Sunday, February 16, 2020

Week 10 - TRICKBOT

There is a new Windows 10 Trojan on the move.

Trickbot

The Trickbot Trojan is one of the most advanced malware delivery vehicles currently in use. Attackers have leveraged it to deliver a wide variety of malicious code by many different methods. Just yesterday, BleepingComputer reported that news articles about President Trump's impeachment trial have been used to hide Trickbot from antivirus scanners.



The WSReset UAC Bypass process begins with Trickbot checking whether the system it is on is running Windows 7 or Windows 10. Under Windows 7 it uses the CMSTPLUA UAC bypass (the same one seen in previous samples); only when the system is running Windows 10 does Trickbot use the WSReset UAC Bypass.


The WSReset UAC Bypass, discovered in March 2019, lets the Trickbot authors take advantage of the WSReset.exe process. WSReset.exe is a Microsoft-signed executable that, according to its manifest file, is used to reset Windows Store settings. What matters most here is that the 'autoElevate' property in that manifest is set to "true": this is what allows the WSReset UAC Bypass to be used for privilege escalation.


To use the WSReset UAC Bypass, Trickbot first decrypts the strings it needs, such as the registry path and the command to execute.

The final step in this bypass is to execute WSReset.exe, which causes Trickbot's command to run with elevated privileges without a UAC prompt. Trickbot does this through the 'ShellExecuteExW' API. Running elevated is what lets Trickbot deliver its payload onto workstations and other endpoints.
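Because the bypass works by making WSReset.exe launch the attacker's command, the telltale sign in endpoint telemetry is WSReset.exe appearing as the parent of a process it never normally spawns. The following detection is an added example for this post (not Trickbot code and not from Morphisec); it assumes process-creation events arrive as key=value lines in the style of Sysmon Event ID 1, and the sample events are constructed.

```python
"""Flag the WSReset.exe UAC bypass in process-creation telemetry.

Added example, not from the original post. Assumes one key=value event
per line with EventID, Image, ParentImage and CommandLine fields.
"""
import re
from typing import Dict, List

# WSReset.exe resets the Store cache and exits; apart from the console
# host it has no reason to create child processes, so anything else is suspect.
EXPECTED_CHILDREN = {"conhost.exe"}

# Constructed sample telemetry: two benign events and one bypass event.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\WSReset.exe '
    'ParentImage=C:\\Windows\\explorer.exe CommandLine="WSReset.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\conhost.exe '
    'ParentImage=C:\\Windows\\System32\\WSReset.exe CommandLine="conhost.exe 0x4"',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe '
    'ParentImage=C:\\Windows\\System32\\WSReset.exe '
    'CommandLine="cmd.exe /c C:\\Users\\Public\\update.exe"',
]

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_wsreset_bypass(event: Dict[str, str]) -> bool:
    """True when WSReset.exe spawned a child it has no legitimate reason to spawn."""
    if event.get("EventID") != "1":
        return False
    if basename(event.get("ParentImage", "")) != "wsreset.exe":
        return False
    return basename(event.get("Image", "")) not in EXPECTED_CHILDREN

def find_bypasses(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the bypass pattern."""
    return [e for e in map(parse_event, lines) if is_wsreset_bypass(e)]

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_EVENTS):
        print("ALERT WSReset child:", hit["Image"], "|", hit["CommandLine"])
```

The same parent-child rule applies to any auto-elevating binary, so the hit should be triaged together with the registry write that preceded it.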

How do you keep this from being exploited?

The Morphisec Unified Threat Prevention Platform blocks Trickbot before it is able to execute its process, including the WSReset UAC Bypass, through moving target defense. By morphing the application memory structures on endpoints, it takes away the attackers' ability to accurately target critical systems. This protects workstations, servers, VDIs, and cloud workloads against this and other damaging attacks.

Keep a watch out for the SHA-1 file hashes (IOCs) published with the original report.

Sunday, February 9, 2020

Week 9 - Operation Shadowhammer

There are many manufacturers of computer systems around the world. One of my personal favorite vendors is ASUS. Even though they are a great company, they are not immune to cyber threats, including attacks on their own software.

In early 2019, ASUS was hit with a supply chain attack that leveraged the ASUS Live Update software. The attack took place between June and November 2018 and, according to ASUS's telemetry, it affected a large number of users.

ASUS Live Update is a tool that comes pre-installed on most ASUS computers. It is used to automatically update components such as the BIOS, UEFI, drivers and applications. According to a Gartner report, ASUS was the world's 5th-largest PC vendor by 2017 unit sales. This makes it an extremely attractive target for APT groups that want to take advantage of its userbase.

The goal of this attack was to target a specific set of users, who were identified by their network adapters' MAC addresses. To do this, the attackers hardcoded a list of MAC addresses in the trojanized samples, and this list was used to identify the actual intended targets of this massive operation. ASUS was able to extract more than 600 unique MAC addresses from over 200 samples used in the attack. Of course, there may be other samples out there with different MAC addresses in their lists.

Are you affected?

ASUS created a tool that can be run to determine whether your computer was one of the surgically selected targets of the attack. It compares the MAC addresses of all adapters to the list of predefined values hardcoded in the malware and alerts if a match is found.

If you were on the list of affected users, the hack is no longer a threat. At the end of March 2019, the two hosted update servers from which the attackers were serving their packages, masked with legitimate certificates, were found and removed. The Live Update software now available is safe to use.

Sunday, February 2, 2020

WEEK 8 - The WINRAR Bug

I am not sure what the latest software for unzipping files is, but I have been using WinRAR for the better part of the millennium. It is a great program that unpacks many types of compressed files. But lately someone has found a way to make the WinRAR program do some nasty things.

"By renaming an ACE file with a RAR extension, hackers could manipulate WinRAR to extract a malicious program to a computer's startup folder. The program would then run automatically when your computer started. Check Point says the flaw existed for 19 years. In response to the blog post, WinRAR was quick to patch the vulnerability, releasing a version 5.70 beta 1 in which it dropped support for ACE archives. Turns out the company was using a third party tool to unpack ACE archives anyway, and it hadn't been updated since 2005." (Fisher, 2019)

Luckily this bug has been fixed, as long as you update to the latest version, 5.7. It is funny to think that this flaw, although unused, has been out there for the past 19 years.
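The two halves of the WinRAR bug are an archive whose extension lies about its format and a member path that escapes the extraction folder. The checks below are an added example for this post (not WinRAR or Check Point code): they identify an ACE file by its "**ACE**" marker at byte offset 7 regardless of the file name, and reject member names that could land outside the extraction directory. The archive headers used here are constructed, not real archives.

```python
"""Spot ACE archives hiding behind a .rar extension and unsafe member paths.

Added example, not code from the original post. Uses the ACE signature
"**ACE**" at byte offset 7 and the RAR signature at offset 0.
"""
import ntpath
from typing import Optional

ACE_MAGIC, ACE_MAGIC_OFFSET = b"**ACE**", 7
RAR_MAGIC = b"Rar!\x1a\x07"   # common prefix of the RAR4 and RAR5 signatures

def archive_format(data: bytes) -> Optional[str]:
    """Identify the container by magic bytes, ignoring the file name entirely."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return None

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one archive format but the bytes say another."""
    fmt = archive_format(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return fmt is not None and ext != fmt

def is_safe_member_path(name: str) -> bool:
    """Reject member names that could escape the extraction directory.

    Absolute paths, drive letters, UNC paths and '..' components are how a
    crafted archive reaches a location such as the Startup folder.
    """
    norm = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(norm)
    if drive or rest.startswith("\\"):
        return False
    parts = [p for p in rest.split("\\") if p not in ("", ".")]
    return bool(parts) and ".." not in parts

# Constructed headers: 7 bytes of CRC/size/type/flags, then the ACE marker.
FAKE_ACE = b"\x00" * 7 + ACE_MAGIC + b"\x00" * 8
FAKE_RAR = RAR_MAGIC + b"\x00" * 9

if __name__ == "__main__":
    print(extension_mismatch("invoice.rar", FAKE_ACE))        # ACE in disguise
    print(is_safe_member_path("..\\..\\Startup\\x.exe"))       # escapes the folder
```

A mail gateway or extraction wrapper that applies both checks would have refused the renamed ACE file even on an unpatched WinRAR.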

NOTE: WinRAR does not patch automatically – you have to manually update your software to be safe.

“Because of the huge WinRAR customer-base, lack of auto-update feature and the ease of exploitation of this vulnerability, we believe this will be used by more threat actors in the upcoming days.” (Muncaster, 2019)

Something else to note is that Saudi Arabian targets account for 42% of total attacks since 2016, with the US a close second at 34%, before a big drop-off to Belgium (6%) in third.


Fisher, C. (2019, February 21). WinRAR patched 19-year-old bug that left millions vulnerable. Retrieved February 1, 2020, from https://www.engadget.com/2019/02/21/winrar-19-year-old-bug-patched/

Muncaster, P. (2019, March 28). Hackers Queue Up to Exploit WinRAR Bug. Retrieved February 1, 2020, from https://www.infosecurity-magazine.com/news/hackers-queue-up-to-exploit-winrar-1/

Sunday, January 26, 2020

Week 7 - Windows CryptoAPI Spoofing Vulnerability aka CurveBall or Chain of Fools

Just recently Microsoft discovered that it had an issue with its cryptography API.

Most of us know that Microsoft puts out patches every Tuesday; this is why we call it "Patch Tuesday". But just the other day, representatives from the company said to pay very close attention to updating your systems on the 14th of January, and it has solely to do with CVE-2020-0601.

CurveBall is a spoofing vulnerability within crypt32.dll. This is a core cryptographic module in Microsoft Windows that implements the certificate and cryptographic message functions in Microsoft's CryptoAPI.

Successful exploitation of this vulnerability would allow attackers to deliver malicious code that appears to come from a trusted entity. The analysis notes some examples of where validation of trust would be impacted:
  • HTTPS connections
  • Signed files and emails
  • Signed executable code launched as user-mode processes

CurveBall bypasses Windows' capability to verify cryptographic trust. This would allow an attacker to pass malicious applications off as legitimate, trusted code, putting Windows PCs at risk. The attacker would need to get into a system in another fashion to deploy malware that exploits this vulnerability. They would most likely either use common phishing tactics to trick a trusted user into interacting with a malicious application, or use a man-in-the-middle attack through another compromised device in the environment to spoof an intercepted update and replace it with malware.

How do you fix your system, you ask?

"Microsoft has released software updates to address CVE-2020-0601. If patching the vulnerability enterprise-wide is not possible, the NSA has advised “prioritizing patching systems that perform Transport Layer Security validation, or host critical infrastructure like domain controllers, Domain Name System servers, Virtual Private Network servers, etc.” Additionally, Tenable suggests patching endpoints directly exposed to the internet or systems regularly used by privileged users."
This will keep your system safe from this particular vulnerability.

Sunday, January 19, 2020

Week 6 - Windows Task Scheduler Hacked

Luckily this particular nasty privilege escalation hack has been fixed; the fix is part of the Windows Defender update released at the beginning of April 2019.

This hack was discovered by an anonymous hacker who goes by the name SandboxEscaper.

NOTE: Task Scheduler is a component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals.

What a hacker needs to do to get escalated privileges on your machine is call an RPC function, "SchRpcRegisterTask". This is a method that registers a task with the server.

This is done by importing a legacy task file in the .job format that is written with an arbitrary DACL. Arbitrary DACL writes allow a low-privileged user to change system permissions; eventually, a local user gains complete control of the system.

“If on Windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:\windows\tasks and run the following command using ‘schtasks.exe’ and ‘schedsvc.dll’ copied from the old system”


This exploit was confirmed by many different security experts.   


In order to keep yourself protected from this privilege escalation hack, you will need to update Windows Defender and your Windows OS.

To do so, go to the search box at the bottom left of your Windows 10 screen and type "Check for Updates". A window will open that lets you download any available Windows updates; this also includes the security updates for Windows Defender. Download and install the updates and then reboot your system. Your PC should now be protected from this vulnerability.


Sunday, January 12, 2020

Week 5 - Clop Ransomware

A new ransomware that has been in the news is called Clop. This malware encrypts data and renames each file by appending the ".Clop" extension.

After successful encryption, Clop generates a text file ("ClopReadMe.txt") and places a copy in every existing folder. The text file contains a ransom-demand message.
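Those two behaviours, the ".Clop" extension on every encrypted file and a ClopReadMe.txt note in each folder, are enough to triage a disk without opening any file. The scanner below is an added example for this post (not from the original or from any vendor) and builds a constructed sample tree in a temporary directory so it runs anywhere.

```python
"""Triage a directory tree for Clop ransomware artefacts.

Added example, not code from the original post. Looks for files renamed
with a ".Clop" extension and ClopReadMe.txt notes dropped in folders.
"""
import os
import tempfile
from typing import Dict, List

ENCRYPTED_EXT = ".clop"          # compared case-insensitively
RANSOM_NOTE = "clopreadme.txt"

def scan_tree(root: str) -> Dict[str, object]:
    """Walk root and summarise encrypted files and ransom notes found."""
    encrypted: List[str] = []
    notes: List[str] = []
    folders_with_notes = 0
    for dirpath, _dirs, files in os.walk(root):
        note_here = False
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
            elif lower == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
                note_here = True
        folders_with_notes += int(note_here)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "folders_with_notes": folders_with_notes,
            "infected": bool(encrypted) or bool(notes)}

def build_sample_tree() -> str:
    """Create a constructed directory that mimics a disk after Clop ran."""
    root = tempfile.mkdtemp(prefix="clop_demo_")
    layout = {"": ["report.docx.Clop", "ClopReadMe.txt"],
              "photos": ["cat.jpg.Clop", "dog.jpg.Clop", "ClopReadMe.txt"],
              "clean": ["notes.txt"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"x")   # placeholder content, not real ciphertext
    return root

if __name__ == "__main__":
    summary = scan_tree(build_sample_tree())
    print("infected:", summary["infected"], "| encrypted files:",
          len(summary["encrypted"]), "| folders with notes:",
          summary["folders_with_notes"])
```

The scan tells you how far the encryption spread; removing the malware afterwards does not decrypt those files, so the recovery path is the backup restore described later in this post.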

The message reads as follows:

"Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly.
If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files
(Less than 5 Mb each, non-archived and your files should not contain valuable information
(Databases, backups, large excel sheets, etc.)).
You will receive decrypted samples and our conditions how to get the decoder.
Attention!!!
Your warranty - decrypted samples.
Do not rename encrypted files.
Do not try to decrypt your data using third party software.
We don't need your files and your information.
But after 2 weeks all your files and keys will be deleted automatically.
Contact emails:
servicedigilogos@protonmail.com
or
managersmaers@tutanota.com
The final price depends on how fast you write to us.
Clop"

The ransomware is designed to get you to pay someone to remove the program from your PC. Here we will show you how to remove it without paying a cent.

"Restart" your PC while holding "Shift" on your keyboard.  Once the "choose an option" window opens click on "Troubleshoot". 

Next select "Advanced options", and then select "Startup Settings" and click on the "Restart" button. 

In the following window, press the "F5" key on your keyboard. This will restart your operating system in "Safe Mode with Networking".

Log in to the account that is infected with the Clop virus. If you do not have an anti-spyware program, start your internet browser and download a legitimate one. Update the anti-spyware software and start a full system scan, then remove all entries detected. As I have mentioned in my previous posts, Malwarebytes Anti-Malware already has definitions for Clop loaded into its latest update. This will remove the malicious program and keep you from paying these hackers.

Make sure to always keep your anti-virus and anti-spyware programs up to date and running to keep your system protected.

If for any reason your anti-spyware program does not remove the program, do a full system restore from a backup taken before the Clop program was installed.


References

Meskauskas, T. (2019, November 22). Clop Ransomware. Retrieved from https://www.pcrisk.com/removal-guides/14451-clop-ransomware