Don’t get caught in the cold with ransomware

Before prevention is enabled.

Ransoms is sadly the trend these days. We want to share a cheap and effective way to enable prevention that most probably fail to consider.

Using the ransomware simulator from KnowBe4, RanSim, we could see that our endpoints did no prevention previously.

An easy way to minimize the attack surface for ransomware is to use the built-in feature in Windows 10 and Server 2019 called “Controlled Folder Access”. This can be managed with the following:

  • Windows Security app
  • Microsoft Intune
  • Mobile Device Management (MDM)
  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • PowerShell

More information can be found here:

Our results after we enabled this prevention (and enabled it for RanSims test-folder) look a lot better.

It notes some things that got denied that should not be denied, but testing did not show any impact to the users experience. This only affected this particular untrusted application.

After prevention is enabled

CVE-2021-3156 | Heap-Based Buffer Overflow in Sudo

Published: 2021-01-26
MITRE CVE-2021-3156

“The Qualys Research Team has discovered a heap overflow vulnerability in sudo, a near-ubiquitous utility available on major Unix-like operating systems. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.”

This is especially bad for multi-user environments where some users have login access, but should not have root access.

Through a responsible and coordinated vulnerability disclosure from Qualys’ part there should be updated version available for most affected systems. This vulnerability will probably affect most systems that make use of the sudo command.

CVSS Base Score is 7, but during our evaluation we did not agree that there are no privileges required. With the vector set to “Privileges Required” as “Low”, instead of “None” the CVSS score is 6.7. We consider this our environmental CVSS score for this vulnerability.

Currently there is no exploit in the wild. If an exploit is published this vulnerability will become critical to mitigate as fast as possible.

We are tracking this internally as BF-VLN-2208165 with an increased priority and have a goal of having all systems patched within 30 days.

SolarWinds Supply Chain Attack to Compromise Victims With SUNBURST Backdoor

There is an ongoing news-story concerning SolarWinds and a supply chain attack used by an advanced threat actor to compromise victims with a rather advanced backdoor.

Basefarm does not use this affected product, but are aware of at least one of our customer who do. We are working with the customer in question to mitigate and investigate the matter.

If you are using SolarWinds Orion platform we strongly suggest that you initiate a full incident response and consider those hosts as compromised.

For a more detailed analysis and insight into the developing story:

CVE-2020-17095 | Windows Hyper-V Remote Code Execution Vulnerability

Published: 2020-12-08
MITRE CVE-2020-17095

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data.”

This is especially bad for “hotel” environment with multiple different tenants that should not be able to influence each other, but it is also bad for environments with different levels of security sensitivity within the same tenant.

There is no workarounds or possible mitigations in the configuration.

CVSS Base Score is 8.5

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2180090 with the highest priority.

Windows update

NSA publishes advisory on 25 vulnerabilities used by Chinese state sponsored hackers

The National security Agency in the United States recently released an advisory warning of the threat of Chinese state sponsored attacks and detailed 25 vulnerabilities used. The advisory gives detailed information about the vulnerabilities, what it affects and how to remediate them. Most of them are remotely exploited and can be used to gain initial access to a system before using other vulnerabilities to go further in to the network. Most of these vulnerabilities already have patches ready to be installed so as always we really want to emphasize keeping systems up to date with the latest patches and software.

Top 5 Security News

CVE-2020-16891 | Windows Hyper-V Remote Code Execution Vulnerability

Published: 2020-10-13
MITRE CVE-2020-16891

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.”

This is especially bad for “hotel” environment with multiple different tenants that should not be able to influence each other, but it is also bad for environments with different levels of security sensitivity within the same tenant.

There is no workarounds or possible mitigations in the configuration.

CVSS Base Score is 8.8

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2140691with the highest priority.

CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability

Published: 2020-10-13
MITRE CVE-2020-16898

“A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets.”

This vulnerability affects Windows 10, Server 2019 and Server Core versions (see full Security Advisory for proper details). It can be mitigated by disabling a network feature or blocking ICMPv6 Router Advertisement packets.

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave a workaround in place.

CVSS Base score is 9.8

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2139859 with the highest priority.

CVE-2020-3992 | ESXi OpenSLP remote code execution vulnerability

Published: 2020-10-20
MITRE CVE-2020-3992

“A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.”

The workaround is to stop and disable the SLP service.

CVSS Base Score is 9.8

Basefarm and VMware recommends that you install the updates for this vulnerability as soon as possible. Basefarm also recommends that the management services of ESXi servers are not available for regular users, but are places on a protected network.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2146240 with the highest priority.

“Known assailant” back with a vengeance

In this post there is specific focus on an infamous threat that resurfaced during the summer.

Following several news articles in Nordic media of phishing attacks towards public services in late august and, in addition, sources that indicate that the Emotet trojan resurfaced in mid-july, several sources online are now indicating a massive campaigning not only in the Nordics but worldwide.

Emotet is an e-mail trojan that is often used as the entry point to target organizations. It´s success has largely been brought on by the craftiness of mimicking valid e-mails and attachments, utilizing macros in Word and Excel files. In addition, its evolution of attack techniques adds to that success.
For example, there are indications that the latest strain is using stolen attachments to add credibility to the forged e-mails.

Emotet is often paving way for at least two know other assailants in TrickBot and QakBot, to further spread laterally and steal credentials.

How to protect against Emotet (as well as Trojans and  Malware in general):

  • Be extra suspicious and cautious towards e-mails and attachments, even from known sources
  • Report suspicious e-mails to your Security organization for investigation
  • Make sure you have an up to date security program, preferably with anti-exploit capabilities
  • Make sure your systems are patched and up to date with the latest security patches
  • Enforce proper network segmentation
  • Enable MFA (Multi factor authentication on your e-mail service)
  • Block networks that generally do not need access (TOR, VPN etc.)

If you get infected:

  • Report it to your security organization or SIRT immediately
  • It is strongly advised that you perform and audit of your network and e-mail accounts to make sure other devices are not compromised.

Further reading:

Check your Exchange for ongoing leaks

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

Currently the biggest exposure to threats in the cyber domain is presented via mail. Phishing attacks tricks out the credentials for legitimate users and then gain access to the mail account, and some actors will sit with this access to months looking for ways to benefit from this access. As a way of establishing persistence an attacker will often create rules in the mail-system to have mail forwarded to an external account the attacker controls. This way, even if you change passwords, the attacker still receives copies of the mail.

These forwarding rules can serve as valuable indicators. And even if absence of evidence is not evidence of absence, it is worth to look for these rules with regular intervals. This is nothing new, but a reminder seemed in place given the current threat landscape. Here is an older blogpost from Compass-Security explaining the issue.

There is also a project on Github to help faciliate testing and low-volume activity data acquisition from the Office 365 Management Activity API that might be interesting in this regard.

Top 5 Security News