Category Archives: TVM

Meltdown and Spectre

I am sure by now you have heard/read/watched about these two security vulnerabilities: Meltdown and Spectre. However, if you have not, here is a good place to start: A Simple Explanation of the Differences Between Meltdown and Spectre

In a nutshell, almost all of the major technology vendors are affected: Apple, Microsoft, Intel, Amazon, ARM, Google, RedHat, VMware, SUSE and more.

What you need to do:

  • Identify the affected technologies in your environment and if you have not already received advisories from those vendors, contact them for updates and guidance.
    • Start with the anti-virus (AV) vendor. Some AV products make unsupported calls into kernel memory that conflict with the kernel changes in these patches and crash the system, so Microsoft only offers the January updates to systems whose AV has set a compatibility registry key (an administrator can also set it manually once the vendor confirms compatibility). An incompatible AV therefore has to be updated before the Microsoft patch can be installed.
    • You can check the status of your AV vendor in this spreadsheet maintained by @GossiTheDog: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true
  • Applying these patches costs CPU performance. How much depends on the workload and hardware (syscall- and I/O-heavy workloads are hit hardest), and figures of 15-30% have been reported, so budget for the hit before pushing updates.
    • On Windows Server, installing the patch does not turn the mitigations on: Microsoft leaves them disabled so that administrators can assess the performance impact first, and they must be enabled through a registry change followed by a reboot. Until that is done the server remains vulnerable; Reference.
  • Microsoft has released KB4056892 for Windows 10 (version 1709; other Windows 10 releases have their own KB numbers). Patches for Windows 7 and 8.1 are expected to be released on January 9th.
  • All of the commonly used browsers are also affected, since Spectre can be exercised from JavaScript. Patches are already available for some and expected soon for the others: Firefox, Safari, Chrome.
    • In Chrome 63 (released in December 2017) you can enable the Site Isolation feature, which renders each site in its own process so that a malicious page cannot read another site's data out of a shared process. Enable it by entering the following in Chrome: chrome://flags/#enable-site-per-process; Reference.

In summary, here are the steps:

  1. Contact technology vendors and review their advisories
  2. Plan in advance for any performance impact
  3. Apply patches in the development environment first and test!
    • It is important to deploy the patches in accordance with your AV vendor's recommendation. There are public reports of system crashes (BSOD) caused by incompatible AV.
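The Windows side of the steps above, as an added example that is not part of the original post: a pre-flight script for one host that checks the AV compatibility key, checks whether the update is installed, and on Windows Server enables the mitigations that stay off after install. The registry paths, the compatibility value name and the KB number are Microsoft's published values; enabling the server mitigations straight after install is this script's own assumption, so run that part only after you have budgeted for the performance hit.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.

# 1. AV compatibility key. Windows Update offers the January 2018 patch only when this
#    value exists; compatible AV products create it, or an admin does so after checking
#    the vendor's statement.
$compatKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatVal = 'cadca5fe-e7bd-4d93-b9d2-f5a4bd5b7ca5'
$props     = Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue
$avReady   = ($null -ne $props) -and ($props.$compatVal -eq 0)
"AV compatibility key set: $avReady"

# 2. Is the patch installed? KB4056892 is the Windows 10 1709 update; other builds have
#    their own KB numbers, so set $kb for the build you are checking.
$kb        = 'KB4056892'
$installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
"$kb installed: $installed"

# 3. Client SKUs enable the mitigations on install. Server SKUs leave them off until
#    these two values are set (Override=0 with Mask=3 enables both the CVE-2017-5715
#    and CVE-2017-5754 mitigations); a reboot is needed afterwards.
$mmKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$isServer = (Get-WmiObject Win32_OperatingSystem).ProductType -ne 1   # 1 = workstation
if ($installed -and $isServer) {
    Set-ItemProperty -Path $mmKey -Name FeatureSettingsOverride     -Value 0 -Type DWord
    Set-ItemProperty -Path $mmKey -Name FeatureSettingsOverrideMask -Value 3 -Type DWord
    "Server mitigations enabled in the registry; reboot to activate."
}

# 4. After the reboot, confirm the result with Microsoft's SpeculationControl module
#    from the PowerShell Gallery, which reports hardware support and Windows state per CVE.
# Install-Module SpeculationControl -Scope CurrentUser
# Get-SpeculationControlSettings
```

Step 1 is the check to run first, because a host that fails it will never be offered the update and will silently stay unpatched; step 3 is the one most easily forgotten, since on a server the patch shows as installed while the mitigations are still off.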

As of this writing, the following CVE identifiers have been assigned: CVE-2017-5753 (Spectre variant 1, bounds check bypass), CVE-2017-5715 (Spectre variant 2, branch target injection) and CVE-2017-5754 (Meltdown, rogue data cache load). These can be used to track remediation efforts.

This is a developing story and it is advised that you closely monitor communications from your technology vendors.

Petya Response Summary

Wanted to share a quick response plan for the recent Petya ransomware outbreak:

  • Apply the Microsoft security updates from the March 2017 bulletin MS17-010.
  • Most firewall and IDS/IPS vendors have released signatures for the SMB vulnerability exploit; if you do not have auto-updates enabled, do a manual signature update.
  • Disable support for the SMBv1 protocol. A detailed write-up is here: https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/
  • Some variants of Petya have been reported to use WMIC and Microsoft PsExec to move laterally within the environment.
    • Petya scans the local /24 to discover hosts and enumerate ADMIN$ shares on them, then copies itself to those hosts and executes the copy using PsExec. This only works if the infected user has the rights to write files to, and execute them on, the system hosting the share.
    • Petya uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempt to execute itself on them remotely. It can use Mimikatz to extract credentials from the infected system and reuse them to execute itself on the targeted host.
    • Blocking the ADMIN$ share via GPO addresses the PsExec/WMIC lateral movement path, which depends on copying the file to that share. It does not stop the SMB exploit itself, which is why the MS17-010 patch and disabling SMBv1 still matter.
  • If you cannot block the share, monitor ingress/egress traffic on 445/137/138/139 (SMB and NetBIOS).
  • If you use the MEDoc tax accounting software, read this: http://www.bbc.co.uk/news/technology-40428967
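The host-side part of the plan above (patch check, SMBv1 off, administrative shares off, SMB/NetBIOS ports blocked, and a look at live SMB connections), as an added example that is not part of the original post. Cmdlets, registry values and KB numbers are Microsoft's documented ones; the decision to block inbound SMB on every host is this script's own assumption, and a file server that must serve shares needs a narrower rule than the one shown.

```powershell
# Added example, not from the original post. Run elevated; reboot when done.

# 1. MS17-010 present? KB numbers differ per build; these two are the March 2017
#    security-only and monthly-rollup updates for Windows 7 / Server 2008 R2, so
#    substitute the numbers for your build from the MS17-010 bulletin.
$ms17010 = 'KB4012212', 'KB4012215'
$patched = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                  Where-Object { $ms17010 -contains $_.HotFixID })
"MS17-010 installed: $patched"

# 2. Disable SMBv1 on the server side and the client side.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8.1 / Server 2012 R2 and later
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows 7 / Server 2008 R2: registry for the server, service config for the client
    Set-ItemProperty -Path $lanman -Name SMB1 -Value 0 -Type DWord
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
}

# 3. Stop creating the administrative shares (ADMIN$, C$) that Petya copies itself into.
#    AutoShareServer is read by server SKUs and AutoShareWks by workstations; setting
#    both is harmless.
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord

# 4. If the shares cannot be removed, block the SMB/NetBIOS ports inbound. A Block rule
#    in Windows Firewall wins over any Allow rule, so this overrides the built-in
#    File and Printer Sharing exceptions. (NetSecurity module: Windows 8 / Server 2012
#    and later; on Windows 7 use netsh advfirewall instead.)
New-NetFirewallRule -DisplayName 'Petya: block inbound SMB/NetBIOS session' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block
New-NetFirewallRule -DisplayName 'Petya: block inbound NetBIOS name/datagram' `
    -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block

# 5. Who is talking SMB to or from this host right now? Established 445 either way.
Get-NetTCPConnection -State Established |
    Where-Object { $_.LocalPort -eq 445 -or $_.RemotePort -eq 445 } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
```

Steps 2 and 3 remove the two things Petya needs on a target (an SMBv1 listener for the exploit, a writable ADMIN$ for the copy); step 4 is the fallback the list above describes for hosts where the share has to stay, and step 5 is the quickest way to see which workstation is talking to which over 445 while you wait for the network-level monitoring to catch up.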

Most of the recent ransomware campaigns are taking advantage of vulnerabilities disclosed by the Shadow Brokers in April 2017. In addition to MS17-010 (EternalBlue), all of the related vulnerabilities should be patched as soon as possible:

  • Code name : Solution
    • “EternalBlue” : Addressed by MS17-010
    • “EmeraldThread” : Addressed by MS10-061
    • “EternalChampion” : Addressed by CVE-2017-0146 & CVE-2017-0147 (part of MS17-010)
    • “ErraticGopher” : Addressed prior to the release of Windows Vista
    • “EskimoRoll” : Addressed by MS14-068
    • “EternalRomance” : Addressed by MS17-010
    • “EducatedScholar” : Addressed by MS09-050
    • “EternalSynergy” : Addressed by MS17-010
    • “EclipsedWing” : Addressed by MS08-067

The Petya campaign is still developing and it is important to monitor the developments. One of the best ways to monitor the situation is via Twitter under the following hashtags: #Petya #NotPetya #Ransomware
