June 2017 Newsletter
In this issue, we research ransomware, ponder Microsoft patch mysteries and eat paella in Puerto Rico!
This is a reformatted copy of June 2017’s newsletter. If you haven’t already signed up, you can do so here.
Savage Past
It’s been a busy month, both for Savage and the industry. Wannacry dominated security-related news stories, Microsoft released approximately one bajillion new patches (95, actually) and Adrian took a trip to the tropics!
Looking back at WannaCry
This past month has put ransomware top-of-mind again (not that it ever left) with WannaCry. It had an unfinished quality to it, leaving many security researchers scratching their heads over several details. Why was there no plan to recover the funds once raised? Why make it so easy to kill the ransomware with a simple killswitch? The latest theory is that the DPRK (North Korea) accidentally leaked WannaCry before it was finished. Since it was designed to be a worm that spread via vulnerable Internet-connected hosts, there was no stopping it once released. Even more boggling, the killswitch only disabled the ransomware component, not the worm component.
This has easily been the most (over)covered cybersecurity event we’ve seen this year. The eagerness to get information out quickly resulted in the spreading of myths and misinformation. Despite what you might have heard, there is no evidence of phishing being used in addition to the worm component, and it did not infect Windows XP, but rather caused XP to crash. We put together our own post on effective strategies to defend against the worm.
Critical Windows Patch Mystery
Of the 95 patches released by Microsoft on June 13th, CVE-2017–8543, a vulnerability in the Windows Search service sounds particularly interesting. It is remotely exploitable; is allegedly being exploited in the wild; affects all versions of Windows from Windows XP and Server 2003 to the latest versions and was critical enough that Microsoft released patches for unsupported operating systems (like XP and Windows 8) for the second time in a month (WannaCry was the first).
Despite all this, there’s very little information available on how an exploit might work. If all that’s needed is a malformed file, beware any file shares set to anonymous or Everyone/Full Control in your environment. Also, be aware that Windows Search is responsible for search functionality within the full client version of Microsoft Outlook. Our worry is that some malicious text in the body of an email could be enough to exploit the vulnerability.
In addition, there are several hints that versions of Windows all the way back to XP are vulnerable, but most Microsoft sources don’t mention it. Originally, when this vulnerability was announced, it was incorrectly referenced as an SMB vulnerability instead of a Windows Search vulnerability. Microsoft descriptions have since hinted that SMB is a potential attack vector, leading to our guess that the vulnerability could be exploited by simply dropping a malicious file on an open file share.
This is all guesswork at this point, so take with a grain of salt. We’ll try to make time to go a bit deeper with this, but will stop short of attempting to reverse engineer the Microsoft patch. We wouldn’t be surprised to see this one pop up again, like WannaCry did, 51 days after Microsoft released the patch that protected against ETERNALBLUE. Is there another NSA exploit behind Microsoft’s precautionary actions here? Only time will tell, but plan as if the answer is yes.
Anti-Ransomware and Paella
Adrian traveled to Puerto Rico earlier this month for a family reunion and to speak at the 29th annual FIRST conference. FIRST is a very cool conference and organization, dedicated to incident response and sharing defender insights.
This was a team effort, with Adrian contributing his research into ransomware behaviors, and Konrads Smelkovs of KPMG UK creating a proof-of-concept endpoint defense tool called WEEP. One goal of WEEP was to show that a lot of malware can be defeated by targeting common behaviors. Another goal was to start building something that budget-challenged organizations could deploy for free, as most commercial anti-ransomware solutions are either expensive up front (next-gen AV, for example) or in terms of labor (restoring everything from backups). WEEP leverages Facebook’s open source OSQuery IT management tool to detect malware behaviors, which allow it to kill the offending process.
Check out the slides here and WEEP will be available on Konrads’ GitHub page soon. The plan is to continue working on WEEP as both a proof-of-concept tool and perhaps eventually a production-ready open source project.
Two days before the talk, Adrian prepared by exploring the local cuisine. Enjoy the following pictures of what it takes to feed 100+ people at a Puerto Rican family reunion.
Impressive, huh? Food not pictured included: an entire pig, 25 pounds of mac & cheese, sorullitos de maiz, bacalaitos, empanadillas, bread, salad, seafood salad and several other items. Someone brought tortilla chips, which no one bothered to open.
Other posts
Since our last newsletter, we also published a six-week update on the business back in May, and a how-to on using Prowler to scan your AWS infrastructure for security issues.
Savage Future
New research
Our own WannaCry research resulted in a new tactic using DNS for detecting and stopping malware. We’re partnering up with an interesting security startup on this research, so keep an eye out for that post.
Upcoming events (full calendar)
6/20/17 Savage Security live on the Radio tomorrow morning at 8:30AM on FM 94.3 WNFZ in Knoxville (listen live from anywhere)
6/24/17 Kyle is giving his defense on zero budget talk at BSides Cleveland this Saturday
7/24–7/28 Adrian will be in Vegas for hacker summer camp. Schedule a meeting with him here!
Check out the full calendar for more events you’ll find Savage at this summer and fall!
