Microsoft on Untrusted Network

SANS ISC Diary - ProxyShell - how many Exchange servers are affected and where are they?

Jan Kopriva — Mon, 09 Aug 2021 12:25:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of Exchange serveres vulnerable to the ProxyShell attack…

SANS ISC Diary - SMBGhost - the critical vulnerability many seem to have forgotten to patch

Jan Kopriva — Wed, 28 Oct 2020 11:00:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at the concerning number of machines connected to the internet, that are still not patched for the critical SMBGhost vulnerability.

SANS ISC Diary - Using Shell Links as zero-touch downloaders and to initiate network connections

Jan Kopriva — Wed, 24 Jun 2020 09:45:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a weakness handling of LNK files in Windows, through which one may force the OS to download an arbitrary file from a remote server any time the shortcut file is displayed.

SANS ISC Diary - Crashing explorer.exe with(out) a click

Jan Kopriva — Mon, 30 Mar 2020 07:55:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a vulnerability in the way Windows handles self-referential links, which makes it possible to use specially crafted URL and LNK files to crash Explorer.

CrisisCon - Breaking Windows

Jan Kopriva — Sat, 28 Mar 2020 09:15:00 +0100

Videos of all presentations from last weeks CrisisCon are now accessible on Youtube. Among them is my own talk on known unpatched vulnerabilities and weaknesses in Windows.

If you couldn’t make it to the online conference, I recommend you at least go through some of the recordings as couple of the talks were quite interesting.

SANS ISC Diary - Desktop.ini as a post-exploitation tool

Jan Kopriva — Mon, 16 Mar 2020 07:55:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a vulnerability in the way Windows handles desktop.ini files, which makes it possible to use them as an interesting post-exploitation tool.

UPDATE 27. 5. 2020: I put together a shor video demonstrating the vulnerabiltiy while preparing materials for SANSFIRE 2020. You may find it here.

SANS ISC Diary - Discovering contents of folders in Windows without permissions

Jan Kopriva — Tue, 18 Feb 2020 07:18:21 +0100

A Diary of mine was published today on the SANS Internet Storm Center. This one deals with a strange side effect of the way in which Windows deals with file permissions, which enables any user, regardless of permissions, to brute-force contents of any local folder.

UPDATE 20. 5. 2020: I put together a shor video demonstrating the weakness/vulnerability while preparing materials for SANSFIRE 2020. You may find it here.

Looking back at September 2015

Jan Kopriva — Sun, 18 Oct 2015 16:13:47 +0100

Information concerning number of devices vulnerable to Heartbleed vulnerability has appeared in the news during September. Given that the existence of Heartbleed was made public almost a year and a half ago it may be surprising that the number of vulnerable devices exceeds 200.000.
Affair concerning the Stagefright vulnerability (which was mentioned in the last Looking back) continued in September when Zimperium – the company which discovered Stagefright – released a proof-of-concept code which exploits the vulnerability.
A stealth malware hidden in modified Cisco IOS images and named SYNful knock has been discovered on tens of Cisco routers around the world. The malware functions as a backdoor and besides the (persistent) IOS-embedded main component uses tens of modules which provide further functionality which it loads into volatile memory.
It should be mentioned that Google, Microsoft and Mozzila made a press release announcing that their browsers will stop supporting the RC4 encryption algorithm early next year.
One final piece of interesting news we will mention has been the discovery of a malware targeted at online poker players. The trojan horse is named Odlanor and captures screenshots of applications used for playing poker online and then sends them to the attacker.

Looking back at April 2015

Jan Kopriva — Sat, 09 May 2015 20:51:28 +0100

During April, we have witnessed - among others - a discovery of an 18 years old “Redirect to SMB” vulnerability which can be used to attack all versions of Windows released since then. The vulnerability can be exploited in cases when attacker has some control over the network, enabling him to gain user login information by redirecting of network traffic to a malicious SMB (server message block) server. The server forces the target to automatic authorization process during which the target sends users login, domain and hashed password.
Next to this vulnerability an April discovery of a modern macro malware BALTEX. It spreads using phishing messages with a link to a page containing an infected Word document and instructions to enable macros. After the downloaded document is opened, the macro downloads a variant of DYRE banking malware.
It is also worth mentioning that the RSA conference was held at the end of April.

Looking back at March 2015

Jan Kopriva — Wed, 01 Apr 2015 00:00:24 +0100

Looking back at March, probably the most important information security news has been discovery of a significant vulnerability (which could be exploited using a FREAK attack) in some TLS/SSL implementations, including the ones used by Windows operating systems.
Another worth while news has been a discovery of a new campaign aimed at energy sector companies in the Middle East. Trojan Laizok - a reconnaissance malware for gathering information about infected systems - has been used in the campaign, along with other malicious programs which have been modified for specific systems based on the information gathered by Laizok.
A mention should also be made about two very powerful DDoS attacks made during the second half of the month - first one was targeted at Greatfire.org and the second one at GitHub. According to published analysis China was the source of both attacks.
Finally, at the end of “Looking back” we shoud mention that in course of March the Rowhammer attack was made public. It is based on changing specific bits in memory by exploiting a weakness in DDR3 memories which leads to priviledge escalation.

Looking back at February 2015

Jan Kopriva — Tue, 03 Mar 2015 09:58:57 +0100

Dramatic information security incidents and news were unfortunately fairly common in February – we will shortly remember three of the most interesting ones.

Most attention was probably gained by a story about an alleged theft of massive amount of encryption keys used in mobile communication from the network of Dutch company Gemalto (a major SIM card supplier) by NSA and GCHQ. The keys could be used to decrypt live communication and also, for example, remotely inject malicious code into end devices. Source of the story has been The Intercept, citing a document from 2010 which was acquired by Edward Snowden, formerly from the NSA. After the news went public Gemalto stock took a serious hit. The company responded couple of days later by a press release admitting that operation by NSA and GCHQ resulting in penetration of internal company network probably happened, but emphasizing that the penetration “could not have led to a massive theft of encryption keys”. Gemalto further stated that “in the case of eventual key theft, the intelligence services would only be able to spy on second generation 2G mobile network” since “3G and 4G networks are not vulnerable to this type of attack”.

Another high impact February news has been that the Superfish adware (which is used to inject ads into viewed web pages based on analysis of viewed pictures) which Lenovo used to preinstall on their laptops installed a self-signed root certificate. Using that, the adware could generate certificates for web pages which user viewed using encrypted connections, replacing the legitimate certificates and compromising security of communication between the user and the web page. Superfish was then able to analyze and alter the SSL encrypted communication. Furthermore, since the root certificated seems to have been always the same and itself not very secure, its presence in a system constitutes a vulnerability which can be used quite easily by a potential attacker. Since discovering this, lawsuits have been filed against Lenovo and web pages of the company have been defaced.

It should also be noted that in the course of February, after being criticized by Microsoft (among others), Google decided to change the policy of its Project Zero – an initiative which, after a vulnerability has been discovered in an application, gave 90-day deadline to its developers to work on a patch. After the deadline has passed the vulnerability was made public regardless of existence of a patch or its planed later release. This has been the case for Microsoft and a vulnerability in Windows 8.1 when the 90-day deadline ended two days before planned release of a patch during Patch Tuesday, regular release of updates and patches by Microsoft. Google now grants developers up to 2 weeks reprieve after the deadline has passed, provided they are actively working on patching the vulnerability.