How to defeat antivirus evasion and privilege escalation techniques

4 February 2018

Last weekend I read two very informative posts on Antivirus Evasion by Mattia Campagnano. But part 2 [1] puzzled me somewhat.

“Following up to my previous post Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt. 1), we’re going now to perform the same attack on a genuine Windows 10 machine, where all latest updates have been installed.”

For a moment I thought ‘a security professional mistakes compliance for security’ because ‘fully patched’ means not that the system is resilient against cyber-attacks. But both posts show that even the most secure Windows ever is vulnerable against privilege escalation and AV evasion if the basic configuration is not changed and fundamental elements of cyber hygiene are missing.

Why are such attacks successful?

First, the user was logged in with permanent administrative privileges. This makes life easy for attackers and fosters lateral movement.

Revoking permanent administrative privileges on workstations and servers must be a basic element of any cyber security program. Under normal conditions, standard users should not have any administrative privileges for their devices at all. If needed, they can be temporarily granted through User Account Control (UAC).

Second, UAC was not set to the highest level “Always notify me”. Unfortunately this is the standard setting after a fresh installation of Windows. With this, privilege escalation is possible without user notification. If configured properly, UAC will notify the user even if he works with administrative privileges.

The BypassUAC method in the meterpreter attack framework will fail, if UAC is set to the highest level. The following excerpt of the code [2] makes this clear

case get_uac_level
 when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
 fail_with(Failure::NotVulnerable,
  "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
 )
 when UAC_DEFAULT
    print_good('UAC is set to Default')
    print_good('BypassUAC can bypass this setting, continuing...')
 when UAC_NO_PROMPT
    print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
    shell_execute_exe
  return
end

Standards like the DISA STIG for Windows 10 [3] activate all UAC features to make life for the attackers as difficult as possible. From my point of view, the STIGs should be considered also in industry to create workplaces resilient against cyber-attacks. And Microsoft should raise the Windows default for UAC to “Always notify me” for all versions. If a user wants to reduce the security level, he should do this on his own responsibility.

Besides the secure configuration of IT systems and cyber hygiene is user awareness training the third essential pillar of a security program. Users and help desk staff must take proper actions if their system unexpectedly enters the secure desktop and asks for permissions of an action they never asked.

Have a good weekend.


  1. Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 44: AV Evasion (pt 2). The S@vvy_Geek Tips Tech Blog
  2. Rapid7 bypassuac_vbs.rb  Metasploit Framework. (Accessed: 3rd February 2018)
  3. Windows 10 Security Technical Implementation Guide. STIG Viewer | Unified Compliance Framework® Available at: https://www.stigviewer.com/stig/windows_10/. (Accessed: 3rd February 2018)
  4. Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt.1). The S@vvy_Geek Tips Tech Blog
Advertisements

Some thoughts on “Identity is the new perimeter”

28 January 2018

With the increasing adoption of cloud services, the traditional perimeter security approach becomes less and less effective. The on-premise security layer, which protects users against cyber-attacks, is just no longer existent if users have direct access to a company’s cloud services from any location, at any time and, in the best case, from any device.

The four “A”s, Authentication, Authorization, Administration and Audit, become more and more important in a [hybrid] cloud based working environment.

“When identity and access management (IAM) works well, it means the right people have the right access to the right resources when they need them with appropriate governance in place from wherever the data or application is needed.” [1]

The magic word is “right”: With IAM we control the access of well-known groups of people to well-known resources. Unfortunately, cyber attackers do often not belong to these groups.

NIST NVD Statistics: Privileges Required

From the NIST NVD we learn, that 67% of the vulnerabilities published in 2017 need no privileges for exploitation.

Privileges None means: “The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.” [2]

This holds e.g. for remote code execution (RCE) vulnerabilities. An RCE allows an attacker to get full control of the victim’s computer or service, in the worst case with administrative privileges. With this, the entire new perimeter is bypassed. For an RCE example see CVE-2017-11459. [3]

Identity becomes an important part of a new perimeter but can never replace the perimeter.

NIST NVD 2017 Statistics: User Interaction Required

The NIST NVD data give another important insight for shaping a company’s security strategy: In 41% (5958) of 14647 vulnerabilities the user must interact with the attacker for their exploitation.

This means that well-made user awareness training can prevent lots of cyber-attacks.

Have a great week.


[1] AusCERT 2017 – Identity is the new perimeter
Anthony Caruana, 05/30/2017, CSO Online
https://www.cso.com.au/article/619970/auscert-2017-identity-new-perimeter/
Last seen: 01/28/2018

[2] Common Vulnerability Scoring System v3.0: Specification Document
https://www.first.org/cvss/specification-document
Last seen: 01/28/2018

[3] CVE-2017-11459
https://nvd.nist.gov/vuln/detail/CVE-2017-11459
Last seen: 01/28/2018

Intel AMT flaw lets attackers take control of laptops in 30 seconds

20 January 2018

Intel’s Active Management Technology (AMT) offers impressive management features to company IT shops:

  • Asset discovery
  • Out-of-band management functions to fix systems even if the OS went down
  • Contain the impact of malware

As any other software, AMT has configuration issues and vulnerabilities. For example, in 2015 default factory settings could be leveraged by an attacker to gain full control over devices from the network. Last year, four vulnerabilities were published in the NVD Database.

The latest configuration issue published on January 12, 2018 by F-Secure researchers allows attackers with physical access to compromise systems easily:

Just press CTRL-P during boot and log into Intel Management Engine BIOS Extension (MEBx) using the default password “admin”. With this, an attacker can reconfigure the system to allow for example remote access once the system is booted and left unattended.

This type of attack is called Evil Maid Attack. It is used especially by cyber criminals and nation state actors to compromise systems.

Although Intel made recommendations to mitigate this issue, the F-Secure report makes clear, that the OEM’s did not implement them and that the system managers did not change the AMT password on delivery to the users.

With this, we have no choice but to set individual AMT and BIOS passwords on all laptops and mobile devices with AMT enabled. This is going to be a hard job in companies with some thousand devices.

A risk based approach makes sense: Start with the top management and employees which have access to business-critical information.

Have a great weekend.

Spectre and Meltdown – No need to enter Panic Mode

7 January 2018

Spectre Icon

Spectre

When I read about Meltdown and Spectre in the Reuters Technology News early on Wednesday morning I digged directly somewhat deeper to find details about the access vectors and severity. From a quick view of the published material I concluded that these vulnerabilities were only locally exploitable and would have medium to high impact. No need to panic.

Media coverage was very high the next morning. Even the German local radio stations brought details about Spectre and Meltdown in the news, although there was no ground for public panic.

The following table shows the Meltdown and Spectre vulnerability details:

Meltdown and Spectre Vulnerability Details, CVSS V3 Metrics

Meltdown and Spectre Vulnerability Details, CVSS V3 Metrics

Sources: [1] NIST NVD, [2] RedHat Customer Portal[3] NIST NVD
Abbreviation list: AV: Access Vector, AC: Access Complexity, PR: Privileges Required, UI: User Interaction, C: Confidentiality, I: Integrity, A: Avaliability

To exploit these vulnerabilities an attacker must have either local access to a system on your network (Access Vector Local) or access to your local network (Access Vector Adjacent Network).

But why should an attacker, who got access to a system on your network, exploit e.g. Meltdown to extract passwords from the memory of a process? The access complexity is high; thus, the likelihood of early detection goes up.

We can expect that cyber criminals don’t behave irrationally. They choose the attack method with low chance of detection. And recent publications suggest this:

According to the Ponemon 2017 Cost of Data Breach Study the Mean Time to Identify (MTTI) a data breach in 2016 was 191 days, down from 201 days in 2015. If cyber criminals would behave irrationally, the MTTI would be much shorter.

Thus, there is no need for panic. Just apply the latest patches and check the performance of critical systems.

Have a great week.

Concerns about using open source libraries from an IT security point of view

18 December 2017

Some days ago I participated in a discussion about the necessity of using open source libraries in industrial software development and the data scientist workbench. IT security is often perceived as spoil sport in such discussions …

To be honest, I like open software. I prefer for example Firefox on Windows 10 because the configuration of Edge is really annoying. However, when it comes to the use of open software libraries in scientific or industrial software development projects or by data scientists I have two major concerns:

1. I have just no clue what the open software libraries do in addition to their intended use.

This sounds a bit paranoid. The question is:

Can we make sure, that no malicious code snippets are hidden in an open software library which send the company’s secrets to a cyber criminal’s command and control server, or which encrypt all data?

In my opinion this is not possible. Reviewing e.g. the 300 thousand lines of code of the OpenSSL-1.0.2 project is a herculean task, which has to be repeated for every patch and release. We can automate the software review process with advanced code analyzers. With such analyzers, we can make sure that open source code has no or few critical errors. But analyzers cannot find malicious code snippets, they just make sure that such snippets cause no critical errors during program execution.

Advanced Persistent Threat (APT) solutions may detect malicious behavior. But when a developer or data scientist includes open software into his code, the threat type changes from external to insider threat, thus APT solutions are no longer effective.

Eventually, we have to trust the developers of open software. Thus, the use of open software depends largely on the risk appetite of an organization.

2. I have no idea how to fix vulnerabilities in software which uses open software libraries.

Firefox gets security patches immediately after vulnerabilities are published. For example, the remote code execution vulnerability CVE-2017-7827, published 11/15/2017, was patched on the morning of 11/17/2017. When I logged in to my Linux box in the evening, even a patch for the Firefox ESR version was installed.

The OpenSSL-1.0.2 library mentioned above can be used potentially in many applications, in the worst case, some of them may be connected directly to the internet. The developers of Firefox take care of security bugs in this library. Who cares in the case of self-developed software? And how fast? Just remember the Equifax data breach some months ago. The reason for this really costly data breach was an unpatched vulnerability in the Apache Struts framework …

The focus of open software developers is innovation. Thus, the use of open software will be a major driver in the digital transformation, and we should foster this use to stay at the cutting edge of digital transformation.

Nevertheless, we must be aware of the risks of this use and take proper precautions for their mitigation.

Have a great week.

Puzzling: Five years old critical vulnerabilities exploited in November 2017

26 November 2017

Section Exploited Vulnerabilities of the Recorded Future Cyber Daily is sometimes really frightening. On November 9th, 2017, 249 successful exploits of CVE-2012-1823, a vulnerability in PHP, were recorded. This is hard to believe because CVE-2012-1823 was published on May 11th, 2012. Although a patch was available at the date of publication, it seems that the operators of this systems were not able to implement them within the past five years.

However, it would have been of urgent need in this case. CVE-2012-1823 is a so-called RCE (Remote Code Execution) vulnerability, which allows remote attackers to execute arbitrary code on a victim’s computer, and, in the worst case, to hijack the victim’s network.

RCE vulnerabilities are included in the critical vulnerabilities. Critical vulnerabilities are

  • exploitable from the network
  • need only low or medium skills to exploit
  • need no authentication
  • cause great damage, have high severity
  • allow remote attackers to execute arbitrary code on the victims computer

If an application system is operated in the DMZ, critical vulnerabilities must be patched directly upon publication to prevent attackers from getting onto your network. Or at least, between the time of publication and an exploit or proof of concept shows up. Since examples of how to exploit this PHP vulnerability were available in early May 2012, immediate action was required.

The big question is: Why were this vulnerable PHP versions not directly patched?

Exploitation of older vulnerabilities is not an isolated case. The HPE 2016 Cyber Risk Report shows, that in 2016

  • 47% of successful exploits use five or more years old vulnerabilities.
  • 68% of successful exploits use three or more years old vulnerabilities, 47% of them were critical vulnerabilities.
  • Stuxnet, CVE-2010-2568, was used in 29% of successful exploits.

An analysis of the critical vulnerabilities by vendors shows, that more critical vulnerabilities were found in non-Microsoft products than in Microsoft products.

Critical vulnerabilities 2010 - 2016

Critical vulnerabilities 2010 – 2016 by vendors. Click to enlarge.

But automated patch management is only available for Microsoft and few of the other vendors’ (e.g. Adobe, Oracle, SAP) products. Thus, we can expect that many critical vulnerabilities remain unpatched, which results in an ever-growing pool of opportunities for cyber criminals.

An ever growing pool of opportunities

An ever-growing pool of opportunities. Click to enlarge.

1) For the chart above I assumed that 50% of critical vulnerabilities remain unpatched. This assumption is based on the analysis of the 2017 NIST NVD data as of August 31st, 2017.

Since no automated patch management exists for PHP we can expect, that CVE-2012-1823 was rarely patched. But the worst is yet to come: From the HPE 2016 Cyber Risk Report we learn, that even six years old Microsoft vulnerabilities (Stuxnet, CVE-2010-2568) are not patched.

How to tackle this issue? From my point of view, the cause is compliance driven security. We often do patching of everything to meet compliance with a certain standard, instead of focusing on the real important issues, e.g., the critical vulnerabilities. Or, in other words, we close a lot of mouse holes while the barn door remains wide open.

WIth this, we must move from patching to vulnerability management, and priority patching for the critical vulnerabilities. Through a differentiated inspection of vulnerabilities we get out of the patch treadmill and can start working on the important cyber security issues.

By the way, if you haven’t subscribed to the Recorded Future Cyber Daily yet, consider to do it this week.

Have a great week.

AutoIt Scripting Used By Overlay Malware to Bypass AV Detection

13 November 2017

Seven Phases Cyber Kill Chain

Cyber Kill Chain

Anti-Virus (AV) protection works fine if the attacker uses a well-known malware, e.g. Locky, or one of its variants. In this case, the AV scan engine computes the fingerprint of the malicious object and checks it against its fingerprint database. Since a fingerprint is available, the attack is stopped in the delivery phase of a cyber attack the latest.

In the case of the AutoIt Overlay Malware the attacker hides the pattern in an AutoIt script which results in a modified fingerprint. Since this fingerprint is not known in the database the AV scan engine cannot stop the attack. For details about the AutoIt Overlay Malware see this excellent report by Gadi Ostrovsky published on November 8, 2017 in the IBM Security Intelligence blog

Anti-Virus evasion techniques are well known for years. Thus companies are well advised to rely not only on an anti-malware system in their endpoint protection strategy.

My favorite add-on to Anti-Malware systems is still Blue Ridge Networks AppGuard because its available for consumers as well as for businesses. AppGuard would block the AutoIt Overlay Malware during the installation phase the latest because it just blocks the execution of whatever objects from inside a user’s home directory.

Have a great week.