Downclimb

2017.05.14

Weekly infosec news summary for 2017.05.07 – 2017.05.14

Quotes

“While security updates require reboots, security updates will not be applied. This is utterly inevitable and the industry’s job to solve.” Matthew Garrett‏

“So my CPU has a webserver in it and my SYSTEM account has a JavaScript engine in it. I think we’ve lost the complexity battle.” Chris Evans

Top stories

WannaCry ransomware

On Friday, a ransomware worm called WannaCry began spreading by using a remote SMB exploit named ETERNALBLUE that was posted by the ShadowBrokers. There was already a patch for this in March (MS17–010) and SMB should never be exposed to the public Internet, but there are many systems that can’t patch, didn’t patch, or in the cases of unsupported versions of Windows such as Windows XP or Windows Server 2003, there was no patch. Matt Suiche of Comae has a great write-up from his reversing of the ransomware here. The ransomware used dates back to February according to Snorre Fagerland‏ (link), but only recently did it have the SMB exploit added to it.

45K systems are believed to have been infected, with 30BTC ($54K) paid in ransoms according to TradeBlock. There was a kill-switch built into the worm to stop its spread if a certain domain could be reached. A researcher registered that domain with a fun write-up at How to Accidentally Stop a Global Cyber Attacks. There is also a mutex that could be set on systems to avoid the infection mentioned here. There are so many variants of this worm now though that neither of those will be effective in stopping it.

Microsoft released updates the day of the out-break for the unsupported Windows OS’s here. That’s an interesting move as Microsoft must have already had the updates.

HP laptops have a keylogger in the audio driver

A researcher noticed that his key presses were being written to OutputDebugString. Reversing backwards from this he identified the source was Conexant’s MicTray64.exe which is installed on all HP laptops since 2015. This program monitors all keystrokes made by the user to look for hotkey presses for things like mute/unmute. The key presses are written to both OutputDebugString and recorded to a world-readable file (link). The file location is controlled by a registry key, so one person has already shown how to log the key strokes remotely (link).

Windows Malware Protection exploit

Tavis Ormandy and Natalie Silvanovich of Project Zero identified a vuln in the built-in Windows AV, Malware Protection service, that is enabled by default on Windows 8 and up. This AV runs as SYSTEM and has a built-in javascript engine which the researchers were able to exploit (link). Microsoft provided patches (link). This can detonated by a user visiting a link or receiving an email, and detonated without authentication against any Windows server if it runs services such as Exchange or IIS. We should see more vulns against this javascript engine and possibly a worm, so you should consider disabling this feature.

Cybersecurity Executive Order

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was released this week. It requires every agency to follow the NIST Framework for Improving Critical Infrastructure Cybersecurity. It requires preference for shared IT services, “including email, cloud, and cybersecurity services.” Coinciding with this, AWS released a paper Aligning to the NIST Cybersecurity Framework in the AWS Cloud.

Business

Sentinel sued over cyber insurance: A law firm purchased cyber insurance and subsequently was impacted by ransomware. It took 3 months to recover the business, so despite the ransom being paid for $25K, the lawfirm is requesting an additional $700K for lost business.
- Correction 2017.05.14: I had originally misattributed this to SentinelOne.

Conference materials and publications

Windows Internals, Part 1, 7th edition: An update to the classic book on how the Windows OS works is out.