Category Archives: Opinion

Two unpatched remote code execution flaws in Adobe Type Manager Library affect all Windows Versions. Keep the mitigations forever!

29 March 2020

Mohit Kumar‘s post (1) that was published past Monday on The Hacker News should instill fright to all users who haven’t migrated to Windows 10 yet.

The good news is that this vulnerability requires user interaction. Microsoft states in security advisory ADV200006 (2) that “There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.” As always, user training is as crucial!

In addition, the impact on Windows 10 users is limited because the malicious code runs in an AppContainer which is destroyed once the preview is closed.

The bad news is that Microsoft recognized attacks where this vulnerability is leveraged (the vulnerability is in the Wild). And, a patch is not available yet.

In the meantime, Microsoft provides important mitigations in ADV200006. These mitigations must be kept on all pre-Windows 10 systems where no Extended Security Update (ESU) support is available.

The most interesting mitigation is to “Disable the Preview Pane and Details Pane in Windows Explorer”. I always disable preview features in Explorer and Outlook. Simply put, preview requires that documents are “executed”, so preview may also execute embedded malicious code.

My advice for all critical infrastructure operators is:

  • Deactivate all preview features in the Windows OS and in all applications.
  • Deactivate any kind of macros and scripting without notification.
  • Deactivate all trusted locations in all applications.
  • And, of course, the user should not be able to reverse this settings.

With this, the security baseline is raised at moderate effort.

Have a great week.


1. Kumar M. Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions [Internet]. The Hacker News. 2020 [cited 2020 Mar 29]. Available from: https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html

2. MSRC. ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability [Internet]. Microsoft Security Response Center. 2020 [cited 2020 Mar 29]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

CVE-2020-0796 – New Critical SMB V3 Vulnerability. Time to Panic?

22 March 2020

On March 12, 2020 Microsoft published a CVSS V3.1 severity 10 vulnerability in the SMBv3 protocol. CVE-2020-0796 (1), also called CoronaBlue, impacts the Windows 10 client and server versions 1903 and 1909.

The bad news first. CoronaBlue is like Eternalblue/WannaCry a wormable remote code execution vulnerability. A single Windows 10 system with SMBv3 protocol installed and port 445 open to the internet is enough for infiltration of a network.

The good news is that only few systems with Windows 10 version 1903 or 1909 have port 445 exposed to the internet. Theses Windows versions are just too new.

Nevertheless, immediate patching is required because a proof of concept exploit code was published on March 14, 2020.

In addition, Microsoft recommends deactivating SMBv3 compression unless the patches are installed and activated (2).

But the most important advice Microsoft gives is:

Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks.

This advice holds for all SMB versions. There is no need to access Windows systems through the SMB protocol from the internet. Therefore, this protocol should be blocked by the internet facing firewall of DMZs. No exceptions! Apparently, some thousand CISOs do not care:

Windows systems with SMB ports open to the internet.

Windows systems with SMB ports open to the internet.

Have a great week. And check your firewall rules!


References

  1. NIST NVD. NVD – CVE-2020-0796 [Internet]. NIST Information Technology Laboratory. 2020 [cited 2020 Mar 22]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2020-0796
  2. MSRC. CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability [Internet]. Microsoft Security. [cited 2020 Mar 22]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

Microsoft previews Microsoft Defender ATP for Linux – No reason to celebrate!

7 March 2020

At the Ignite 2019 Microsoft announced that “Defender ATP is coming to Linux in 2020” (1). The preview version is available since the end of February (2).

To be clear, I think Microsoft Defender ATP is a good product. It benefits from millions of sensors installed on consumer and company computers. And, with the entire Defender suite installed, companies can gain a good security level.

COVID-19 Virus ultrastructural morphology

COVID-19 Virus ultrastructural morphology. Picture by CDC/ Alissa Eckert, MS; Dan Higgins, MAMS

Just to recap on why we need anti-malware products: We live in an operating system monoculture. Windows is everywhere, on the clients, on the servers, in the cloud. All windows systems are networked for reasons of efficiency. The drawback of all mononcultures is that they are vulnerable against diseases. Covid-19 is a current example in the real world, WannaCry and NotPetya are well known examples in cyber space.

Microsoft loves Linux, and starts implanting genes from the Windows DNA into the Linux DNA; the .Net framework, PowerShell, Windows Defender ATP. Since the cost pressure in IT is high, companies will start using this products.

Good for the EBIT, bad for cyber security. PowerShell for example is often used in malware attacks (3). It’s merely a matter of time before cyber attackers start leveraging PowerShell on Linux. Living off the Land attacks will work on Linux and Windows, in the worst case with no changes to the code. With that, Linux is getting vulnerable against attacks that were so far only known from Windows.

Especially for operators of critical infrastructures is a clear strategy for operating Microsoft products on Linux required to keep the risk from this cross-over at an acceptable level.

For advice in securing PowerShell see publication “Securing PowerShell in the Enterprise” of the Australian Cyber Security Center (4).

Have a great weekend!


References

  1. Tung L. Microsoft: Defender ATP is coming to Linux in 2020 [Internet]. ZDNet. 2019 [cited 2020 Mar 7]. Available from: https://www.zdnet.com/article/microsoft-defender-atp-is-coming-to-linux-in-2020/
  2. Vaughan-Nichols SJ. Microsoft previews Microsoft Defender ATP for Linux [Internet]. ZDNet. 2020 [cited 2020 Mar 7]. Available from: https://www.zdnet.com/article/microsoft-previews-microsoft-defender-atp-for-linux/
  3. Help Net Security. 91% of critical incidents involve known, legitimate binaries like PowerShell [Internet]. Help Net Security. 2018 [cited 2020 Mar 6]. Available from: https://www.helpnetsecurity.com/2018/06/28/incidents-legitimate-binaries/
  4. Australian Cyber Security Center. Securing PowerShell in the Enterprise | Cyber.gov.au [Internet]. Australian Signals Directorate. 2019 [cited 2020 Mar 6]. Available from: https://www.cyber.gov.au/publications/securing-powershell-in-the-enterprise

Mean Time to Hardening: The Next-Gen Security Metric falls short in tackling the patching problem

12 January 2020

In report “Mean Time to Hardening: The Next-Gen Security Metric”,(1) published at 12/30/2019 on ThreatPost, Richard Melick proposes a new metric MMTH (Mean time to Hardening) to tackle the patch problem. I like the 24/72 MTTH approach. But when it comes to attacks of APTs on critical infrastructures this approach is from my point of view not effective.

Let me illustrate this with an example. CVE-2017-5638, a remote command execution vulnerability in the Apache Struts framework, was used in the Equifax attack (2) in 2017. In the case of remote command execution vulnerabilities, especially if the systems are operated in the DMZ, the 24/72 MTTH approach is the best strategy to survive. But let us look on the timeline.

NVD Exploit-DB Exploit-DB
CVE-2017-5638 EDB-ID 41570 EDB-ID 41614
Published NDV Published Exploit-DB Published Exploit-DB
3/11/2017 3/7/2017 3/15/2017

Exploit 41570 was published 4 days before the CVE was published. The 24/72 MTTH strategy will fail in this case. Exploit 41614 was published 4 days after the CVE was published, so the 24/72 MTTH strategy is successful.

Figure 1

Figure 1

This is not an isolated case. Between 2013 and 2019 56% of the exploits were published before or at the same day the vulnerability was published in the NVD. For mapping the exploits in the Exploit-DB to the CVEs the NVD reference map for the Exploit-DB (3) is used. Figure 2 shows the details in the range 30 days before and after the CVE publication date.

Figure 2

Figure 2

Figure 3

Figure 3

34% of the exploits for Remote Code/Command Execution (RxE) vulnerabilities like CVE-2017-5638 or CVE-2017-0144 (WannaCry) were published before or at the same day the vulnerability was published. Figure 4 shows the details. RxEs are selected from the NVD as follows: CVSS V2.0: Attack Vector: Network, Attack Complexity: Low + Medium, Authentication: None, Loss of Integrity: Complete, Keywords “remote code execution” or “exec arbitrary”.

Figure 4

Figure 4

So, the 24/72 MMTH approach falls short if the exploit is published before the vulnerability.

Please keep in mind that we only investigated published vulnerabilities and exploits. We can expect, that many yet unpublished, and unused, vulnerabilities exist in the arsenals of the APTs.

In the case of critical infrastructures, we are well advised to invest in solutions which increase the resilience against cyber-attacks. A simple Apparmor profile would probably have prevented the attack on Equifax. Whitelisting solutions should be considered in environments where industrial control systems are operated. This makes the 24/72 MTTH approach to patching not obsolete. We just buy time.

Have a great week.


References

  1. Melick R. Mean Time to Hardening: The Next-Gen Security Metric [Internet]. threatpost. 2019 [cited 2020 Jan 12]. Available from: https://threatpost.com/mean-time-hardening-next-gen-security-metric/151402/
  2. Brook C. Equifax Confirms March Struts Vulnerability Behind Breach [Internet]. threatpost. 2017 [cited 2020 Jan 12]. Available from: https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/
  3. NIST NVD. CVE – CVE Reference Map for Source EXPLOIT-DB [Internet]. [cited 2020 Jan 12]. Available from: https://cve.mitre.org/data/refs/refmap/source-EXPLOIT-DB.html

World Cafe@IMI 2019: No Backup, No Mercy!

24 November 2019

IMI 2019: Presentation DOW Cyber Security Framework

IMI 2019: Presentation DOW Cyber Security Framework

The motto of the IT meets Industry 2019 (IMI) conference in Mannheim was What happens if shit happened. During the World Cafe session, the participants dealt with the following scenario:

  1. The cyber-criminal overcame all hurdles you put in place to protect your production systems from attacks.
  2. The anomaly detection capabilities in place recognized the attack late.
  3. The engineering station (ES) is compromised.
  4. You isolated the engineering station from the network for further analysis.
  5. The good news is that the process control system (PCS) is still operable.
  6. The bad news is that it’s not clear whether the control program in the PCS is also compromised.

You decide to download the control program from the backup into the PCS. This is no uncommon scenario. The Rogue7 (1) attack described at the Black Hat 2019 and Triton (2) work this way. One of the participants put it this way: No Backup, No Mercy! Unfortunately, it’s not that simple.

Where is the current backup stored?

Under normal conditions, the current control program is stored on the engineering station. But this version is not usable because the engineering station is compromised.  If the backup is well organized, a copy of the control program is available from a NAS or a dedicated backup system

Is it really the current version?

This is very important if you want to recover the PCS to the state before the attack happened. Unfortunately, the Recovery Point Objective (RPO) in production is zero. That means, that the latest version of the control program is required for recovery. Older versions require, in the best case, manual reworking, thus a longer downtime and higher financial loss.

Is the PCS restorable from this version and fully operable afterwards?

Have you ever tried a restore test during scheduled maintenance to make sure that the PCS is fully operable after the restore of the control program? Is it clear what is meant by fully operable? Do you have a procedure and check list in place to verify this?

But the worst is yet to come. If you do daily backups there is a small chance that all backup versions are compromised.  In the above scenario, the anomaly detection system detected the attack late. If you keep for instance the latest 10 versions online and the attacker was active for 14 days, then all backups are potentially compromised. So, you must retrieve a backup from a tape library, if any.

Summary

Backup in the age of cyber attacks and ransomware is a hard job, especially in production. Without a strategy and preparation for the worst case a cyber attack may become a financial disaster. The 7 Ps Rule shows the direction in incident response:

Prior Preparation and Planning Prevents Piss Poor Performance!

Want to participate in real peer to peer knowledge exchange and a World Cafe on hot topics? Join the IMI 2020 in Mannheim.

Have a great week.


References

  1. Biham E, Bitan S, Carmel A, Dankner A, Malin U, Wool A. PPT: Rogue7: Rogue Engineering-Station attacks on S7 Simatic PLCs [Internet]. Powerpoint Presentation presented at: Black Hat USA 2019; 2019 Aug 8 [cited 2019 Aug 16]; Mandalay Bay / Las Vegas. Available from: https://i.blackhat.com/USA-19/Thursday/us-19-Bitan-Rogue7-Rogue-Engineering-Station-Attacks-On-S7-Simatic-PLCs.pdf
  2. Sobczak B. SECURITY: The inside story of the world’s most dangerous malware [Internet]. 2019 [cited 2019 May 11]. Available from: https://www.eenews.net/stories/1060123327

Application control solutions for protecting critical infrastructures

13 October 2019

Application Control Solutions (ACS) are easy to deploy and manage protective security controls in process automation. From my point of view, they are essential when it comes to critical infrastructures. The major SCADA vendors recommend and certify them for use with their product suites.

Rick Gorskie, Global Sales Manager Cybersecurity at Emerson Automation Solutions, recommends “using both solutions for an effective “one-two” punch against malware infection. Using applications whitelisting to protect from “zero-day” attacks as well as using antivirus blacklisting to scan for malware yields the best result.”(1)

Schneider Electric recommends the application control for their Power SCADA systems: “Power SCADA has been validated with the McAfee Application Control whitelisting application. Power SCADA and McAfee whitelisting can make your system more resilient to zero-day threats.”(2)

In addition to the protection against zero-days, application control allows to reduce the patch frequency and to extent the life of legacy systems.

The ACS kicks in during the exploitation phase of the Cyber Kill Chain. It checks every object at execution time whether it is known in the white list. Since new malware is not on the list, ACS just blocks the execution. This is a plain, but very effective approach.

Cyber Kill Chain - Application Control Solutions

Cyber Kill Chain – Application Control Solutions

This works for file-less malware like Nodersok (3) as well as for file-based malware like Reductor (4) or COMpfun (5). Even crypto worms like WannaCry are blocked.

In the case of COMpfun, for example, two DLLs are loaded into the users AppData directory. Both DLLs are not on the white list, so the execution is blocked although they are defined as COM objects.

Reductor uses two delivery methods, COMpfun and infected software installers. If COMpfun is used for delivery, the ACS blocks the malware.

But if the Reductor is delivered through infected software installers, ACSs will not work because they have their Achilles heels.

ACSs must be suspended during deployment or update of software.

A malware, for example a trojan disguised as part of a software suite, will become a legitimate program after the ACS is enforced again. Thus, the malware will never be blocked because it’s on the white list.

ACSs allow exceptions.

Some SCADA vendors request exceptions for the execution of some of their software tools. If malicious actors exploit these exceptions, they can inject malware outside regular installations.

So, we have a residual risk, depending on the threat actor and the environment.

For non-critical infrastructures, ACSs provides great protection against all threat actors. But in the case of critical infrastructures, APT and, to some extent, cyber criminals have the resources and the know how to exploit the Achilles heels of ACSs.

Additional security controls must be implemented to reduce this risk. Operators and engineering service providers must work together to solve this issue.

This may include an extended integrity check of all software before installation in the SCADA network and the encryption of all media during transport.

By the way, ACSs provide effective protection against zero-days only if they are not suspended. So, it’s a good idea to check regularly if the ACS agents are operated in enforced mode on the systems.

Have a great week.


References

  1. Gorskie R. Should You Be Using Application Whitelisting? [Internet]. Emerson Exchange 365. 2017 [zitiert 22. September 2019]. Verfügbar unter: https://emersonexchange365.com/products/control-safety-systems/f/deltav-discussions-questions/6792/should-you-be-using-application-whitelisting
  2. Schneider Electric. Power SCADA Operation 9.0 System Guide | Schneider Electric [Internet]. 2019 [zitiert 22. September 2019]. Verfügbar unter: https://www.schneider-electric.com/en/download/document/PowerSCADAOperationSystemGuide/
  3. Microsoft. Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware [Internet]. Microsoft Security. 2019 [zitiert 28. September 2019]. Verfügbar unter: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/
  4. GReAT. COMpfun successor Reductor infects files on the fly to compromise TLS traffic | Securelist [Internet]. Kaspersky Securelist. 2019 [zitiert 12. Oktober 2019]. Verfügbar unter: https://securelist.com/compfun-successor-reductor/93633/
  5. G Data. COM Object hijacking: the discreet way of persistence [Internet]. G Data Blog. 2014 [zitiert 12. Oktober 2019]. Verfügbar unter: https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence

How to get the best ROI for investments in cyber security?

28 September 2019

During a workshop this week we had a discussion on risk management and investment in cyber security. Risk is the product of likelihood of occurrence (LoO) and severity of impact (SoI). So, to reduce the risk we can either try to reduce the SoI, or the LoO, or both.

We do risk management because we have limited resources. The big question is always: Where shall I spent my resources?  Or, where can I gain the best ROI? Shall I reduce the likelihood of occurrence or the severity of the impact? Or both?

The Cyber Kill Chain is a great model to study this.

Cyber Kill Chain - Risk Management - Cost

Cyber Kill Chain – Risk Management – Cost

We can reduce the likelihood of occurrence starting during the delivery phase up to the command & control phase. Once the attacker crosses the red line the LoO is 100 %.

The severity of impact can be reduced starting at the midst / end of the exploitation phase. WannaCry, for example, started the encryption immediately during installation of the malware and contacted in parallel its command & control server. Once the attacker crosses the red line, the impact and thus the costs for recovery are high.

The big problem with reducing the likelihood of occurrence is that we have in the best case only some seconds to minutes until the attacker crosses the red line. For efficient use of this time we need to invest in preventive or proactive means.

Cyber security awareness training, for example, is a very efficient preventive measure to reduce the LoO during the delivery and exploitation phase, because the exploitation of about 35% (Data NIST NVD, CVSS V3, UI:R) of vulnerabilities published in 2018 requires user interaction. Priority patching is another preventive measure with can stop an attacker early.

Backup and emergency recovery are great means to reduce the severity of impact. But the latest attack on Norsk Hydro makes clear that, even with the best crisis management, the recovery of some thousand systems from scratch takes some time.

When used in context with the existing security controls, the Cyber Kill Chain provides support in setting priorities in cyber security investment. The Mitre ATT@CK framework, which is based on the Cyber Kill Chain, brings the required methodology in the planning process. Give it a try.

Have a great weekend.