Archive

Archive for the ‘vulnerabilities’ Category

Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise

June 30th, 2021 No comments

The continuous improvement of security solutions has forced attackers to explore alternative ways to compromise systems. The rising number of firmware attacks and ransomware attacks via VPN devices and other internet-facing systems are examples of attacks initiated outside and below the operating system layer. As these types of attacks become more common, users must look to secure even the single-purpose software that run their hardware—like routers. We have recently discovered vulnerabilities in NETGEAR DGN-2200v1 series routers that can compromise a network’s security—opening the gates for attackers to roam untethered through an entire organization.

We discovered the vulnerabilities while researching device fingerprinting in the new device discovery capabilities in Microsoft Defender for Endpoint. We noticed a very odd behavior: a device owned by a non-IT personnel was trying to access a NETGEAR DGN-2200v1 router’s management port. The communication was flagged as anomalous by machine learning models, but the communication itself was TLS-encrypted and private to protect customer privacy, so we decided to focus on the router and investigate whether it exhibited security weaknesses that can be exploited in a possible attack scenario.

In our research, we unpacked the router firmware and found three vulnerabilities that can be reliably exploited. We shared our findings with NETGEAR through coordinated vulnerability disclosure via Microsoft Security Vulnerability Research (MSVR), and worked closely with NETGEAR security and engineering teams to provide advice on mitigating these issues while maintaining backward compatibility. The critical security issues (those with CVSS Score: 7.1 – 9.4) have been fixed by NETGEAR. See NETGEAR’s Security Advisory for Multiple HTTPd Authentication Vulnerabilities on DGN2200v1.

We are sharing details from our research with the broader community to emphasize the importance of securing the full range of platforms and devices, including IoT, and how cross-domain visibility continues to help us uncover new and unknown threats to continually improve security.

Obtaining and unpacking the firmware

The firmware was available from the vendor’s website, making it easier for us to obtain a copy for examination. It is a simple .zip file containing release notes (.html) and the firmware image itself (.chk file). Running binwalk on the .chk file ended up extracting the filesystem (squash-fs).

Screenshot of command line showing extraction of filesystem from the firmware

Figure 1. Extracting the filesystem from the firmware

The filesystem itself is a standard Linux root filesystem, with some minor additions. The relevant ones for our research are:

  1. /www – contains html pages and .gif pictures
  2. /usr/sbin – contains various custom binaries by NETGEAR, including HTTPd, FTPC, and others

Since we saw the anomalous communication use the standard port that HTTPd serves, we focused on HTTPd. The HTTPd itself is a 32-bit big-endian MIPS ELF, compiled against uClibc (the standard libc for embedded devices), stripped. It seems the entire server-side logic (CGI) was compiled into the HTTPd.

Screenshot of commandl ine showing HTTPd information

Figure 2. HTTPd information with some symbols

Exploration

When exploring an embedded web service, the first few questions that come to mind are:

  1. Does the web service present some pages without authentication? If so, how are they governed?
  2. How does the web service perform authentication?
  3. Does the web service handle requests correctly (that is, with no memory corruption bugs)?
  4. Does the web service implement certain security measurements, such as (anti-) cross-site request forgery tokens or Content Security Policy?

To answer these questions, we performed a static analysis of the HTTPd binary, along with some dynamic analysis by running QEMU, an open-source emulator, and hooking the specialized invocations (for example, NVRAM getters and setters).

Vulnerabilities in DGN-2200v1 routers

Accessing router management pages using authentication bypass

While examining how HTTPd dictates which pages should be served without authentication, we found the following pseudo code:

Screenshot of code showing pseudo code in HTTPd

Figure 3. Pseudo code in HTTPd

This code is the first page handling code inside HTTPd, and it automatically approved certain pages such as form.css or func.js. While there is no harm in approving those pages, one thing that stood out was the fact that NETGEAR decided to use strstr to check if a page has “.jpg”, “.gif” or “ess_” substrings, trying to match the entire URL.

We can therefore access any page on the device, including those that require authentication, by appending a GET variable with the relevant substring (like “?.gif”). For example: hxxps://10[.]0[.]138/WAN_wan.htm?pic.gif. This is a complete and fully reliable authentication bypass.

Deriving saved router credentials via a cryptographic side-channel

At this stage, we already had complete control over the router, but we continued investigating how the authentication itself was implemented.

If a page had to be authenticated, HTTPd would require HTTP basic authentication. The username and password would be encoded as a base64 string (delimited by a colon), sent in the HTTP header, and finally verified against the saved username and password in the router’s memory. The router stores this information (along with the majority of its configuration) in NVRAM, that is, outside the filesystem that we had extracted.

However, when we examined the authentication itself, we discovered a side-channel attack that can let an attacker get the right credentials:

Screenshot of code showing authentication process

Figure 4. Authentication process

Note that the username and the password are compared using strcmp. The libc implementation of strcmp works by comparing character-by-character until a NUL terminator is observed or until a mismatch happens.

An attacker could take advantage of the latter by measuring the time it takes to get a failure. For example, when measuring the times of the first character, we get the following graph:

Column graph showing time of reply per character attempt

Figure 5. Time of reply per character attempt

This indicates that the first character is “n”. An attacker could repeat this process (“na”, “nb”, “nc” and so on) to get the second character, until the entire username and password is revealed.

We recommended to NETGEAR that they can avoid such attacks by performing XOR-based memory comparison, as such:

Screenshot of code showing XOR-based memory comparison

Figure 6. XOR-based memory comparison

This function continues even upon a byte mismatch. Similar approaches can be seen in cryptography secure libraries, such as OpenSSL’s CRYPTO_memcmp.

Retrieving secrets stored in the device

After using the first authentication bypass vulnerability, we still wanted to see if we could recover the username and the password used by the router using other existing weaknesses. To that end, we decided to use the router’s configuration backup\restore feature. We can abuse the authentication bypass mentioned earlier to simply get the file: hxxp://router_addr:8080/NETGEAR_DGN2200[.]cfg?pic[.]gif.

The file itself has high entropy, which suggests it was either compressed or encrypted so we couldn’t read it directly. Additionally, binwalk did not produce any meaningful results:

Screenshot of command line showing high-entropy configuration file

Figure 7. High-entropy configuration file

Our suspicion became real when we reverse-engineered the backup\restore functionality:

Screenshot of code showing constant password used for DES encryption

Figure 8. Constant password used for DES encryption

After some preparatory steps, the contents are DES-encrypted with a constant key “NtgrBak”. This allows an attacker to get the plaintext password (which is stored in the encrypted NVRAM) remotely. The user name, which can very well be variations of ‘admin’, can be retrieved the same way.

Enhancing router security through CVD and threat intelligence-sharing

As modern operating system security continues to advance, attackers are forced to look for alternative ways to compromise networks, and network devices such as routers are a prime candidate. This makes an endpoint discovery solution a critical asset to any security operations.

The new endpoint and network device discovery capability in Microsoft Defender for Endpoint locates unmanaged devices to ensure organizations have comprehensive visibility into their environment. This lets security operators detect anomalous network activity, in this case, the attacker’s anomalous connection to the router’s management port.

Screenshot of Microsoft 365 Defender showing Device inventory

Figure 9. Device inventory in Microsoft 365 Defender

In addition, with ReFirm Labs recently joining Microsoft, we continue to enrich our firmware analysis and security capabilities across devices. ReFirm’s firmware analysis technology will enhance existing capabilities to detect firmware vulnerabilities and help secure IoT and OT devices via Azure Defender for IoT.

With this research, we have shown how a simple anomalous connection to a router, found through the endpoint discovery service, drove us to find several vulnerabilities on a popular router.

Routers are integral to networking, so it is important to secure the programs supporting its functions. Collaboration between vulnerability researchers, software vendors and other players is crucial to helping secure the overall user experience. This includes disclosing vulnerabilities to vendors under the guiding principles of Coordinated Vulnerability Disclosure (CVD). We would like to thank the NETGEAR security and engineering teams for their cooperation.

Learn how Microsoft Defender for Endpoint delivers a complete endpoint security solution that covers preventative protection, post-breach detection, automated investigation, and response.

 

Jonathan Bar Or

Microsoft 365 Defender Research Team

 

 

The post Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise appeared first on Microsoft Security Blog.

Analyzing attacks taking advantage of the Exchange Server vulnerabilities

March 25th, 2021 No comments

Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat actors ranging from financially motivated cybercriminals to state-sponsored groups. To help customers who are not able to immediately install updates, Microsoft released a one-click tool that automatically mitigates one of the vulnerabilities and scans servers for known attacks. Microsoft also built this capability into Microsoft Defender Antivirus, expanding the reach of the mitigation. As of today, we have seen a significant decrease in the number of still-vulnerable servers – more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities.

As organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat actors from affected environments. Today, we are sharing intelligence about what some attackers did after exploiting the vulnerable servers, ranging from ransomware to data exfiltration and deployment of various second-stage payloads. This blog covers:

  • Threat intelligence and technical details about known attacks, including components and attack paths, that defenders can use to investigate whether on-premises Exchange servers were compromised before they were patched and to comprehensively respond to and remediate these threats if they see them in their environments.
  • Detection and automatic remediation built into Microsoft Defender Antivirus and how investigation and remediation capabilities in solutions like Microsoft Defender for Endpoint can help responders perform additional hunting and remediate threats.

Although the overall numbers of ransomware have remained extremely small to this point, it is important to remember that these threats show how quickly attackers can pivot their campaigns to take advantage of newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible. We strongly urge organizations to identify and update vulnerable on-premises Exchange servers, and to follow mitigation and investigation guidance that we have collected and continue to update here: https://aka.ms/ExchangeVulns.

Mitigating post-exploitation activities

The first known attacks leveraging the Exchange Server vulnerabilities were by the nation-state actor HAFNIUM, which we detailed in this blog. In the three weeks after the Exchange server vulnerabilities were disclosed and the security updates were released, Microsoft saw numerous other attackers adopting the exploit into their toolkits. Attackers are known to rapidly work to reverse engineer patches and develop exploits. In the case of a remote code execution (RCE) vulnerability, the rewards are high for attackers who can gain access before an organization patches, as patching a system does not necessarily remove the access of the attacker.

Figure 1. The Exchange Server exploit chain

In our investigation of the on-premises Exchange Server attacks , we saw systems being affected by multiple threats. Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions. These actions might involve performing follow-on attacks via persistence on Exchange servers they have already compromised, or using credentials and data stolen during these attacks to compromise networks through other entry vectors.

Attackers who included the exploit in their toolkits, whether through modifying public proof of concept exploits or their own research, capitalized on their window of opportunity to gain access to as many systems as they could. Some attackers were advanced enough to remove other attackers from the systems and use multiple persistence points to maintain access to a network.

We have built protections against these threats into Microsoft security solutions. Refer to the Appendix for a list of indicators of compromise, detection details, and advanced hunting queries. We have also provided additional tools and investigation and remediation guidance here: https://aka.ms/exchange-customer-guidance.

While performing a full investigation on systems is recommended, the following themes are common in many of the attacks. These are prevailing threat trends that Microsoft has been monitoring, and existing solutions and recommendations for prevention and mitigation apply:

  • Web shells – As of this writing, many of the unpatched systems we observed had multiple web shells on them. Microsoft has been tracking the rise of web shell attacks for the past few years, ensuring our products detect these threats and providing remediation guidance for customers. For more info on web shells, read Web shell attacks continue to rise. We have also published guidance on web shell threat hunting with Azure Sentinel.
  • Human-operated ransomware – Ransomware attacks pose some of the biggest security risks for organizations today, and attackers behind these attacks were quick to take advantage of the on-premises Exchange Server vulnerabilities. Successfully exploiting the vulnerabilities gives attackers the ability to launch human-operated ransomware campaigns, a trend that Microsoft has been closely monitoring. For more information about human-operated ransomware attacks, including Microsoft solutions and guidance for improving defenses, read: Human-operated ransomware attacks.
  • Credential theft – While credential theft is not the immediate goal of some of these attacks, access to Exchange servers allowed attackers to access and potentially steal credentials present on the system. Attackers can use these stolen credentials for follow-on attacks later, so organizations need to prioritize identifying and remediating impacted identities. For more information, read best practices for building credential hygiene.

In the following sections, we share our analysis of known post-compromise activities associated with exploitation of the Exchange server vulnerabilities because it is helpful to understand these TTPs, in order to defend against other actors using similar tactics or tools. While levels of disruptive post-compromise activity like ransomware may be limited at the time of this writing, Microsoft will continue to track this space and share information with the community. It’s important to note that with some post-compromise techniques, attackers may gain highly privileged persistent access, but many of the impactful subsequent attacker activities can be mitigated by practicing the principle of least privilege and mitigating lateral movement.

DoejoCrypt ransomware

DoejoCrypt was the first ransomware to appear to take advantage of the vulnerabilities, starting to encrypt in limited numbers shortly after the patches were released. Ransomware attackers often use multiple tools and exploits to gain initial access, including purchasing access through a broker or “reseller” who sells access to systems they have already compromised. The DoejoCrypt attacks start with a variant of the Chopper web shell being deployed to the Exchange server post-exploitation.

The web shell writes a batch file to C:\Windows\Temp\xx.bat. Found on all systems that received the DoejoCrypt ransomware payload, this batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA Secrets portion of the registry, where passwords for services and scheduled tasks are stored.

Figure 2. xx.bat

Given configurations that administrators typically use on Exchange servers, many of the compromised systems are likely to have had at least one service or scheduled task configured with a highly privileged account to perform actions like backups. As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection, as the account can be used to elevate privileges later, which is why we strongly recommend operating under the principle of least privileged access.

The batch file saves the registry hives to a semi-unique location, C:\windows\temp\debugsms, assembles them into a CAB file for exfiltration, and then cleans up the folders from the system. The file also enables Windows Remote Management and sets up an HTTP listener, indicating the attacker might take advantage of the internet-facing nature of an Exchange Server and use this method for later access if other tools are removed.

Figure 3. xx.bat actions

The xx.bat file has been run on many more systems than have been ransomed by the DoejoCrypt attacker, meaning that, while not all systems have moved to the ransom stage, the attacker has gained access to multiple credentials. On systems where the attacker moved to the ransom stage, we saw reconnaissance commands being run via the same web shell that dopped the xx.bat file (in this instance, a version of Chopper):

Figure 4. DoejoCrypt recon command

After these commands are completed, the web shell drops a new payload to C:\Windows\Help which, like in many human-operated ransomware campaigns, leads to the attack framework Cobalt Strike. In observed instances, the downloaded payload is shellcode with the file name new443.exe or Direct_Load.exe. When run, this payload injects itself into notepad.exe and reaches out to a C2 to download Cobalt Strike shellcode.

Figure 5. DoejoCrypt ransomware attack chain

During the hands-on-keyboard stage of the attack, a new payload is downloaded to C:\Windows\Help with names like s1.exe and s2.exe. This payload is the DoejoCrypt ransomware, which uses a .CRYPT extension for the newly encrypted files and a very basic readme.txt ransom note. In some instances, the time between xx.bat being dropped and a ransomware payload running was under half an hour.

Figure 6. DoejoCrypt ransom note

While the DoejoCrypt payload is the most visible outcome of this attackers’ actions, the access to credentials they have gained could serve them for future campaigns if organizations do not reset credentials on compromised systems. An additional overlapping activity observed on systems where xx.bat was present and the attackers were able to get Domain Administrator rights was the running of scripts to snapshot Active Directory with ntdsutil—an action that, if executed successfully, could give the attackers access to all the passwords in Active Directory from a single compromised system.

Lemon Duck botnet

Cryptocurrency miners were some of the first payloads we observed being dropped by attackers from the post-exploit web shells. In the first few days after the security updates were released, we observed multiple cryptocurrency miner campaigns, which had been previously targeting SharePoint servers, add Exchange Server exploitation to their repertoire. Most of these coin miners were variations on XMRig miners, and many arrived via a multi-featured implant with the capability to download new payloads or even move laterally.

Lemon Duck, a known cryptocurrency botnet named for a variable in its code, dove into the Exchange exploit action, adopting different exploit styles and choosing to use a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks. While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.

Using a form of the attack that allows direct execution of commands versus dropping a web shell, the Lemon Duck operators ran standard Invoke Expression commands to download a payload. Having used the same C2 and download servers for some time, the operators applied a varied degree of obfuscation to their commands on execution.

Fig 7. Example executions of Lemon Duck payload downloads

The Lemon Duck payload is an encoded and obfuscated PowerShell script. It first removes various security products from the system, then creates scheduled tasks and WMI Event subscription for persistence. A second script is downloaded to attempt to evade Microsoft Defender Antivirus, abusing their administrative access to run the Set-MPPreference command to disable real-time monitoring (a tactic that Microsoft Defender Tamper protection blocks) and add scanning exclusions for the C:\ drive and the PowerShell process.

Figure 8. Lemon Duck payloads

One randomly named scheduled task connects to a C2 every hour to download a new payload, which includes various lateral movement and credential theft tools. The operators were seen to download RATs and information stealers, including Ramnit payloads.

Figure 9. Lemon Duck post-exploitation activities

In some instances, the operators took advantage of having compromised mail servers to access mailboxes and send emails containing the Lemon Duck payload using various colorful email subjects.

Figure 10. Email subjects of possibly malicious emails

Figure 11. Attachment variables

In one notable example, the Lemon Duck operators compromised a system that already had xx.bat and a web shell. After establishing persistence on the system in a non-web shell method, the Lemon Duck operators were observed cleaning up other attackers’ presence on the system and mitigating the CVE-2021-26855 (SSRF) vulnerability using a legitimate cleanup script that they hosted on their own malicious server. This action prevents further exploitation of the server and removes web shells, giving Lemon Duck exclusive access to the compromised server. This stresses the need to fully investigate systems that were exposed, even if they have been fully patched and mitigated, per traditional incident response process.

Pydomer ransomware

While DoejoCrypt was a new ransomware payload, the access gained by attackers via the on-premises Exchange Server vulnerabilities will likely become part of the complex cybercriminal economy where additional ransomware operators and affiliates take advantage of it. The first existing ransomware family to capitalize on the vulnerabilities was Pydomer. This ransomware family was previously seen using vulnerabilities in attacks, notably taking advantage of Pulse Secure VPN vulnerabilities, for which Pulse Secure has released security patches, to steal credentials and perform ransomware attacks.

In this campaign, the operators scanned and mass-compromised unpatched Exchange Servers to drop a web shell. They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available. They then dropped a web shell, with a notable file name format: “Chack[Word][Country abbreviation]”:

Figure 12. Example web shell names observed being used by the Pydomer attackers

These web shells were observed on around 1,500 systems, not all of which moved to the ransomware stage. The attackers then used their web shell to dump a test.bat batch file that performed a similar function in the attack chain to the xx.bat of the DoejoCrypt operators and allowed them to perform a dump of the LSASS process.

Figure 13. Pydomer post-exploitation activities

This access alone would be valuable to attackers for later attacks, similar to the credentials gained during their use of Pulse Secure VPN vulnerabilities. The highly privileged credentials gained from an Exchange system are likely to contain domain administrator accounts and service accounts with backup privileges, meaning these attackers could perform ransomware and exfiltration actions against the networks they compromised long after the Exchange Server is patched and even enter via different means.

On systems where the attackers did move to second-stage ransomware operations, they utilized a Python script compiled to an executable and the Python cryptography libraries to encrypt files. The attackers then executed a PowerShell script via their web shell that acts as a downloader and distribution mechanism for the ransomware.

Figure 14. PowerShell downloader and spreader used to get the Pydomer payload

The script fetches a payload from a site hosted on a domain generation algorithm (DGA) domain, and attempts to spread the payload throughout the network, first attempting to spread the payload over WMI using Invoke-WMIMethod to attempt to connect to systems, and falling back to PowerShell remoting with Enter-PSSession if that fails. The script is run within the context of the web shell, which in most instances is Local System, so this lateral movement strategy is unlikely to work except in organizations that are running highly insecure and unrecommended configurations like having computer objects in highly privileged groups.

The Pydomer ransomware is a Python script compiled to an executable and uses the Python cryptography libraries to encrypt files. The ransomware encrypts the files and appends a random extension, and then drops a ransom note named decrypt_file.TxT.

Figure 15. Pydomer ransom note

Interestingly, the attackers seem to have deployed a non-encryption extortion strategy. Following well-known ransomware groups like Maze and Egregor which leaked data for pay, the Pydomer hackers dropped an alternative readme.txt onto systems without encrypting files. This option might have been semi-automated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration. The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data.

Figure 16. Pydomer extortion readme.txt

Credential theft, turf wars, and dogged persistence

If a server is not running in a least-privilege configuration, credential theft could provide a significant return on investment for an attacker beyond their initial access to email and data. Many organizations have backup agent software and scheduled tasks running on these systems with domain admin-level permissions. For these organizations, the attackers might be able to harvest highly privileged credentials without lateral movement, for example, using the COM services DLL as a living-off-the-land binary to perform a dump of the LSASS process:

Figure 17. Use of COM services DLL to dump LSASS process

The number of observed credential theft attacks, combined with high privilege of accounts often given to Exchange servers, means that these attacks could continue to impact organizations that don’t fully remediate after a compromise even after patches have been applied. While the observed ransomware attempts were small-scale or had errors, there is still the possibility of more skillful groups utilizing credentials gained in these attacks for later attacks.

Attackers also used their access to perform extensive reconnaissance using built-in Exchange commandlets and dsquery to exfiltrate information about network configurations, user information, and email assets.

While Lemon Duck operators might have had the boldest method for removing other attackers from the systems they compromised, they were not the only attacker to do so. Others were observed cleaning up .aspx and .bat files to remove other attackers, and even rebuilding the WMI database by deleting .mof files and restarting the service. As the window on unpatched machines closes, attackers showed increased interest in maintaining the access to the systems they exploited. By utilizing “malwareless” persistence mechanisms like enabling RDP, installing Shadow IT tools, and adding new local administrator accounts, the attackers are hoping to evade incident response efforts that might focus exclusively on web shells, AV scans, and patching.

Defending against exploits and post-compromise activities

Attackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates. Comprehensive mitigation guidance can be found here: https://aka.ms/ExchangeVulns.

As seen in the post-exploitation attacks discussed in this blog, the paths that attackers can take after successfully exploiting the vulnerabilities are varied and wide-ranging. If you have determined or have reason to suspect that these threats are present on your network, here are immediate steps you can take:

  • Investigate exposed Exchange servers for compromise, regardless of their current patch status.
  • Look for web shells via our guidance and run a full AV scan using the Exchange On-Premises Mitigation Tool.
  • Investigate Local Users and Groups, even non-administrative users for changes, and ensure all users require a password for sign-in. New user account creations (represented by Event ID 4720) during the time the system was vulnerable might indicate a malicious user creation.
  • Reset and randomize local administrator passwords with a tool like LAPS if you are not already doing so.
  • Look for changes to the RDP, firewall, WMI subscriptions, and Windows Remote Management (WinRM) configuration of the system that might have been configured by the attacker to allow persistence.
  • Look for Event ID 1102 to determine if attackers cleared event logs, an activity that attackers perform with exe in an attempt to hide their tracks.
  • Look for new persistence mechanisms such as unexpected services, scheduled tasks, and startup items.
  • Look for Shadow IT tools that attackers might have installed for persistence, such as non-Microsoft RDP and remote access clients.
  • Check mailbox-level email forwarding settings (both ForwardingAddress and ForwardingSMTPAddress attributes), check mailbox inbox rules (which might be used to forward email externally), and check Exchange Transport rules that you might not recognize.

While our response tools check for and remove known web shells and attack tools, performing a full investigation of these systems is recommended. For comprehensive investigation and mitigation guidance and tools, see https://aka.ms/exchange-customer-guidance.

Additionally, here are best practices for building credential hygiene and practicing the principle of least privilege:

  • Follow guidance to run Exchange in least-privilege configuration: https://adsecurity.org/?p=4119.
  • Ensure service accounts and scheduled tasks run with the least privileges they need. Avoid widely privileged groups like domain admins and backup operators and prefer accounts with access to just the systems they need.
  • Randomize local administrator passwords to prevent lateral movement with tools like LAPS.
  • Ensure administrators practice good administration habits like Privileged Admin Workstations.
  • Prevent privileged accounts like domain admins from signing into member servers and workstations using Group Policy to limit credential exposure and lateral movement.

 

Appendix

Microsoft Defender for Endpoint detection details

Antivirus                                                                                                                                   

Microsoft Defender Antivirus detects exploitation behavior with these detections:

Web shells are detected as:

Ransomware payloads and associated files are detected as:

Lemon Duck malware is detected as:

Some of the credential theft techniques highlighted in this report are detected as:

Endpoint detection and response (EDR)

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Suspicious Exchange UM process creation
  • Suspicious Exchange UM file creation
  • Suspicious w3wp.exe activity in Exchange
  • Possible exploitation of Exchange Server vulnerabilities
  • Possible IIS web shell
  • Possible web shell installation
  • Web shells associated with Exchange Server vulnerabilities
  • Network traffic associated with Exchange Server exploitation

Alerts with the following titles in the security center can indicate threat activity on your network specific to the DoejoCrypt and Pydomer ransomware campaign:

  • DoejoCrypt ransomware
  • Pydomer ransomware
  • Pydomer download site

Alerts with the following titles in the security center can indicate threat activity on your network specific to the Lemon Duck botnet:

  • LemonDuck Malware
  • LemonDuck botnet C2 domain activity

The following behavioral alerts might also indicate threat activity associated with this threat:

  • Possible web shell installation
  • A suspicious web script was created
  • Suspicious processes indicative of a web shell
  • Suspicious file attribute change
  • Suspicious PowerShell command line
  • Possible IIS Web Shell
  • Process memory dump
  • A malicious PowerShell Cmdlet was invoked on the machine
  • WDigest configuration change
  • Sensitive information lookup
  • Suspicious registry export

Advanced hunting

To locate possible exploitation activities in Microsoft Defender for Endpoint, run the following queries.

Processes run by the IIS worker process

Look for processes executed by the IIS worker process

// Broadly search for processes executed by the IIS worker process. Further investigation should be performed on any devices where the created process is indicative of reconnaissance
DeviceProcessEvents
| where InitiatingProcessFileName == 'w3wp.exe'
| where InitiatingProcessCommandLine contains "MSExchange"
| where FileName !in~ ("csc.exe","cvtres.exe","conhost.exe","OleConverter.exe","wermgr.exe","WerFault.exe","TranscodingService.exe")
| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Search for PowerShell spawned from the IIS worker process, observed most frequently in Lemon Duck with Base64 encoding to obfuscate C2 domains

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where InitiatingProcessFileName =~ "w3wp.exe"
| where InitiatingProcessCommandLine contains "MSExchange"
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Tampering

Search for Lemon Duck tampering with Microsoft Defender Antivirus

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess")
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Batch script actions

Search for batch scripts performing credential theft, as observed in DoejoCrypt infections

DeviceProcessEvents
| where InitiatingProcessFileName == "cmd.exe"
| where InitiatingProcessCommandLine has ".bat" and InitiatingProcessCommandLine has @"C:\Windows\Temp"
| where ProcessCommandLine has "reg save"
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Look for evidence of batch script execution that leads to credential dumping

// Search for batch script execution, leading to credential dumping using rundll32 and the COM Services DLL, dsquery, and makecab use
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has ".bat" and InitiatingProcessCommandLine has @"\inetpub\wwwroot\aspnet_client\"
| where InitiatingProcessParentFileName has "w3wp"
| where FileName != "conhost.exe"
| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Suspicious files dropped under an aspnet_client folder

Look for dropped suspicious files like web shells and other components

// Search for suspicious files, including but not limited to batch scripts and web shells, dropped under the file path C:\inetpub\wwwroot\aspnet_client\
DeviceFileEvents
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "\\aspnet_client\\"
| where InitiatingProcessCommandLine contains "MSExchange"
| project FileName, FolderPath, InitiatingProcessCommandLine, DeviceId, Timestamp

Checking for persistence on systems that have been suspected as compromised

Search for creations of new local accounts

DeviceProcessEvents
| where FileName == "net.exe"
| where ProcessCommandLine has_all ("user", "add")
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Search for installation events that were used to download ScreenConnect for persistence

Note that this query may be noisy and is not necessarily indicative of malicious activity alone.

DeviceProcessEvents
| where FileName =~ "msiexec.exe"
| where ProcessCommandLine has @"C:\Windows\Temp\"
| parse-where kind=regex flags=i ProcessCommandLine with @"C:\\Windows\\Temp\\" filename:string @".msi"
| project filename, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Hunting for credential theft

Search for logon events related to services and scheduled tasks on devices that may be Exchange servers. The results of this query should be used to verify whether any of these users have privileged roles that might have enabled further persistence.

let devices =
DeviceProcessEvents
| where InitiatingProcessFileName == "w3wp.exe" and InitiatingProcessCommandLine contains "MSExchange"
| distinct DeviceId;
//
DeviceLogonEvents
| where DeviceId in (devices)
| where LogonType in ("Batch", "Service")
| project AccountName, AccountDomain, LogonType, DeviceId, Timestamp

Search for WDigest registry key modification, which allows for the LSASS process to store plaintext passwords.

DeviceRegistryEvents
| where RegistryValueName == "UseLogonCredential"
| where RegistryKey has "WDigest" and RegistryValueData == "1"
| project PreviousRegistryValueData, RegistryValueData, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp

Search for the COM services DLL being executed by rundll32, which can be used to dump LSASS memory.

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("rundll32.exe", "comsvcs.dll")
| project FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp

Search for Security Account Manager (SAM) or SECURITY databases being saved, from which credentials can later be extracted.

DeviceProcessEvents
| where FileName == "reg.exe"
| where ProcessCommandLine has "save" and ProcessCommandLine has_any ("hklm\\security", "hklm\\sam")
| project InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp

Indicators

Selected indicators from attacks are included here, the threats may utilize files and network indicators not represented here.

Files (SHA-256)

The following are file hashes for some of the web shells observed during attacks:

  • 201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41
  • 2f0bc81c2ea269643cae307239124d1b6479847867b1adfe9ae712a1d5ef135e
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc
  • a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a
  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d

DoejoCrypt associated hashes:

  • 027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
  • 10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da
  • 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
  • 904fbea2cd68383f32c5bc630d2227601dc52f94790fe7a6a7b6d44bfd904ff3
  • bf53b637683f9cbf92b0dd6c97742787adfbc12497811d458177fdeeae9ec748
  • e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
  • fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
  • feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede

Lemon Duck associated hashes:

  • 0993cc228a74381773a3bb0aa36a736f5c41075fa3201bdef4215a8704e582fc
  • 3df23c003d62c35bd6da90df12826c1d3fdd94029bf52449ba3d89920110d5ec
  • 4f0b9c0482595eee6d9ece0705867b2aae9e4ff68210f32b7425caca763723b9
  • 56101ab0881a6a34513a949afb5a204cad06fd1034f37d6791f3ab31486ba56c
  • 69ce57932c3be3374e8843602df1c93e1af622fc53f3f1d9b0a75b66230a1e2e
  • 737752588f32e4c1d8d20231d7ec553a1bd4a0a090b06b2a1835efa08f9707c4
  • 893ddf0de722f345b675fd1ade93ee1de6f1cad034004f9165a696a4a4758c3e
  • 9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719
  • 9f2fe33b1c7230ec583d7f6ad3135abcc41b5330fa5b468b1c998380d20916cd
  • a70931ebb1ce4f4e7d331141ad9eba8f16f98da1b079021eeba875aff4aeaa85
  • d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09
  • db093418921aae00187ae5dc6ed141c83614e6a4ec33b7bd5262b7be0e9df2cd
  • dc612f5c0b115b5a13bdb9e86f89c5bfe232e5eb76a07c3c0a6d949f80af89fd
  • f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501
  • f8d388f502403f63a95c9879c806e6799efff609001701eed409a8d33e55da2f
  • fbeefca700f84373509fd729579ad7ea0dabdfe25848f44b2fbf61bf7f909df0

Pydomer associated hashes:

  • 7e07b6addf2f0d26eb17f4a1be1cba11ca8779b0677cedc30dbebef77ccba382
  • 866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc
  • 910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db
  • a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287
  • b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f
  • c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a
  • c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908

Network indicators

Domains abused by Lemon Duck:

  • down[.]sqlnetcat[.]com
  • t[.]sqlnetcat[.]com
  • t[.]netcatkit[.]com

Pydomer DGA network indicators:

  • uiiuui[.]com/search/*
  • yuuuuu43[.]com/vpn-service/*
  • yuuuuu44[.]com/vpn-service/*
  • yuuuuu46[.]com/search/*

The post Analyzing attacks taking advantage of the Exchange Server vulnerabilities appeared first on Microsoft Security.

Analyzing attacks taking advantage of the Exchange Server vulnerabilities

March 25th, 2021 No comments

Microsoft continues to monitor and investigate attacks exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat actors ranging from financially motivated cybercriminals to state-sponsored groups. To help customers who are not able to immediately install updates, Microsoft released a one-click tool that automatically mitigates one of the vulnerabilities and scans servers for known attacks. Microsoft also built this capability into Microsoft Defender Antivirus, expanding the reach of the mitigation. As of today, we have seen a significant decrease in the number of still-vulnerable servers – more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities.

As organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat actors from affected environments. Today, we are sharing intelligence about what some attackers did after exploiting the vulnerable servers, ranging from ransomware to data exfiltration and deployment of various second-stage payloads. This blog covers:

  • Threat intelligence and technical details about known attacks, including components and attack paths, that defenders can use to investigate whether on-premises Exchange servers were compromised before they were patched and to comprehensively respond to and remediate these threats if they see them in their environments.
  • Detection and automatic remediation built into Microsoft Defender Antivirus and how investigation and remediation capabilities in solutions like Microsoft Defender for Endpoint can help responders perform additional hunting and remediate threats.

Although the overall numbers of ransomware have remained extremely small to this point, it is important to remember that these threats show how quickly attackers can pivot their campaigns to take advantage of newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible. We strongly urge organizations to identify and update vulnerable on-premises Exchange servers, and to follow mitigation and investigation guidance that we have collected and continue to update here: https://aka.ms/ExchangeVulns.

Mitigating post-exploitation activities

The first known attacks leveraging the Exchange Server vulnerabilities were by the nation-state actor HAFNIUM, which we detailed in this blog. In the three weeks after the Exchange server vulnerabilities were disclosed and the security updates were released, Microsoft saw numerous other attackers adopting the exploit into their toolkits. Attackers are known to rapidly work to reverse engineer patches and develop exploits. In the case of a remote code execution (RCE) vulnerability, the rewards are high for attackers who can gain access before an organization patches, as patching a system does not necessarily remove the access of the attacker.

Figure 1. The Exchange Server exploit chain

In our investigation of the on-premises Exchange Server attacks , we saw systems being affected by multiple threats. Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions. These actions might involve performing follow-on attacks via persistence on Exchange servers they have already compromised, or using credentials and data stolen during these attacks to compromise networks through other entry vectors.

Attackers who included the exploit in their toolkits, whether through modifying public proof of concept exploits or their own research, capitalized on their window of opportunity to gain access to as many systems as they could. Some attackers were advanced enough to remove other attackers from the systems and use multiple persistence points to maintain access to a network.

We have built protections against these threats into Microsoft security solutions. Refer to the Appendix for a list of indicators of compromise, detection details, and advanced hunting queries. We have also provided additional tools and investigation and remediation guidance here: https://aka.ms/exchange-customer-guidance.

While performing a full investigation on systems is recommended, the following themes are common in many of the attacks. These are prevailing threat trends that Microsoft has been monitoring, and existing solutions and recommendations for prevention and mitigation apply:

  • Web shells – As of this writing, many of the unpatched systems we observed had multiple web shells on them. Microsoft has been tracking the rise of web shell attacks for the past few years, ensuring our products detect these threats and providing remediation guidance for customers. For more info on web shells, read Web shell attacks continue to rise. We have also published guidance on web shell threat hunting with Azure Sentinel.
  • Human-operated ransomware – Ransomware attacks pose some of the biggest security risks for organizations today, and attackers behind these attacks were quick to take advantage of the on-premises Exchange Server vulnerabilities. Successfully exploiting the vulnerabilities gives attackers the ability to launch human-operated ransomware campaigns, a trend that Microsoft has been closely monitoring. For more information about human-operated ransomware attacks, including Microsoft solutions and guidance for improving defenses, read: Human-operated ransomware attacks.
  • Credential theft – While credential theft is not the immediate goal of some of these attacks, access to Exchange servers allowed attackers to access and potentially steal credentials present on the system. Attackers can use these stolen credentials for follow-on attacks later, so organizations need to prioritize identifying and remediating impacted identities. For more information, read best practices for building credential hygiene.

In the following sections, we share our analysis of known post-compromise activities associated with exploitation of the Exchange server vulnerabilities because it is helpful to understand these TTPs, in order to defend against other actors using similar tactics or tools. While levels of disruptive post-compromise activity like ransomware may be limited at the time of this writing, Microsoft will continue to track this space and share information with the community. It’s important to note that with some post-compromise techniques, attackers may gain highly privileged persistent access, but many of the impactful subsequent attacker activities can be mitigated by practicing the principle of least privilege and mitigating lateral movement.

DoejoCrypt ransomware

DoejoCrypt was the first ransomware to appear to take advantage of the vulnerabilities, starting to encrypt in limited numbers shortly after the patches were released. Ransomware attackers often use multiple tools and exploits to gain initial access, including purchasing access through a broker or “reseller” who sells access to systems they have already compromised. The DoejoCrypt attacks start with a variant of the Chopper web shell being deployed to the Exchange server post-exploitation.

The web shell writes a batch file to C:\Windows\Temp\xx.bat. Found on all systems that received the DoejoCrypt ransomware payload, this batch file performs a backup of the Security Account Manager (SAM) database and the System and Security registry hives, allowing the attackers later access to passwords of local users on the system and, more critically, in the LSA Secrets portion of the registry, where passwords for services and scheduled tasks are stored.

Figure 2. xx.bat

Given configurations that administrators typically use on Exchange servers, many of the compromised systems are likely to have had at least one service or scheduled task configured with a highly privileged account to perform actions like backups. As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detection, as the account can be used to elevate privileges later, which is why we strongly recommend operating under the principle of least privileged access.

The batch file saves the registry hives to a semi-unique location, C:\windows\temp\debugsms, assembles them into a CAB file for exfiltration, and then cleans up the folders from the system. The file also enables Windows Remote Management and sets up an HTTP listener, indicating the attacker might take advantage of the internet-facing nature of an Exchange Server and use this method for later access if other tools are removed.

Figure 3. xx.bat actions

The xx.bat file has been run on many more systems than have been ransomed by the DoejoCrypt attacker, meaning that, while not all systems have moved to the ransom stage, the attacker has gained access to multiple credentials. On systems where the attacker moved to the ransom stage, we saw reconnaissance commands being run via the same web shell that dopped the xx.bat file (in this instance, a version of Chopper):

Figure 4. DoejoCrypt recon command

After these commands are completed, the web shell drops a new payload to C:\Windows\Help which, like in many human-operated ransomware campaigns, leads to the attack framework Cobalt Strike. In observed instances, the downloaded payload is shellcode with the file name new443.exe or Direct_Load.exe. When run, this payload injects itself into notepad.exe and reaches out to a C2 to download Cobalt Strike shellcode.

Figure 5. DoejoCrypt ransomware attack chain

During the hands-on-keyboard stage of the attack, a new payload is downloaded to C:\Windows\Help with names like s1.exe and s2.exe. This payload is the DoejoCrypt ransomware, which uses a .CRYPT extension for the newly encrypted files and a very basic readme.txt ransom note. In some instances, the time between xx.bat being dropped and a ransomware payload running was under half an hour.

Figure 6. DoejoCrypt ransom note

While the DoejoCrypt payload is the most visible outcome of this attackers’ actions, the access to credentials they have gained could serve them for future campaigns if organizations do not reset credentials on compromised systems. An additional overlapping activity observed on systems where xx.bat was present and the attackers were able to get Domain Administrator rights was the running of scripts to snapshot Active Directory with ntdsutil—an action that, if executed successfully, could give the attackers access to all the passwords in Active Directory from a single compromised system.

Lemon Duck botnet

Cryptocurrency miners were some of the first payloads we observed being dropped by attackers from the post-exploit web shells. In the first few days after the security updates were released, we observed multiple cryptocurrency miner campaigns, which had been previously targeting SharePoint servers, add Exchange Server exploitation to their repertoire. Most of these coin miners were variations on XMRig miners, and many arrived via a multi-featured implant with the capability to download new payloads or even move laterally.

Lemon Duck, a known cryptocurrency botnet named for a variable in its code, dove into the Exchange exploit action, adopting different exploit styles and choosing to use a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks. While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.

Using a form of the attack that allows direct execution of commands versus dropping a web shell, the Lemon Duck operators ran standard Invoke Expression commands to download a payload. Having used the same C2 and download servers for some time, the operators applied a varied degree of obfuscation to their commands on execution.

Fig 7. Example executions of Lemon Duck payload downloads

The Lemon Duck payload is an encoded and obfuscated PowerShell script. It first removes various security products from the system, then creates scheduled tasks and WMI Event subscription for persistence. A second script is downloaded to attempt to evade Microsoft Defender Antivirus, abusing their administrative access to run the Set-MPPreference command to disable real-time monitoring (a tactic that Microsoft Defender Tamper protection blocks) and add scanning exclusions for the C:\ drive and the PowerShell process.

Figure 8. Lemon Duck payloads

One randomly named scheduled task connects to a C2 every hour to download a new payload, which includes various lateral movement and credential theft tools. The operators were seen to download RATs and information stealers, including Ramnit payloads.

Figure 9. Lemon Duck post-exploitation activities

In some instances, the operators took advantage of having compromised mail servers to access mailboxes and send emails containing the Lemon Duck payload using various colorful email subjects.

Figure 10. Email subjects of possibly malicious emails

Figure 11. Attachment variables

In one notable example, the Lemon Duck operators compromised a system that already had xx.bat and a web shell. After establishing persistence on the system in a non-web shell method, the Lemon Duck operators were observed cleaning up other attackers’ presence on the system and mitigating the CVE-2021-26855 (SSRF) vulnerability using a legitimate cleanup script that they hosted on their own malicious server. This action prevents further exploitation of the server and removes web shells, giving Lemon Duck exclusive access to the compromised server. This stresses the need to fully investigate systems that were exposed, even if they have been fully patched and mitigated, per traditional incident response process.

Pydomer ransomware

While DoejoCrypt was a new ransomware payload, the access gained by attackers via the on-premises Exchange Server vulnerabilities will likely become part of the complex cybercriminal economy where additional ransomware operators and affiliates take advantage of it. The first existing ransomware family to capitalize on the vulnerabilities was Pydomer. This ransomware family was previously seen using vulnerabilities in attacks, notably taking advantage of Pulse Secure VPN vulnerabilities, for which Pulse Secure has released security patches, to steal credentials and perform ransomware attacks.

In this campaign, the operators scanned and mass-compromised unpatched Exchange Servers to drop a web shell. They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available. They then dropped a web shell, with a notable file name format: “Chack[Word][Country abbreviation]”:

Figure 12. Example web shell names observed being used by the Pydomer attackers

These web shells were observed on around 1,500 systems, not all of which moved to the ransomware stage. The attackers then used their web shell to dump a test.bat batch file that performed a similar function in the attack chain to the xx.bat of the DoejoCrypt operators and allowed them to perform a dump of the LSASS process.

Figure 13. Pydomer post-exploitation activities

This access alone would be valuable to attackers for later attacks, similar to the credentials gained during their use of Pulse Secure VPN vulnerabilities. The highly privileged credentials gained from an Exchange system are likely to contain domain administrator accounts and service accounts with backup privileges, meaning these attackers could perform ransomware and exfiltration actions against the networks they compromised long after the Exchange Server is patched and even enter via different means.

On systems where the attackers did move to second-stage ransomware operations, they utilized a Python script compiled to an executable and the Python cryptography libraries to encrypt files. The attackers then executed a PowerShell script via their web shell that acts as a downloader and distribution mechanism for the ransomware.

Figure 14. PowerShell downloader and spreader used to get the Pydomer payload

The script fetches a payload from a site hosted on a domain generation algorithm (DGA) domain, and attempts to spread the payload throughout the network, first attempting to spread the payload over WMI using Invoke-WMIMethod to attempt to connect to systems, and falling back to PowerShell remoting with Enter-PSSession if that fails. The script is run within the context of the web shell, which in most instances is Local System, so this lateral movement strategy is unlikely to work except in organizations that are running highly insecure and unrecommended configurations like having computer objects in highly privileged groups.

The Pydomer ransomware is a Python script compiled to an executable and uses the Python cryptography libraries to encrypt files. The ransomware encrypts the files and appends a random extension, and then drops a ransom note named decrypt_file.TxT.

Figure 15. Pydomer ransom note

Interestingly, the attackers seem to have deployed a non-encryption extortion strategy. Following well-known ransomware groups like Maze and Egregor which leaked data for pay, the Pydomer hackers dropped an alternative readme.txt onto systems without encrypting files. This option might have been semi-automated on their part or a side effect of a failure in their encryption process, as some of the systems they accessed were test systems that showed no data exfiltration. The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data.

Figure 16. Pydomer extortion readme.txt

Credential theft, turf wars, and dogged persistence

If a server is not running in a least-privilege configuration, credential theft could provide a significant return on investment for an attacker beyond their initial access to email and data. Many organizations have backup agent software and scheduled tasks running on these systems with domain admin-level permissions. For these organizations, the attackers might be able to harvest highly privileged credentials without lateral movement, for example, using the COM services DLL as a living-off-the-land binary to perform a dump of the LSASS process:

Figure 17. Use of COM services DLL to dump LSASS process

The number of observed credential theft attacks, combined with high privilege of accounts often given to Exchange servers, means that these attacks could continue to impact organizations that don’t fully remediate after a compromise even after patches have been applied. While the observed ransomware attempts were small-scale or had errors, there is still the possibility of more skillful groups utilizing credentials gained in these attacks for later attacks.

Attackers also used their access to perform extensive reconnaissance using built-in Exchange commandlets and dsquery to exfiltrate information about network configurations, user information, and email assets.

While Lemon Duck operators might have had the boldest method for removing other attackers from the systems they compromised, they were not the only attacker to do so. Others were observed cleaning up .aspx and .bat files to remove other attackers, and even rebuilding the WMI database by deleting .mof files and restarting the service. As the window on unpatched machines closes, attackers showed increased interest in maintaining the access to the systems they exploited. By utilizing “malwareless” persistence mechanisms like enabling RDP, installing Shadow IT tools, and adding new local administrator accounts, the attackers are hoping to evade incident response efforts that might focus exclusively on web shells, AV scans, and patching.

Defending against exploits and post-compromise activities

Attackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates. Comprehensive mitigation guidance can be found here: https://aka.ms/ExchangeVulns.

As seen in the post-exploitation attacks discussed in this blog, the paths that attackers can take after successfully exploiting the vulnerabilities are varied and wide-ranging. If you have determined or have reason to suspect that these threats are present on your network, here are immediate steps you can take:

  • Investigate exposed Exchange servers for compromise, regardless of their current patch status.
  • Look for web shells via our guidance and run a full AV scan using the Exchange On-Premises Mitigation Tool.
  • Investigate Local Users and Groups, even non-administrative users for changes, and ensure all users require a password for sign-in. New user account creations (represented by Event ID 4720) during the time the system was vulnerable might indicate a malicious user creation.
  • Reset and randomize local administrator passwords with a tool like LAPS if you are not already doing so.
  • Look for changes to the RDP, firewall, WMI subscriptions, and Windows Remote Management (WinRM) configuration of the system that might have been configured by the attacker to allow persistence.
  • Look for Event ID 1102 to determine if attackers cleared event logs, an activity that attackers perform with exe in an attempt to hide their tracks.
  • Look for new persistence mechanisms such as unexpected services, scheduled tasks, and startup items.
  • Look for Shadow IT tools that attackers might have installed for persistence, such as non-Microsoft RDP and remote access clients.
  • Check mailbox-level email forwarding settings (both ForwardingAddress and ForwardingSMTPAddress attributes), check mailbox inbox rules (which might be used to forward email externally), and check Exchange Transport rules that you might not recognize.

While our response tools check for and remove known web shells and attack tools, performing a full investigation of these systems is recommended. For comprehensive investigation and mitigation guidance and tools, see https://aka.ms/exchange-customer-guidance.

Additionally, here are best practices for building credential hygiene and practicing the principle of least privilege:

  • Follow guidance to run Exchange in least-privilege configuration: https://adsecurity.org/?p=4119.
  • Ensure service accounts and scheduled tasks run with the least privileges they need. Avoid widely privileged groups like domain admins and backup operators and prefer accounts with access to just the systems they need.
  • Randomize local administrator passwords to prevent lateral movement with tools like LAPS.
  • Ensure administrators practice good administration habits like Privileged Admin Workstations.
  • Prevent privileged accounts like domain admins from signing into member servers and workstations using Group Policy to limit credential exposure and lateral movement.

 

Appendix

Microsoft Defender for Endpoint detection details

Antivirus                                                                                                                                   

Microsoft Defender Antivirus detects exploitation behavior with these detections:

Web shells are detected as:

Ransomware payloads and associated files are detected as:

Lemon Duck malware is detected as:

Some of the credential theft techniques highlighted in this report are detected as:

Endpoint detection and response (EDR)

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Suspicious Exchange UM process creation
  • Suspicious Exchange UM file creation
  • Suspicious w3wp.exe activity in Exchange
  • Possible exploitation of Exchange Server vulnerabilities
  • Possible IIS web shell
  • Possible web shell installation
  • Web shells associated with Exchange Server vulnerabilities
  • Network traffic associated with Exchange Server exploitation

Alerts with the following titles in the security center can indicate threat activity on your network specific to the DoejoCrypt and Pydomer ransomware campaign:

  • DoejoCrypt ransomware
  • Pydomer ransomware
  • Pydomer download site

Alerts with the following titles in the security center can indicate threat activity on your network specific to the Lemon Duck botnet:

  • LemonDuck Malware
  • LemonDuck botnet C2 domain activity

The following behavioral alerts might also indicate threat activity associated with this threat:

  • Possible web shell installation
  • A suspicious web script was created
  • Suspicious processes indicative of a web shell
  • Suspicious file attribute change
  • Suspicious PowerShell command line
  • Possible IIS Web Shell
  • Process memory dump
  • A malicious PowerShell Cmdlet was invoked on the machine
  • WDigest configuration change
  • Sensitive information lookup
  • Suspicious registry export

Advanced hunting

To locate possible exploitation activities in Microsoft Defender for Endpoint, run the following queries.

Processes run by the IIS worker process

Look for processes executed by the IIS worker process

// Broadly search for processes executed by the IIS worker process. Further investigation should be performed on any devices where the created process is indicative of reconnaissance
DeviceProcessEvents
| where InitiatingProcessFileName == 'w3wp.exe'
| where InitiatingProcessCommandLine contains "MSExchange"
| where FileName !in~ ("csc.exe","cvtres.exe","conhost.exe","OleConverter.exe","wermgr.exe","WerFault.exe","TranscodingService.exe")
| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Search for PowerShell spawned from the IIS worker process, observed most frequently in Lemon Duck with Base64 encoding to obfuscate C2 domains

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where InitiatingProcessFileName =~ "w3wp.exe"
| where InitiatingProcessCommandLine contains "MSExchange"
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Tampering

Search for Lemon Duck tampering with Microsoft Defender Antivirus

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("Set-MpPreference", "DisableRealtimeMonitoring", "Add-MpPreference", "ExclusionProcess")
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Batch script actions

Search for batch scripts performing credential theft, as observed in DoejoCrypt infections

DeviceProcessEvents
| where InitiatingProcessFileName == "cmd.exe"
| where InitiatingProcessCommandLine has ".bat" and InitiatingProcessCommandLine has @"C:\Windows\Temp"
| where ProcessCommandLine has "reg save"
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Look for evidence of batch script execution that leads to credential dumping

// Search for batch script execution, leading to credential dumping using rundll32 and the COM Services DLL, dsquery, and makecab use
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has ".bat" and InitiatingProcessCommandLine has @"\inetpub\wwwroot\aspnet_client\"
| where InitiatingProcessParentFileName has "w3wp"
| where FileName != "conhost.exe"
| project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Suspicious files dropped under an aspnet_client folder

Look for dropped suspicious files like web shells and other components

// Search for suspicious files, including but not limited to batch scripts and web shells, dropped under the file path C:\inetpub\wwwroot\aspnet_client\
DeviceFileEvents
| where InitiatingProcessFileName == "w3wp.exe"
| where FolderPath has "\\aspnet_client\\"
| where InitiatingProcessCommandLine contains "MSExchange"
| project FileName, FolderPath, InitiatingProcessCommandLine, DeviceId, Timestamp

Checking for persistence on systems that have been suspected as compromised

Search for creations of new local accounts

DeviceProcessEvents
| where FileName == "net.exe"
| where ProcessCommandLine has_all ("user", "add")
| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Search for installation events that were used to download ScreenConnect for persistence

Note that this query may be noisy and is not necessarily indicative of malicious activity alone.

DeviceProcessEvents
| where FileName =~ "msiexec.exe"
| where ProcessCommandLine has @"C:\Windows\Temp\"
| parse-where kind=regex flags=i ProcessCommandLine with @"C:\\Windows\\Temp\\" filename:string @".msi"
| project filename, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Hunting for credential theft

Search for logon events related to services and scheduled tasks on devices that may be Exchange servers. The results of this query should be used to verify whether any of these users have privileged roles that might have enabled further persistence.

let devices =
DeviceProcessEvents
| where InitiatingProcessFileName == "w3wp.exe" and InitiatingProcessCommandLine contains "MSExchange"
| distinct DeviceId;
//
DeviceLogonEvents
| where DeviceId in (devices)
| where LogonType in ("Batch", "Service")
| project AccountName, AccountDomain, LogonType, DeviceId, Timestamp

Search for WDigest registry key modification, which allows for the LSASS process to store plaintext passwords.

DeviceRegistryEvents
| where RegistryValueName == "UseLogonCredential"
| where RegistryKey has "WDigest" and RegistryValueData == "1"
| project PreviousRegistryValueData, RegistryValueData, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp

Search for the COM services DLL being executed by rundll32, which can be used to dump LSASS memory.

DeviceProcessEvents
| where InitiatingProcessCommandLine has_all ("rundll32.exe", "comsvcs.dll")
| project FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp

Search for Security Account Manager (SAM) or SECURITY databases being saved, from which credentials can later be extracted.

DeviceProcessEvents
| where FileName == "reg.exe"
| where ProcessCommandLine has "save" and ProcessCommandLine has_any ("hklm\\security", "hklm\\sam")
| project InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp

Indicators

Selected indicators from attacks are included here, the threats may utilize files and network indicators not represented here.

Files (SHA-256)

The following are file hashes for some of the web shells observed during attacks:

  • 201e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41
  • 2f0bc81c2ea269643cae307239124d1b6479847867b1adfe9ae712a1d5ef135e
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc
  • a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a
  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d

DoejoCrypt associated hashes:

  • 027119161d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27
  • 10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da
  • 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
  • 904fbea2cd68383f32c5bc630d2227601dc52f94790fe7a6a7b6d44bfd904ff3
  • bf53b637683f9cbf92b0dd6c97742787adfbc12497811d458177fdeeae9ec748
  • e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
  • fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65
  • feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede

Lemon Duck associated hashes:

  • 0993cc228a74381773a3bb0aa36a736f5c41075fa3201bdef4215a8704e582fc
  • 3df23c003d62c35bd6da90df12826c1d3fdd94029bf52449ba3d89920110d5ec
  • 4f0b9c0482595eee6d9ece0705867b2aae9e4ff68210f32b7425caca763723b9
  • 56101ab0881a6a34513a949afb5a204cad06fd1034f37d6791f3ab31486ba56c
  • 69ce57932c3be3374e8843602df1c93e1af622fc53f3f1d9b0a75b66230a1e2e
  • 737752588f32e4c1d8d20231d7ec553a1bd4a0a090b06b2a1835efa08f9707c4
  • 893ddf0de722f345b675fd1ade93ee1de6f1cad034004f9165a696a4a4758c3e
  • 9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719
  • 9f2fe33b1c7230ec583d7f6ad3135abcc41b5330fa5b468b1c998380d20916cd
  • a70931ebb1ce4f4e7d331141ad9eba8f16f98da1b079021eeba875aff4aeaa85
  • d8b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09
  • db093418921aae00187ae5dc6ed141c83614e6a4ec33b7bd5262b7be0e9df2cd
  • dc612f5c0b115b5a13bdb9e86f89c5bfe232e5eb76a07c3c0a6d949f80af89fd
  • f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501
  • f8d388f502403f63a95c9879c806e6799efff609001701eed409a8d33e55da2f
  • fbeefca700f84373509fd729579ad7ea0dabdfe25848f44b2fbf61bf7f909df0

Pydomer associated hashes:

  • 7e07b6addf2f0d26eb17f4a1be1cba11ca8779b0677cedc30dbebef77ccba382
  • 866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc
  • 910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db
  • a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287
  • b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f
  • c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a
  • c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908

Network indicators

Domains abused by Lemon Duck:

  • down[.]sqlnetcat[.]com
  • t[.]sqlnetcat[.]com
  • t[.]netcatkit[.]com

Pydomer DGA network indicators:

  • uiiuui[.]com/search/*
  • yuuuuu43[.]com/vpn-service/*
  • yuuuuu44[.]com/vpn-service/*
  • yuuuuu46[.]com/search/*

The post Analyzing attacks taking advantage of the Exchange Server vulnerabilities appeared first on Microsoft Security.

Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus

March 18th, 2021 No comments

As cybercriminals continue to exploit unpatched on-premises versions of Exchange Server 2013, 2016, and 2019, we continue to actively work with customers and partners to help them secure their environments and respond to associated threats. To date, we have released a comprehensive Security Update, a one-click interim Exchange On-Premises Mitigation Tool for both current and out-of-support versions of on-premises Exchange Servers, and step-by-step guidance to help address these attacks.

Today, we have taken an additional step to further support our customers who are still vulnerable and have not yet implemented the complete security update. With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build 1.333.747.0 or newer), if they do not already have automatic updates turned on.

The Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases. This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange.

Microsoft will provide guidance to our security partners so that they have the option to make available similar, simple mitigations in their products as well.

We are deeply committed to protecting our customers.  To stay up to date please continue to review the content posted at https://aka.ms/exchangevulns.

Frequently Asked Questions

Q: If I have Microsoft Defender Antivirus installed on my Exchange Server do I need to take any further action to get this mitigation?

A: Customers that install Microsoft Defender Antivirus and have automatic definition updates enabled (default setting) do not have to take further action to receive the mitigation.

Q: My organization manages Microsoft Defender Antivirus definition updates.  What do I need to do to ensure I have this mitigation?

A: Customers that manage Microsoft Defender Antivirus definition updates need to select the new detection build (1.333.747.0 or newer) and deploy that to the Exchange Server.

Q: After this mitigation, do I still need to install the security update?

A: Yes.  This automatic mitigation breaks the attack chain by mitigating CVE-2021-26855.  Customers should still prioritize getting current on security updates for Exchange Server to comprehensively address the vulnerabilities.

Q: When does Microsoft Defender Antivirus apply the mitigation?

A: Microsoft Defender Antivirus will automatically identify if a vulnerable version of Exchange Server is installed and apply the mitigations the first time the security intelligence update is deployed.  The mitigation is deployed once per machine.

Q: Is cloud protection required to receive the mitigation?

A: No.  However, enabling cloud protection is a best practice that will keep you with the most current protections against the ever-changing threat environment.  Customers are encouraged to enable cloud protection.

Q: What can I do if I don’t have Microsoft Defender Antivirus?

A: Use the One-Click Microsoft Exchange On-Premises Mitigation Tool found here.

The post Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus appeared first on Microsoft Security.

#AVGater vulnerability does not affect Windows Defender Antivirus, MSE, or SCEP

On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file.

Windows Defender Antivirus and other Microsoft antimalware products, including System Center Endpoint Protection (SCEP) and Microsoft Security Essentials (MSE), are not affected by this vulnerability.

This vulnerability can be exploited to restore files that have been detected and quarantined by an antivirus product. To exploit this, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder.

This is a relatively old attack vector. By design, Microsoft antimalware products, including Windows Defender Antivirus, have never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permissions vulnerabilities.

Read more about Windows Defender Antivirus and the rest of our Windows Defender protection products at the following links:

 

*Edited 11/17/2017 to include other Microsoft antimalware products

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Keep Microsoft software up to date — and everything else too

September 14th, 2016 No comments

Many of the CIOs and CISOs that I talk to, have, over time, developed mature vulnerability assessment methodologies and security updating processes. But frequently, I find that the focus of these processes is squarely on keeping Microsoft operating systems and browsers up to date. Of course vulnerabilities in popular operating systems or browsers have the potential to affect a broad audience. Another reason for this focus is that Microsoft has made updating relatively easy by offering updates via Windows Update, Microsoft Update, and via various tools like Windows Server Update Services and others.

But data from our latest Security Intelligence Report suggests that customers need to keep all of their software up-to-date, not just Microsoft software.

In the last half of 2015 there were nearly 3,300 vulnerability disclosures across the industry, of which 305 were in Microsoft products. With more than 90 percent of reported vulnerabilities occurring outside the Microsoft portfolio, organizations need to monitor their entire technology stack to minimize their risk.

Microsoft products accounted for less than 10 percent of industrywide vulnerabilities in the second half of 2015.

Microsoft products accounted for less than 10 percent of industrywide vulnerabilities in the second half of 2015.

This is consistent with previous years as well. The software industry worldwide includes thousands of vendors, and historically, vulnerabilities for Microsoft software have accounted for between three and ten percent of disclosures in any six-month period.

To find out what’s happening in the world of software vulnerabilities across your IT environment, take some time to review our latest Security Intelligence Report and the information available through the National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data. And for a high-level look at the top ten trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

As strong as your weakest link: A look at application vulnerability

September 6th, 2016 No comments

When it comes to patching and updating software vulnerabilities, operating systems and web browsers seem to get all the love.

But in reality, vulnerabilities in those two types of software usually account for a minority of the publicly disclosed vulnerabilities published in the National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data.

Where are the rest of the vulnerabilities? The majority are in applications (i.e. software that doesn’t ship as part of operating systems or browsers), and unless you’re spending time protecting those too, your application layer could be a big chink in your IT armor. CIOs, CISOs and their security teams need to focus on assessing and patching known vulnerabilities in all business apps, or they could in fact be missing the bulk of the vulnerabilities that exist in their environments.

Vulnerabilities in applications other than web browsers and operating system applications accounted for 44.2% of all disclosures in the second half of 2015.

Vulnerabilities in applications other than web browsers and operating system applications accounted for 44.2% of all disclosures in the second half of 2015.

But separating core OS applications and web browsers from the rest of the application layer can be a bit murky. Comparing vulnerabilities that affect a computer’s operating system to vulnerabilities that affect other components, such as applications and utilities, requires a determination of whether the affected component is part of an operating system. This determination is not always simple and straightforward, given the componentized nature of modern operating systems.

For example, some programs (like photo editors) ship by default with operating system software, but can also be downloaded from the software vendor’s website and installed individually. Linux distributions, in particular, are often assembled from components developed by different teams, many of which provide crucial operating functions such as a graphical user interface (GUI) or Internet browsing.

To help companies navigate this issue and facilitate analysis of operating system and browser vulnerabilities, the Microsoft Security Intelligence Report distinguishes among four different kinds:

  • Core operating system vulnerabilities are those with at least one operating system platform enumeration in the NVD that do not also have any application platform enumerations.
  • Operating system application vulnerabilities are those with at least one OS platform enumeration and at least one application platform enumeration listed in the NVD, except for browsers.
  • Browser vulnerabilities are those that affect components defined as part of a web browser, including web browsers such as Internet Explorer and Apple’s Safari that ship with operating systems, along with third-party browsers such as Mozilla Firefox and Google Chrome.
  • Other application vulnerabilities are those with at least one application platform enumeration in the NVD that do not have any OS enumerations, except for browsers.

With those distinctions in mind, the latest SIR reports that disclosures of vulnerabilities in applications decreased in the second half of 2015, but remained the most common type of vulnerability during the period, accounting for 44.2 percent of all disclosures — a big number that any organization’s security team should be paying attention to.

Meanwhile, the other categories are important too. Core operating system vulnerability disclosures increased dramatically from the first half of the year, moving into second place at 24.5 percent. Operating system application disclosures decreased slightly to account for 18.6 percent, while browser disclosures increased by more than a third to account for 12.8 percent.

The key to keeping any organization safe is to stay on top of all disclosures, no matter which part of the stack they belong in. To stay on top of possible vulnerabilities across your software stack, take a look at our latest Security Intelligence Report and the information available through the NVD. And for a high-level look at the top 10 trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

Rise in severe vulnerabilities highlights importance of software updates

August 17th, 2016 No comments

In the context of computer security, vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of either the software itself or the system it’s running on. Some of the worst vulnerabilities allow attackers to exploit the compromised system by causing it to run malicious code without the user’s knowledge. The effects of this can range from the annoying (experiencing unwanted pop-up ads) to the catastrophic (leaking sensitive customer information).

For this reason, disclosing vulnerabilities to the public as they are found is an important part of the software industry. It’s an effort that goes well beyond the software companies who develop the code. Disclosures can come from a variety of sources, including publishers of the affected software, security software vendors, independent security researchers, and even malware creators.

Attackers and the malware they create routinely attempt to use unpatched vulnerabilities to compromise and victimize organizations, so it’s imperative that CIOs, CISOs and the rest of an organization’s security team pay close attention to disclosures as they are announced. Doing so can help the security team understand if their IT environment is at increased risk, and whether putting new mitigations in place is warranted.

Industry-wide vulnerability disclosures each half year into the second half of 2015

Industry-wide vulnerability disclosures each half year into the second half of 2015

This year the importance of tracking disclosures was highlighted as vulnerability disclosures across the industry increased 9.4 percent between the first and second half of 2015, to almost 3,300.

Even more troubling, disclosures of high-severity vulnerabilities increased 41.7 percent across the industry in the second half of 2015, to account for 41.8 percent of the total — the largest share for such vulnerabilities in at least three years.

These are the vulnerabilities that security teams dread as they enable attackers to gain easy access to software, PCs, devices, and servers. For organizations that work with sensitive customer data or that must comply with security regulations to maintain contracts, the results of such an infection are potentially dire.

Vendors with a known vulnerability in their products will generally issue a patch to close the door, so staying abreast of those updates is a critical concern for security professionals. With over 6,000 vulnerabilities publicly disclosed per year across the industry, it’s important that organizations assess all software in their IT environment and ensure that it is updated.

For an analysis of vulnerabilities disclosed in the latter half of 2015, take a look at our latest Security Intelligence Report and the information available through the NVD. And for a high-level look at the top 10 trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

Learn more at Microsoft Secure.

Categories: cybersecurity, security, vulnerabilities Tags:

Economies of scale: A perspective on cross-platform vulnerabilities

July 31st, 2012 No comments

A year ago, we published a blog post titled ‘Backdoor Olyx – is it malware on a mission for Mac?‘. It explored the intriguing questions that lay behind this backdoor’s discovery, delivery and targets. We provided our observations and analysis, and suggested that this threat was used in a targeted attack against unknown victims. However, we found no clue at that time as to ‘how’ the threat was installed to its targets – an important missing piece that we’ve continued to investigate over time.

As shown in the timeline below, a succeeding variation of threats can be identified with the same suggested attack tactic – exploiting known vulnerabilities in software to install a backdoor to its target.

Upon closer inspection of this event, we observed that this malicious code may be delivered via the Web by exploiting Java vulnerabilities (referred to in CVE-2011-3544 and CVE-2012-0507). The second form of delivery we observed was via email attachment, where the malware distributors may attempt to take advantage of known Word document vulnerabilities (referred to in CVE-2010-3333) and the vulnerabilities resolved with the release of Microsoft Security Bulletin MS09-027. It is also important to point out that these vulnerabilities affect multiple platforms, and in this case, affect both Windows and Mac.

This observation is limited and based on the samples we identified, acquired and processed, however, this understanding provides us with an opportunity to recognize a trend we can describe as economies of scale in cross-platform vulnerabilities. This method of distribution allows the attacker to maximize their capability on multiple platforms. Thus, regardless of a particular attacker’s motive, the value and demand for these vulnerabilities is likely to persist – we know for a fact that Java vulnerabilities CVE-2011-3544 and CVE-2012-0507 are widely used by cybercriminals’ in exploit kits, such as Blacole/Blackhole.

If we look at this trend, then we start to notice that the following vulnerabilities in Java, Adobe PDF and Flash, and Microsoft Office documents, listed in the table below, may be used to target and attack multiple platforms. Note that these vulnerabilities have been patched; appropriate security updates for them have been released.

This highlights the importance of keeping security software up-to-date, and ensuring operating system and 3rd party security patches are installed (soon after they become available) in order to reduce the risk of malware infection. And, this best practice should extend to all devices and platforms, especially those in large enterprise networks.

Methusela Cebrian Ferrer
MMPC Melbourne

Security and Internet Explorer

March 11th, 2011 Comments off

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

image

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

image

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker that has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of an attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has built in a Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

Security and Internet Explorer

March 11th, 2011 No comments

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

image

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

image

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker that has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of an attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has built in a Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

Security and Internet Explorer

March 11th, 2011 No comments

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

image

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

image

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker that has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of an attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has built in a Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.