Sophos 2020

Posted on  by admin

Microsoft issues its latest set of cumulative updates for Windows and other Microsoft products this week, but the March, 2020 Patch Tuesday is notable not only because of the sheer volume of fixes, but because it will prevent one very serious bug in its Server Message Block (SMB) technology (download the patch right now) that could lead to a wide range of different (and potentially wormable) attacks.

The SMBv3 vulnerability fixed this month is a doozy: A potentially network-based attack that can bring down Windows servers and clients, or could allow an attacker to run code remotely simply by connecting to a Windows machine over the SMB network port of 445/tcp. The connection can happen in a variety of ways we describe below, some of which can be exploited without any user interaction; We’ve even developed our own proof-of-concept exploit (video below) to demonstrate how easy it could be for an attacker to take advantage of one of the scenarios. Microsoft has released some guidance notes about mitigating one attack scenario someone might use to exploit the vulnerability that involves adding a key to the Windows Registry.

Sophos Cloud Optix – See which of your Amazon Web Services and Microsoft Azure hosts are protected by Sophos – and check their security health – in Cloud Optix. Also, see XG Firewalls on AWS in the Cloud Optix network visualization. Sophos Cloud Optix is launching late December 2020. Sophos Evolve will host the launch of the 2021 Threat Report providing insights into emerging and evolving cybersecurity trends. Chet will be joined by Fraser Howard, Principal Threat Researcher, Sophos Labs and Keren Elazari, Ethical Hacker to discuss the findings. THE STATE OF CLOUD SECURITY 2020. By submitting this form, you consent to be contacted about Sophos products and services from members of the Sophos group of companies and selected companies who partner with us to provide our products and services. Sophos is committed to safeguarding your privacy.

Microsoft fixes 116 vulnerabilities with this month’s patches, and considers 25 of them critical, and 89 important. All the critical vulnerabilities could be used by an attacker to execute remote code and perform local privilege elevation. So far none of the vulnerabilities have been seen exploited in the wild, but they probably won’t stay that way forever.

At the same time, Adobe is fixing two important vulnerabilities in Adobe Reader.

Layoffs

Here is the list of products or components that receive updates today:

  • Windows internal components and services
  • Windows Defender
  • Windows Server IIS
  • Microsoft Office
  • Windows Mobile Device Management
  • Visual Studio
  • SharePoint
  • Web browsers: Edge and Internet Explorer
  • Azure DevOps
  • Microsoft Exchange

It’s worth reminding readers that the availability of patches does not mean that your computer has installed them, yet. To find and download this month’s Cumulative Update patch yourself, search for the term “2020-03” at the Microsoft Update Catalog website.

Let’s have a closer look at some of the more important vulnerabilities.

Windows SMBv3 Client/Server Remote Code Execution Vulnerability

CVE-2020-0796

This is the most important fix in this month patch release. This vulnerability is in version 3.1.1 of the SMB protocol, which is only present in 32- and 64-bit Windows 10 version 1903 and 1909 for desktops and servers.

The vulnerability involves an integer overflow and underflow in one of the kernel drivers. The attacker could craft a malicious packet to trigger the underflow and have an arbitrary read inside the kernel, or trigger the overflow and overwrite a pointer inside the kernel. The pointer is then used as destination to write data. Therefore, it is possible to get a write-what-where primitive in the kernel address space.

An attacker could use the vulnerability in a few different ways:

Sophos 2020 Revenue

Sophos 2020 threat report
  1. A network based attack can compromise any windows computer that has file sharing enabled, whether that machine is just a standard desktop or a more robust file server.
  2. Social engineering or a person-in-the-middle attack that directs a Windows client to a malicious SMB server.
  3. A privilege escalation attack that can let anyone obtain higher privileges than they normally should be allowed to have.

Scenario 1: An external attacker targets a machine sharing files

Difficulty level: complex

By default, the Windows Firewall blocks incoming connections on the SMB port when you’re connected to one of the networks you usually use that’s been added to the Public network category on your computer (that is, not on a corporate network where your computer has been joined to the domain). In that configuration, an attacker could not remotely attack the machine.

However, if the port has been manually opened, or if the firewall is disabled, or if the machine is part of a Windows Domain, the machine may be exposed to attack. On some corporate networks, when you join the domain it applies a policy to a third category in your firewall settings just for these kinds of networks. So joining a corporate domain automatically opens the SMB port, which then exposes that machine to the remote form of the attack, in which an attacker who develops or uses an exploit could gain full control of the machine.

It goes without saying that any unpatched system with the vulnerable SMB port open to the public internet could become a target of opportunity for a worm-like outbreak, similar to WannaCry. The mitigating factor is that it requires an attacker with a state-of-the-art exploit that could bypass all the security mitigation Microsoft has built in to Windows 10, and that the target has port 445/tcp open for incoming connections.

Microsoft’s guidance about this particular attack scenario is to create a new Registry key of DisableCompression under the path HKEY_Local_MachineSYSTEMCurrentControlSetServicesLanmanServerParameters and to assign it a 32-bit DWORD value of 1. This action, Microsoft says, will block unauthenticated attackers from being able to exploit the vulnerability on a machine that faces the public internet and is hosting shared files.

Scenario 2: Target convinced to open a connection to an evil file sharing server

Difficulty level: complex

Another scenario would be for an attacker to create their own SMB server, and then convince a user to connect to their malicious server. This kind of attack might take the form of a spam email or instant message with a link to the evil SMB server hosting malicious code. If the attacker convinces the target to click the link — which could take the form of a Windows shortcut (a .lnk file), or just the name of a share (or a mapped drive) on a remote system — the evil server sends the attack packet back to your machine and immediately gains full control over it.

The attacker could also do this by contriving a machine-in-the-middle attack (possibly by spoofing a machine or device that other computers connect to) that looks for the SMB request packet, and (again, assuming they have created or obtained a working exploit) returns the evil packet as a response. This type of attack might be employed by an attacker that is already inside the network and may use this method to gain control over a specific target machine.

While the second scenario does not require a special firewall configuration, the attacker still needs the same quality of exploit as in the first scenario, and they have to either perform a successful social engineering attack or have machine-in-the-middle position inside a network to inject the evil packet into the authentication response.

Scenario 3: An attacker, already inside, gives themselves SYSTEM privileges

Difficulty level: Hard

The last scenario uses the vulnerability to perform a local elevation of privilege. In this case, the attacker must have first compromised the machine by other means, for example, by falling victim to opening a malicious attachment.

At that point, the attacker has code execution in the context of the targeted user. If that user doesn’t have many privileges, the attacker would want to exploit the vulnerability to modify key components of the kernel to gain SYSTEM privilege, which lets the attacker do pretty much anything on the machine.

The exploit for the third scenario is less complex to develop but the attacker must first gain code execution on the targeted machine.

SophosLabs’ Offensive Research has developed a proof-of-concept exploit for this scenario. The video below demonstrates that we’re able to take a user who has limited privileges and launch a command shell with SYSTEM level privileges. This version runs in Windows 10 64-bit 1909 machine with all the security fixes installed from the previous month.

In any case, until an exploit is publicly available, don’t expect to see the kinds of opportunistic attacks right away. But you can’t just turn off SMB or block port 445/tcp and wash your hands of the matter. TCP port 445 is not only used by SMB, but by some other vital components of a Windows Domain. The only way to mitigate the vulnerability is to patch. So go patch!

Elevation of Privilege Vulnerabilities

CVE-2020-0690, CVE-2020-0770, CVE-2020-0773, CVE-2020-0788, CVE-2020-0791, CVE-2020-0860, CVE-2020-0877, CVE-2020-0887, CVE-2020-0898

The graphical subsystems of Windows, Win32k, DirectX, and GDI suffer from vulnerabilities that could allow an attacker to locally elevate their privilege to SYSTEM. The GDI bug could also be triggered remotely by sharing a document to the victim.

Internet Explorer and Edge Remote Code Execution Vulnerabilities

CVE-2020-0768, CVE-2020-0811, CVE-2020-0812, CVE-2020-0816, CVE-2020-0823, CVE-2020-0824, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829, CVE-2020-0830, CVE-2020-0831, CVE-2020-0832, CVE-2020-0833, CVE-2020-0847, CVE-2020-0848

Internet Explorer and Edge were found to be vulnerable to a few Remote Code Execution vulnerabilities. Even though they would not result in a full system compromise, their successful exploitation would give an attacker a foothold onto a targeted computer, with associated privileges, allowing further lateral or vertical escalation.

Protection notes

Sophos has released following detection signatures to address the critical SMB vulnerability (CVE-2020-0796) in our network firewall IPS products. Please note that Sophos may release additional detections for these or other vulnerabilities in the future.

Signatures 2302022 and 2301958 are supported by all versions of the Sophos IPS products.

Signatures 2301960 and 2302002 have been also created for XG version 18 to provide generic detection coverage, leveraging more advanced capabilities in that platform.

Additional signatures

Sophos has also released the following IPS signatures to address the following vulnerabilities.

CVESID
CVE-2020-08332302035
CVE-2020-08472302036
CVE-2020-082490001080
CVE-2020-083290001081

How long does it take to have Sophos detection in place?

We aim to add detection to critical issues based on the type and nature of the vulnerabilities as soon as possible. In many cases, existing detections will catch exploit attempts without the need for updates.

What if the vulnerability/0-day you’re looking for is not listed here?

If we haven’t released an update for a specific exploit, the most likely reason is that we did not receive the data that shows how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody has enough information (yet) about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections, as needed.

The operators of Ryuk ransomware are at it again. After a long period of quiet, we identified a new spam campaign linked to the Ryuk actors—part of a new wave of attacks. And in late September, Sophos’ Managed Threat Response team assisted an organization in mitigating a Ryuk attack—providing insight into how the Ryuk actors’ tools, techniques and practices have evolved. The attack is part of a recent wave of Ryuk incidents tied to recent phishing campaigns.

First spotted in August of 2018, the Ryuk gang gained notoriety in 2019, demanding multi-million-dollar ransoms from companies, hospitals, and local governments. In the process, the operators of the ransomware pulled in over $61 million just in the US, according to figures from the Federal Bureau of Investigation. And that’s just what was reported—other estimates place Ryuk’s take in 2019 in the hundreds of millions of dollars.

Starting around the beginning of the worldwide COVID-19 pandemic, we saw a lull in Ryuk activity. There was speculation that the Ryuk actors had moved on to a rebranded version of the ransomware, called Conti. The campaign and attack we investigated was interesting both because it marked the return of Ryuk with some minor modifications, but also showed an evolution of the tools used to compromise targeted networks and deploy the ransomware.

The attack was also notable because of how quickly the attacks can move from initial compromise to ransomware deployment. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller, and were in the early stages of an attempt to deploy ransomware.

The attackers were persistent as well. As attempts to launch the attack failed, the Ryuk actors attempted multiple times over the next week to install new malware and ransomware, including renewed phishing attempts to re-establish a foothold. Before the attack had concluded, over 90 servers and other systems were involved in the attack, though ransomware was blocked from full execution.

Let the wrong one in

The attack began on the afternoon of Tuesday. September 22. Multiple employees of the targeted company had received highly-targeted phishing emails:

From: Alex Collins [spoofed external email address]

To: [targeted individual]

Sophos Gartner 2020

Subject: Re: [target surname] about debit

Please call me back till 2 PM, i will be in [company name] office till 2 PM.

Sophos conference 2020

Sophos Layoffs 2020

[Target surname], because of [company name]head office request #96-9/23 [linked to remote file], i will process additional 3,582 from your payroll account.

[Target first name], call me back when you will be available to confirm that all is correct.

Here is a copy of your statement in PDF[linked to remote file].

Alex Collins

[Company name] outsource specialist

The link, served up through the mail delivery service Sendgrid, redirected to a malicious document hosted on docs.google.com. The email was tagged with external sender warnings by the company’s mail software. And multiple instances of the malicious attachment were detected and blocked.

But one employee clicked on the link in the email that afternoon. The user opened the document and enabled its content, allowing the document to execute print_document.exe—a malicious executable identified as Buer Loader. Buer Loader is a modular malware-as-a-service downloader, introduced on underground forums for sale in August of 2019. It provides a web panel-managed malware distribution service; each downloader build sold for $350, with add-on modules and download address target changes billed separately.

In this case, upon execution, the Buer Loader malware dropped qoipozincyusury.exe, a Cobalt Strike “beacon,” along with other malware files. Cobalt Strike’s beacon, originally designed for attacker emulation and penetration testing, is a modular attack tool that can perform a wide range of tasks, providing access to operating system features and establishing a covert command and control channel within the compromised network.

Over the next hour and a half, additional Cobalt Strike beacons were detected on the initially compromised system. The attackers were then able to successfully establish a foothold on the targeted workstation for reconnaissance and to hunt for credentials.

A few hours later, the Ryuk actors’ reconnaissance of the network began. The following commands were run on the initially infected system:

  • C:WINDOWSsystem32cmd.exe /C whoami /groups (accessing list of AD groups the local user is in)
  • C:WINDOWSsystem32cmd.exe /C nltest /domain_trusts /all_trusts (returns a list of all trusted domains)
  • C:WINDOWSsystem32cmd.exe /C net group “enterprise admins” /domain (returns a list of members of the “enterprise admins” group for the domain)
  • C:WINDOWSsystem32net1 group “domain admins” /domain (the same, but a list of the group “domain admins”)
  • C:WINDOWSsystem32cmd.exe /C net localgroup administrators (returns a list of administrators for the local machine)
  • C:WINDOWSsystem32cmd.exe /C ipconfig (returns the network configuration)
  • C:WINDOWSsystem32cmd.exe /C nltest /dclist:[target company domain name] (returns names of the domain controllers for the company domain name)
  • C:WINDOWSsystem32cmd.exe /C nltest /dclist:[target company name] (the same, but checking for domain controllers using the company name as the domain name)

Forward lateral

Using this data, by Wednesday morning the actors had obtained administrative credentials and had connected to a domain controller, where they performed a data dump of Active Directory details. This was most likely accomplished through the use of SharpHound, a Microsoft C#-based data “injestor” tool for BloodHound (an open-source Active Directory analysis tool used to identify attack paths in AD environments). A data dump from the tool was written to a user directory for the compromised domain administrator account on the domain server itself.

2020

Another Cobalt Strike executable was loaded and launched a few hours later. That was followed immediately by the installation of a Cobalt Strike service on the domain controller using the domain administrator credentials obtained earlier. The service was a chained Server Message Block listener, allowing Cobalt Strike commands to be passed to the server and other computers on the network. Using Windows Management Interface, the attackers remotely executed a new Cobalt Strike beacon on the same server.

In short order, other malicious services were created on two other servers using the same admin credentials, using Windows Management Instrumentation from the initially compromised PC. One of the services configured was an encoded PowerShell command creating yet another Cobalt communications pipe.

The actors continued to perform reconnaissance activities from the initially infected desktop, executing commands trying to identify potential targets for further lateral movement. Many of these repeated previous commands. The nltest command was used in an attempt to retrieve data from domain controllers on other domains within the enterprise Active Directory tree. Other commands pinged specific servers, attempting to gain IP addresses. The actors also checked against all mapped network shares connected to the workstation and used WMI to check for active Remote Desktop sessions on another domain controller within the Active Directory tree.

Setting the trap

Late Wednesday afternoon—less than a day after the victim’s click on the phish— the Ryuk actors began preparations to launch their ransomware. Using the beachhead on the initially compromised PC, the attackers used RDP to connect to the domain controller with the admin credentials obtained the day before. A folder named C:Perflogsgrub.info.test2 – Copy was dropped on the domain controller— a name consistent with a set of tools deployed in previous Ryuk attacks. A few hours later, the attackers ran an encoded PowerShell command that, accessing Active Directory data, generated a dump file called ALLWindows.csv, containing login, domain controller and operating system data for Windows computers on the network.

Next, the SystemBC malicious proxy was deployed on the domain controller. SystemBC is a SOCKS5 proxy used to conceal malware traffic that shares code and forensic markers with other malware from the Trickbot family. The malware installed itself (as itvs.exe), and created a scheduled job for the malware, using the old Windows task scheduler format in a file named itvs.job—in order to maintain persistence.

A PowerShell script loaded into the grub.info.test folder on the domain controller was executed next. This script, Get.DataInfo.ps1 , scans the network and provides an output of which systems are active. It also checks which AV is running on the system.

The Ryuk actors used a number of methods to attempt to spread files to additional servers, including file shares, WMI, and Remote Desktop Protocol clipboard transfer. WMI was used to attempt to execute GetDataInfo.ps1 against yet another server.

Failure to launch

Thursday morning, the attackers spread and launched Ryuk. This version of Ryuk had no substantial changes from earlier versions we’ve seen in terms of core functionality, but Ryuk’s developers did add more obfuscation to the code to evade memory-based detections of the malware.

The organizational backup server was among the first targeted. When Ryuk was detected and stopped on the backup server, the attackers used the icacls command to modify access control, giving them full control of all the system folders on the server.

They then deployed GMER, a “rootkit detector” tool:

GMER is frequently used by ransomware actors to find and shut down hidden processes, and to shut down antivirus software protecting the server. The Ryuk attackers did this, and then they tried again. Ryuk ransomware was redeployed and re-launched three more times in short order, attempting to overwhelm remaining defenses on the backup server.

Ransom notes were dropped in the folders hosting the ransomware, but no files were encrypted.

In total, Ryuk was executed in attacks launched from over 40 compromised systems,but was repeatedly blocked by Sophos Intercept X. By noon on Thursday, the ransomware portion of the attack had been thwarted. But the attackers weren’t done trying—and weren’t off the network yet.

On Friday, defenders deployed a block across the domains affected by the attack for the SystemBC RAT. The next day, the attackers attempted to activate another SOCKS proxy on the still-compromised domain controller. And additional Ryuk deployments were detected over the following week—along with additional phishing attempts and attempts to deploy Cobalt Strike.

Lessons learned

The tactics exhibited by the Ryuk actors in this attack demonstrate a solid shift away from the malware that had been the basis of most Ryuk attacks last year (Emotet and Trickbot). The Ryuk gang shifted from one malware-as-a-service provider (Emotet) to another (Buer Loader), and has apparently replaced Trickbot with more hands-on-keyboard exploitation tools—Cobalt Strike, Bloodhound, and GMER, among them—and built-in Windows scripting and administrative tools to move laterally within the network. And the attackers are quick to change tactics as opportunities to exploit local network infrastructure emerge—in another recent attack Sophos responded to this month, the Ryuk actors also used Windows Global Policy Objects deployed from the domain controller to spread ransomware. And other recent attacks have used another Trickbot-connected backdoor known as Bazar.

The variety of tools being used, including off-the-shelf and open-source attack tools, and the volume and speed of attacks is indicative of an evolution in the Ryuk gang’s operational skills. Cobalt Strike’s “offensive security” suite is a favorite tool of both state-sponsored and criminal actors, because of its relative ease of use and broad functionality, and its wide availability—“cracked” versions of the commercially-licensed software are readily purchased in underground forums. And the software provides actors with a ready-made toolkit for exploitation, lateral movement, and many of the other tasks required to steal data, escalate the compromise and launch ransomware attacks without requiring purpose-made malware.

While this attack happened quickly, the persistence of the attacks following the initial failure of Ryuk to encrypt data demonstrate that the Ryuk actors—like many ransomware attackers—are slow to unlatch their jaws, and can persist for long periods of time once they’ve moved laterally within the network and can establish additional backdoors. The attack also shows that Remote Desktop Protocol can be dangerous even when it is inside the firewall.

Sophos 2020

IOCs for this attack are posted on the SophosLabs GitHub here.

SophosLabs would like to acknowledge the contributions of Peter Mackenzie, Elida Leite, Syed Shahram and Bill Kearney of the MTR team, and Anand Aijan, Sivagnanam Gn, and Suraj Mundalik of SophosLabs to this report.