Tag Archives: NotPetya

Windows Applocker – The almost forgotten IT security workbench

5 January 2019

Dridex[1], Emotet[2], Locky[3], Destover[4], Petya[5], NotPetya, etc. share one feature: they are droppers[6]. A dropper installs malware on a target system and then executes it.

Droppers are delivered mainly by e-mail through phishing or spear-phishing attacks. Since they are continuously refined to evade malware detection, the fight against droppers never stops.

The Achilles heel of droppers is that they are executed in the context of the current user during delivery. The dropped malware can therefore only be stored in locations where the user has modify privileges, e.g. the user’s home directory.

Figure: Seven Phases Cyber Kill Chain

If we can prevent the execution of objects from, e.g., the user’s home directory, the dropper can never execute the installed malware. This blocks the malware during the delivery / exploitation phase of the Cyber Kill Chain, before the attacker becomes persistent in our network.

That is the idea behind Windows Applocker[7]. The Applocker default rules allow the execution of programs, scripts and DLLs only from trusted directories, e.g. C:\Program Files, C:\Program Files (x86), or C:\Windows. If activated, Applocker stops the execution of programs and scripts outside these trusted directories and thus stops Dridex, Emotet, Locky, Destover, etc.

But Applocker does more than block droppers. DLL injection is prevented if DLL rules are enforced; I strongly recommend enforcing the DLL rules from the start. Drive-by downloads, PUA, PUP and adware are blocked. Even the exploitation of zero-days like the latest Adobe PDF security flaw, CVE-2018-16011[8], can be mitigated. The entire network becomes more resilient against cyber attacks.

Applocker is perfectly suited to enhancing the resilience of production networks and critical infrastructures against cyber attacks. In GxP-regulated industries in particular, Applocker is worth a look: since Applocker is integrated in the Windows OS, validation of a third-party white-listing application is not required.

Applocker can be enforced on Windows Enterprise Edition installations (starting with Windows 7) with local group policies. To lower the administrative effort it is recommended to join the computers to a domain and enforce the Applocker rules through group policies.

Unfortunately, Microsoft compromises the Applocker approach with tools like Teams and OneDrive. Both are installed in user context and are thus blocked by Applocker. Since Applocker allows the definition of exceptions and their roll-out through group policies, such applications can be handled with manageable effort.
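The configuration described in the last few paragraphs, as an added example (not the author's code and not Microsoft's default-rule wizard output): it builds a local policy that enforces the default path rules for executables, scripts and DLLs, dry-runs it against a copied file in the user's temp folder, applies it, and then merges a publisher-based exception for OneDrive, which installs in user context. It assumes an elevated PowerShell 3.0 or later on Windows 7 Enterprise or later with the AppLocker module, and OneDrive at its usual per-user location; the rule GUIDs are generated on the fly and the Windows Installer collection is left unconfigured.

```powershell
# Added example (not the author's code): default Exe/Script/Dll rules, enforced, plus a
# publisher exception for a user-context application. Elevated session assumed.
Import-Module AppLocker

function New-DefaultRuleCollection {
    param([string]$Type)   # 'Exe', 'Script' or 'Dll'
    # The three default rules per collection, written with AppLocker's own path
    # variables. Everyone = S-1-1-0, BUILTIN\Administrators = S-1-5-32-544.
    $rules = @(
        @{ Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*'; Name = "Default: Program Files ($Type)" },
        @{ Sid = 'S-1-1-0';      Path = '%WINDIR%\*';       Name = "Default: Windows folder ($Type)" },
        @{ Sid = 'S-1-5-32-544'; Path = '*';                Name = "Default: Administrators ($Type)" }
    )
    $xml = "  <RuleCollection Type=`"$Type`" EnforcementMode=`"Enabled`">`n"
    foreach ($r in $rules) {
        # GUIDs generated here; they are not the well-known IDs of Microsoft's wizard rules.
        $xml += "    <FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$($r.Name)`" Description=`"`" UserOrGroupSid=`"$($r.Sid)`" Action=`"Allow`">`n"
        $xml += "      <Conditions><FilePathCondition Path=`"$($r.Path)`" /></Conditions>`n"
        $xml += "    </FilePathRule>`n"
    }
    $xml + "  </RuleCollection>`n"
}

# 1. Base policy: Exe, Script and Dll collections, all enforced ("enforce the DLL rules
#    from the start").
$base   = Join-Path $env:TEMP 'applocker-base.xml'
$policy = "<AppLockerPolicy Version=`"1`">`n" +
          (New-DefaultRuleCollection -Type 'Exe') +
          (New-DefaultRuleCollection -Type 'Script') +
          (New-DefaultRuleCollection -Type 'Dll') +
          "</AppLockerPolicy>`n"
[System.IO.File]::WriteAllText($base, $policy)

# 2. Dry run before enforcing: a copy of notepad.exe in the user's temp folder stands in
#    for a dropped file and must come back as Denied; the original must be Allowed.
$probe = Join-Path $env:TEMP 'probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $base -Path $probe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Apply locally (in a domain, import the same XML into a GPO instead) and make sure the
#    Application Identity service, which does the actual enforcement, starts automatically.
Set-AppLockerPolicy -XmlPolicy $base
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# 4. Exception for a user-context application as a *publisher* rule, so the allowance is
#    tied to Microsoft's signature rather than to a user-writable path. Unsigned files in
#    that folder are skipped and therefore stay blocked.
$oneDriveDir = "$env:LOCALAPPDATA\Microsoft\OneDrive"
if (Test-Path $oneDriveDir) {
    $exc = Join-Path $env:TEMP 'applocker-onedrive.xml'
    Get-AppLockerFileInformation -Directory $oneDriveDir -Recurse -FileType Exe, Dll |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'OneDrive' `
                            -Optimize -IgnoreMissingFileInformation -Xml |
        Set-Content -Path $exc
    Set-AppLockerPolicy -XmlPolicy $exc -Merge
}

# 5. What the machine enforces now, and the most recent blocked executions
#    (event 8004 = blocked; 8003 = would have been blocked in audit-only mode).
Get-AppLockerPolicy -Effective -Xml | Out-File (Join-Path $env:TEMP 'applocker-effective.xml')
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { 8003, 8004 -contains $_.Id } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Step 2 is the part worth keeping as a routine check: the same Test-AppLockerPolicy call against the exported effective policy tells you, before any group-policy change, whether a given path would be blocked. Run the policy in audit-only mode (EnforcementMode="AuditOnly") for a few weeks first if the application inventory is uncertain; the 8003 events then list what enforcement would have stopped.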

Besides modern applications at least two cyber security sins reduce the effectiveness of Applocker.

  • Users work with permanent admin privileges.

In this case the dropper can install the malware in trusted directories. Working with permanent admin privileges is one of the IT security deadly sins and should be avoided anyway.

  • Users have modify access to trusted directories and files.

Check trusted directories and files with AccessEnum. If objects can be modified by users, either change the ACLs or define an Applocker exception for them.
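The AccessEnum check from the second point, as an added scripted example (not the author's code): it walks the Applocker trusted directories and lists every directory where a principal that every interactive user belongs to holds a write-type permission. It assumes an elevated PowerShell 3.0 or later on the audited machine; the principal list and the write mask are this example's choices, not an AccessEnum setting.

```powershell
# Added example (not the author's code): find user-writable directories inside the
# AppLocker trusted paths. Run elevated so that every ACL can be read.
function Find-UserWritableTrustedDirs {
    param(
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir)
    )
    # Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE: a write ACE for any of
    # these means a dropper running as an ordinary user can place files there.
    $lowPriv   = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl, ChangePermissions, TakeOwnership'
    $generic   = 0x10000000 -bor 0x40000000    # GENERIC_ALL / GENERIC_WRITE as they appear in raw ACEs

    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir = $_
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }                      # orphaned or untranslatable principal
                if ($lowPriv -notcontains $sid) { continue }
                $rights = [int]$ace.FileSystemRights
                if (($rights -band [int]$writeMask) -or ($rights -band $generic)) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Every row is a candidate for an ACL change or an AppLocker exception (deny) rule.
Find-UserWritableTrustedDirs | Sort-Object Path | Format-Table -AutoSize
```

On a default installation the list is short but not empty; %WINDIR%\Tasks and %WINDIR%\Temp typically appear, which is why the default path rules alone are not enough and these directories need either tightened ACLs or an explicit exception. Rerun the scan after software installations, since installers frequently loosen permissions on their own directories under Program Files.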

Applocker provides great capabilities to enhance the resilience of organizations against cyber attacks. Just give it a try in 2019.

Have a great weekend.


References

  1. Proofpoint Threat Insight. High-Volume Dridex Banking Trojan Campaigns Return [Internet]. 2017 [cited 2018 Dec 29]. Available from: https://www.proofpoint.com/us/threat-insight/post/high-volume-dridex-campaigns-return
  2. Villaroman BC. Spoofed Banking Emails Arrive with EMOTET Malware [Internet]. TrendMicro Threat Encyclopedia. 2018 [cited 2019 Jan 4]. Available from: http://www.trendmicro.tw/vinfo/tr/threat-encyclopedia/spam/677/spoofed-banking-emails-arrive-with-emotet-malware
  3. Avast Threat Intelligence Team. A closer look at the Locky ransomware [Internet]. Avast Blog. 2016 [cited 2018 Dec 29]. Available from: https://blog.avast.com/a-closer-look-at-the-locky-ransomware
  4. Gallagher S. Inside the “wiper” malware that brought Sony Pictures to its knees [Update] [Internet]. Ars Technica. 2014 [cited 2018 Dec 29]. Available from: https://arstechnica.com/information-technology/2014/12/inside-the-wiper-malware-that-brought-sony-pictures-to-its-knees/
  5. Malwarebytes Labs. Keeping up with the Petyas: Demystifying the malware family [Internet]. Malwarebytes Labs. 2017 [cited 2018 Dec 29]. Available from: https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/
  6. Rouse M. What is dropper? – Definition from WhatIs.com [Internet]. WhatIs.com. 2015 [cited 2019 Jan 5]. Available from: https://whatis.techtarget.com/definition/dropper
  7. Lich B, Poggemeyer L, Justinha. AppLocker (Windows 10) [Internet]. Windows IT Pro Center. 2017 [cited 2019 Jan 5]. Available from: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview
  8. The Hacker News. Adobe Issues Emergency Patches for Two Critical Flaws in Acrobat and Reader [Internet]. Vulners Database. 2019 [cited 2019 Jan 4]. Available from: https://vulners.com/thn/THN:ADE75E1067458A6BD1C6FB7BD78E697D/

Oh dear! Oh dear! I shall be too late! – The White Rabbit

29 October 2017

WannaCry, NotPetya, and now Bad Rabbit. The good news is that Bad Rabbit isn’t spreading as fast as WannaCry and NotPetya. According to a DARKReading report from October 25th, the outbreak already appears to be dying down.

The bad news is that it happened again. Like the White Rabbit in Alice’s Adventures in Wonderland, IT departments seem to mutter only “Oh dear! Oh dear! I shall be too late!”, instead of raising the security baseline of their company networks.

Bad Rabbit uses techniques similar to those of WannaCry and NotPetya to spread in networks: open SMB shares, Mimikatz-like ways to dump credentials from the affected systems, a hardcoded list of credentials, … For more technical details see this post from Malwarebytes Labs.

The methods to avoid this are well known and easy and cheap to implement:

  • Run a user awareness campaign.
  • Reduce the number of users and administrators working with permanent administrative privileges to zero. This is a leadership task!
  • Apply the measures to mitigate Pass-the-Hash attacks to all Windows systems and networks.
  • Limit the functionality of technical users to local systems and the lowest possible privileges. Use individual passwords, eliminate default passwords.
  • Review all firewall rules. Question every required connection. Limit the use of the SMB protocol as far as possible. Eliminate the use of unsecured protocols as far as possible. Patch the systems at the endpoints of firewall rules.

The above list is not exhaustive, but if implemented, the attacker’s ability to explore the network is clearly reduced.

It appears to me that everyone is waiting for Windows 10 to solve some of the issues. This, however, is the wrong approach. Windows 10 cannot be introduced with a big bang. In particular in the production, lab, and building automation domains, it will take a few years until we can shut down Windows XP/7 completely. And during these years, our networks are at risk.

So there is no time to lose. The White Rabbit returns.

Have a great week.

Why is the industry so vulnerable to WannaCry and NotPetya style attacks? Part II.

16 July 2017

In part one of this post I discussed the impact of the aging IT infrastructure on the industry’s vulnerability to WannaCry and NotPetya style attacks. Part II deals with the OS basics.

Built-in features of the Windows operating system

Windows is the hacker’s paradise. Not because of the endless stream of vulnerabilities; in my opinion, Microsoft does a good job in managing these. But because Windows is designed to support the efficient administration of networks with thousands of Windows workstations, servers, users and applications.

The authorization subsystem (Active Directory) allows the assignment of fine-grained permissions to users and groups for arbitrary resources, with the authorization check before access to a resource performed in near real-time. It is highly scalable, supporting a single office LAN as well as a segmented global network.

Built-in utilities like admin shares, WMI (Windows Management Instrumentation), netsh, ipconfig, and the net command enable administrators to query and change workstation, server and user settings across the network and support efficient software distribution and troubleshooting. Windows Server Update Services (WSUS) supports administrators in keeping known vulnerabilities patched.

Everything is of course scriptable with the Windows command shell, PowerShell and VBScript. All utilities can be leveraged to a certain extent by every user and fully by administrators.

And of course also by malware or cyber-criminals. Once a cyber-criminal has managed to get onto your network, e.g. with a RAT (Remote Access Toolkit), he can walk across your network and do his malicious work with just the built-in tools. A download of utilities from a C&C (Command and Control) server is not necessary. The cyber-criminal is therefore nearly invisible, and he will stay nearly invisible for a long time if he makes no errors.

The principle of least privilege is implemented in Windows at all levels of the OS stack. This is ensured by the Security Development Lifecycle (SDL), which has been Microsoft’s mandatory development policy since 2004. Thus, under normal conditions, the Windows built-in security features would limit the impact of malware.

Unfortunately, software failures cannot be avoided by the SDL because they are systemic errors: we build them right into the software during development. Once a process state triggers such a systemic error and someone finds a method to reproduce the error condition, the error becomes a vulnerability, e.g. MS17-010. This is no problem unless an exploit is published which allows a cyber-criminal to leverage the vulnerability, e.g. for privilege escalation. With this, he gets full access to all the built-in tools and to all processes, including the authorization subsystem.

But even if exploiting a vulnerability does not lead to privilege escalation, only some patience is needed. Just probe the network until a user is found who works with permanent administrative privileges. If such a session is hijacked, a cyber-criminal gets full access to all tools and to the authorization subsystem on the computer.

With administrative privileges, the attacker or malware can dump the authorization subsystem on the computer and extract either the password hashes or the clear-text passwords. The example below shows an extract created by mimikatz on a Windows 7 Enterprise Edition workstation.

C:\Program Files (x86)\mimikatz\x64>mimikatz
.#####.   mimikatz 2.1.1 (x64) built on Jun 18 2017 18:46:28
.## ^ ##.  "A La Vie, A L'Amour"
## / \ ##  /* * *
## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
'#####'                                     with 21 modules * * */
....

Authentication Id : 0 ; 315690 (00000000:0004d12a)
Session           : Interactive from 1
User Name         : kjochem
Domain            : WIN-2OLSA000OLM
Logon Server      : WIN-2OLSA000OLM
Logon Time        : 16.07.2017 21:31:24
SID               : S-1-5-21-3248755352-2707638487-1840279341-1000
msv :
[00000003] Primary
* Username : kjochem
* Domain   : WIN-2OLSA000OLM
* NTLM     : dd94b116548a739e24ad775193c2d13b <--- Password hash
....
wdigest :
* Username : kjochem
* Domain   : WIN-2OLSA000OLM
* Password : #Not very12strange! <--- Clear text password
kerberos :
* Username : kjochem
* Domain   : WIN-2OLSA000OLM
* Password : (null)
ssp :
credman :

The extracted passwords can be used for direct login to further systems, the password hashes for Pass-the-Hash attacks on further nodes. In either case the chance of detection is low since the attacker behaves like a normal user.

This is the way NotPetya works, the way other malware worked in the past, and the way it will work in future.

Windows is highly optimized to allow cost-effective operation of networks of thousands of computers. This leads automatically to misconfigurations, e.g. domain-based technical accounts with high privileges on all workstations and servers. In combination with users working with permanent administrative privileges, the cyber-criminal’s life is simplified.

What are mitigating measures?

The selection below makes no claim to be complete.

Migration to Windows 10.

Drop all old-style transport and authentication protocols during this process. Migration to Windows 10 is the first choice because the baseline security in Windows 10 is higher than in Windows 7. For example, the issue with the plain-text passwords in the authorization subsystem is gone. But this is not helpful in industry because we must deal with Windows 7 or Windows 2008 Server and old-style protocols for at least 5 to 10 years.

Short and mid-term mitigation measures.

  • Reduce the number of users working with permanent administrative rights to zero. This is a leadership task!
  • Implement priority patching of critical systems, especially for those on the perimeter to the production networks.
  • Review all firewall rules. Focus on required connections, limit the use of the SMB protocol as far as possible.
  • Review all technical users. Limit their functionality to the local systems and lowest possible privileges, if possible.
  • Roll out a security incident detection tool (SIEM) to all clients and servers. For example, the dumping of processes in the memory of a workstation or server is a clear indicator of a hacking attempt. Immediate action upon such events is required.
  • Implement privileged account and session management, in the best case with one-time passwords which are changed after the session ends.
  • Apply the measures to mitigate Pass-the-Hash attacks to all Windows networks. For details please see https://www.microsoft.com/en-us/download/details.aspx?id=36036.
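Two of the measures above, and the corresponding item in the Bad Rabbit post's list, in script form as an added example (not the author's code and not part of Microsoft's Pass-the-Hash guidance document): the first function removes the clear-text password that the wdigest section of the mimikatz extract above shows, the second verifies the setting, and the third looks for the "dumping of processes in memory" indicator from the SIEM item. It assumes an elevated PowerShell 3.0 or later; on Windows 7 / Server 2008 R2 the WDigest switch only exists after KB2871997 (Windows 8.1 / 2012 R2 and later ship with it), and the detection part assumes Sysmon is installed. The event IDs and registry value are Microsoft's; the time window and the access-mask test are this example's choices.

```powershell
# Added example (not the author's code): stop WDigest clear-text caching and look for
# processes reading LSASS memory. Elevated session assumed.
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Disable-WDigestCredentialCaching {
    # UseLogonCredential = 0 stops LSASS from keeping the clear-text password that the
    # "wdigest" block of the dump shows. Affects logons made after the change, so
    # existing sessions keep their cached secret until the user logs off.
    if (-not (Test-Path $wdigest)) { New-Item -Path $wdigest -Force | Out-Null }
    New-ItemProperty -Path $wdigest -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-WDigestCredentialCaching {
    # $true = clear-text caching may still be active. A missing value means "on" for
    # Windows 7/2008 R2 and "off" for 8.1 and later; treating "missing" as a finding is
    # the conservative reading on every version, and setting 0 explicitly settles it.
    $v = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    return ($null -eq $v -or $v -ne 0)
}

function Get-LsassAccessEvents {
    param([int]$Hours = 24)
    # Sysmon event 10 (ProcessAccess) with lsass.exe as the target. Reading another
    # process's memory needs PROCESS_VM_READ (0x0010); any access mask that includes it
    # is reported. Sysmon writes GrantedAccess as a hex string such as 0x1010.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetImage -notlike '*\lsass.exe') { return }
        $granted = [Convert]::ToInt32($d.GrantedAccess, 16)
        if ($granted -band 0x10) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Source  = $d.SourceImage
                Access  = $d.GrantedAccess
                Target  = $d.TargetImage
            }
        }
    }
}

Disable-WDigestCredentialCaching
"WDigest clear-text caching still possible: $(Test-WDigestCredentialCaching)"
# A handful of system and security processes (e.g. the AV engine) legitimately read
# LSASS; build an allow-list of their SourceImage paths from a clean baseline and alert
# on everything else.
Get-LsassAccessEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

The WDigest change is the Windows 7 stand-in for the Windows 10 improvement the next paragraph mentions; it does nothing against NTLM hashes, which still need the Pass-the-Hash measures (no permanent admin rights, no shared local administrator passwords, network logon denied for local accounts). The Sysmon query is deliberately simple; in a SIEM the same logic is one rule keyed on event 10, the lsass.exe target and the 0x10 bit.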

Long-term measures.

  • Microsoft should build a production friendly Windows with limited functionality. This Windows should have a much smaller attack surface than the standard multi-purpose Windows systems of today.
  • The dependency on the SMB protocol for exchange of data between the office and the production networks should be reduced, in the best case to zero.

Have a great week!

Why is the industry so vulnerable to WannaCry and NotPetya style attacks? Part I

9 July 2017

“Germany’s BSI federal cyber agency said on Friday that the threat posed to German firms by recent cyber attacks launched via a Ukrainian auditing software was greater than expected, and some German firms had seen production halted for over a week.” The report “Germany says cyber threat greater than expected, more firms affected” published in the Reuters Technology News on 7 July 2017 is worth reading.

But the big question is: why is the industry so vulnerable to WannaCry and NotPetya style attacks?

In my opinion, the main reasons for this are

  • the aging IT infrastructure, and
  • the built-in features of the Windows operating system.

Aging IT infrastructure

SMB Version   Introduced with Version        Year of Release
V1.0          Windows 2000                   2000
              Windows XP / 2003 Server       2001 / 2003
V2.0          Windows Vista / 2008 Server    2007 / 2008
              Windows 7 / 2008 Server R2     2009
V3.0          Windows 8 / 2012 Server        2012
              Windows 10 / 2016 Server       2015 / 2016

Table 1: SMB Versions

The source of today’s problems, SMB V1.0, was introduced with Windows 2000. With the end of extended support for Windows XP on 8 April 2014 and for Windows 2003 Server on 14 July 2015, Windows XP/2003 Server became a big security issue.

Nevertheless, systems with XP or Windows 2003 Server are still operated in data centers and industrial networks. Since these systems must exchange data with other Windows-based systems, SMB V1.0 cannot be just switched off. Even Windows systems which support SMB V2.0 or higher must allow SMB V1.0 for data exchange with older versions.
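Because SMB V1.0 cannot simply be switched off while XP-era systems still depend on it, the practical first step is to find out which clients still use it. The following is an added example (not the author's code) that serves this paragraph and the "limit the use of the SMB protocol" items in the Bad Rabbit and Part II lists: it turns on the SMB1 access audit, lists the client addresses seen during a grace period, and disables SMB1 only when that list is empty. It assumes an elevated PowerShell with the SmbShare module on Windows Server 2016 / Windows 10 (older Server releases may need an update for the audit switch; Windows 7 / 2008 R2 and XP / 2003 have neither, which is exactly the table's problem). The 14-day window and the regular expression over the event text are this example's choices.

```powershell
# Added example (not the author's code): audit SMB1 clients first, disable SMB1 second.
function Enable-Smb1Audit {
    # Logs every SMB1 session to Microsoft-Windows-SMBServer/Audit (event ID 3000)
    # without changing what the server accepts.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 14)
    # One row per client address seen using SMB1 in the window; these are the
    # XP/2003-era control stations, MES hosts or maintenance laptops the post describes.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The address (with source port) sits in the event text; the text layout is
        # Microsoft's, the regular expression is this example's.
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
    } |
    Group-Object |
    Select-Object @{ n = 'Client'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
}

function Disable-Smb1 {
    # Server side: stop offering SMB1. Then remove the component so that this host can
    # no longer be talked down to SMB1 as a client either. Feature names differ between
    # Server (FS-SMB1) and client editions (SMB1Protocol).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue) {
        Remove-WindowsFeature FS-SMB1 | Out-Null
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Day 0: switch the audit on. Day 14: review the client list. Only when it is empty, or
# every listed client has been migrated or moved behind a dedicated gateway share, is
# SMB1 disabled.
Enable-Smb1Audit
$clients = Get-Smb1Clients -Days 14
if (-not $clients) {
    Disable-Smb1
} else {
    $clients | Format-Table -AutoSize
}
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
```

Run the audit on the file servers that the production and office networks share, not only on workstations: those servers are where an XP control station or an MES host shows up as a client, and the resulting list is the migration backlog the rest of this post is about. Disabling SMB1 on a server that an XP machine still depends on stops the data exchange outright, so the list has to be empty before the last step.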

The big question is: why does it take so long to shut down Windows XP/2003 Server? The answer is easy: software and hardware manufacturers have not sufficiently cared about the software life cycle, at least in the past. Let me illustrate this with an example.

A packaging unit in the healthcare industry is a large machine with lots of built-in computers. Since packaging units are very expensive, they are operated for many years and extensively modified to support new products. With this, a packaging unit delivered in 2008 with embedded Windows XP control units may still be in use 24 hours a day in 2017.

The hardware of the computers is designed to control a high-speed packaging process. To ensure sustained high operational quality the manufacturer often allows neither the installation of anti-malware software nor service packs for the OS, not to mention the upgrade to newer versions of the Windows OS.

Since the MES (Manufacturing Execution System) copies files to and from the packaging unit through file shares on the embedded Windows XP control stations, the MES must communicate through the SMB V1.0 protocol. The same is true for computers used in remote maintenance. With this, a single Windows XP machine reduces the security level of an entire network.

The big challenge is to design maintenance-friendly industrial computer systems: an exchange of hardware and software components which are near end-of-life or which have reached technical limits must be easily possible. This requires a change in the design of software in industry. In addition, hardware should be dimensioned such that basic security features like anti-malware protection can be operated.

In the past, manufacturers were often not aware of the software lifecycle and its impact on cyber security and on the integrity of product and production. A change is desperately needed, in particular with regard to the increased use of IIoT devices.

Have a great week.

Chernobyl hit by Petya/NotPetya

2 July 2017

The short post New Ransomware Crippling Chernobyl Sensors, published on 28 June 2017 by Jack Laidlaw at HACKADAY, deeply frightened me. I was relieved to read that no Industrial Control Systems (ICS) were affected.

Figure: ICS at the Chernobyl Power Plant. Picture Credits: Chernobyl NPP Press Center, chnpp.gov.ua

The following press statement was published on the power plant’s homepage:

As of 27.06.2017 due to the cyber attack: the SSE ChNPP’s official website was not accessible, servers for controlling the local area network and auxiliary systems of SSE ChNPP information resources (mail server, file-sharing servers, Internet resources’ access server, electronic document flow system server) were switched off. There was partial failure in operation of personal computers of workplaces of operators of individual radiation monitoring systems without loss of the control function as a whole.

From the recent cyber-attacks on industrial systems we know that the attacks always start in the office network of a production site. Once an office computer is hijacked, the cyber criminals use it as a base to probe the network further until they find a weakness in the network configuration which allows them to attack the production network.

Thus, we should not take this matter lightly. In my opinion, the production network of nuclear power plants must be fully isolated from the office network, and the internet. Period.

Have a good week.