MONTHLY SECURITY BRIEF: April 2016
APRIL PATCH TUESDAY UPDATES
This month’s release features 13 bulletins, 6 of which are ranked critical. Each of those carries the potential for remote code execution. In addition, there are elevation-of-privilege and denial-of-service threats.
The critical-rated bulletins are MS16-037, MS16-038, MS16-039, MS16-040, MS16-042 and MS16-050.
Adobe: only one update, fixing a flaw in the Creative Cloud Desktop app (CVE-2016-1034).
The BIG Story: Badlock: Much Ado About Nothing
Usually previews come out for movies, not for the latest and greatest malware since the last major threat. This is not to promote the hype but to help you prepare.
Enter Badlock. Dire warnings premiered on Twitter two weeks ago, featuring a link to the website www.badlock.org with the following warning:
“On April 12th, 2016 a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock. Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th. Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.”
What is Badlock? A vulnerability that could affect almost every version of Windows and Samba. Because it sits in two entirely different implementations, the flaw is major. Early analysis says this is “almost assuredly remote, and likely has to do with the implementation of the SMB/CIFS protocol”. Which in real-world terms means “everyone on the LAN could get administrator level status if the flaw is exploited. LAN-based issues reduce the risk considerably, but they’re a nightmare for flat networks.” Simply put, you must restrict the use of admin-level status, because not everyone should get to be the king. And from what I’ve been seeing in informal polls on Twitter, there are a heck of a lot of flat networks out there ripe for the picking.
Why the hype? Apparently this is a good thing for SerNet, the marketing company for Samba, which is now hoping to reap the marketing reward of early disclosure. But this is reckless rather than responsible disclosure. The 20 days of lead-up for the public to prepare are 20 days in which attackers can find more flaws to exploit. You know they’ll be doing their due diligence in this scenario.
The risk to users: unpatched systems. Those with current patches, who are equipped to take on the task fast, aren’t the low-hanging fruit. Users were advised to take steps like:
Network segmentation. If you haven’t already separated your network to improve security and performance, you should. And carefully consider how you allow SMB and NetBIOS. You can block ports on your firewall to better secure outbound traffic. Use a VLAN for added security. Be sure to test patches before you apply them; we know that Windows does not always respond well. And this flaw is at the kernel level, so extra care is required.
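One way to check whether SMB and NetBIOS traffic actually respects the segmentation advice above is to run flow records against a simple policy. This is an added example, not code from the brief or from Microsoft or the Samba Team; the internal address range, the allowed file server, the flow-record format and the sample records are all constructed assumptions.

```python
import ipaddress

# Ports used by SMB/CIFS and NetBIOS, the services Badlock concerns.
SMB_NETBIOS_PORTS = {137, 138, 139, 445}
# Constructed segmentation policy (hypothetical values): the internal address
# space and the only hosts that should ever accept SMB connections.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_SMB_SERVERS = {ipaddress.ip_address("10.0.10.5")}
# Constructed flow records in a hypothetical "src dst dport proto" format.
SAMPLE_FLOWS = """\
10.0.20.15 10.0.10.5 445 tcp
10.0.20.15 10.0.20.16 445 tcp
10.0.30.8 203.0.113.9 445 tcp
10.0.40.2 10.0.10.5 139 tcp
not a flow record
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_flow(line):
    """Return (src, dst, dport) or None for a malformed record."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        return (ipaddress.ip_address(parts[0]),
                ipaddress.ip_address(parts[1]), int(parts[2]))
    except ValueError:
        return None

def classify(flow):
    """Label an SMB/NetBIOS flow that violates the policy; None if benign."""
    _src, dst, dport = flow
    if dport not in SMB_NETBIOS_PORTS:
        return None
    if not is_internal(dst):
        return "smb-egress"        # SMB leaving the LAN: block it at the firewall
    if dst not in ALLOWED_SMB_SERVERS:
        return "smb-peer-to-peer"  # workstation-to-workstation SMB on a flat network
    return None

def find_violations(log_text):
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        label = classify(flow) if flow is not None else None
        if label:
            findings.append((str(flow[0]), str(flow[1]), flow[2], label))
    return findings
```

Every "smb-peer-to-peer" hit is a workstation talking SMB to something other than a designated file server, which is exactly the path a LAN-only flaw would travel on a flat network.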
STATUS UPDATE: The overall description is that this is more or less a man-in-the-middle attack.
Modems Open to Remote Factory Reset
An ongoing sad story: Arris Surfboard modems. An attacker can reset the modem remotely. The app does not verify whether the reboot or reset command comes from the UI or from an external source. A cross-site request forgery attack is used to trick users into clicking on a malicious web page or email. There is no practical fix for these flaws on the user side: ISPs need to apply the fix and push the update to their customers.
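The missing verification described above is the classic cross-site request forgery gap: a state-changing command is accepted no matter which page issued it. The following is an added example, not Arris code, of what the check looks like on the management interface side; the modem origin, the request layout and the session store are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical modem management origin and a per-session CSRF token store.
MODEM_ORIGIN = "http://192.168.100.1"
SESSION_TOKENS = {}  # session id -> token issued with the management page

def issue_token(session_id):
    """Mint an unguessable token when the management UI is served."""
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_id] = token
    return token

def origin_matches(headers):
    """Accept only requests whose Origin (or Referer) is the modem's own UI."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False          # fail closed when the browser sends neither header
    got, want = urlsplit(source), urlsplit(MODEM_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)

def reset_allowed_unchecked(request):
    """The flawed behaviour in the brief: any request to the path triggers a reset."""
    return request["path"] == "/reset"

def reset_allowed(request):
    """Hardened check: POST only, same origin, and a valid session-bound token."""
    if request["method"] != "POST" or request["path"] != "/reset":
        return False
    if not origin_matches(request["headers"]):
        return False
    expected = SESSION_TOKENS.get(request["session"])
    supplied = request["form"].get("csrf_token", "")
    return expected is not None and hmac.compare_digest(expected, supplied)

# Constructed requests: one forged by a malicious page the user was lured to,
# one built by the real management page for the same browser session.
FORGED = {"method": "GET", "path": "/reset", "session": "s1",
          "headers": {"Referer": "http://attacker.example/"}, "form": {}}

def legitimate(session_id):
    return {"method": "POST", "path": "/reset", "session": session_id,
            "headers": {"Origin": MODEM_ORIGIN},
            "form": {"csrf_token": SESSION_TOKENS[session_id]}}
```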
Adobe Flash Upgrade Urged
A zero-day vulnerability was identified and is being exploited. No patch is available. A new Flash Player exploit is being used by the Magnitude and Nuclear exploit kits.
Dridex Malware Updates
This is a heads-up. The guys have been busy reinventing their very lucrative tools. The target range has now expanded from English-speaking countries to global. It isn’t just hijacking online banking sessions anymore: it steals banking credentials and credit card info via an Automatic Transfer System mechanism. And the big deal: it is distributing Locky ransomware. In 10 weeks, multiple campaigns compromised 1 million credit cards. Something first reported in a mass phishing campaign targeting small and midsized businesses in the UK has evolved into a growing and serious threat. The perception is that someone new has taken over the helm.
Locky Ransomware Update
From the group that brought you the Dridex banking malware. There are new modifications in Locky (note that this was part of the ransomware hitting hospitals recently). A new variant is in play, more efficient at evading detection mechanisms. It is no longer sent out in malicious macros via Office docs; it is now being sent via the tried and true Nuclear exploit kit (EK). The process is much more efficient, as the ransomware won’t be blocked by email or document server security inspections. Also, Locky now blocks access to its embedded configuration block, which holds info about that sample and a list of static C&C server addresses. And then Locky tries to put a shadow copy of itself in a newly allocated memory region, to avoid sandboxes, memory detection and other dynamic analysis methods. It used to save its config data in a fixed registry key; this new variant uses RANDOM registry keys and values, so detection is no longer possible simply by looking for that registry key, and any “vaccines” we may have had don’t work. And it has changed its DGA (domain generation algorithm). The security community is bracing for Locky to hit harder and with more success.
Distributed via spam. The malicious executable is dropped by a VB script in the email attachment. It is similar to Chimera ransomware, so a link is possible. Look for the file extension .rokku appended to the original names of encrypted files. It goes after local disks and network shares.
And if that’s not enough …
The SamSam ransomware that hit hospitals is a harbinger of what will be coming: a move away from the “spray and pray” mentality, where payloads are delivered indiscriminately via exploit kits or mass phishing, toward self-propagating cryptoworms. Lessons from the past with new tricks: traversing corporate networks laterally to seek the most vulnerable targets. Think of the Conficker and SQL Slammer worms updated with current network intrusion abilities.
Watch for a repurposing of older persistent threats. Key word: persistent. Attackers can take any off-the-shelf network vulnerability and make a worm out of it. SamSam is going after existing unpatched server vulnerabilities in middleware, i.e. Java and JBoss. The expectation is that the next wave is being built to specifically target enterprise network vulnerabilities: unprotected executable files, attached storage drives and authentication weaknesses. And all the while it will use minimal resources to avoid detection.
Expect the ransoms to rise. Currently we are at 0.5 to 1 bitcoin, at $220-420. The only safety measures that work are up-to-date backups and a FLAWLESS backup restoration protocol. Preventative measures can help: DMZ hardening, and increased security at the perimeter and on public-facing networks.
And just how much could a huge cyberattack on a major power grid cost?
The University of Cambridge calculated that a widespread attack in the UK could cost tens of billions of pounds. Given the recent attack on the grid in Ukraine, this is a very real threat. The result would be blackouts, disrupted train service and airline flights, plus a hard hit to financial services, retail, real estate and professional services. What many don’t realize is that the effects are long-lasting, and for many smaller businesses the damage could be unrecoverable.
Thanks for reading! Cheryl Biswas, InfoSec Co-ordinator and Editor