Tag Archives: PETYA

Windows AppLocker – The almost forgotten IT security workbench

5 January 2019

Dridex[1], Emotet[2], Locky[3], Destover[4], Petya[5], NotPetya, etc. share one feature: they are droppers[6]. A dropper installs malware on a target system and then executes it.

Droppers are delivered mainly by e-mail through phishing or spear-phishing attacks. Since they are continuously refined to evade malware detection, the fight against droppers never stops.

The Achilles heel of droppers is that they are executed in the context of the current user during delivery. As a result, the dropped malware can only be stored in locations where the user has modify privileges, e.g. the user’s home directory.

Seven Phases Cyber Kill Chain

If we can prevent the execution of objects from, e.g., the user’s home directory, the dropper can never execute the installed malware. This blocks the malware during the delivery / exploitation phase of the Cyber Kill Chain, before the attacker becomes persistent in our network.

That is the idea behind Windows AppLocker[7]. The AppLocker default rules allow the execution of programs, scripts and DLLs only from trusted directories, e.g. C:\Program Files, C:\Program Files (x86), or C:\Windows. If activated, AppLocker stops the execution of programs and scripts outside these trusted directories and thus Dridex, Emotet, Locky, Destover, etc.

But AppLocker does more than block droppers. DLL injection is prevented if DLL rules are enforced. I strongly recommend enforcing the DLL rules from the start. Drive-by downloads, PUA, PUP and adware are blocked. Even the exploitation of zero-days like the latest Adobe PDF security flaw, CVE-2018-16011[8], can be mitigated. The entire network becomes more resilient against cyber attacks.

AppLocker is perfectly suited to enhance the resilience against cyber attacks in production networks and critical infrastructures. In GxP regulated industries in particular, AppLocker is worth a look. Since AppLocker is integrated in the Windows OS, validation of a third-party white-listing application is not required.

AppLocker can be enforced on Windows Enterprise Edition installations (starting with Windows 7) with local group policies. To lower the administrative effort, it is recommended to join the computers to a domain and enforce the AppLocker rules through group policies.

Unfortunately, Microsoft undermines the AppLocker approach with tools like Teams and OneDrive. Both are installed in user context and are therefore blocked by AppLocker. Since AppLocker allows the definition of exceptions and their rollout with group policies, such applications can be handled with manageable effort.

Besides modern applications, at least two cyber security sins reduce the effectiveness of AppLocker.

  • Users work with permanent admin privileges.

In this case the dropper can install the malware in trusted directories. Working with permanent admin privileges is one of the deadly sins of IT security and should be avoided anyway.

  • Users have modify access to trusted directories and files.

Check trusted directories and files with AccessEnum. If objects can be modified by users, either change the ACLs or define an AppLocker exception for them.
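The check for user-writable trusted directories can also be scripted. The following PowerShell is an added example, not part of the original post; the list of well-known SIDs treated as ordinary users and the set of write-type access bits are assumptions to adapt to your environment.

```powershell
# Added example (not from the original post). Lists directories below the
# AppLocker default-rule paths that ordinary users can write to.
# Run elevated so that every ACL can be read.

$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Assumption: these well-known SIDs cover non-admin users on this host:
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$userSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# Access bits that let a user plant or replace a file in the directory:
# WriteData/CreateFiles, AppendData/CreateDirectories, WRITE_DAC, WRITE_OWNER,
# plus GENERIC_WRITE and GENERIC_ALL, which Get-Acl can report unmapped.
$writeMask   = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = foreach ($root in $trustedRoots) {
    $dirs = @(Get-Item -LiteralPath $root -Force) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { continue }   # ACL not readable: skip this directory

        # Resolve identities to SIDs so the check works on localized systems
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow')                   { continue }
            if ($userSids -notcontains $ace.IdentityReference.Value)  { continue }
            # Inherit-only ACEs do not apply to this directory itself
            if (($ace.PropagationFlags -band $inheritOnly) -ne 0)     { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0)  { continue }

            [pscustomobject]@{
                Path      = $dir.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Each row is a directory that needs an ACL change or an AppLocker exception
$findings | Sort-Object Path, Sid | Format-Table -AutoSize -Wrap
```

The script only reads ACLs and changes nothing. It covers directories, not individual files, so a file-level check with AccessEnum is still needed.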

AppLocker provides great capabilities to enhance the resilience of organizations against cyber attacks. Just give it a try in 2019.

Have a great weekend.


References

  1. Proofpoint Threat Insight. High-Volume Dridex Banking Trojan Campaigns Return [Internet]. 2017 [cited 2018 Dec 29]. Available from: https://www.proofpoint.com/us/threat-insight/post/high-volume-dridex-campaigns-return
  2. Villaroman BC. Spoofed Banking Emails Arrive with EMOTET Malware [Internet]. TrendMicro Threat Encyclopedia. 2018 [cited 2019 Jan 4]. Available from: http://www.trendmicro.tw/vinfo/tr/threat-encyclopedia/spam/677/spoofed-banking-emails-arrive-with-emotet-malware
  3. Avast Threat Intelligence Team. A closer look at the Locky ransomware [Internet]. Avast Blog. 2016 [cited 2018 Dec 29]. Available from: https://blog.avast.com/a-closer-look-at-the-locky-ransomware
  4. Gallagher S. Inside the “wiper” malware that brought Sony Pictures to its knees [Update] [Internet]. Ars Technica. 2014 [cited 2018 Dec 29]. Available from: https://arstechnica.com/information-technology/2014/12/inside-the-wiper-malware-that-brought-sony-pictures-to-its-knees/
  5. Malwarebytes Labs. Keeping up with the Petyas: Demystifying the malware family [Internet]. Malwarebytes Labs. 2017 [cited 2018 Dec 29]. Available from: https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/
  6. Rouse M. What is dropper? – Definition from WhatIs.com [Internet]. WhatIs.com. 2015 [cited 2019 Jan 5]. Available from: https://whatis.techtarget.com/definition/dropper
  7. Lich B, Poggemeyer L, Justinha. AppLocker (Windows 10) [Internet]. Windows IT Pro Center. 2017 [cited 2019 Jan 5]. Available from: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview
  8. The Hacker News. Adobe Issues Emergency Patches for Two Critical Flaws in Acrobat and Reader [Internet]. Vulners Database. 2019 [cited 2019 Jan 4]. Available from: https://vulners.com/thn/THN:ADE75E1067458A6BD1C6FB7BD78E697D/

Chernobyl hit by Petya/NotPetya

2 July 2017

The short post New Ransomware Crippling Chernobyl Sensors published on 28 June 2017 by Jack Laidlaw at HACKADAY deeply frightened me. I was relieved to read that no Industrial Control Systems (ICS) were affected.

ICS at the Chernobyl Power Plant. Picture Credits: Chernobyl NPP Press Center, chnpp.gov.ua

The following press statement was published on the power plant's homepage:

As of 27.06.2017 due to the cyber attack: the SSE ChNPP’s official website was not accessible, servers for controlling the local area network and auxiliary systems of SSE ChNPP information resources (mail server, file-sharing servers, Internet resources’ access server, electronic document flow system server) were switched off. There was partial failure in operation of personal computers of workplaces of operators of individual radiation monitoring systems without loss of the control function as a whole.

From the recent cyber-attacks on industrial systems we know that the attacks always start in the office network of a production site. Once an office computer is hijacked, the cyber criminals use it as a base to further probe the network until they find a weakness in the network configuration which allows them to attack the production network.

Thus, we should not take this matter lightly. In my opinion, the production network of nuclear power plants must be fully isolated from the office network, and the internet. Period.

Have a good week.