PDF files can be weaponized by malicious actors to steal Windows credentials (NTLM hashes) without any user interaction and only by opening a file, according to Assaf Baharav, a security researcher with cyber-security company CheckPoint.
This means a curious end user who opens a PDF attachment they did not ask for can be pwned in about 15 seconds. Good thing this nasty is not in the wild just yet…
Baharav published research this week showing how a malicious actor could take advantage of features natively found in the PDF standard to steal NTLM hashes, the format in which Windows stores user credentials.
If you’ve noticed any unexpected reboots or PC instability as a result of the recent Spectre patches, there’s a solution: Microsoft has issued an emergency Windows patch that rolls back the recent Spectre mitigations.
Microsoft’s latest patch (KB4078130) allows people with affected systems to download the patch via the Microsoft Update Catalog, which disables the mitigations for the “Spectre variant 2.”
Note that the patch notes specifically state that you should run this patch “if you are running an impacted device” (emphasis ours). In other words, if your system is working normally, don’t bother downloading this patch. This is what Microsoft calls an “out of band” patch, and it doesn’t appear that it will be made available via Windows Update, either.
Why should you consider it? Intel has warned previously that the faulty patch can sometimes cause data loss and corruption, and Microsoft is saying the same: “Our own experience is that system instability can in some circumstances cause data loss or corruption,” the patch notes state.
There’s another wrinkle, though. As part of the patch, Microsoft is allowing users to edit the Windows registry to toggle the mitigations on or off. (Instructions are here.) It’s possible to toggle Microsoft’s patch off, and then, when Intel solves its own patching problem, re-enable it. That scenario is actually what Microsoft recommends—again, only if you’ve noticed system instability and want to take action against it.
Toggling the mitigations on and off is also a feature of the latest InSpectre utility.
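Before rolling a mitigation back or forward, an administrator usually wants to know what state a machine is actually in. The PowerShell below is an added example, not code from the article or from Microsoft; it reads the registry override that KB4078130 describes and reports whether the Spectre variant 2 mitigation has been switched off. It assumes Microsoft's documented semantics for the two values: bit 0 of FeatureSettingsOverride disables the variant 2 mitigation, but only where the same bit is selected in FeatureSettingsOverrideMask.

```powershell
# Added example (not from the article): report the Spectre variant 2
# registry override state on the local machine. Run in an elevated shell.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpectreV2OverrideState {
    $props    = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask

    if ($null -eq $override -or $null -eq $mask) {
        # No override pair present: the OS default applies, i.e. the
        # mitigation is enabled on a patched system with updated microcode.
        return [pscustomobject]@{
            OverridePresent    = $false
            VariantTwoDisabled = $false
            Note               = 'No FeatureSettingsOverride/Mask values; OS default in effect'
        }
    }

    # Only override bits that are also set in the mask are honoured by the
    # kernel, so AND the two before testing bit 0 (assumed bit meaning).
    $effective = $override -band $mask
    $disabled  = ($effective -band 1) -eq 1

    return [pscustomobject]@{
        OverridePresent    = $true
        VariantTwoDisabled = $disabled
        Override           = $override
        Mask               = $mask
        Note               = if ($disabled) { 'Variant 2 mitigation disabled by override' }
                             else           { 'Override present but variant 2 bit not set' }
    }
}

Get-SpectreV2OverrideState | Format-List
```

For the effective kernel and microcode state (rather than what the registry requests), Microsoft's SpeculationControl module on the PowerShell Gallery exposes Get-SpeculationControlSettings, which is the authoritative check.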
As Bleeping Computer noted, system makers such as Dell and HP also advise rolling back their own BIOS patches to an earlier version, which they have redeployed. It’s all horrendously confusing for consumers and IT organizations alike. Fortunately, at least, there haven’t been any public cases of these vulnerabilities being exploited, Microsoft says.
What should you do? There’s no one-size-fits-all answer to this question. But we can tell you what we’re doing: if a PC is working as expected, we’re leaving it patched and in place. If you’re backing up your data (to Remote Backup Services or an external drive) chances are your most crucial data will be saved in case your system goes down unexpectedly. Obviously, install Microsoft’s emergency Windows patch if you’re running into system issues. There’s no perfect solution—if you’re more paranoid than we are, feel free to deploy the patch even if your PC hasn’t hiccuped.
In an emergency out-of-band update released late last night, Microsoft fixed a vulnerability in the Microsoft Malware Protection Engine discovered by two Google security experts over the weekend, and which the two described as “crazy bad” and “the worst Windows remote code exec in recent memory.”
While initially the two Google experts didn’t reveal what Windows feature the bug was found in, the veil of mystery lifted yesterday when both Microsoft and the two experts shared more details about the issue.
Vulnerability affects Microsoft Malware Protection Engine
As per the two sources, the bug affects the Microsoft Malware Protection Engine (MsMpEng), a core service that ships with Windows 7, Windows 8.1, Windows 10, and Windows Server 2016, and which is the core of many of Microsoft’s security tools, such as:
Microsoft Security Essentials
Microsoft Endpoint Protection
Microsoft System Center Endpoint Protection
Windows Intune Endpoint Protection
Microsoft Forefront Security for SharePoint Service Pack 3
Microsoft Forefront Endpoint Protection 2010
Vulnerability is trivially exploitable
The researchers say the issue can be exploited with no user interaction needed.
“Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” Tavis Ormandy, one of the Google researchers says.
This is because the service runs without sandboxing — a basic and very efficient security feature — but also because the service runs as NT AUTHORITY\SYSTEM, a system-level user with no limitations.
Furthermore, the service is included by default on all recent Windows operating systems, exposing hundreds of millions of PCs to remote hacking.
Microsoft patches issue within days
Unlike past incidents, where Microsoft has allowed exploited zero-day vulnerabilities to fester in the wild without being bothered to deliver a patch for months, this time around, the company moved lightning fast to address the issue.
In just a few days, the company had prepared and already shipped a patch to fix the vulnerable MsMpEng service.
According to a Microsoft advisory, the first version of the Microsoft Malware Protection Engine affected by this flaw is v1.1.13701.0. The issue has been patched in v1.1.13704.0, released a few hours ago, and which has already reached some users (screenshot above).
Microsoft also said that on latest Windows platforms, the risk of exploitation should be lower if the user has turned on Windows CFG (Control Flow Guard), a security feature that can make exploitation of memory-based vulnerabilities much harder.
The vulnerability is tracked as CVE-2017-0290. The two Google researchers also released proof-of-concept exploit code. The entire exploit fits in a tweet. To help spread the word about this issue, US-CERT has also released an accompanying alert.
European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war.
The document, developed as a deterrent to provocations by nation states like Russia and North Korea, will declare that member states may respond to online attacks with conventional weapons “in the gravest circumstances.”
This framework on a joint EU diplomatic response to malicious cyber activities would seem to raise the stakes significantly on state-sponsored attacks, especially those focused on critical infrastructure.
UK security minister Ben Wallace claimed last week that the UK government is “as sure as possible” that North Korea was behind the WannaCry ransomware attacks in May that crippled over a third of NHS England, forcing the cancellation of thousands of operations and appointments.
The problem is that definitive attribution in cyberspace is very difficult, making the framework appear largely symbolic.
It brings the EU in line with NATO’s existing policy, which established cyber as a legitimate military domain, meaning an online attack could theoretically trigger Article 5, the part of its treaty related to collective defense, which states that an attack on one member is an attack on all 29 allies.
McAfee chief scientist, Raj Samani, claimed the move was unsurprising considering WannaCry and the likely state-backed attacks on French and German elections.
“While it is important to define cyber-attacks that are used for espionage or disruption as they would be when committed by physical actors, the greatest challenge that countries have will be in identifying and proving that the malicious actors that caused the cyber-attack have direct links to governmental organizations – something that these groups will be even more keen to conceal going forward,” he added.
I’m expecting the USA to follow with a similar statement, to function as an additional deterrent against the recent spate of Russian and North Korean incursions.
The vast majority of Russia’s attacks start with social engineering and spear phishing attacks. However, current investigations show that they also have been running paid propaganda campaigns through Facebook.
2018 Is Likely to Be a Worse Year for Ransomware Than 2017
Sophos released their 2018 malware forecast this week. Their predictions would make any IT Pro concerned; a link to a PDF of their report is below. Read on for your executive summary.
Ransomware Mutations Running Amok
You have seen a lot in this blog this year about the WannaCry and NotPetya ransomware strains. Both attacks exploited the EternalBlue Windows SMB vulnerability, and neither had a workable decryption mechanism for the few organizations desperate enough to try to pay the ransom.
Both incidents make one thing clear: WannaCry and NotPetya appear to be the work of military cyber warfare divisions. Their authors aren’t script kiddies, but professional Dev teams using sophisticated techniques. Nation states are fighting a cold cyber war, and both commercial and non-profit organizations are the collateral damage worldwide.
RaaS Is for Newbie Cyber Crims
There is an area where amateur cyber “crims” do come in, and that’s Ransomware as a Service, aka RaaS. Newbies without l33t skills simply buy the code on the dark web including easy how-to videos.
Sophos says that RaaS is growing in popularity on the Dark Web, and this year’s Cerber ransomware is their example of a worrisome trend. Here’s some of what it says in the report that specifically pertains to RaaS:
“Ransomware is big business on the Dark Web. Its creators realized they could make more money not just by extorting currency from their victims, but by selling kits buyers could use to make and distribute their own. We’ve seen a number of different services and pricing models in the past year, and expect to see many more in 2018.
One of the biggest examples, as mentioned above, is Cerber. Other examples include Satan, malicious software that, once opened in a Windows system, encrypts all the files and demands a ransom for the decryption tools, and Philadelphia. The latter was notable for its marketing technique, which included a slick YouTube video advertisement on the open web.”
New “Marketing” Techniques
Sophos reports on an additional ransomware trend they found in a malware strain called Spora. Instead of demanding one ransom to decrypt an entire encrypted drive or partition, some ransomware offers victims multiple options. The options seen in Spora are:
Decrypt two files for nothing
Decrypt a selection of files for 30.00 dollars
Have the ransomware itself removed for 20.00 dollars
Buy what they call immunity for 50.00 dollars
Get everything on the computer restored for 120.00 dollars
Ransomware Is Now Targeting Non-Win OSen
September 2013 was when CryptoLocker reared its ugly head as the first weapons-grade ransomware that exclusively targeted Windows, which remains Target No. 1.
But Sophos notices a trend of ransomware targeting non-Windows operating systems. I would not be surprised if in 2018 a worldwide MacOS or Linux distro ransomware pandemic broke out.
Ransomware is also growing rapidly on Android. Sophos reported that the prevalence of Android ransomware has grown almost every month in 2017; 30.4% of the Android malware researched in September 2017 by Sophos was ransomware, and they expect that 45% of all Android malware in October was ransomware.
One of the biggest Android ransomware stories broke this October: DoubleLocker. Looks like Android ransomware is going to be a bigger problem in 2018.
Healthcare Continues to Be a Target.
Many cyber criminals are specifically targeting the healthcare industry. Sophos states this trend started in 2016. Healthcare is the single most targeted industry because they are the victims who are most likely to pay ransoms. The Sophos report shows that critical infrastructure, education and small businesses also are often targeted for ransomware attacks, as they’re more likely to pay up as well.
Between April 1st and October 3rd, Sophos notes that the top four countries for ransomware victims are the United States (17.2%), Great Britain (11.1%), Belgium (8.6%), and Singapore (6.5%). And of course neither Ukraine nor Russia even shows up in the Top 16, because that’s where these organized cyber crime gangs are, and they know that FSB (KGB) swat teams will knock down their doors if they target these countries.