May 2017 Newsletter

Phishing, Microsoft Defender Zero Days, Intel AMT, & More!

Kyle Bubp
Savage Security Blog
May 12, 2017

The Lowdown

What’s been happening with Savage? We’ve been busy this month with community engagement, both in person and digitally. We’ve been helping a local community college fine-tune their Cybersecurity program, attending B-Sides Nashville, speaking at DiG South, planning (& speaking) at B-Sides Knoxville, and giving training on how to effectively implement CASB solutions.

There have been a few interesting security stories that have broken as well:

  • The massive Google Docs phishing campaign
  • A Remote Code Execution bug in Windows Defender
  • A Privilege Escalation vulnerability built into Intel’s AMT platform

Google Docs Phish

Earlier this month, attackers sending from a temporary Mailinator account crafted an extremely clever phishing campaign that tricked users into granting the attacker access to their entire Google Drive. Unlike many other phishing campaigns, there was no way to tell this was a phish from the URL, because it abused a clever “feature” of Google Apps Script. The key indicators were:

  • The victim’s address was in the BCC field.
  • The from address was nonsense (hhhhhhhhhhhhhhhh@mailinator[.]com).
  • The phish asked the victim to grant a fake “Google Docs” app permission to the victim’s Google Account.

As a general rule, if you aren’t expecting a shared document, don’t click. Phishing campaigns are an extremely successful attack vector, and thus, employees should be trained regularly on how to identify phishing emails, and what to do with them.
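The three indicators above can be turned into a simple mail-triage check. The script below is an added example and not part of the original newsletter; the sample message, the disposable-domain list, and the body phrase it matches on are constructed for the demo, and the repeated-character rule is one heuristic for the “nonsense” sender, not a rule the campaign itself was known to trip.

```powershell
# Added example (not from the newsletter): flag the header and body indicators
# described above on a constructed message. All sample values are made up.
$Sample = @{
    From    = 'hhhhhhhhhhhhhhhh@mailinator.com'
    To      = 'hhhhhhhhhhhhhhhh@mailinator.com'   # victim is not in To:, i.e. was BCC'd
    Subject = 'Someone has shared a document on Google Docs with you'
    Body    = 'Open in Docs. Google Docs would like permission to access your Google Account.'
}

function Test-PhishIndicators {
    param(
        [Parameter(Mandatory)][hashtable]$Message,
        [Parameter(Mandatory)][string]$Recipient   # mailbox the message was delivered to
    )
    $findings = @()

    # 1. Recipient absent from To:/Cc: means they were BCC'd (mass-mailed).
    $visible = @($Message.To, $Message.Cc) -join ';'
    if ($visible -notmatch [regex]::Escape($Recipient)) {
        $findings += 'Recipient was BCCed (not in To/Cc)'
    }

    # 2. Nonsense sender: the local part is a single repeated character.
    $local = ($Message.From -split '@')[0]
    if ($local -match '^(.)\1{5,}$') {
        $findings += "Sender local part is a repeated character ($local)"
    }

    # 3. Disposable sender domain (assumption: a list the reader maintains).
    $throwaway = @('mailinator.com')
    $domain = ($Message.From -split '@')[1]
    if ($throwaway -contains $domain) {
        $findings += "Sender domain $domain is a disposable-mail provider"
    }

    # 4. Body asks the reader to grant an app access to their Google Account.
    if ($Message.Body -match 'permission to access your Google Account') {
        $findings += 'Message asks for Google Account permissions'
    }
    return $findings
}

# Run against the constructed sample; every indicator fires for this message.
Test-PhishIndicators -Message $Sample -Recipient 'alice@example.com'
```

None of these checks is conclusive on its own (plenty of legitimate mail is BCC’d), which is why the function returns the list of findings rather than a verdict; a mail filter would score them, and a help desk can show them to the user who reported the message.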

RCE Zero-Day in Windows Defender

Happy Cinco de Mayo! On May 5, Tavis Ormandy and Natalie Silvanovich of Google’s Project Zero claimed to have discovered “the worst Windows remote code exec in recent memory.” This tweet sent the infosec industry into a panic, as we were all on the edge of our seats as to what it could be. On May 8th, Tavis commended the Microsoft Security team for their quick and incredible response.

As it turns out, it was a flaw in Windows Defender (CVE-2017-0290) in which attackers could exploit the scan engine itself to gain LocalSystem privileges. So, for example, sending an email with the exploit code in it could compromise Windows Defender on the Exchange server without the email ever being opened.

The Fix: Microsoft has pushed updated definitions that will be applied automatically. If your Malware Protection Engine version is 1.1.13704.0 or lower, the fix has not yet been applied (but you can apply it manually). For those of you with VDI environments, you will need to update your master template to make sure it’s using the latest definitions.

If you’d like to manually check the version, you can use PowerShell and do the following in Windows 10:

And in Windows 7:
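As an added example (not code from the newsletter), the script below reads the engine version and compares it against the 1.1.13704.0 threshold stated above. On Windows 10 it uses the Defender module’s Get-MpComputerStatus cmdlet and its AMEngineVersion property; the Windows 7 fallback assumes the engine version is recorded under the Windows Defender and Microsoft Antimalware “Signature Updates” registry keys, which you should confirm on your own build.

```powershell
# Added example (not from the newsletter): compare the local Malware Protection
# Engine version against the last vulnerable build named above (1.1.13704.0).
$LastVulnerableEngine = [version]'1.1.13704.0'

function Get-MpEngineVersion {
    # Windows 10: the Defender module exposes the engine version directly.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    # Windows 7 (assumption: the engine version is recorded under these
    # registry keys by Windows Defender and Microsoft Security Essentials).
    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($key in $candidates) {
        $v = (Get-ItemProperty -Path $key -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    throw 'Could not determine the Malware Protection Engine version.'
}

function Test-MpEnginePatched {
    param([version]$EngineVersion = (Get-MpEngineVersion))
    # [version] compares component by component, so 1.1.13704.0 is correctly
    # ordered before 1.1.13705.0; a plain string comparison would not be.
    return $EngineVersion -gt $LastVulnerableEngine
}

$current = Get-MpEngineVersion
if (Test-MpEnginePatched -EngineVersion $current) {
    Write-Output "Engine $current is newer than $LastVulnerableEngine - fix applied."
} else {
    Write-Output "Engine $current is still vulnerable - run Update-MpSignature, or update the VDI master template."
}
```

Casting to [version] before comparing is the point of the example: the engine build numbers are four-part version strings, and treating them as text makes “<=” unreliable.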

Intel Processor Privilege Escalation

This flaw (CVE-2017-5689) allows remote attackers to easily bypass the authentication normally required by Active Management Technology (AMT), Intel Standard Manageability (ISM), and Small Business Technology (SBT), which are embedded in Intel firmware versions dating back to 2010. These products are remote administration tools that let administrators do things like mount media, erase hard drives, delete encryption keys, connect via KVM, and power the machine on and off. Managing a machine normally requires authentication, but it was found that if an attacker can MITM the request using a local proxy, they can bypass the authentication challenge and walk through the front door, giving them kernel-level privileges.

The Fix: Some OEMs have already released firmware to fix this issue. You can use the guidance on Intel’s page to detect and update the firmware on your affected systems. Of course, the best fix is to disable it if you aren’t using it. Wouldn’t it be nice if someone utilized the exploit to build a script to disable AMT/ISM/SBT across your entire environment? Maybe we’ll work on that.
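Before you can patch or disable AMT you need to know which hosts have it provisioned. The script below is an added example (not from the newsletter or from Intel’s guidance) that asks each host in your own inventory whether the AMT web interface answers; it assumes AMT listens on TCP 16992 (HTTP) and 16993 (HTTPS), and the host addresses are placeholders to replace with your asset list.

```powershell
# Added example (not from the newsletter): find hosts in your own inventory
# that expose the AMT web interface. Assumption: AMT listens on TCP 16992
# (HTTP) and 16993 (HTTPS). The host list is a constructed placeholder.
$Hosts    = @('192.0.2.10', '192.0.2.11')   # replace with your inventory
$AmtPorts = @(16992, 16993)

function Find-AmtExposedHost {
    param([string[]]$ComputerName, [int[]]$Port = $AmtPorts)
    foreach ($h in $ComputerName) {
        foreach ($p in $Port) {
            # Test-NetConnection warns on each failed connect; keep the output clean.
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            if ($r.TcpTestSucceeded) {
                [pscustomobject]@{ Host = $h; Port = $p; AmtListening = $true }
            }
        }
    }
}

$exposed = Find-AmtExposedHost -ComputerName $Hosts
if ($exposed) {
    $exposed | Format-Table -AutoSize
    Write-Output 'Apply the OEM firmware update to these hosts, or unprovision AMT if it is not in use.'
} else {
    Write-Output 'No hosts responded on the AMT ports.'
}
```

A host that answers on these ports has AMT provisioned and reachable from the network, so it belongs at the top of the firmware-update list; a host that does not answer may still have AMT present but unprovisioned, which Intel’s detection guidance covers from the local side.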

Wrap It Up!

The takeaway from this month’s big stories is that every day we are finding new bugs in our tools that attackers can exploit. It’s important to have processes established for user training, patch & vulnerability management, and out-of-band emergency patching. Of course, if you need a hand, we’re here to help.

This is a copy of the newsletter we send to subscribers monthly. Sign up for the Savage Security newsletter here.
