Learn how Adlumin’s Threat Research Team is dissecting emerging threats and providing invaluable insights that empower organizations to proactively defend against ever-evolving cyberattacks.
This month’s Patch Tuesday from Microsoft included a surprise patch for a vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT); you may remember MSDT as the component abused by the recent Follina exploit (CVE-2022-30190). This vulnerability, however, takes a different exploitation path than Follina.
What You Need to Know
CVE-2022-34713, nicknamed “DogWalk,” is an arbitrary file write vulnerability in MSDT, exploited via .diagcab files, which can lead to code execution. The vulnerability allows an attacker to send a file to a victim that, if double-clicked and opened, could drop an exploit in the user’s Startup folder (or write any file anywhere else on the system that the user has permission to write to). The exploit is compounded by the fact that most web browsers and email clients do not warn the user of the risk of running a .diagcab file: the .diagcab file is not tagged with the web zone identifier property that would otherwise help prevent accidental execution by a user.
The original Dogwalk vulnerability was found and reported to Microsoft by security researcher Imre Rad in December 2019. According to Rad, Microsoft initially decided Dogwalk was not a vulnerability and, at that point, allowed him to publish a blog post on the subject. Due to increased scrutiny of MSDT, Microsoft re-assessed the case this year and has now classified Dogwalk as a vulnerability.
Microsoft began blocking .diagcab file downloads in Microsoft Edge in July of this year. Google is also doing the same. It is now worthwhile to stop .diagcab files received via email altogether.
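The mail-side control the paragraph above recommends, stopping .diagcab attachments outright, is small enough to show end to end. The following Python script is an added example, not code from the Adlumin post: it parses an inbound message, flags every attachment whose name ends in .diagcab (case-insensitively, and ignoring trailing dots or spaces), and strips those parts before the message is delivered. The sample message, the addresses and the attachment names are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# File extensions to stop at the mail gateway. .diagcab is the MSDT package
# format abused by CVE-2022-34713 (DogWalk); further entries can be added.
BLOCKED_EXTENSIONS = {".diagcab"}


def is_blocked_name(filename: str) -> bool:
    """Case-insensitive extension check. Trailing dots and spaces are stripped so
    names like 'fix.diagcab.' or 'fix.DIAGCAB ' cannot slip past a naive endswith."""
    lowered = filename.lower().rstrip(". ")
    return any(lowered.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def find_blocked_attachments(raw_message: bytes) -> list:
    """Parse a raw RFC 5322 message and return the attachment filenames that are blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()
            if part.get_filename() and is_blocked_name(part.get_filename())]


def strip_blocked_attachments(raw_message: bytes):
    """Return (cleaned_message_bytes, removed_filenames). Blocked parts are dropped
    from the top-level multipart; everything else is passed through unchanged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    removed = []
    if msg.is_multipart():
        kept = []
        for part in msg.get_payload():
            name = part.get_filename()
            if name and is_blocked_name(name):
                removed.append(name)
            else:
                kept.append(part)
        msg.set_payload(kept)
    return msg.as_bytes(), removed


def build_sample_message() -> bytes:
    """Constructed sample: one benign PDF and one .diagcab package as attachments."""
    msg = EmailMessage()
    msg["From"] = "helpdesk@example.com"   # constructed address
    msg["To"] = "user@example.com"         # constructed address
    msg["Subject"] = "Printer troubleshooter"
    msg.set_content("Please run the attached troubleshooter.")
    msg.add_attachment(b"%PDF-1.4 constructed content", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MSCF constructed cabinet bytes", maintype="application",
                       subtype="octet-stream", filename="Fix-Printer.DIAGCAB")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    print("blocked:", find_blocked_attachments(raw))
    cleaned, removed = strip_blocked_attachments(raw)
    print("removed:", removed, "still blocked:", find_blocked_attachments(cleaned))
```

The check is by declared filename only, which is what a gateway rule on the extension amounts to; a renamed package would pass this filter, so the rule complements rather than replaces the Patch Tuesday fix.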
The Importance of Continuous Vulnerability Monitoring
Microsoft’s August Patch Tuesday includes a patch for the now publicly disclosed, two-year-old Dogwalk vulnerability (CVE-2022-34713). Adlumin’s Continuous Vulnerability Management (CVM) team took the proactive step of examining this patch for the now-identified zero-day threat and alerting customers to their potential vulnerability risk. Adlumin determined that Microsoft Office users were potentially exposed, so it deployed the fix.
Adlumin’s CVM team created jobs to test customers’ Microsoft August Patch Tuesday patch and remediation (registry modification). Once the test was complete, the CVM team continued the deployment to the production environment. Once everything was complete and remediated, Adlumin sent each customer a report, for their records, confirming that they were now clean of the vulnerability. Adlumin recommends using its Continuous Vulnerability Management service to collect the needed data from endpoints and determine whether their versions of Microsoft Windows and Office are still vulnerable to .diagcab files. Adlumin’s managed detection and response security and services platform proactively searches for suspicious activity and possible vulnerability exploitation 24x7x365.
Adlumin Data Science offers two main categories of anomaly detection – single-event, based on information collected from a single security log, and multi-event, which uses information extracted from an aggregation of individual logs. Since anomaly detection tends to have a higher false-positive-rate (FPR) than signature-based methods, it is often helpful to intersect detections from both approaches, which can reduce the total FPR while maintaining an acceptable true positive rate (TPR). The logic is that truly anomalous behavior is likely to appear anomalous from multiple independent perspectives.
An excellent example of this is the intersection between Lateral Movement (LM) and Access-Events (AE), which are multi-event and single-event ML models, respectively, on the Adlumin security platform. Both models look at Windows “successful logon” events (event ID 4624). However, LM looks at directed graphs built from an entire day’s worth of activity and draws attention to individual machines, whereas AE simply draws attention to individual access events between machines. Another important distinction is that LM individually models privileged users with enough historical data, whereas AE models all Windows access events together, regardless of the user involved.
The LM detection shown below features a directed graph flagged by LM and the individual access events that make up the graph, some of which were also flagged by AE, indicated by the ‘Anomaly Score’ column.
This LM detection would not have occurred if none of the events that make up the graph had been flagged by AE, which highlights the mechanism for reducing false positives in these detections. If a user’s behavior is determined to be anomalous by LM, but none of the individual access events are considered anomalous, that is likely grounds to throttle the detection.
Aggregating Single-Event Detections
One of the pitfalls of LM is that it only models privileged users with sufficient access history. A recent penetration test performed on a customer by the Adlumin SOC team has highlighted the potential utility in aggregating AE detections to look for a specific behavior that is invisible to LM. During this penetration test, the actor gained access to a machine that allowed them to enumerate the domain and access many other machines. Below are all the customer’s AE detections on the day of the penetration test.
The “NODEZERO” machine used in the Adlumin SOC penetration test is involved in many anomalous logons to other machines. LM is blind to this behavior because it is associated with the “anonymous logon” user, so we must rely on AE to create an alert in this case. Sending a separate alert for each detection would be problematic from a user-experience standpoint, however, which calls for an aggregation strategy. One idea is to count the number of unique logons associated with each “remote_workstation_name” and send an alert to the customer if that number exceeds a predetermined threshold. In this case, “NODEZERO” is associated with seven unique anomalous logons to other machines, so setting the threshold to 6 would be sufficient for an alert.
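Both alerting rules described in this post, throttling an LM graph when none of its edges was flagged by AE, and aggregating AE detections per “remote_workstation_name” against a unique-target threshold, fit in one short Python example. This is added illustration code, not Adlumin’s models or platform code: the anomaly scores, the 0.8 flagging cutoff, the field name `target_host`, the host names and the LM graphs are all constructed for the example; only `remote_workstation_name`, the “Anomaly Score” column and the threshold of 6 come from the post.

```python
from collections import defaultdict

# Assumed: AE marks a single logon event anomalous at or above this score.
AE_FLAG_SCORE = 0.8

# Constructed AE (single-event) detections, modeled on Windows 4624 fields.
# remote_workstation_name: the machine the logon came from (the post's column);
# target_host: the machine that recorded the logon (assumed field name).
AE_EVENTS = [
    {"user": "ANONYMOUS LOGON", "remote_workstation_name": "NODEZERO",
     "target_host": f"SRV{i:02d}", "anomaly_score": 0.93}
    for i in range(1, 8)            # seven distinct targets, as in the pentest
] + [
    # a second logon to SRV03: anomalous, but not a new unique target
    {"user": "ANONYMOUS LOGON", "remote_workstation_name": "NODEZERO",
     "target_host": "SRV03", "anomaly_score": 0.88},
    {"user": "jdoe", "remote_workstation_name": "WS01",
     "target_host": "FS01", "anomaly_score": 0.91},
    {"user": "jdoe", "remote_workstation_name": "FS01",
     "target_host": "DC01", "anomaly_score": 0.42},   # not flagged by AE
    {"user": "asmith", "remote_workstation_name": "WS07",
     "target_host": "FS02", "anomaly_score": 0.35},   # not flagged by AE
]

# Constructed LM (multi-event) output: per privileged user, the directed graph
# of logons LM flagged for the day, as (source, destination) edges.
LM_GRAPHS = {
    "jdoe":   [("WS01", "FS01"), ("FS01", "DC01")],
    "asmith": [("WS07", "FS02"), ("FS02", "DC01")],
}


def flagged_ae_edges(events, score_threshold=AE_FLAG_SCORE):
    """Set of (user, source, destination) for events AE considers anomalous."""
    return {(e["user"], e["remote_workstation_name"], e["target_host"])
            for e in events if e["anomaly_score"] >= score_threshold}


def intersect_lm_with_ae(graphs, events):
    """Fire an LM alert only if at least one edge of the flagged graph was also
    flagged by AE; otherwise throttle it. Returns (fired, throttled)."""
    flagged = flagged_ae_edges(events)
    fired, throttled = {}, []
    for user, edges in graphs.items():
        overlap = [edge for edge in edges if (user, *edge) in flagged]
        if overlap:
            fired[user] = overlap
        else:
            throttled.append(user)
    return fired, throttled


def aggregate_ae_by_source(events, unique_threshold=6, score_threshold=AE_FLAG_SCORE):
    """Count distinct targets per remote_workstation_name among AE-flagged events
    and return the sources whose count exceeds the threshold (one alert each)."""
    targets = defaultdict(set)
    for _user, source, destination in flagged_ae_edges(events, score_threshold):
        targets[source].add(destination)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) > unique_threshold}


if __name__ == "__main__":
    print(intersect_lm_with_ae(LM_GRAPHS, AE_EVENTS))   # jdoe fires, asmith throttled
    print(aggregate_ae_by_source(AE_EVENTS))            # {'NODEZERO': 7}
```

Counting distinct targets rather than raw detections is what keeps the repeated SRV03 logon from inflating the count; with the threshold at 6 the seven unique NODEZERO targets produce exactly one alert, while the single flagged jdoe edge does not.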
While this example shows a blind spot for LM, aggregating AE detections is nonetheless not a sufficient replacement for LM detections. LM can detect much more subtle and complicated behavior associated with moving through a network, so aggregated AE detections should get their own alert, possibly targeted at domain enumeration attacks. Sometimes these two alerts will describe the same behavior, which validates the need for further investigation. As the Adlumin ML model suite grows, these alert intersections will become more sophisticated and more widely deployed.
By Kevin O’Connor, Director of Threat Research at Adlumin, Inc.
The “Human Element” of cybersecurity is often one of the most challenging aspects to manage when considering the defense of a network. At Adlumin’s Threat Research group, we work to merge the science of cybersecurity with the mindset of how users and threats engage with Information Technology (IT) systems. Let’s dive deeper into how the human element manages both the defense of networks and the threat against them.
Defense
The most evident area where the Human Element plays into the defense of IT systems is anywhere there’s user interaction with the system, which has a security-relevant context. Users need not only to be trained on how to use their system – but also on the basics of end-user cybersecurity to prevent simple attacks like drive-by-downloads and attachment-based malware.
Phishing
One of the biggest threats facing the human-machine interface is phishing. The U.S. Department of Homeland Security’s Computer Information Security Agency (CISA) says that “phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization [or source].” While true, what’s missing in this definition is that phishing attacks are one of the most popular ways attackers will gain access to a user’s system through malicious attachments, such as macro-enabled malware or malicious links, to gain a foothold in a targeted network.
Defending Against Phishing
Technical controls exist which can help mitigate the threat of phishing-related attacks. Email filtering appliances/applications can automate the heavy lifting of denying known-bad actors that have engaged in more extensive and previously seen campaigns. The further application of machine learning in the message content is also promising. From there, security administrators can implement controls to scan or block attachments or mitigate specific technical vulnerabilities like macro-based malware by disabling macros or denying permissions to run downloaded attachments or other ‘online’ sourced software.
Closer to the human element, controls that require users to participate actively in opening links can help. To avoid users accidentally clicking on a malicious link, applications like Outlook can disable links in emails, requiring the user to manually copy and paste links from their email into their browser to visit sites ($LINK). This extra step can go a long way toward getting the human behind the keyboard to think about the site they’re going to.
But these controls are either incomplete or limiting, or they require some level of user participation. Without proper training on identifying phishing and malicious emails, users can still fall prey to craftily composed messages or to spoofed or compromised accounts belonging to legitimate senders. The risk stemming from this human-element-based threat must be mitigated through training, monitoring, continual awareness, and testing. Adlumin partners with KnowBe4, which offers user training, and we’ve integrated KnowBe4 phishing capabilities into our platform ($LINK).
Credential & Business Email Compromise
Another human element in cybersecurity that needs consideration is the Credential and Business Email Compromise (BEC). The FBI says Business Email Compromise is
“One of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional. In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request.”
FBI, 2020
The risks BEC and other account compromises have to a business are potentially devastating. The FBI’s Internet Crime Complaint Center (IC3) reported $43 billion in cost between June 2016 and December 2021 (IC3, 2022 Business Email Compromise).
These are often fundamentally human-centric attacks relying on combinations of social engineering or stolen credentials to bypass the need for in-depth technical exploitation or gain an initial foothold against a target network or business.
Defending Against Credential & Business Account Compromise
Technical controls can help mitigate credential compromise or BEC, including implementing 2-Factor Authentication wherever possible. Mandatory password expiration can also limit the time an exposed account or credential can be used for malicious purposes.
Logging, monitoring, and auditing user access can help identify potential cases of account compromise by comparing activity against the user’s typical behavior and alerting, or taking Security Orchestration Automation and Response (SOAR) action, when there is abnormal or suspicious activity. Adlumin is an example of a Managed Detection and Response (MDR) platform that can help identify and act on such malicious activity. Adlumin uses machine learning algorithms for User & Entity Behavior Analytics (UEBA) to help detect and respond to illicitly used credentials and accounts. Adlumin will also monitor, track, and alert on expired credentials and accounts.
Another vector for credential compromise and BAC is Darknet and other public data breaches and account/credential dumps. As a human element, users often reuse passwords across multiple accounts or use business emails (and possibly shared passwords) on platforms that are later compromised. These compromised credentials can be a great source of intelligence for attackers, potentially giving them validly credentialed access to the compromised account. To defend against this, tools like Adlumin’s Darknet Exposure Module can monitor for exposed credentials on the Darkweb and alert, or take immediate SOAR action, before attackers can exploit them.
Sources:
Computer Information Security Agency, CISA (2022, August 25). Security tip (ST04-014). CISA. Retrieved June 10, 2022, from https://www.cisa.gov/uscert/ncas/tips/ST04-014
FBI, Federal Bureau of Investigation (2020, April 17). Business email compromise. FBI. Retrieved June 10, 2022, from https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise
Internet Crime Complaint Center, IC3 (2022, February 16). Business email compromise: Virtual meeting platforms. Retrieved June 10, 2022, from https://www.ic3.gov/Media/Y2022/PSA220216
Internet Crime Complaint Center, IC3 (2022, May 4). Business email compromise: The $43 billion scam. Retrieved June 10, 2022, from https://www.ic3.gov/Media/Y2022/PSA220504
Adlumin is pleased to announce an integration with Cisco Duo. Duo is the leading provider of unified access security and multi-factor authentication delivered through the cloud. Duo’s solution verifies the identity of users and the health of their devices before granting them access to applications, helping prevent cybersecurity breaches.
Duo provides secure access to your applications and data, no matter where your users are – on any device, from anywhere. Duo’s adaptive Multi-Factor Authentication (MFA) creates trust in users, devices, and the applications they access. Cisco, one of the largest networking and communications vendors, provides a suite of security products, and this additional layer of protection is now being added to the Adlumin product. Below is a view of a sample alert from Cisco Duo:
Adlumin’s integration with Duo allows users with a Duo account to import their authentication events into Adlumin’s centralized security system. This automatically provides machine learning-based threat analysis, incident management, custom threat detection filters, geolocation reports, and more. Our integration queries the public Duo API endpoint every 15 minutes for authentication logs, pulling data such as usernames, hostnames, IP addresses, authentication devices, and more.
The Center for Internet Security (CIS) describes Continuous Vulnerability Management as “a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.”
Cyber defenders must have timely threat information about software updates, patches, security advisories, threat bulletins, etc. They should consistently review their IT environment to look for these vulnerabilities before cybercriminals do.
Managing and understanding vulnerabilities is a continuous activity, requiring the focus of time, attention, and dedicated resources.
Organizations face challenges in scaling remediation across an entire enterprise, and prioritizing actions with conflicting priorities, while not impacting the enterprise’s business or mission.
Often, remediating vulnerabilities requires expertise beyond the deployment of a simple patch.
For example, remediating the Spectre/Meltdown vulnerability requires both a configuration change and the deployment of a patch. Vulnerabilities also need different types of remediation: some need an update to custom software, or a registry key change with no patch at all.
Researching, understanding, and mapping the vulnerabilities to the remediation actions are complex and time-consuming tasks. Many organizations fail to complete this process quickly and efficiently because they don’t have an expert and dedicated team that can map the vulnerabilities to the proper remediation and, at the same time, evaluate the potential operational risk introduced by changes to the environment.
Organizations can minimize operational risk by moving towards a proactive remediation approach. This approach demands selecting the right vulnerability management solution that will deliver the capability to streamline the remediation process by automatically mapping the vulnerability to the correct patch(es) required in your specific environment.
Additionally, the solution should also streamline the application of patches for compliance by creating a zero-touch patch job to automate vulnerability remediation based on criteria that apply uniquely to your organization. This should reduce operational risk and remediation time, helping security teams align with regulatory and internal security policies.
Finally, the solution must make sure that endpoints are quickly and consistently patched, via the cloud, regardless of their location or connection to an organization’s network, which reduces the cost of securing a primary vector of attack. Eliminating the need to go over VPN for patching can save time and significantly reduce costs.
In today’s cyber world, full of uncertainty and constantly evolving threats and data obligations, have you ever wondered, “how can my organization protect itself against the unknown?” The quick answer to that question is threat intelligence, the human element that leverages cyber intuition and honed investigation skills to pre-empt attacks. Threat intelligence is actionable, timely, and provides context to threats. Let’s delve into the details and better understand all that threat intelligence has to offer the industry.
What is Threat Intelligence?
Threat intelligence gathers multi-source, raw, curated data about existing threat actors and their tactics, techniques, and procedures (TTPs). This cyber modus operandi helps analysts understand the tactics used by adversaries and identify signs or signals of their unauthorized presence in a target environment. In fact, it helps cyber analysts identify likely future targets by understanding their motivation, transferrable phishing campaigns, and other tools that could be applied from one target to another. For example, a campaign that uses stolen lawsuit information to target law firms could be modified to target healthcare organizations by using stolen malpractice litigation documents.
This knowledge and understanding of the adversary can prevent future attacks by helping organizations develop defenses based on likely attack scenarios. In essence, threat intelligence is a way to proactively defend your organization and remain a few steps ahead of cybercriminals. It’s not a crystal ball, but it could be a Moneyball approach to cybersecurity.
Threat intelligence professionals threat hunt by proactively searching for suspicious activity that indicates malicious behavior or network compromise. It is often a manual process backed by automated searches and correlation of existing collected network data. Other prevention and detection methods can only detect known and categorized threats. Below are some requirements for a threat hunting tool:
Practical Threat Hunting Tool Requirements:
Proactive threat hunting quickly establishes itself as a critical pillar in security strategies and ensures situational awareness that other methods do not offer. This approach requires the expertise of cybersecurity professionals who can draw from the knowledge of a system’s specific functionality and connectivity. In addition, they understand the attacker’s tactics, techniques, and procedures (TTPs) and capabilities to expose potential attacks and compromises. For additional context, below are a few threat intelligence challenges and benefits:
Threat Intelligence Challenges
Threat Intelligence Benefits
Who Should Invest in Threat Intelligence?
Threat intelligence adds value across security functions for companies of all sizes. When threat intelligence is integrated into an organization’s IT team, it can help prioritize and respond to incoming threats. Threat intelligence provides external insights and context for accurately prioritizing the vulnerabilities that matter most, and it provides context around threat actors’ TTPs. Fraud protection, risk analysis, and high-level security processes are all enriched by threat intelligence’s high-level security knowledge.
Proactive threat intelligence and hunting require 24/7 continuous scanning, which is typically a challenge for organizations that struggle to source the right talent or have a low budget. A standard cost-effective solution can be to outsource the skill and expertise needed.
Move Beyond Automation: Take Charge
In today’s world, adding threat intelligence to your cybersecurity strategy is no longer a luxury; it is a necessity. It’s said to be the way of the future for detecting and responding to advanced threats. Threat intelligence helps lower the cost of cybercrime and data breaches. A significant cybersecurity transformation is underway, and organizations can’t wait around to be attacked anymore. The key is adding elements that strengthen your organization for battle: the human element within threat intelligence. Taking charge is more than a suggestion; it’s a critical move that, if not made correctly, will result in irreversible damage.
At Adlumin, we are constantly monitoring trends in malware and the capabilities used by threat actors to attack customer networks. Ransomware poses a unique threat to customer environments and businesses as attackers’ use of the technique continually evolves and spreads while payouts increase.
The Threat
Ransomware is a popular method of computer network exploitation and extortion, and a potentially big payday for cybercriminals. In a ransomware attack, the malware specializes in finding local and network-shared user files and then encrypting the victim’s data on the device. Once encrypted, unless there are unaffected backups, the user’s documents and data are rendered inaccessible and unreadable, until the victim pays up. Ransomware attackers set up payment portals on the clear web, the dark web, and the bridges between them so that victims can ‘conveniently’ make an online payment to decrypt their files and access their data.
Foundations
While the widespread use of ransomware targeting businesses for financial gain is relatively new (modern examples started to trend in the mid-2000s and picked up in 2013), the first examples trace their roots back to the 80s, decades before modern payment methods like cryptocurrencies existed. In 1989 Joseph Popp authored and deployed the “AIDS Trojan”. This first-of-its-kind malware hid the user’s files, encrypted their names, then displayed a message demanding a $189 payment to “PC Cyborg Corporation” to receive a repair tool under an expired software license. It’s worth noting that the decryption key could be extracted from this early ransomware sample itself, because it used symmetric encryption: the same key was used to encrypt and decrypt the data, so the malware had to carry that key in order to encrypt the files.
By the mid-90s, researchers had introduced the idea of using public-key cryptography so that ransomware could encrypt data without storing the decryption key in the malware, which would otherwise leave it vulnerable to reverse engineering and key-recovery-based remediation. This was a critical step in the attacker’s ability to ensure decryption keys couldn’t be recovered reliably, and it kept ransomware a profitable problem.
In 2006, multiple public-key enabled ransomware families caused trouble in networks worldwide. These attacks weren’t typically pointed at individual targets and often spread through file-sharing platforms. By 2009 ransomware variants had shifted to using secure 1024-bit RSA-driven encryption implementations, which essentially prevented the ability to recover decryption keys through static analysis.
In 2013 ransomware began its modern popularity with the explosion of the CryptoLocker malware. CryptoLocker propagated through a botnet or as an attachment to an email message that appeared to come from a legitimate company. The ZIP file attached to the message contained a Windows executable disguised as a PDF by changing the executable’s icon. CryptoLocker used public-key encryption to ensure the decryption key was hosted only on the malware’s command and control server. When paired with strong key lengths and algorithms, decryption by means other than payment is computationally infeasible. The malware would encrypt files across local and mapped network drives, targeting only specific file extensions such as those associated with the Microsoft Office suite, documents, and images.
Since CryptoLocker, hundreds of ransomware families and variants have been introduced to networks worldwide. Locky followed as a spiritual successor to CryptoLocker; WannaCry affected networks globally and leveraged a zero-day to spread relentlessly across a network, bringing organizations like the British NHS to their knees. Ryuk appeared in 2018 and targeted specific organizations and industries for their deep pockets and ability to pay. Ryuk led to Conti, which recently announced its support of Russia and threatened to deploy “retaliatory measures” if cyberattacks were launched against the country in response to the 2022 Russian invasion of Ukraine. As these attacks grow, we’ve seen considerable impacts on business and industry, such as the 2021 Colonial Pipeline attack, which led to the shutdown of control systems and oil delivery pipelines, causing increased prices, limited availability, and panic-buying.
Trends
Adlumin’s Threat Research group has identified two primary trends in ransomware that increase the risk associated with ransomware attacks: the continued shift to ransomware-as-a-service (RaaS) and the growth of data-exposure-driven double-extortion models. These trends represent a widening in ransomware capabilities and prevalence and a decrease in an organization’s ability to control a breach.
Ransomware-as-a-Service (RaaS)
Ransomware as an attacker methodology has grown from initial custom development of tools for individual exploitation campaigns to large-scale availability as a commodity product with the sale of ransomware capabilities taking place on clear and darknet markets. Ransomware capabilities are now available for sale or lease, decreasing the technical capability required to conduct these attacks and lowering the barrier to entry for would-be attackers.
These capabilities can cost as little as $20 or run to thousands of dollars, depending on the ransomware’s capabilities, the scope of allowed usage, detection mitigations, automation, exclusivity rights, and the inclusion of management or victim portals.
Ransomware has moved from a tailored and unique exploitation method to a pay-for-play access model.
Data Breach & Double-Extortion
Globally, ransomware groups and attacks have started to incorporate more direct extortion methods, shifting from pay-for-decryption to a combined approach involving the potential release of stolen, often sensitive, data. To ensure payout from victims, attackers have had to counter the impact that improved defenses and updated cyber best practices have had on ransomware.
A defensive shift in segmenting devices and services to prevent lateral infection and the ability to restore from otherwise unaffected backups on non-critical systems have lessened businesses’ potential need to pay ransom to recover from an attack. To ensure their operations remain profitable, attackers have begun stealing data from companies and ransoming the possible public release of the stolen data. Such data might include customer PII, payment information, or business secrets – and public release of that data may have severe reputational, business, financial, and regulatory impacts on the affected business, further increasing the cost of a single breach.
This data exposure or “Double Extortion” tactic means the attackers can choose to require two ransoms: one to decrypt the data and another to delete the data stolen before encryption. The potential release of data is intense pressure to pay for victims, who may not even know what information was stolen.
Explosive Growth
Ransomware as an attacker capability and exploitation method has experienced explosive growth since the introduction of cryptocurrency payments and a run of continued profitable attacks. According to FBI Internet Crime Complaint Center (IC3) figures reported by CISA, ransomware incidents continue to rise, with 2,474 incidents reported for all of 2020 and 2,084 complaints between January and July of 2021 alone, a doubling of reported incidents. The cost and ransom amounts have also grown, with a 225 increase in ransom demands, and victims are on track to hit over $40M in losses.
What You Can Do
Your business or organization isn’t helpless in preventing ransomware attacks and limiting their impact when they make it past defenses. In a joint 2022 release by cybersecurity authorities in the United States, Australia, and the United Kingdom which included the FBI, the Cybersecurity and Infrastructure Agency (CISA), and the National Security Agency (NSA) – authorities recommended multiple best practices for protecting your network:
Keep all operating systems and software up to date.
If you use RDP or other potentially risky services, secure and monitor them closely.
Implement a user training program and phishing exercises.
Require MFA.
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords.
If using Linux, use a Linux security module (such as SELinux, AppArmor, or SecComp) for defense in depth.
Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.
Segment networks to help prevent the spread of ransomware by controlling traffic flows between, and access to, various subnetworks and by restricting adversary lateral movement.
Implement end-to-end encryption, which can prevent eavesdropping on communications and, in turn, deny cyber threat actors the insights needed to advance a ransomware attack.
Use a network-monitoring tool to identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware.
Document external remote connections.
Enforce the principle of least privilege through authorization policies.
Reduce credential exposure.
Disable unneeded command-line utilities; constrain scripting activities and permissions, and monitor their usage.
Maintain offline (i.e., physically disconnected) backups of data and regularly test backup and restoration.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
Collect telemetry from cloud environments.
On Friday, May 27, 2022, a new zero-day remote code execution vulnerability was reported by security researcher “nao_sec” on Twitter. Validated by the community and given the Common Vulnerabilities and Exposures (CVE) designation CVE-2022-30190, the vulnerability, dubbed Follina, takes advantage of a flaw in Microsoft Office. It allows attackers to invoke the Microsoft Support Diagnostics Tool (msdt.exe) to launch malicious executions, including PowerShell commands.
The vulnerability has been confirmed as present and effective against Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 and affects the following operating systems: Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. It leaves most combinations of Office and Windows susceptible to exploitation, and it should be assumed that all versions of Office are vulnerable.
Technical Details
Follina was first observed as active in the wild and took advantage of a flaw in Microsoft Office and Windows, which allows for arbitrary remote code execution giving attackers potential control of the victim’s machine. Unlike traditional Microsoft Office-based attacks, which typically leverage document macro functionality to gain execution—a generally mitigated strategy—Follina takes advantage of Office’s remote template feature to gain initial execution.
The Office remote template feature allows the malicious document to retrieve a remote HTML file containing JavaScript that executes commands on the command line through the Microsoft Support Diagnostic Tool (MSDT / msdt.exe). As a result, PowerShell scripts typically run at the privilege level of the user who opened the document, allowing the attacker to view, modify, or destroy data and to install additional programs and malware.
Detection, Defenses, and Mitigations with Adlumin
Adlumin allows security administrators to collect and query security-relevant logs from multiple sources, including network endpoints and process executions. Using this capability, we can develop a query to look for potential instances of exploitation of this vulnerability.
Exploitation of Follina / CVE-2022-30190 should create multiple recorded artifacts that can be searched to determine whether the vulnerability has been used on a network. To query for these instances, search for endpoint process executions where the parent process is a Microsoft Office product and the child process it launched is msdt.exe or sdiagnhost.exe.
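The parent/child rule just described, applied to process-creation telemetry as an added example (this is not Adlumin's query language or product code). The record layout loosely follows Sysmon Event ID 1 / Security Event 4688 fields; the field names, host names and the sample events are constructed for the example and are not customer data.

```python
"""Hunt for the Follina process chain in process-creation telemetry.

Added example, not Adlumin's own query: it applies the rule described
above (a Microsoft Office application as the parent, msdt.exe or
sdiagnhost.exe as the child) to constructed records shaped like Sysmon
Event ID 1 / Security Event 4688 fields. Field names, host names and the
sample events are assumptions of this example, not customer data.
"""
import ntpath
from collections import Counter
from dataclasses import dataclass

# Office binaries that can act as the parent of the malicious launch
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "onenote.exe", "mspub.exe", "visio.exe"}
# Diagnostic tool processes named in the text as the suspicious children
MSDT_CHILDREN = {"msdt.exe", "sdiagnhost.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent process image
    image: str          # full path of the newly created process image


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path, so matching is case-insensitive."""
    return ntpath.basename(path).lower()


def is_follina_chain(event: ProcessEvent) -> bool:
    """True when an Office parent spawned msdt.exe or sdiagnhost.exe."""
    return (image_name(event.parent_image) in OFFICE_PARENTS
            and image_name(event.image) in MSDT_CHILDREN)


def find_follina_chains(events):
    """Return the matching events in the order received, for analyst review."""
    return [e for e in events if is_follina_chain(e)]


def hits_per_host(events) -> Counter:
    """Count matches by host so the most affected endpoints surface first."""
    return Counter(e.host for e in find_follina_chains(events))


OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SYS32 = r"C:\Windows\System32"

# Constructed sample telemetry: three chains (one with an upper-cased image
# name) and three benign events that must not match
SAMPLE_EVENTS = [
    ProcessEvent("WS-0417", OFFICE16 + r"\WINWORD.EXE", SYS32 + r"\msdt.exe"),
    ProcessEvent("WS-0417", OFFICE16 + r"\WINWORD.EXE", SYS32 + r"\splwow64.exe"),
    ProcessEvent("WS-0922", OFFICE16 + r"\EXCEL.EXE", SYS32 + r"\sdiagnhost.exe"),
    ProcessEvent("WS-0922", SYS32 + r"\svchost.exe", SYS32 + r"\sdiagnhost.exe"),
    ProcessEvent("WS-1305", OFFICE16 + r"\OUTLOOK.EXE", OFFICE16 + r"\WINWORD.EXE"),
    ProcessEvent("WS-0417", OFFICE16 + r"\WINWORD.EXE", SYS32 + r"\MSDT.EXE"),
]
```

The rule is deliberately narrow so that it produces few false positives: Office legitimately spawns helpers such as splwow64.exe, and sdiagnhost.exe is normally started by a service host rather than by an Office application, so only the Office-to-diagnostic-tool pairing is reported. Matching on the image file name rather than the full path keeps the rule robust to differing install locations.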
Adlumin stores historical customer data to identify if this vulnerability was leveraged months before the exploit was publicly released. Searching the data set, Adlumin’s Threat Research team could not find any examples of exploitation among our customers.
Defenses
At the time of the vulnerability’s public disclosure there was no official patch from Microsoft, and there still is none. Microsoft has recommended disabling the MSDT URL protocol as a mitigation for the vulnerability.
Disabling the MSDT URL Protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links within the operating system. The following steps disable the MSDT URL protocol, protecting systems from the Follina vulnerability:
Run Command Prompt as Administrator
Backup the registry key:
reg export HKEY_CLASSES_ROOT\ms-msdt backup
Delete the following registry key:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Additionally, Microsoft recommends customers with Microsoft Defender Antivirus turn on cloud-delivered protection and automatic sample submission to help quickly identify and stop new unknown threats. Microsoft Defender for Endpoint customers can enable attack surface reduction by setting the rule for “Block All Office applications from creating child processes” (GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a).
Continuous Monitoring
Adlumin recommends using a Continuous Vulnerability Management product to collect the needed data from endpoints to determine whether they are running vulnerable versions of Microsoft Windows and Office. The same software can also identify which assets do and do not have the official Microsoft mitigation in place.
Adlumin also recommends leveraging our managed security services product to continually search and alert for suspicious executions, which may result from the exploitation of the vulnerability.
In the book Charlie and the Chocolate Factory, a young boy receives a “golden ticket” that provides him access to Willy Wonka’s chocolate factory. In a cybersecurity context, a Golden Ticket attack means a cybercriminal has gained access to an organization’s entire Active Directory (AD) domain for up to 10 years. As the name and description suggest, these attacks can be devastatingly invasive and leave a network at the attacker’s mercy for long periods of time.
A core concept in the mechanism of these attacks is the Kerberos Key Distribution Center (KDC). The KDC functions as a trusted third-party authentication service as part of every domain controller within an AD. Kerberos grants a Ticket Granting Ticket (TGT) to prove recent authentication, allowing users to access resources without constantly reauthenticating.
Kerberos
1. The user requests a TGT from the Authentication Server to access a resource; the request is encrypted with the user’s password.
2. Kerberos checks the user’s access rights and prepares a TGT and session key, including a timestamp that dictates how long the session is valid. Before being sent, the TGT is encrypted with the KRBTGT password hash (which is shared among all the domain controllers in the AD).
3. The user then requests a service-granting ticket using the TGT they received.
4. The Ticket Granting Service (TGS) verifies this request using the TGT and returns a service ticket and session key for the requested Resource Server.
5. The user sends a request with this ticket and session key to the Resource Server.
6. The Resource Server verifies that the ticket and session key match and then grants access, thus providing mutual authentication.
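The six-step exchange above, played out end to end as an added example (this is a teaching model written for this page, not Adlumin's code and not a real Kerberos implementation). Tickets are sealed with an HMAC under the issuing party's key instead of being encrypted, which is enough to show which party can verify which ticket: the TGT is checkable only with the KRBTGT key shared by the domain controllers, and the service ticket only with the service's key. The realm, principal names, key values and the 10-hour lifetime policy are constructed.

```python
"""Model of the six-step Kerberos exchange described above.

Added example, not Adlumin's code and not a real Kerberos implementation:
tickets are sealed with an HMAC under the issuer's key instead of being
encrypted, which is enough to show which party can verify which ticket.
Realm, principal names and key values are constructed.
"""
import hashlib
import hmac
import json
import secrets

MAX_TICKET_LIFETIME = 10 * 3600   # domain policy in this model: 10 hours
AUTHENTICATOR_SKEW = 300          # accept authenticators within 5 minutes


def seal(key: bytes, body: dict) -> dict:
    """Bind a ticket body to a key (stand-in for encryption under that key)."""
    msg = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def unseal(key: bytes, sealed: dict) -> dict:
    """Return the body only if it was sealed under `key`."""
    if not hmac.compare_digest(seal(key, sealed["body"])["tag"], sealed["tag"]):
        raise PermissionError("ticket was not sealed under the expected key")
    return sealed["body"]


def check_ticket(key: bytes, ticket: dict, now: int) -> dict:
    """Verify key binding, lifetime policy and validity window of a ticket."""
    body = unseal(key, ticket)
    if body["end"] - body["start"] > MAX_TICKET_LIFETIME:
        raise PermissionError("ticket lifetime exceeds domain policy")
    if not body["start"] <= now < body["end"]:
        raise PermissionError("ticket expired or not yet valid")
    return body


def ticket_is_valid(key: bytes, ticket: dict, now: int) -> bool:
    """Boolean form of check_ticket, convenient for monitoring code."""
    try:
        check_ticket(key, ticket, now)
        return True
    except PermissionError:
        return False


def check_authenticator(session_key: bytes, auth: dict, user: str, now: int) -> None:
    """Prove the caller holds the session key and the request is fresh."""
    body = unseal(session_key, auth)
    if body["user"] != user or abs(now - body["ts"]) > AUTHENTICATOR_SKEW:
        raise PermissionError("stale or mismatched authenticator")


class KDC:
    """Authentication Server (steps 1-2) and Ticket Granting Service (steps 3-4)."""

    def __init__(self, realm, krbtgt_key, user_keys, service_keys):
        self.realm, self.krbtgt_key = realm, krbtgt_key
        self.user_keys, self.service_keys = user_keys, service_keys

    def as_exchange(self, user, preauth, now, lifetime=8 * 3600):
        """Steps 1-2: check the user's key via pre-authentication, issue a TGT."""
        check_authenticator(self.user_keys[user], preauth, user, now)
        skey = secrets.token_bytes(32)
        body = {"user": user, "realm": self.realm, "start": now,
                "end": now + lifetime, "skey": skey.hex()}
        # Sealed under the KRBTGT key: only domain controllers can verify it
        return seal(self.krbtgt_key, body), skey

    def tgs_exchange(self, tgt, auth, service, now):
        """Steps 3-4: verify the TGT under the KRBTGT key, issue a service ticket."""
        tgt_body = check_ticket(self.krbtgt_key, tgt, now)
        check_authenticator(bytes.fromhex(tgt_body["skey"]), auth, tgt_body["user"], now)
        skey = secrets.token_bytes(32)
        body = {"user": tgt_body["user"], "service": service, "start": now,
                "end": min(now + 8 * 3600, tgt_body["end"]), "skey": skey.hex()}
        return seal(self.service_keys[service], body), skey


def service_access(service_key: bytes, ticket: dict, auth: dict, now: int) -> str:
    """Steps 5-6: the Resource Server checks ticket and authenticator, grants access."""
    body = check_ticket(service_key, ticket, now)
    check_authenticator(bytes.fromhex(body["skey"]), auth, body["user"], now)
    return f"access granted to {body['user']} for {body['service']}"


def full_logon(kdc, user, user_key, service, service_key, now):
    """Run all six steps for one user against one service."""
    tgt, tgt_skey = kdc.as_exchange(user, seal(user_key, {"user": user, "ts": now}), now)
    st, st_skey = kdc.tgs_exchange(tgt, seal(tgt_skey, {"user": user, "ts": now}), service, now)
    return service_access(service_key, st, seal(st_skey, {"user": user, "ts": now}), now)


# Constructed keys so the model runs stand-alone (never use fixed keys in real systems)
KRBTGT_KEY = hashlib.sha256(b"constructed-krbtgt-secret").digest()
USER_KEYS = {"alice": hashlib.sha256(b"constructed-alice-password").digest()}
SERVICE_KEYS = {"cifs/fs01": hashlib.sha256(b"constructed-fs01-key").digest()}
KDC_CORP = KDC("CORP.EXAMPLE", KRBTGT_KEY, USER_KEYS, SERVICE_KEYS)
```

Two properties of the model matter for the attack discussed next: every ticket the TGS will accept must be sealed under the KRBTGT key, so that key is the root of trust for the whole domain, and the only server-side checks on a presented TGT are its key binding, its lifetime against policy and its validity window. In the model the lifetime policy check is what rejects a ticket issued for years rather than hours; whether and how the real KDC enforces such a limit depends on the domain configuration and patch level.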
The Attack
During a Golden Ticket incident, attackers bypass steps 1 and 2 in the above sequence and forge the TGTs themselves. Forging TGTs can be done manually but is commonly done with an exploitation tool called mimikatz, which needs four pieces of information to forge a convincing TGT:
Domain name
Domain Security Identifier (SID)
An account with ‘Replicating Directory Changes All’ and ‘Replicating Directory Changes’ privileges enabled (typically admins)
The KRBTGT Password hash
Assuming the third requirement is met, the remaining parameters can be gathered with simple PowerShell commands and mimikatz. Running the whoami /user command under that account provides the attacker with the domain name and domain SID. Running a DCSync attack with mimikatz yields the KRBTGT password hash. Mimikatz can then use this information to generate a Golden Ticket, after which the attacker can access network resources as a domain administrator using any account within the domain.
Adlumin Defense
Golden Ticket Attacks are hard to detect because there are many ways to gather the above parameters beyond the standard technique. Adlumin Data Science takes a practical approach to build a defense – instead of tracking an attacker’s journey to obtaining fake credentials, parsing Windows event logs for end-result signatures of a Golden Ticket attack can be more fruitful. For example, attackers will look to obfuscate their activity by reusing an existing SID with an account that may or may not have an account name similar to that of the original SID owner. Thus, evidence of SID duplication can be a warning sign.
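The end-result signature described in this paragraph, SID duplication, checked over logon events as an added example (this is not Adlumin's alert logic). The records are constructed Security event lines in a flat key=value form using Event 4624 field names; the SIDs, host names and the directory snapshot are constructed.

```python
"""Flag SID reuse across account names in Windows logon events.

Added example, not Adlumin's alert logic: it scans constructed Security
event records (4624 logon fields in a flat key=value form) for the
end-result signature described above, namely one SID appearing with more
than one account name, and for name/SID pairs that disagree with the
directory. SIDs, host names and directory contents are constructed.
"""
from collections import defaultdict

# Constructed directory snapshot: SID -> canonical account name
DIRECTORY = {
    "S-1-5-21-1111111111-2222222222-3333333333-500": "Administrator",
    "S-1-5-21-1111111111-2222222222-3333333333-1104": "jdoe",
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "msmith",
}

# Constructed log lines, one event per line, as a log shipper might emit them
SAMPLE_LOG = """\
EventID=4624 Computer=DC01 TargetUserSid=S-1-5-21-1111111111-2222222222-3333333333-1104 TargetUserName=jdoe TargetDomainName=CORP LogonType=3
EventID=4624 Computer=FS01 TargetUserSid=S-1-5-21-1111111111-2222222222-3333333333-1105 TargetUserName=msmith TargetDomainName=CORP LogonType=3
EventID=4624 Computer=FS01 TargetUserSid=S-1-5-21-1111111111-2222222222-3333333333-500 TargetUserName=Administrator TargetDomainName=CORP LogonType=3
EventID=4624 Computer=FS01 TargetUserSid=S-1-5-21-1111111111-2222222222-3333333333-1104 TargetUserName=jd0e TargetDomainName=CORP LogonType=3
EventID=4672 Computer=FS01 SubjectUserSid=S-1-5-21-1111111111-2222222222-3333333333-1104 SubjectUserName=jd0e
EventID=4624 Computer=DC01 TargetUserSid=S-1-5-21-1111111111-2222222222-3333333333-1104 TargetUserName=JDOE TargetDomainName=CORP LogonType=2
"""


def parse_event(line: str) -> dict:
    """Split a flat key=value line into a dict (values carry no spaces in this form)."""
    return dict(field.split("=", 1) for field in line.split())


def logon_events(log: str):
    """Yield only successful logon (4624) events from the raw log text."""
    for line in log.splitlines():
        if line.strip():
            ev = parse_event(line)
            if ev.get("EventID") == "4624":
                yield ev


def find_sid_reuse(log: str) -> dict:
    """SIDs seen with more than one distinct account name (case-insensitive)."""
    names = defaultdict(set)
    for ev in logon_events(log):
        names[ev["TargetUserSid"]].add(ev["TargetUserName"].lower())
    return {sid: sorted(n) for sid, n in names.items() if len(n) > 1}


def find_directory_mismatch(log: str, directory: dict) -> list:
    """(host, SID, name) triples where the logged name disagrees with the directory."""
    hits = []
    for ev in logon_events(log):
        expected = directory.get(ev["TargetUserSid"])
        if expected is not None and expected.lower() != ev["TargetUserName"].lower():
            hits.append((ev["Computer"], ev["TargetUserSid"], ev["TargetUserName"]))
    return hits
```

Account names are compared case-insensitively because Windows logs the name as typed, so "JDOE" and "jdoe" are the same principal and must not trigger the alert; the look-alike "jd0e" attached to jdoe's SID does. The directory comparison catches the same condition even when only one logon for the SID has been seen, at the cost of needing a reasonably fresh directory export.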
Adlumin Data Science is developing a suite of alerts based on attack signatures like the one mentioned above—being holistically deployed as a comprehensive defense against Windows authentication exploits. Watch our announcement forums for more on this soon.
Adlumin provides a Software-as-a-Service SIEM and managed security services. Our SIEM allows ingestion from multiple and diverse data sources from Office 365 events to Windows Critical Events and Linux Syslog and those from your existing security appliances and solutions.
An increasingly remote workforce spurred by the COVID-19 pandemic has brought changes to the information security landscape. Users have shifted from working in carefully constructed walled gardens to café hotspots and home networks with no security assurances. Adlumin’s Threat Research group outlines some of the new and rising challenges of increased Remote Work adoption in the security landscape.
Increased Attack Surface
Every additional web application or service introduced to an environment increases a business’s risk and attack surface. The added risk and potential threat of any new service should be assessed according to the service’s permissions and role in the network. Many applications introduced to support remote work would be categorized as high-risk additions to a typical network. Virtual Desktop Infrastructure (VDI) solutions, Remote Desktops, Virtual Private Networks (VPNs), and other remote access solutions are critical to many remote work architectures, and they are typically classified as high risk because of the access and permissions they carry and their position in the data lifecycle.
Administrators and security staff must ensure that all internet-facing devices are patched promptly and must regularly monitor these systems’ logs, accesses, connections, and behavior to confirm they remain secure. It is also essential to continually monitor the organization’s web exposure to ensure that only documented and secured services, and not malicious backdoors or outdated products, are exposed. (Note: Adlumin offers Adlumin Perimeter Defense, which gives you insight into your network from an attacker’s perspective.)
User Origin Tracking
Gone are the days of employees working out of a single central office with a sprinkling of branch offices and remote sites diversifying the network’s architecture. Modern remote work requirements include supporting remote employees on a state, country, or globally diverse level.
User origin tracking is the process of monitoring for suspicious traffic by geolocating access and login requests. Requests are compared to a baseline or a set of rules that can raise an alert for potentially malicious access, indicated by a remote endpoint connecting or acting from outside the business’s pre-defined operating area. The expansion of the security domain complicates, but does not prohibit, user origin tracking and access origin monitoring and alerting.
To overcome the challenge of manually creating alerting mechanisms for logins outside a central office or branch location, more complex machine learning algorithms are required to learn a user’s access behavior over time. This includes continually analyzing a user’s current and historical access locations, behavior, and relationships in the network to draw conclusions beyond an endpoint’s origin. (Note: Adlumin User & Entity Behavior Analytics (UEBA) uses proprietary data science to identify, detect, analyze, and prioritize, in real time and without any input from your cybersecurity team, anomalous behavior that is likely to present a risk to your network’s security.)
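The two approaches contrasted above, a static rule for the business's operating area and a baseline learned from each user's history, combined in one small alerting routine as an added example (this is a simple count-based baseline written for this page, not Adlumin's UEBA). Users, country codes, the operating area and the threshold are constructed.

```python
"""Learn per-user login origins and alert on logins outside them.

Added example, not Adlumin's UEBA: a count-based baseline of the countries
each user normally logs in from, combined with a static operating area,
decides whether a new login is routine, unusual, or outside the business
footprint. Users, country codes and thresholds are constructed.
"""
from collections import Counter, defaultdict

OPERATING_AREA = {"US", "CA"}   # constructed: the business's pre-defined operating area
MIN_BASELINE_LOGINS = 3         # a country enters a user's baseline after this many logins


def learn_baseline(history):
    """history: iterable of (user, country) past logins -> {user: set(countries)}."""
    counts = defaultdict(Counter)
    for user, country in history:
        counts[user][country] += 1
    return {user: {c for c, n in per_user.items() if n >= MIN_BASELINE_LOGINS}
            for user, per_user in counts.items()}


def evaluate_logins(logins, baseline):
    """Return (user, country, severity) for logins that deviate from the baseline.

    Routine logins (country already in the user's baseline) produce nothing.
    A new country inside the operating area is 'low'; outside it is 'high'.
    Users with no learned history fall back to the static rule alone.
    """
    alerts = []
    for user, country in logins:
        if country in baseline.get(user, set()):
            continue
        severity = "low" if country in OPERATING_AREA else "high"
        alerts.append((user, country, severity))
    return alerts


# Constructed history: alice splits time between the US and Germany, bob is in Canada
HISTORY = ([("alice", "US")] * 5 + [("alice", "DE")] * 4
           + [("bob", "CA")] * 3 + [("bob", "US")])
NEW_LOGINS = [("alice", "DE"), ("alice", "FR"), ("bob", "US"), ("carol", "BR")]
```

The point of the learned baseline is visible in alice's case: her German logins would be alerts under the static operating-area rule alone, but her history makes them routine, while her first login from France is still flagged. Bob's single prior US login is below the threshold, so his US login is reported at low severity rather than silently accepted.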
Crossing Security Domains – Split Tunneling and Introduction of Remote Endpoints
Introducing remote endpoints into your business network brings additional risk through added attack surface and exposure. Split tunneling in Virtual Private Networks (VPNs), and more generally letting a device live in two security domains or jump between them, is an added risk. Split tunneling is the VPN-specific case: some traffic is routed securely to the business network while other traffic goes directly to the local network or the internet. This creates a potential vulnerability in which a device bridges a trusted and an untrusted network, potentially linking the two security domains. The same potential vulnerability applies to any device or user accessing a business application from networks or sources that cannot always be trusted.
Administrators and security staff must ensure that any systems matching this pattern, such as business-owned and issued laptops used for remote work that connect to the business through an employee’s home network, are secured. This involves strong log management and analysis, aggressive patching, endpoint protection products, and security-oriented architectures.
Data in Transit
With a partially or fully remote workforce accessing business assets from locations distant from the hosted infrastructure, businesses are forced to send data that once transited dedicated Ethernet connections and leased fiber MPLS circuits over untrusted infrastructure. From coffee shop or home wireless networks to cellular access and remote data centers, modern remote access requirements are diverse and may change for users regularly.
Nearly all services supporting remote work require sending sensitive data across unmonitored, unmanaged, and potentially hostile networks. Designed for reliability rather than control, the network routes that traffic takes from the remote user to the business are dynamic and difficult or impossible to predict or manage, and they are often subject to interception by arbitrary service providers and attackers.
In a February 2022 attack suspected to be of Chinese origin, the routing protocol used to direct traffic over the internet was abused; as a result, traffic was legitimately routed through transit locations believed to be friendly to attacker interception and inspection [1]. This technique isn’t new and has been used by multiple nation-state attackers and e-crime organizations alike since at least 2004 [2]. In addition to threats from APTs and e-crime actors, ISPs along the transit route, which the business cannot control, can also inspect or inject network traffic [3].
To help mitigate the risks of sending business data over untrusted infrastructure, a business should consider at least one layer of encryption mandatory for all business traffic. This can be provided at the application level, commonly through TLS/SSL, or at the transport layer through IPsec and TLS VPNs. Businesses should also consider layering encryption to double-wrap sensitive traffic, for example by requiring remote web applications to be accessible only over an IPsec-backed VPN connection, with an HTTPS (TLS/SSL) connection to the remote resource carried inside it. When possible, businesses should diversify the encryption algorithms and the supporting libraries and implementations so that a single vulnerability or compromise does not expose data. (Note: Adlumin supports ingestion of security logs from VPN appliances and firewalls.)
Data At Rest
Even with careful attention to secure remote access, some critical business data related to IT or other sensitive operations ends up stored locally on the device. Outside of the most stringent thin-client solutions, users will typically have locally stored data on their business device and, at a minimum, will have some sensitive data in browser, application, and memory caches. This data could include sensitive business information, customer or employee PII, chats, emails, credentials, and accounts.
To ensure data at rest remains protected, organizations should adopt Full Disk Encryption (FDE) policies backed by secure implementations and encryption algorithms. Most operating systems now support native full disk encryption, including Windows through BitLocker, macOS through FileVault 2, and Linux through dm-crypt with LUKS. (Note: Adlumin supports ingestion and alerting of logs related to FDE features.)
What happened?
Bob is an employee of Business Bank, which recently shifted many of its onsite staff to a work-from-home setup with company-owned laptops. Bob also has a home computer with out-of-date antivirus that is several update cycles behind.
His home computer gets infected with malware, and an attacker leverages his home machine to stage an attack against the Business Bank laptop over an SMB vulnerability. The next time he connects his laptop to Business Bank’s internal network through the VPN connection, a ransomware attack is launched against the domain.
Future Prevention Method
In this case, Business Bank could have saved itself by implementing tighter security controls and monitoring. In addition to modifying its host-based access policies to restrict inbound traffic not required to establish the VPN connection, it should have implemented a monitoring solution and SIEM to identify the abnormal connection from Bob’s home computer.