Microsoft bringing EMET back as a built-in part of Windows 10

The new security analytics dashboard. (credit: Microsoft)

The Windows 10 Fall Creators Update will include EMET-like capabilities managed through a new feature called Windows Defender Exploit Guard.

Microsoft's EMET, the Enhanced Mitigation Experience Toolkit, was a useful tool for hardening Windows systems. It used a range of techniques—some built in to Windows, some part of EMET itself—to make exploitable security flaws harder to reliably exploit. The idea was that, even when coding bugs do occur, turning those bugs into actual security issues should be made as difficult as possible.

With Windows 10, however, EMET's development was essentially cancelled. Although Microsoft made sure the program ran on Windows 10, the company said that EMET was superfluous on its latest operating system. Some protections formerly provided by EMET had been built into the core operating system itself, and Windows 10 offered additional protections far beyond the scope of what EMET could do.


New Variant of Petya Ransomware Spreading Like Wildfire

The world woke up today to another ransomware outbreak wreaking havoc throughout companies’ networks. This time, the family causing the fuss is Ransomware Petya, a nasty variant that encrypts files and the computer’s master boot record (MBR), rendering the machine unusable.

Ransomware Petya has been around since at least March 2016 and differs from usual ransomware families because it encrypts a system’s MBR in addition to encrypting files. This double stroke renders the disk inaccessible and prevents most users from recovering anything on it.

The new variant found today has further increased its nastiness by adding a spreading mechanism similar to what we saw in WannaCry just a few weeks ago. Petya comes as a Windows DLL with only one unnamed export, and uses the same Eternal Blue exploit when it attempts to infect remote machines, as we can see below:

In the preceding image we can see the typical transaction occurring right before the exploit is sent—as we discussed in our WannaCry blog.

Once the exploit succeeds, the malware copies itself to the remote machine under C:\Windows, and starts itself using rundll32.exe. The process is executed under lsass.exe, the Windows process injected by the Eternal Blue exploit.

Because the WannaCry outbreak caused many people to apply all the latest Windows patches, Petya introduces a few more spreading mechanisms to be more successful. The next method Petya attempts is to copy itself and a copy of psexec.exe to the remote machine’s ADMIN$ folder. If it is successful, the malware attempts to start psexec.exe using a remote call to run it as a service, as we can see below:

The preceding image first shows the DLL being copied to the remote host. And the following image shows psexec being copied and then attempting to start it using the svcctl remote procedure call.

Both files are copied to the C:\Windows folder.

One last method attempted by the malware is to use the Windows Management Instrumentation Command-line (WMIC) to execute the sample directly on the remote machine, using stolen credentials. The command used by the malware looks like this:

  • exe %s /node:"%ws" /user:"%ws" /password:"%ws" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1

where “%ws” is a variable representing a wide string, which will be generated based on the current machine and credential being exploited.

Once the malware runs on the machine, it drops psexec.exe to the local system as c:\windows\dllhost.dat, and another .EXE (a 32- or 64-bit version, depending on the operating system) to the %TEMP% folder. This binary is a modified version of a password dump tool, similar to Mimikatz or LSADump.

The preceding code shows the LSA functions used during password extraction.

This .EXE accepts a pipe name as a parameter, similar to the following:

  • \\.\pipe\{df458642-df8b-4131-b02d-32064a2f4c19}

This pipe is used by the malware to receive the stolen passwords, which are then used by the WMIC shown above.

All these files are present in the resource section of the main DLL in a compressed form, as follows:

The malware then encrypts local files and the MBR, and installs a scheduled task to reboot the machine after one hour using schtasks.exe, as seen below:

The encryption used by the malware is AES-128 with RSA. This is different from previous variants, which used SALSA20. The RSA public key used to encrypt the file encryption keys is hardcoded and can be seen below:

The malware also attempts to clear the Windows event logs to hide its traces, by executing the following commands:

  • wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

After the machine is rebooted, the ransom message appears and demands US$300 in Bitcoin:

At this moment there are few transactions to this account, but this could change quickly once more people start to notice they are infected:

We will update this blog as more information arrives. For now, McAfee product users with McAfee ENS 10.5 and WSS should be protected from known samples if their products are up to date, and additionally by McAfee Global Threat Intelligence. (This Knowledge Center article has more information.) McAfee ATP detects both the main DLL and the dropped EXE, as seen below:

Detection of the main DLL is shown above; detection of the sample dropped in %TEMP% is shown below:

Indicators of compromise

Known hashes

  • 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 (main 32-bit DLL)
  • 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1 (main 32-bit DLL)
  • f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5 (signed PSEXEC.EXE)
  • 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f (64-bit EXE)
  • eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 (32-bit EXE)

Files

  • c:\windows\dllhost.dat
  • c:\windows\<malware_dll> (no extension)
  • %TEMP%\<random name>.tmp (EXE drop)

Other indicators

  • PIPE name: \\.\pipe\{df458642-df8b-4131-b02d-32064a2f4c19}
  • Scheduled task running “shutdown -r -n”
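A detection pass over process-creation command lines for the behaviours this post describes (the wevtutil/fsutil log wiping, rundll32 loading an extensionless file under C:\Windows by ordinal #1, WMIC remote process creation, the scheduled "shutdown -r -n", and the named pipe listed above). This is an added example, not code from McAfee or from the post; the sample events, the host 10.0.0.5 and the path C:\Windows\sample_dll are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Named-pipe value as listed in the post's indicators of compromise.
PIPE_NAME = r"\\.\pipe\{df458642-df8b-4131-b02d-32064a2f4c19}"

# Command-line patterns derived from the behaviours the post describes.
RULES = [
    # wevtutil cl ... chained with fsutil usn deletejournal (log wiping)
    ("event-log-wipe",
     re.compile(r"wevtutil\s+cl\s+\w+.*fsutil\s+usn\s+deletejournal", re.I)),
    # rundll32 loading an extensionless file under C:\Windows by ordinal #1
    ("rundll32-extensionless-ordinal",
     re.compile(r'rundll32\.exe\s+\\?"C:\\Windows\\[^\\".]+\\?"\s+#1', re.I)),
    # WMIC process creation against a remote node
    ("wmic-remote-process-create",
     re.compile(r"/node:.*process\s+call\s+create", re.I)),
    # scheduled forced reboot
    ("scheduled-reboot", re.compile(r"shutdown\s+-r\s+-n", re.I)),
    # dropped credential-dump EXE started with the known pipe name
    ("credential-pipe", re.compile(re.escape(PIPE_NAME), re.I)),
]

# Constructed process-creation events (not real telemetry); the host
# 10.0.0.5 and the path C:\Windows\sample_dll are placeholders.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 1001, "cmd": "wevtutil cl Setup & wevtutil cl System & wevtutil cl "
                         "Security & wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"pid": 1002, "cmd": 'C:\\Windows\\System32\\rundll32.exe "C:\\Windows\\sample_dll" #1'},
    {"pid": 1003, "cmd": 'schtasks /Create /SC once /TN reboot /TR "shutdown -r -n" /ST 14:00'},
    {"pid": 1004, "cmd": 'wmic /node:"10.0.0.5" /user:"CORP\\admin" /password:"x" process '
                         'call create "C:\\Windows\\System32\\rundll32.exe \\"C:\\Windows\\sample_dll\\" #1"'},
    {"pid": 1005, "cmd": "C:\\Users\\u\\AppData\\Local\\Temp\\abc.tmp " + PIPE_NAME},
    {"pid": 1006, "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign
]

def match_rules(cmd: str) -> List[str]:
    """Return the names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]

def scan(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Return (pid, matched rule names) for each event that triggers at least one rule."""
    hits = []
    for ev in events:
        names = match_rules(str(ev["cmd"]))
        if names:
            hits.append((int(ev["pid"]), names))
    return hits

if __name__ == "__main__":
    for pid, names in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(names)}")
```

Each rule alone is a weak signal (administrators do clear logs and schedule reboots); several firing on one host within minutes is the pattern worth alerting on.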


The post New Variant of Petya Ransomware Spreading Like Wildfire appeared first on McAfee Blogs.

Ohio Gov. Kasich’s website, dozens of others defaced using year-old exploit


The official website of Ohio Governor John Kasich and the site of Ohio First Lady Karen Kasich were defaced on June 25 by a group calling itself Team System DZ. The group is a known pro-Islamic State "hacktivist" group that has repeatedly had its social media accounts suspended for posting IS propaganda videos and other activity. Kasich's site was but one of a number of state and local government websites that were hijacked by Team System DZ early this week, all of which had one thing in common: they were running on an outdated version of the DotNetNuke (DNN) content management platform.

DNN Platform is a popular content management system (particularly with state and local governments) based on Windows Server and the ASP.NET framework for Microsoft Internet Information Server. DNN Platform is open source and available for free—making it attractive to government agencies looking for something low cost that fits into their existing Windows Server-heavy organizations. A review of the HTML source of each of the sites attacked by Team System DZ showed that they were running a vulnerable version of the content management system DNN Platform—version 7.0, which was released in 2015.

A critical security update issued by DNN in May of 2016 warned that an attacker could exploit vulnerabilities to create new "superuser" accounts through the content management system, giving them unfettered remote access to modify websites. DNN urged customers to upgrade to the latest version of the software at the time. A May 2015 alert also warned that an attacker could use the software's Installation Wizard page for some server configurations to create new user accounts on the Windows Server host.
