Week 7 - Windows CryptoAPI Spoofing Vulnerability aka CurveBall or Chain of Fools

Just recently  Microsoft discovered that it had an issue with API cryptography.  

Now most of us know that Microsoft puts out patches every Tuesday.  this is why we call it "patch Tuesday".  But just the other day some reps from the company said to pay very close attention to updating your systems on the 14th of January, and it solely has to deal with CVE-2020-0601. 

Curveball is a spoofing vulnerability within crypt32.dll.  This is a core cryptographic module in Microsoft Windows that is responsible for implementing certificate and cryptographic message functions in Microsoft’s CryptoAPI.  

Successful exploitation of this vulnerability would allow attackers to deliver malicious code that appears to be from a trusted entity. The analysis notes some examples of where validation of trust would be impacted:

• HTTPs connections
• Signed files and emails
• Signed executable code launched as user-mode processes

Curveball bypasses Windows’ capability to verify the cryptographic trust.  This would allow the attacker to pass malicious applications off as legitimate, trusted code, putting Windows PC's at risk. The attacker would need to get into a system in another fashion to deploy malware that exploits this vulnerability. They would more than likely either use common phishing tactics to trick a trusted user into interacting with a malicious application or use a man-in-the-middle attack through another compromised device in the environment to spoof an intercepted update and replace it with malware.

How do you fix your system you ask?

"Microsoft has released software updates to address CVE-2020-0601. If patching the vulnerability enterprise-wide is not possible, the NSA has advised “prioritizing patching systems that perform Transport Layer Security validation, or host critical infrastructure like domain controllers, Domain Name System servers, Virtual Private Network servers, etc.” Additionally, Tenable suggests patching endpoints directly exposed to the internet or systems regularly used by privileged users."

In short, download and install the patch from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

This will keep your system safe from this particular vulnerability.

Week 6 - Windows Task Scheduler Hacked

Luckily this particular nasty privilege escalation hack has been fixed and is part of the Windows Defender update released in the beginning of April 2019.

This hack was discovered by an anonymous hacker that goes by the name of Sandboxescaper.  

NOTE: Task Scheduler is a component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals.

What a hacker needs to do to get escalated privilege on your machine is they need to call up an RPC function,  “SchRpcRegisterTask“.  This is a method that registers a task with the server.  

You can do this by importing a legacy task file in the .job format that are written with arbitrary DACL.  Arbitrary DACL writes allow a low-privileged user to change the system permissions, eventually, a local user gains complete control of the system.  

“If on windows 10 you want to import a .job file into the task scheduler you have to copy your old .job files into c:\windows\tasks and run the following command using “schtasks.exe and ‘schedsvc.dll” copied from the old system”


This exploit was confirmed by many different security experts.   


In order to keep yourself protected from this privilege escalation hack you will need to update your windows defender and your Windows OS.

To do so, go to the search at the bottom left of your Windows 10 screen.  Type in "Check for Updates".  A window will pop up that will allow you to choose to download any updates for Windows, this will also include any security updates that are for windows defender.  Download and install the updates and then reboot your system.  Your PC should now be protected from this vulnerability.  

Week 5 Clop Ransomeware

Week 5

A new ransomware that has been seen in the news is called Clop.  This malware is designed to encrypt data and rename each file by appending the ".Clop" extension.  

After successful encryption, Clop generates a text file ("ClopReadMe.txt") and places a copy in every existing folder. The text file contains a ransom-demand message.

The message reads as such:

"Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorithm.

Backups were either encrypted or deleted or backup disks were formatted.

Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.

We exclusively have decryption software for your situation

No decryption software is available in the public.

DO NOT RESET OR SHUTDOWN ñ files may be damaged.

DO NOT RENAME OR MOVE the encrypted and readme files.

DO NOT DELETE readme files.

This may lead to the impossibility of recovery of the certain files.

Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly.

If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files

(Less than 5 Mb each, non-archived and your files should not contain valuable information

(Databases, backups, large excel sheets, etc.)).

You will receive decrypted samples and our conditions how to get the decoder.

Attention!!!

Your warranty - decrypted samples.

Do not rename encrypted files.

Do not try to decrypt your data using third party software.

We don`t need your files and your information.

But after 2 weeks all your files and keys will be deleted automatically.

Contact emails:

servicedigilogos@protonmail.com

or

managersmaers@tutanota.com

The final price depends on how fast you write to us.

Clop"

The ransomware is designed to get you to pay for someone to remove the program from your PC.  here were will show you how to remove it without paying a cent.

"Restart" your PC while holding "Shift" on your keyboard.  Once the "choose an option" window opens click on "Troubleshoot". 

Next select "Advanced options", and then select "Startup Settings" and click on the "Restart" button. 

In the following window you should click the "F5" button on your keyboard. This will restart your operating system in "Safe Mode" with networking.

Log in to the account that is infected with the Clop virus. If you do not have a anti-spyware program then start your internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.  As I have mentioned in my previous posts, Malwarebytes Anti-malware already has spyware definitions for Clop loaded into their latest update.  This will remove the spyware program and keep you from paying to these hackers.  

Make sure to always keep your anti-virus and anti-spyware programs up to date and running to keep your system protected.

If for any reason your anti-spyware program does not remove the program, do a full system restore from a previous back up prior to when the Clop program was installed.

References

Meskauskas, T. (2019, November 22). Clop Ransomware. Retrieved from https://www.pcrisk.com/removal-guides/14451-clop-ransomware.