Tag Archives: cyber hygiene

HiddenWasp malware targets Linux systems – Don’t Panic!

23 June 2019

Ignacio Sanmillan’s excellent post(1) on the HiddenWasp malware could have been truly frightening: HiddenWasp targets Linux systems, the technology used is really impressive, and the detection rate on VirusTotal was zero as of 29 May 2019.

Unfortunately, the infected systems were already under the attacker’s control. Even if anti-malware solutions for Linux would have better detection capabilities it would hardly have mattered. Also, there is no need to implement sophisticated anti-malware evasion technologies. In the easiest case, the attacker must only define an anti-malware exception for the files to be downloaded.

Pattern based anti-malware solutions are reactive protective means. The anti-malware solution provider must first analyze the new malware and create a detection pattern. Thus, it is unsurprising that the detection rate on VirusTotal was and is still low.

The big questions remain open:

How was the RAT (Remote Access Trojan), the precondition for the infection with HiddenWasp, initially installed?
How did the attackers get root privileges?

Very often, it is lack of cyber hygiene that results in the takeover of a system. Implementation of cyber security best practice will raise the bar. Extended by a restrictive SELinux configuration will reduce the likelihood of getting compromised dramatically.

It’s free, and ready-to-use.

Have a great week.

References

Sanmillan I. Intezer – HiddenWasp Malware Stings Targeted Linux Systems [Internet]. Intezer. 2019 [cited 2019 Jun 2]. Available from: https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

LockerGoga. Mysterious and Dangerous. Part One.

31 March 2019

On 19 March 2019 Norsk Hydro was attacked with a ransomware called LockerGoga which partly took down operations. Although the manufacturing sites were hardly hit in the attack, the company reported(1) on 26 March in Reuters Technology News that the initial loss may exceed $40 million. SC Magazine reports(2) that earlier in March two U.S. based chemical companies were hit by a ransomware attack where LockerGoga was probably used.

To evaluate the effectiveness of existing preventive and protective measures in defending LockerGoga we have to take a closer look on the ransomware and the attack vector.

Facts on LockerGoga.

1) LockerGoga does not self-propagate. In a report(3) published in Wired, Kelly Fiveash quotes cyber security expert Robert Pritchard: “There is no replication mechanism, this is not a worm, it is a targeted attack by the criminals.” In addition, it doesn’t use Command and Control (C2) servers.

2) LockerGoga relocates itself in the %TEMP% folder. For details see the post(4) on LockerGoga by TrendMicro. Security tools like Microsoft AppLocker or Blue Ridge Networks AppGuard are able to stop LockerGoga at an early stage.

3) LockerGoga is signed, hence its trustworthiness is increased. For details on the certificate see the post(5) of Nick Biasini in the Talos Intelligence Blog.

4) LockerGoga requires admin rights to run. For details on the manifest file see the post(6) of Pedro Tavares on LockerGoga. With this, UAC (User Account Control) prompts for the password of a privileged account on startup of the malware.

In the worst case, if the user works with permanent administrative privileges and UAC is not set to Always notify me, the malware starts encrypting files without the user noticing.

Even if the user has to call the help desk for support, the probability is high that the help desk inputs the required credentials because the malware is signed, hence appears trustworthy.

5) LockerGoga kills the antivirus system on the target machine. For details see Alan Greenberg’s post(7) in Wired.

6) LockerGoga disables all network interfaces after the files on the infected system are encrypted. For details see the analysis(8) on the F-Secure Lab blog. With this, remote access and recovery is no longer possible. The infected system must be re-imaged from the console.

7) LockerGoga changes the user password and logs out the current user. With this the user is locked out of all computers connected to the Active Directory. For details see the TrendMicro post(4).

Speculations on how the attackers gained initial access.

The initial infection is subject of many speculations. In the TrendMicro post(4) we read “This could mean that the network was already compromised, and that the attackers conducted lateral movement. Since PsExec requires credentials to work, the attackers may have already obtained the credentials either through brute force, spearphishing, or a previous malware infection or attack.”

Kevin Beaumont provides more details on the initial attack vector in his worthwhile post(9) published on DoublePulsar.

Andy Greenberg speculates in a post(7) published on Wired that “Once the intruders have an initial foothold, they use the common hacking toolkits Metasploit and Cobalt Strike to move to other computers on the network and also exploit the program Mimikatz” to gain access to more privileged accounts.

That is somewhat baffling. Performing a deep dive into a network in the search of privileged accounts is a risky process, in particular if tool kits have to be loaded. Lateral movement takes some time, and in general, it is controlled through a C2 server. With this, the chance of success for the entire operation goes down to the extent the chance of detection of the attacker goes up during lateral movement..

In addition, why should an attacker start a ransomware attack after he gained full access to the Active Directory, hence access to all information on the network? Was the ransomware attack just a red herring?

How to protect against LockerGoga?

Due to Dolman(10), the tactical thinker operates on the principle “Knowing completely what cannot be done allows for an investigation of what can be done.”

In the case of LockerGoga this means:

[1] Deny all users on all computers to work with whatever administrative privileges. If required, grant administrative privileges only for the time the elevated privileges are needed, in the best case with local administrative rights provided by trained help desk staff.

[2] Remove the domain and enterprise admin groups from the local administrators groups. No member of these groups is allowed to logon to workstations. The best approach is to work always with local administrative accounts because these are not usable in lateral movement. Implement Microsoft LAPS(11) to keep the administrative overhead as small as possible.

[3] Set UAC to Always notify me. Train the users and supporters in proper action upon UAC requests from whatever processes.

[4] Disable the WDIGEST protocol on all computers to prevent storage of the WDIGEST passwords in plain text in the LSASS memory.

[5] Invalidate all passwords once [1], [2] and [4] are implemented. This makes sure that the password hashes and plain text passwords stored in the LSASS memory are no longer valid.

Implementation of measures [1] .. [5] dramatically reduces the attackers options to do a deep dive into the network. Critical details for the initial attack and the later execution of the malware are no longer accessible to the attacker.

Seven Phases Cyber Kill Chain

[6] Collect IoC (Indicators of Compromise) from all computers. Killing the AntiVirus process or resetting an eventlog are indicators of compromise. They must trigger security incidents. Direct action upon this incidents is required.

[7] To increase the resilience against new kind of malware implement preventive solutions like AppLocker or AppGuard. Such solutions are able to block a large set of malware at least during the exploitation phase of the cyber kill chain.

By the way, measures [1] .. [5] should already be in place because they are basic parts of cyber hygiene.

To be continued.

Have a great week.

References

1. Adomaitis N. Norsk Hydro’s initial loss from cyber attack may exceed $40 million. Reuters Technology News [Internet]. 2019 Mar 26 [cited 2019 Mar 26]; Available from: https://www.reuters.com/article/us-norway-cyber-idUSKCN1R71X9

2. Barth B. U.S. chemical companies reportedly infected with LockerGoga ransomware [Internet]. SC Media. 2019 [cited 2019 Mar 26]. Available from: https://www.scmagazine.com/home/security-news/ransomware/two-u-s-chemical-companies-disclose-cyberattack-lockergoga-ransomware-reportedly-the-culprit-following-norsk-hydro-ransomware-attack-two-u-s-chemical-companies-disclose-reportedly-similar-inciden/

3. Fiveash K. The Norsk Hydro cyber attack is about money, not war. Wired UK [Internet]. 2019 Mar 21 [cited 2019 Mar 26]; Available from: https://www.wired.co.uk/article/norsk-hydro-cyber-attack

4. TrendMicro. What You Need to Know About the LockerGoga Ransomware – Security News – Trend Micro USA [Internet]. 2019 [cited 2019 Mar 26]. Available from: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-you-need-to-know-about-the-lockergoga-ransomware

5. Biasini N. Ransomware or Wiper? LockerGoga Straddles the Line [Internet]. Talos Intelligence Blog. 2019 [cited 2019 Mar 26]. Available from: http://blog.talosintelligence.com/2019/03/lockergoga.html

6. Tavares P. [SI-LAB] LockerGoga is the most active ransomware that focuses on targeting companies and bypass AV signature-based detection [Internet]. Segurança Informática. 2019 [cited 2019 Mar 26]. Available from: https://seguranca-informatica.pt/si-lab-lockergoga-is-the-most-active-ransomware-that-focuses-on-targeting-companies-and-bypass-av-signature-based-detection/

7. Greenberg A. A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Wired [Internet]. 2019 Mar 25 [cited 2019 Mar 30]; Available from: https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/

8. Khasaia. Analysis of LockerGoga Ransomware [Internet]. F-Secure News from the Lab. 2019 [cited 2019 Mar 30]. Available from: https://labsblog.f-secure.com/2019/03/27/analysis-of-lockergoga-ransomware/

9. Beaumont K. How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business [Internet]. DoublePulsar. 2019 [cited 2019 Mar 26]. Available from: https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880

10. Dolman EC. Pure strategy: power and principle in the space and information age. London ; New York: Frank Cass; 2005. 218 p. (Cass series–strategy and history).

11. Archiveddocs. LAPS [Internet]. [cited 2019 Mar 31]. Available from: https://docs.microsoft.com/en-us/previous-versions/mt227395(v%3dmsdn.10)

How to defeat antivirus evasion and privilege escalation techniques

4 February 2018

Last weekend I read two very informative posts on Antivirus Evasion by Mattia Campagnano. But part 2 [1] puzzled me somewhat.

“Following up to my previous post Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt. 1), we’re going now to perform the same attack on a genuine Windows 10 machine, where all latest updates have been installed.”

For a moment I thought ‘a security professional mistakes compliance for security’ because ‘fully patched’ means not that the system is resilient against cyber-attacks. But both posts show that even the most secure Windows ever is vulnerable against privilege escalation and AV evasion if the basic configuration is not changed and fundamental elements of cyber hygiene are missing.

Why are such attacks successful?

First, the user was logged in with permanent administrative privileges. This makes life easy for attackers and fosters lateral movement.

Revoking permanent administrative privileges on workstations and servers must be a basic element of any cyber security program. Under normal conditions, standard users should not have any administrative privileges for their devices at all. If needed, they can be temporarily granted through User Account Control (UAC).

Second, UAC was not set to the highest level “Always notify me”. Unfortunately this is the standard setting after a fresh installation of Windows. With this, privilege escalation is possible without user notification. If configured properly, UAC will notify the user even if he works with administrative privileges.

The BypassUAC method in the meterpreter attack framework will fail, if UAC is set to the highest level. The following excerpt of the code [2] makes this clear

case get_uac_level
 when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
 fail_with(Failure::NotVulnerable,
  "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
 )
 when UAC_DEFAULT
    print_good('UAC is set to Default')
    print_good('BypassUAC can bypass this setting, continuing...')
 when UAC_NO_PROMPT
    print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
    shell_execute_exe
  return
end

Standards like the DISA STIG for Windows 10 [3] activate all UAC features to make life for the attackers as difficult as possible. From my point of view, the STIGs should be considered also in industry to create workplaces resilient against cyber-attacks. And Microsoft should raise the Windows default for UAC to “Always notify me” for all versions. If a user wants to reduce the security level, he should do this on his own responsibility.

Besides the secure configuration of IT systems and cyber hygiene is user awareness training the third essential pillar of a security program. Users and help desk staff must take proper actions if their system unexpectedly enters the secure desktop and asks for permissions of an action they never asked.

Have a good weekend.

Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 44: AV Evasion (pt 2). The S@vvy_Geek Tips Tech Blog
Rapid7 bypassuac_vbs.rb Metasploit Framework. (Accessed: 3rd February 2018)
Windows 10 Security Technical Implementation Guide. STIG Viewer | Unified Compliance Framework® Available at: https://www.stigviewer.com/stig/windows_10/. (Accessed: 3rd February 2018)
Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt.1). The S@vvy_Geek Tips Tech Blog

IBM Webinar: Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching

22 October 2016

On Tuesday, I watched the IBM webinar ‘Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching’.

On slide 3 one could read the really interesting statement ‘NSA: no zero days were used in any high profile breaches over last 24 months’.

Slide 3 – Force the Bad Guys to Use Zero Day Exploits — and Why That’s a Good Thing

Curtis Dukes, deputy national manager of security systems within the NSA, said that NSA has been involved in incident response or mitigation efforts for all ‘high profile incidents’ one has read about in the Washington Post or the New York times.

In all this incidents hacker used somewhat simple technology like spear phishing, water holing and USB-drive delivery to get onto the victim’s networks.

In the last 24 months, not one zero day has been used in these high profile intrusions.

That is a very interesting insight. Moreover, Curtis Dukes said that

The fundamental problem we faced in every one of those incidents was poor cyber hygiene.

The central idea of the webinar is to harden all systems by applying at least all existing patches to the known vulnerabilities, and in a timely manner. For most of the organizations this is a great challenge: Applying an endless stream of operating system and application patches to thousands of servers and endpoints is a never-ending nightmare. But essential to hinder an attacker, who managed to get on the network, in his lateral movement across the network.

If an attacker cannot exploit existing vulnerabilities, he is forced to install hacking tools from his C&C server. But this will increase the likelihood of detection because the attacker creates anomalies which can be detected e.g. by a current anti-malware solution or a well-tuned SIEM system.

It is important to recognize that cyber hygiene shall not be restricted to patching and password rules. Operating systems offer lots of powerful inbuilt tools, e.g. PowerShell, which can be used by an attacker to move laterally across the network. Such movements a much harder to detect, because they are very similar to standard user behavior. Pass-the-hash attacks are another example where patching is of limited value only.

It is very important to understand what threats a security solution mitigates. But it is of crucial importance to know the gaps and to have some ideas on how to deal with them effectively.

Have a good weekend.

Tips for Dealing with the Ransomware

21 May 2016

Nearly every day one can read horror stories about new ransomware variants in the media. The new variations encrypt not only the victim’s files. In addition, they change the computer’s configuration to make recovery with windows tools harder, thus to add weight to their ransom demand.

The PETYA ransomware overwrites the master boot record of the computer’s hard disk. The 7ev3n ransomware e.g. disables the Windows default recovery options by executing some bcdedit commands. In addition, this variant allows components to run with elevated rights without displaying a UAC (User Account Control) prompt.

With this, recovery from a ransomware attack becomes much more difficult and elaborate. But this is also a clear indicator for the lack of basic cyber hygiene.

When signed in as standard user one will just get the error message ‘Access is denied’ when a bcdedit command is run from shell program. The same is true for the PETYA ransomware that overwrites the master boot record of the computer’s hard disk.

Without administrative privileges and with UAC set to ‘Always notify me’ it is just not possible to destroy the master boot record, or to get elevated rights by using the auto-elevation capabilities of Windows. Period.

Basic cyber hygiene will not avoid the risks of ransomware, but it is a good preventive means for reducing this and lots of other risks.

The FBI published some really remarkable Tips for Dealing with the Ransomware Threat. Here is an excerpt from the list:

Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don’t need write-access to those files or directories.
Disable macro scripts from office files transmitted over e-mail.

Great tips, easy to implement, even for SME and end users.

Have a good weekend.

IT Security Matters

Klaus Jochem

Tag Archives: cyber hygiene

HiddenWasp malware targets Linux systems – Don’t Panic!

LockerGoga. Mysterious and Dangerous. Part One.

How to defeat antivirus evasion and privilege escalation techniques

IBM Webinar: Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching

Tips for Dealing with the Ransomware

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: