.exploit-db.com/

Chrome’s new Site Isolation feature protects users from the Spectre vulnerability

14 July 2018

Spectre

Spectre

A new variant Spectre V1.1 (1) was published on July, 10 2018 by Vladimir Kiriansky and Carl Waldspurger. The vulnerability is tracked in CVE-2018-3693 (2). The good news is that the CVSS V3 score is 5.6 (Medium) with attack vector Local.

As with the original Spectre vulnerability CVE-2017-5753 (3) published in January 2018 the greatest risk for business users and consumers bears in malicious websites weaponized with drive-by downloads or viruses (4) using the Spectre POC code.

The virus issue is easy to mitigate. The inbuilt auto-update feature of anti-malware solutions ensures that the latest pattern updates are available within few hours after a virus shows up in the wild.

But the internet issue is much harder to solve, in particular for consumers and SME. Fortunately, Goggle announced on July 11, 2018 a new feature Site Isolation for the Chrome browser that mitigates the risk borne from the Spectre vulnerability.

Chrome is based on a multi-process architecture. Different tabs are rendered by different renderer processes. With site isolation enabled, cross-site iframes are rendered in different processes than the parent frame and data exchange between the parent and the iframe processes is blocked. For a technical overview see Charlie Reis’s post ‘Mitigating Spectre with Site Isolation in Chrome’ (5). Further details are available from the Chromium Projects (6).

Site Isolation is available since Chrome 67. Input chrome://flags/#enable-site-per-process to check if the feature is enabled:

Chromium Strict Site Isolation Feature

Chromium Strict Site Isolation Feature

If you use an older version of Chrome Site Isolation is the best opportunity to update to the latest version.

Have a great weekend.


  1. Beltov M. CVE-2018-3693: New Spectre 1.1 Vulnerability Emerges [Internet]. SensorsTechForum. 2018 [cited 2018 Jul 14]. Available from: https://sensorstechforum.com/cve-2018-3693-new-spectre-1-1-vulnerability-emerges/
  2. CVE-2018-3693 Detail [Internet]. NIST NVD. 2018 [cited 2018 Jul 14]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-3693
  3. CVE-2017-5753 Detail [Internet]. NIST NVD. 2018 [cited 2018 Jul 14]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2017-5753
  4. FortiGuard SE Team. Meltdown/Spectre Update [Internet]. Fortinet Blog. 2018 [cited 2018 Jul 14]. Available from: https://www.fortinet.com/blog/threat-research/the-exponential-growth-of-detected-malware-targeted-at-meltdown-and-spectre.html
  5. Reis C. Mitigating Spectre with Site Isolation in Chrome [Internet]. Google Online Security Blog. 2018 [cited 2018 Jul 14]. Available from: https://security.googleblog.com/2018/07/mitigating-spectre-with-site-isolation.html
  6. The Chromium Projects. Site Isolation – The Chromium Projects [Internet]. [cited 2018 Jul 14]. Available from: https://www.chromium.org/Home/chromium-security/site-isolation

Windows 2008 Server End of Life: The best chance to move to the cloud

30 June 2018

Windows 2008 Server End of Life is near. Within the next months many companies are busy with the replacement of Windows 2008 based infrastructure and application servers to avoid the next Wannacry or NotPetya.

It appears to me that this is the best opportunity to migrate at least application servers to the cloud. And, in the best case, to get rid of the servers at all by transforming the application to SAAS. If technical or the organizational limitations do not allow this at least the transformation to PAAS and IAAS should be considered.

What stops us from doing this? Very often it is the fear of loss of access to critical business data or the fear of loss of the data at all. At least in the latter case technical protection measures can be applied to mitigate this issue.

Transparent database encryption

Transparent database encryption (TDE) is often the matter of choice. All encryption is performed transparently by the database service, with no impact on the application and the users because only the database files or critical attributes in tables are encrypted. User interaction is required only during database startup to activate the encryption engine.

Unfortunately, TDE provides only encryption at rest. Thus TDE stops infrastructure admins from using unauthorized copies of a database or a virtual database server because they cannot activate the encryption engine. Once the database is started all users and database administrators have access.

Application level encryption

With Application level encryption (ALE) all encryption is performed by the application. Data is encrypted when entered in or retrieved through the application. Thus data is encrypted during transfer and at rest.

As long as the access is not routed through the application server the data are accessible for no one. Even infrastructure or database admins are barred unless they have access to the encryption key.

The security problem is shifted towards that of operational security of the application server. A solution to this problem could be to encrypt the data in the database with a key that is encrypted against the users access keys. This ensures that the encrypted data cannot be decrypted without access to at least one users key.

The remaining risk is that an attacker reads the keys or the plain text data from the process memory of the application service.

The effort to implement application level encryption is high because the application has to be changed. In addition, a key infrastructure must be set up to avoid data loss in the case a user key is e.g. inaccessible. But the gain in information and operational security is high.

The pros and cons of the encryption concepts in summary.

Table 1: Database Encryption Concepts Summary

Table 1: Database Encryption Concepts Summary

With Application Level Encryption, outsourcing or cloud adoption is made easy.

Have a good weekend.

Puzzling: Five years old critical vulnerabilities exploited in November 2017

26 November 2017

Section Exploited Vulnerabilities of the Recorded Future Cyber Daily is sometimes really frightening. On November 9th, 2017, 249 successful exploits of CVE-2012-1823, a vulnerability in PHP, were recorded. This is hard to believe because CVE-2012-1823 was published on May 11th, 2012. Although a patch was available at the date of publication, it seems that the operators of this systems were not able to implement them within the past five years.

However, it would have been of urgent need in this case. CVE-2012-1823 is a so-called RCE (Remote Code Execution) vulnerability, which allows remote attackers to execute arbitrary code on a victim’s computer, and, in the worst case, to hijack the victim’s network.

RCE vulnerabilities are included in the critical vulnerabilities. Critical vulnerabilities are

  • exploitable from the network
  • need only low or medium skills to exploit
  • need no authentication
  • cause great damage, have high severity
  • allow remote attackers to execute arbitrary code on the victims computer

If an application system is operated in the DMZ, critical vulnerabilities must be patched directly upon publication to prevent attackers from getting onto your network. Or at least, between the time of publication and an exploit or proof of concept shows up. Since examples of how to exploit this PHP vulnerability were available in early May 2012, immediate action was required.

The big question is: Why were this vulnerable PHP versions not directly patched?

Exploitation of older vulnerabilities is not an isolated case. The HPE 2016 Cyber Risk Report shows, that in 2016

  • 47% of successful exploits use five or more years old vulnerabilities.
  • 68% of successful exploits use three or more years old vulnerabilities, 47% of them were critical vulnerabilities.
  • Stuxnet, CVE-2010-2568, was used in 29% of successful exploits.

An analysis of the critical vulnerabilities by vendors shows, that more critical vulnerabilities were found in non-Microsoft products than in Microsoft products.

Critical vulnerabilities 2010 - 2016

Critical vulnerabilities 2010 – 2016 by vendors. Click to enlarge.

But automated patch management is only available for Microsoft and few of the other vendors’ (e.g. Adobe, Oracle, SAP) products. Thus, we can expect that many critical vulnerabilities remain unpatched, which results in an ever-growing pool of opportunities for cyber criminals.

An ever growing pool of opportunities

An ever-growing pool of opportunities. Click to enlarge.

1) For the chart above I assumed that 50% of critical vulnerabilities remain unpatched. This assumption is based on the analysis of the 2017 NIST NVD data as of August 31st, 2017.

Since no automated patch management exists for PHP we can expect, that CVE-2012-1823 was rarely patched. But the worst is yet to come: From the HPE 2016 Cyber Risk Report we learn, that even six years old Microsoft vulnerabilities (Stuxnet, CVE-2010-2568) are not patched.

How to tackle this issue? From my point of view, the cause is compliance driven security. We often do patching of everything to meet compliance with a certain standard, instead of focusing on the real important issues, e.g., the critical vulnerabilities. Or, in other words, we close a lot of mouse holes while the barn door remains wide open.

WIth this, we must move from patching to vulnerability management, and priority patching for the critical vulnerabilities. Through a differentiated inspection of vulnerabilities we get out of the patch treadmill and can start working on the important cyber security issues.

By the way, if you haven’t subscribed to the Recorded Future Cyber Daily yet, consider to do it this week.

Have a great week.