Modern processors are extremely complicated devices and aren’t single purpose number crunching machines as they were in the past. A modern CPU contains subsystems responsible for power management, remote administration, hardware security, and much more. Intel brands this collection of technologies as vPro. The subsystem with perhaps the most attack surface is branded as Intel Active Management Technology (AMT), a system designed to allow for remote administration of corporate computer assets. It provides out of band administration, meaning an authorized administrator can perform any number of tasks on the machine without requiring specific operating system features like a functioning Windows install or separate software running on the system. This week researchers discovered a critical flaw in the AMT system allowing for an unauthorized user to completely takeover affected machines.
Intel AMT runs on a dedicated microprocessor embedded in the normal CPU and as such isn’t something a normal user ever has to deal with. It is able to piggyback on the normal networking stack exposed to the operating system to allow for out of band management of the machine without any user interaction. Due to it being embedded in the processor it has almost complete and unrestricted access to the system. This makes finding flaws in it extremely valuable to researchers and hackers. Luckily the flaw found this week was discovered by internal Intel researchers whose goal it is to discover critical vulnerabilities before attackers do. CVE-2020-8758 was disclosed in a security advisory and ranks a 9.8/10 on the CVSS scale. The flaw is the result of improper buffer restrictions in the network component of the AMT subsystem and could allow for privilege escalation and complete takeover of a system running the vulnerable version. The critical flaw requires that AMT has been previously provisioned by a system administrator and that an attacker can reach the system over the network.
While the main vulnerability disclosed requires AMT to be provisioned, a second attack scenario was also disclosed which is able to attack an un-provisioned AMT instance. In this attack scenario an attacker would require local access to the machine to exploit the flaw. While not nearly as critical of a remote over-the-network exploit, it can pose a threat for systems exposed to public access such as shared computing resources or cases where a machine may be left unattended for an amount of time.
While no known attacks utilizing the flaw have been seen yet ,Intel recommends that systems running the affected firmware versions are patched immediately.
No matter what operating system you use, there will be vulnerabilities lurking in the nooks and crannies we may never consider. If you're using Windows 10, here are two you should know about.
The first bug affects all Windows 10 editions except for Home, as it leverages Hyper-V, a feature that provides hardware virtualization. In order to create and modify files in certain areas of Windows a user needs elevated privileges. This is to protect sensitive areas of the operating system. Enabling Hyper-V circumvents the need for admin credentials, as researcher Jonas Lykkegaard showed how he was able to drop an arbitrary file into the System32 folder and then modify it with user-level credentials.
Luckily, Hyper-V is disabled by default, so if you don't use any sort of virtualization you won't be vulnerable. However, if you enable the Windows Sandbox feature, which is often used for testing software, Hyper-V will automatically be enabled as well. The risk of this bug is low enough that the researcher decided not to submit it directly to Microsoft, so it is unclear if or when a patch will be released. The best advice here would be to keep your system up to date and to disable features that you aren't using.
The next bug involves a feature on Windows 10 that most users have used - Themes. Whether it's selecting a pre-packaged theme to get away from that default blue, or using our own wallpapers to customize, nearly everyone makes some sort of change to the appearance of their desktop. Some users go a step further and export their custom themes to share or import custom themes that others have built. This is where the vulnerability comes in. Researcher Jimmy Bayne recently showed that modified Windows 10 themes could be used in Pass-the-Hash attacks.
Bayne demonstrated how an attacker could create a theme file with a modified wallpaper setting that would request a remote resource requiring authentication. If user tries to install the theme, Windows will automatically attempt to access the remote resource using the credentials of the user that is currently logged into Windows. From there an attacker can harvest the credentials. Even worse, this attack will work with Microsoft account credentials, meaning attackers would be able to access users' online resources as well. The easiest way to mitigate the threat is to enable two-factor authentication and avoid custom themes from third parties.
Today’s technological landscape has led to an explosion of cyber security products and services to automatically detect and deal with threats and malware. How-ever, as more and more emphasis is put on automated systems, attackers have to modify their strategies to combat this. Threat detection and analysis company, Huntress Labs, discovered a piece of malware that hides in plain sight and would likely not be detected by most automatic defenses, requiring a human analysis element.
The malware involves maintaining persistence on a system rather than the initial infection. Once inside the system, the malware creates services that seem to be legitimate, BfeOnService.exe and engine.exe, as well as a log file a.chk. The description also seems to be legitimate: however, these services are actually copies of two other services, mshta.exe and powershell.exe. These programs have not been modified except for the name, so an antivirus program wouldn’t flag them as malware. The name change keeps the processes from being flagged by security programs looking for running instances of mshta and powershell which could indicate a threat presence. They parse the log file, which at first glance seems harmless, to extract a payload used by powershell to connect to https://dns.google.com/resolve?name=dmarc.jqueryupdatejs.com&type=txt and retrieve another payload using Google’s DNS service.
The DNS response is actually a DNS TXT record response that contains further information embedded within it. The data field contains what appears to be a ture, which is used to authenticate e-mails from specific domains. However, it is a cleverly hidden base-64 encoded string that, after multiple layers of decoding, Reveals multiple decimal numbers that don’t appear to be anything but are actually IP addresses. For instance, one of the numbers analyzed was 1484238687, but this translates to 220.127.116.11 when entered in a browser address bar. These are the IP addresses for Command & Control servers hosting further payloads. This allows the attacker to rotate servers used for malware delivery, as well as changing the payloads themselves, without having to directly access the victim. Also, while many organizations filter DNS activity on their network, it is much less likely that they would lock down HTTPS access to google.com.
John Hammond, Senior Security Researcher at Huntress Labs, comments, “We found this malware from our own manual analysis. Obviously, there is an incredible benefit from having an automated, always on antivirus and endpoint protection suite... but this lacks the context that humans have. Manual investigation is a must”. The best defense lies somewhere in the balance between automated and human-controlled security practices.
Peraton CyberIntelligence Program (CIP)
The saying goes, “Once is chance, twice is a coincidence, and three times is a pattern.” But do we really need three times when the repetition is so clearly similar? Researchers at Trustwave have found spyware within the Golden Tax Invoicing system provided by Baiwang and have named the spyware Golden Helper. A Golden Tax Invoicing system is required to log invoices and expenses for accurate centralized Value Added Tax reporting. Baiwang is joined by Aisin as the only two providers of the Golden Tax Invoicing system. The Aisino version was found last month to have the Golden Spy which had several similar infection avenues but different capabilities.
The Golden Spy malware had several obfuscation and detection avoidance capabilities:
• a two hour delay in malware installation,
• two auto-start services for self-monitoring and restarting,
• persistence beyond the tax software itself,
• communication with domains that were not tax related, and
• running with system level privileges for remote code execution.
A malware uninstaller was pushed in an update by Aisino by the time Golden Helper became public. Golden Helper, is planted in the Baiwang edition of the Golden Tax Invoicing system. The malware, itself, is curiously signed by an Aisino subsidiary, NouNou Technology. Golden Helper takes extensive efforts to stay hidden. It obfuscates the files produced with randomly generated filenames and obfuscates metadata by randomly generating “creation” and “last write” timestamps. It masks executable payload as .gif, .jpg, and .zip files while in transit and uses the Victim’s IP to algorithmically randomize download locations and communicate those locations to command and control servers. It has no need for User permission to install and escalate to SYSTEM level privilege and can perform remote code execution as well. Golden Tax software may also be delivered to companies pre-installed in computers provided by their bank. This makes sense to offer up a tool to make business easier so that the customer doesn’t have to go through the trouble of installing the software. But unfortunately, it also comes bundled with Golden Helper. Trustwave researchers are still looking for samples of the final payload installed by GoldenHelper, named taxver.exe.
What was computer-related life like in 2003? For starters: the iTunes store just opened, miniSD cards and DDR2 SDRAM were just hitting the market, and AMD released their first 64-bit processor. A vulnerability affecting Windows DNS, dubbed SigRed, has remained undetected for 17 years until found by Check-Point researchers earlier this year.
Security researchers at Checkpoint were looking for a vulnerability that would allow an attacker to compromise a Windows Domain environment in a different way than the usual Server Message Block or Remote Desktop Protocol exploits when they came upon this vulnerability. They certainly found a winner, with SigRed receiving a CVSS score of 10, the highest possible severity on the scale and fairly rare. Not only does this vulnerability allow an attacker to achieve re-mote code execution on the server, but it is also wormable. This means that with just one exploit of the system, malware can spread quickly throughout the entire network without any human interaction. For instance, WannaCry and NotPetya were both wormable pieces of malware.
The vulnerability itself lies in the DNS module dns.exe and relies on an integer-overflow bug that leads to a heap-based buffer overflow. How the DNS server parses incoming DNS queries and how it parses responses for forwarded que-ries both provide avenues of attack to take advantage of. One of the response types for a Secure Internet Access (SIG) query was used by CheckPoint research-ers to exceed the maximum request size of 65,535 bytes, leading to the name SigRed. Another path for exploiting this vulnerability can be done remotely us-ing HTTP requests that are carrying DNS queries. While Google Chrome and Mozilla Firefox aren’t vulnerable to this attack, Microsoft Internet Explorer and Edge browsers can be used. The malicious request can be sent to TCP port 53 (UDP port 53 is the common DNS port) on a vulnerable server and the data will be interpreted as if it were a DNS query since Windows DNS support DNS over TCP.
SigRed can allow an unauthenticated attacker to run commands on the vulnera-ble Windows Server system as a local system admin, and with the wormable attribute it can compromise an entire organization within minutes of the initial exploit. This, coupled with the high chances of exploitation especially with the flaw being public knowledge now, led to the recommendation that all Windows Server 2003-2019 systems be updated with the new patch Microsoft released this week. If the patch can’t be implemented quickly, there is a workaround involving changing a registry key to limit the size of DNS TCP packets that are received.
Overview: As you build your cybersecurity career, take advantage of important new and proactive security configuration and management capabilities that will help your organization ‘move left’ on understanding and reducing risk.
The post Microsoft Security: Use baseline default tools to accelerate your security career appeared first on Microsoft Security.