Researcher Bypasses Windows Controlled Folder Access Anti-Ransomware Protection

Discussion in 'Security and Anti-Virus Software' started by Dr. AMK, Feb 7, 2018.

  1. Dr. AMK
    Researcher Bypasses Windows Controlled Folder Access Anti-Ransomware Protection
    https://www.bleepingcomputer.com/ne...led-folder-access-anti-ransomware-protection/
    February 6, 2018

    A security researcher has found a way to bypass the "Controlled Folder Access" feature added in Windows 10 in October 2017, which Microsoft has touted as a reliable anti-ransomware defensive measure.

    This feature, described in more depth in this Bleeping Computer review, is part of the Windows Defender antivirus built into all versions of Windows 10.

    Users who updated to the Windows 10 Fall Creators Update received an update for Windows Defender named Controlled Folder Access (CFA) that allows them to block any modifications to files found in user-designated directories.

    The user must manually approve any app that's allowed to edit files located in CFA folders by adding each app's executable to a whitelist managed through the "Allow an app through Controlled folder access" option.


    But Yago Jesus, a Spanish security researcher with SecurityByDefault, has discovered that Microsoft has automatically whitelisted all Office apps on this list. This means that Office apps can modify files located in a CFA folder, whether the user likes it or not.

    Ransomware can use Office OLE objects to bypass CFA
    Jesus says that a ransomware developer could easily bypass Microsoft's CFA anti-ransomware feature by adding simple scripts that bypass CFA via OLE objects inside Office files.

    In research published over the weekend, Jesus includes three examples that utilize booby-trapped Office documents (received via spam email) to overwrite the content of other Office documents stored inside CFA folders; password-protect the same files; or copy-paste their content inside files located outside the CFA folder, encrypt those, and delete the originals.

    While the first example is just destructive, the last two will work as an actual ransom, with victims having to pay the ransomware author for the password/decryption code that unlocks the files.

    Jesus displeased with Microsoft
    Jesus said he notified Microsoft about the issue he discovered. In a screenshot of the email he received from Microsoft, Jesus said the OS maker didn't classify the issue as a security vulnerability but said it would improve CFA in future releases to address the reported bypass method.

    "That really means Microsoft will fix the vulnerability that should be classified as Mitigation bypass without acknowledgment," said Jesus, referring to the fact that he'll get no credit or bug bounty reward for the issue he pointed out.

  2. hmscott
    Earlier, attackers used hacked systems to conduct DDoS attacks or to distribute so-called “ransomware” to servers and blackmailed companies. Nowadays, there is another way for hackers to make money. They simply create crypto-mining farms on hacked systems.

    Are you sure your ERP is not a crypto mining farm?
    FEBRUARY 6, 2018, ERP Security
    https://erpscan.com/press-center/blog/sure-erp-not-crypto-mining-farm/

    Hackers are not walking past the hype. While cryptocurrency becomes a new hot topic in the financial world, hackers are said to start using vulnerable systems for cryptocurrency mining.

    Mining malware is distributed to victim servers through various vulnerabilities. For example, unpatched Oracle WebLogic servers can work for perfect loopholes to be exploited with Monero mining applications.
    By now, a group of cybercriminals has already managed to net 666.286 XMR in cryptocurrency, worth from $220,000 to $350,000 depending on the rate of exchange. Figure 1 depicts the payment history of cryptocurrency mining malware.

    Figure 1. Payment history of cryptocurrency mining malware
    Still, we can see that the balance was replenished once again. It means that many companies haven’t noticed an attack yet.

    A new malware – RubyMiner – was also found on the Internet. It helps to mine cryptocurrency by scanning and identifying Linux and Windows servers that run outdated software.

    Earlier, attackers used hacked systems to conduct DDoS attacks or to distribute so-called “ransomware” to servers and blackmailed companies. Nowadays, there is another way for hackers to make money. They simply create crypto-mining farms on hacked systems. ERP systems and servers make a great payoff for malefactors as they are more productive than common PCs. Such incidents are mass attacks, intended to infect as many systems as possible. After a breach, hacked systems wait for commands from attackers.

    An infection with cryptocurrency mining malware turns out to be less critical for business than targeted attacks. In most cases, targeted attacks aim to steal critical business data, such as HR information, business, sales and financial data. The consequences might be the worst-case scenario for any company. In our whitepaper “Hardcore SAP Penetration Testing”, we detailed the ways in which an attacker can conduct targeted attacks on SAP systems with the help of a 0-day vulnerability chain. Previously, we published research that described how to execute a remote command on an SAP system anonymously. It is essential, but insufficient, as an attack requires other steps. You can find them in the whitepaper.
    Figure 2. The malicious request to the target system
    Therefore, an attacker can execute malicious code on the targeted system. Instead of a calculator, there may be a cryptocurrency mining malware.

    Figure 3. Executing code on the target system
    It is not a secret that ERP systems have many vulnerabilities, and developers constantly release updates and patches to close them.

    Figure 4 illustrates the growing number of detected vulnerabilities in SAP solutions. The graph depicts the total number of SAP Security Notes. Each of them may include a patch for more than one loophole. Just imagine how much work it takes to perform hundreds of security checks!

    Figure 4. Cumulative total of SAP Security Notes
    Customers sometimes seem reluctant to install necessary patches, because they need to conduct numerous checks before installing a patch in a production system. This means that 1-day vulnerabilities always exist in production systems.

    On top of vulnerabilities, ERP systems have various settings, and nothing prevents errors during the process of setting them up. Therefore, systems become vulnerable.

    Keep in mind the various types of attackers. They may be outsiders, such as black-hat hackers who have found 0-day vulnerabilities in ERP systems. Former employees who know critical data of ERP systems can also perform a breach, as can workers of the victim organization, be they programmers, administrators or other staff members with access to ERP servers. For example, programmers can add backdoors to source code and administrators can install malware on the systems.

    Protection
    As protection measures from cryptocurrency mining malware, it is recommended to:
    • monitor outbound connections to a mining pool (but attackers can use the proxy);
    • carefully analyze processes with high and constant CPU consumption (but attackers can launch their malware during off-hours);
    • check energy consumption for abnormal magnification (but it is difficult to determine for large companies).
    While all the mentioned methods are important, they have disadvantages, and in order to have a comprehensive approach, it is recommended to conduct regular security audits to detect vulnerabilities on systems and identify configuration errors. Proper code analysis can also help to detect backdoors in source code.

    A giant botnet is forcing Windows servers to mine cryptocurrency
    The Smominru miner has infected at least half a million machines -- mostly consisting of Windows servers -- and spreads using the EternalBlue exploit.
    By Danny Palmer | February 1, 2018 -- 12:40 GMT (04:40 PST) | Topic: Security
    http://www.zdnet.com/article/a-giant-botnet-is-forcing-windows-servers-to-mine-cryptocurrency/

    "A massive cryptocurrency mining botnet has taken over half a million machines, and may have made its cybercriminal controllers millions of dollars. The whole operation is powered by EternalBlue, the leaked NSA exploit which made the WannaCry ransomware outbreak so destructive.

    The Smominru miner botnet turns infected machines into miners of the Monero cryptocurrency and is believed to have made its owners around $3.6m since it started operating in May 2017 -- about a month after EternalBlue leaked and around the same time as the WannaCry attack."
    While it isn't uncommon for cybercriminals to leverage the power of hijacked networks of computers to acquire cryptocurrency, this particular network is significant due to its individual size -- double that of the Adylkuzz mining botnet.

    Researchers at Proofpoint say the botnet was made up of 526,000 nodes at its peak. Despite efforts to take it down, the botnet is particularly resilient and keeps regenerating itself, and therefore remains a powerful Monero mining tool for its operators.

    Such is the power of the Smominru, its operators have mined 8,900 Monero, which is currently valued between $2.8m and $3.6m, with around 24 Monero (around $8,500) currently added each day.
    Part of Smominru's power lies in the types of machines it takes control of, with a large proportion of the nodes in the network consisting of Windows servers.

    What makes the servers such an appealing target for cryptocurrency miners is their processing power and, because unlike a desktop computer -- which regularly gets turned off and is therefore prevented from mining -- the servers are always on, providing a continuous, lucrative stream of Monero.

    Meanwhile, organisations may remain unaware that their servers have become part of the Smominru botnet, despite the mining botnet potentially causing performance levels to drop and raising the costs of the energy used by the servers, which are suddenly operating far closer to capacity.

    Researchers note that at least 25 of the infected hosts have been seen conducting additional attacks via EternalBlue, using its worm-like features to infect new nodes and increase the size of the botnet by attacking vulnerable machines with publicly-available IP addresses.

    Attacks have also been taking place via EsteemAudit, an exploit that leverages vulnerabilities in RDP on Windows Server 2003 and Windows XP.

    While efforts have been made to shut down the botnet -- cybersecurity personnel have managed to take down about one-third of Smominru with sinkhole operations and banning IP addresses -- its operators have been able to recover.

    It's the use of EternalBlue which helps the attackers regenerate their network so quickly, and could potentially allow it to grow to incorporate a larger network of devices than its current half a million.

    The highest number of infected systems are found in Russia, India, and Taiwan. It's unlikely the attackers have targeted these countries specifically, but rather they simply represent areas of the globe where the patching of systems against the EternalBlue exploit has been lax.

    "Robust patching regimens remain the best defense against EternalBlue. While we expect the number of vulnerable machines to decrease over time, obviously there are still many unpatched machines worldwide with SMB accessible by public IP," Kevin Epstein, vice president for threat operations at Proofpoint, told ZDNet.

    Cybercriminals appear to be increasingly turning their attention to cryptocurrency miners as a means of easily making money.

    While bitcoin remains the most popular form of cryptocurrency, many cybercriminals are turning towards alternatives like Monero for reasons ranging from increased privacy to being able to cash it out more quickly.
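The ERPScan post quoted above lists three detection measures for mining malware (outbound connections to a pool, sustained high CPU, abnormal power draw) and a caveat for each (proxies, off-hours execution, coarse metering). The following script, added here as an example and not code from the forum thread, from ERPScan or from Proofpoint, turns those three checks into a triage routine over constructed telemetry. The pool-port list, the stratum method names it looks for, and every hostname, PID, address and power reading are assumptions or constructed sample values, not indicators from the articles. It addresses the caveats where it can: the CPU check is window-based rather than clock-based, so an off-hours miner is still caught if telemetry is collected then, and the connection check inspects the first bytes of the session for a stratum JSON-RPC handshake, which still fires when the miner talks to an internal proxy.

```python
"""Heuristic cryptominer triage over constructed server telemetry.

Added example written against the three checks in the quoted ERPScan post;
not code from the forum thread, ERPScan or Proofpoint. All hostnames, PIDs,
addresses, ports and power readings are constructed sample data.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
import ipaddress
import json

# Assumption: a site-maintained list of ports observed on stratum mining pools.
SUSPECT_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# JSON-RPC method names used by stratum-style miner handshakes (assumption).
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ProcSample = namedtuple("ProcSample", "ts host pid name cpu_pct")
ConnSample = namedtuple("ConnSample", "host pid remote_ip remote_port first_payload")
PowerSample = namedtuple("PowerSample", "host watts_baseline watts_now")


def sustained_cpu(samples, threshold=85.0, min_minutes=30):
    """Processes whose CPU stayed at or above `threshold` in consecutive samples
    spanning at least `min_minutes`. Wall-clock time is ignored, so a miner that
    only runs off-hours is caught as long as telemetry is still collected then."""
    by_proc = defaultdict(list)
    for s in samples:
        by_proc[(s.host, s.pid, s.name)].append(s)
    hits = []
    for key, rows in by_proc.items():
        rows.sort(key=lambda r: r.ts)
        run_start = None
        for r in rows:
            if r.cpu_pct < threshold:
                run_start = None  # burst ended; a bursty DB process stays unflagged
                continue
            run_start = run_start or r.ts
            if r.ts - run_start >= timedelta(minutes=min_minutes):
                hits.append(key)
                break
    return hits


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def looks_like_stratum(payload):
    """True if the captured first payload is a stratum JSON-RPC handshake.
    Inspecting the protocol rather than the destination still works when the
    miner is pointed at an internal proxy."""
    try:
        msg = json.loads(payload) if payload else None
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def suspicious_connections(conns):
    hits = []
    for c in conns:
        if looks_like_stratum(c.first_payload):
            hits.append((c.host, c.pid, "stratum-handshake"))
        elif not is_rfc1918(c.remote_ip) and c.remote_port in SUSPECT_POOL_PORTS:
            hits.append((c.host, c.pid, "pool-port"))  # weaker signal: port only
    return hits


def abnormal_power(samples, ratio=1.5):
    """Hosts drawing at least `ratio` times their baseline; coarse, but cheap."""
    return [s.host for s in samples
            if s.watts_baseline > 0 and s.watts_now / s.watts_baseline >= ratio]


def triage(procs, conns, power):
    """Merge the three signals per host; hosts with several independent
    signals are the ones to examine first."""
    findings = defaultdict(list)
    for host, pid, name in sustained_cpu(procs):
        findings[host].append(f"sustained-cpu pid {pid} ({name})")
    for host, pid, reason in suspicious_connections(conns):
        findings[host].append(f"{reason} pid {pid}")
    for host in abnormal_power(power):
        findings[host].append("abnormal-power")
    return dict(findings)


# Constructed sample telemetry; 203.0.113.7 (TEST-NET-3) stands in for an
# external pool and is not a real indicator.
T0 = datetime(2018, 2, 6, 2, 0)  # 02:00, off-hours
SAMPLE_PROCS = [
    ProcSample(T0 + timedelta(minutes=m), "erp-app-01", 4242, "svchost.exe", c)
    for m, c in ((0, 97), (15, 98), (30, 99), (45, 97))
] + [
    ProcSample(T0 + timedelta(minutes=m), "erp-db-02", 777, "sqlservr.exe", c)
    for m, c in ((0, 90), (15, 40), (30, 92), (45, 95))  # bursty, not sustained
]
SAMPLE_CONNS = [
    ConnSample("erp-app-01", 4242, "203.0.113.7", 3333, ""),
    ConnSample("erp-web-03", 1337, "10.0.0.5", 8080,  # miner behind an internal proxy
               '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"wallet","pass":"x"}}'),
    ConnSample("erp-db-02", 777, "10.0.0.9", 1433, ""),
]
SAMPLE_POWER = [PowerSample("erp-app-01", 220.0, 410.0), PowerSample("erp-db-02", 300.0, 330.0)]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_PROCS, SAMPLE_CONNS, SAMPLE_POWER).items():
        print(host, "->", ", ".join(reasons))
```

On the sample data erp-app-01 is flagged by all three signals, erp-web-03 only by the stratum handshake seen on its proxy session, and the bursty database host is not flagged at all. In practice the payload check needs a capture point that sees the first bytes of each session, and the port list is only as good as the threat intelligence feeding it, which is why the post's advice to pair these checks with regular audits still stands.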
  3. Dr. AMK
  4. hmscott
  5. Dr. AMK
  6. slimmolG
    Undoubtedly this should be causing panic in some workgroups
    lol
    :eek: