* Posts by Thored

17 publicly visible posts • joined 27 Jan 2017

Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

Thored

They did it intentionally. The act of encrypting the data requires the key so the key was available. They purposely displayed a completely ineffective string of characters as the victim's ID. Probably to play on the victim's sense of hope that they could get their data back.

The purpose of this software was just to brick Windows machines.

Thored

Re: WMI (and seriously - passwords in memory?)

Cached credentials in Windows are held in the lsass.exe process. However, there is a group policy setting that turns off credential caching.

The side effect is that any machine that cannot contact a domain controller will be unable to log anyone on to a domain account (because credentials are not cached, the machine has to contact the domain controller for every login).

This should not be an issue for servers in the core or static workstations. It should not be enabled on laptops that are used for remote access.

Thored

Domain admins should be reserved only for server admins and the security team, and they have separate user and admin accounts. The user account is for day-to-day tasks (Word, Excel, PowerPoint, email, etc.) and the admin account is for anything a typical user cannot do.

Helpdesk techs need local administrator on workstations only and they have permissions to reset/unlock passwords for normal users only. Again, helpdesk techs have a normal user account and an admin account. Domain admins are the only ones that can reset/unlock administrator accounts.

All account changes and logins are syslogged and alerts are set for repeat lockouts and expired accounts that attempt to log in.
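As an added example (not the poster's code) of the alerting described in the last paragraph, the script below flags repeat lockouts and logon attempts by expired accounts. It assumes a constructed, simplified export of Windows Security events, one per line, where event 4740 is an account lockout and event 4625 is a failed logon whose NTSTATUS substatus 0xC0000193 means the account has expired.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT = "4740"                      # Windows Security: account locked out
LOGON_FAILED = "4625"                 # Windows Security: failed logon
STATUS_ACCOUNT_EXPIRED = "0xC0000193" # NTSTATUS substatus for an expired account

# Constructed sample events (not from a real system), one per line:
#   timestamp|event_id|account|source_host|substatus
SAMPLE_LOG = """\
2017-06-27T09:01:12|4740|jdoe|WS-4F-17|-
2017-06-27T09:02:40|4625|svc_backup|SRV-FILE01|0xC0000193
2017-06-27T09:20:05|4740|jdoe|WS-4F-17|-
2017-06-27T09:41:33|4740|jdoe|WS-2F-03|-
2017-06-27T10:15:00|4740|asmith|WS-1F-08|-
2017-06-27T11:02:19|4625|contractor7|VPN-GW|0xC0000193
2017-06-27T13:55:01|4740|asmith|WS-1F-08|-
"""

def parse(log_text):
    """Yield (time, event_id, account, source, substatus) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, acct, src, sub = line.split("|")
        yield datetime.fromisoformat(ts), eid, acct, src, sub

def find_alerts(log_text, threshold=3, window=timedelta(hours=1)):
    """Return alert strings in log order.

    A repeat-lockout alert fires once per account when that account reaches
    `threshold` lockouts inside a sliding `window`; every logon attempt by an
    expired account is reported.
    """
    alerts = []
    lockouts = defaultdict(list)   # account -> lockout times still inside the window
    already_alerted = set()
    for ts, eid, acct, src, sub in parse(log_text):
        if eid == LOGON_FAILED and sub == STATUS_ACCOUNT_EXPIRED:
            alerts.append(f"expired account {acct} tried to log on from {src} at {ts:%H:%M}")
        elif eid == LOCKOUT:
            recent = [t for t in lockouts[acct] if ts - t <= window] + [ts]
            lockouts[acct] = recent
            if len(recent) >= threshold and acct not in already_alerted:
                already_alerted.add(acct)
                alerts.append(f"repeat lockout: {acct} locked {len(recent)} times within {window}")
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```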

Thored

By flat topology they mean every machine can reach every other machine in the enterprise.

It is better to set up the network in such a way that user machines are segregated. Meaning a workstation on the 4th floor of a building cannot touch or see a workstation on the first floor or second floor. Workstations should only be able to reach servers on ports that are required to perform tasks and only administrative workstations should be able to perform administrative functions on servers and infrastructure.

Any devices that VPN into the network should not be able to see any critical resources directly. There should be administrative jump boxes for administrators to reach into the infrastructure.

This is much easier to implement if it is baked in when the network is built, but it isn't impossible to implement after the fact.

Thored

Re: Decrypting?

"Sure you can. Piece of piss. Why, even XP had "fixmbr" and "fixboot" commands to fix the mbr on another attached disk. Took all of a couple of seconds to run (if that).

7 and up IIRC have "bootcfg /somethingIcannotremember", worked as well. Or is it "bootrec"? Been a while.

There's tools in Linux to do this just as quickly and easily, and if you're really struggling you can look at boot repair disk which is a bootable CD/USB/PXE image which will do it all with a few mouse clicks."

It is amazing that no one else figured this out. Actually it isn't amazing because it isn't true.

When NotPetya gets on the machine it does more than just "encrypt the MBR".

1. When it initially gets on the box, it overwrites (not encrypts) the MBR with its own bootloader and scans the system for a few files. Specifically, it checks to see if the machine is running Kaspersky, Norton Security or Symantec anti-virus products. If it finds any of these products it has specific processes it uses to avoid detection.

2. If it doesn't find any of those AV products, it checks to confirm it has the privileges to perform its task and, assuming it does, it drops its modified version of Mimikatz to pull any credentials out of memory.

3. If it is able to pull admin credentials from memory, it will attempt to use those credentials to spread in the network (using DHCP if it happens to be on a domain controller or scanning the local network if it isn't on a DC), and while it is doing this it is also scanning the hard drive for the ~65 specific file types it was created to encrypt and encrypts them with 128-bit AES encryption.

4. If it is unable to pull credentials from memory, it then attempts to use EternalBlue to spread to computers on the same subnet as the infected computer as a last resort.

5. After it finishes spreading and encrypting individual files, it chooses a method to reboot the machine based on the privileges it has in its user context: initiating a system shutdown, creating a hard error that causes Windows to reboot, or creating a scheduled task to initiate a reboot within an hour. (Up to this point, the user has no idea anything is going on unless they get suspicious because the hard drive light is thrashing.)

6. The system reboots.

7. The system runs the NotPetya bootloader and loads its own lightweight operating system. This OS displays what appears to be a Windows chkdsk screen telling the user that it is attempting to correct errors on the disk. What it is actually doing is encrypting the MFT and then displaying the ransom note.

So you can't just boot into a disk recovery environment or slave the disk into a working system, because the specific file types NotPetya targets were encrypted on top of the MFT being encrypted. It targeted file types like .7z files and VMware files, file types that would be important to a corporate environment, suggesting this was targeted to take out corporate, government and infrastructure targets.

Thored

Re: The real blame goes to..

Wait, so this means you can't use tools like Metasploit in Australia?

Kali Linux?

How do they red team and penetration test networks without exploit code?

I think this might actually make Australia a target rich environment if anyone decides to look in that direction.

Are offensive security sites blocked in Australia?

Thored

You are correct.

The initial analysis was that the entity behind the attack made a mistake by using a conventional email and a single bitcoin wallet.

Posteo disabled the email account within a few hours of the attack happening, and victims were still sending ransom emails to the address in the hopes of getting their data back.

As it turns out, the "Personal Installation Key" generated by the malware was just a random string of characters unrelated to the encryption key used to encrypt the data, making it useless for retrieving the files. The hackers couldn't give back the files if they wanted to. So, there are victims out there that paid about $10,000 collectively with no hope of getting their data back.

Thored

Re: The real blame goes to..

**shrugs**

Microsoft has enough money to hire a reasonable sized team to do nothing but fuzz their applications for vulnerabilities. Assuming they hire people that know what they are doing, they could greatly minimize the number of potential vulnerabilities.

Thored

Re: Bring Back

This is why you have a security team that is separate and autonomous from anyone else that runs and maintains the network.

System and network administrators install patches and software/firmware upgrades and the security team runs vulnerability scans to ensure that the patches and upgrades are applied properly.

The security team is also responsible for monitoring access to VPNs and external access to the network. This prevents administrators from opening accesses as a matter of convenience.

In a separate reporting structure, you have an Information Assurance team (team in both cases can be a single person). The information assurance team is responsible for publishing policy and auditing the security team.

The security team would report to the CTO/CIO and the information assurance team would report directly to a board of directors or executive management committee.

This keeps everything separate so that it is more difficult for an insider threat to cause havoc.

As for the password issue, the only real solutions are MFA or password vaulting.

Thored

Re: WMI (and seriously - passwords in memory?)

It is even worse than that. You don't have to decrypt the hash. You can use the hash for authentication.

Thored

Re: Are you freaking serious?

I don't have any idea, but if I had to guess, they are using SCADA devices for the sensors and Windows machines for the eyes on glass monitoring.

Thored

Re: A good argument for keeping *one* *nix machine

Nah, use network attached storage via iSCSI in a replication pair and addressed via DFS.

Users should only store data on the NAS/SAN and data should be snapshotted every 1-4 hours and replicated to the second part of the replication pair.

On top of that, you can add conventional incremental/differential/synthetic full backups to add in more redundancy.

Thored

Re: @ Rob D The real blame goes to..

There was no overt notification of the exploit's existence, but many of the exploits in the Shadow Brokers NSA leak were patched one month prior to Shadow Brokers releasing the code.

MS patched many of them in March and the Shadow Brokers leak was in April. No one knows who tipped MS off on what was being leaked.

Thored

Re: Backups

There are botnets in the wild that are just sitting there waiting for the zombie master to issue a command. Some of them have been there for a long time. Here is one that was built in 2013 and was only recently discovered. 350,000 bots.

https://www.technologyreview.com/s/603404/cybersecurity-experts-uncover-dormant-botnet-of-350000-twitter-accounts/

Thored

Re: The real blame goes to..

"The real blame goes to... people continuing to use Windows."

Oh, how cute. A Linux fanboi in the wild.

Just this month a South Korean ISP had 150 Linux servers hit with ransomware and paid over a million dollars to get their data back.

https://www.onthewire.io/south-korean-isp-nayana-pays-1m-ransom-to-decrypt-servers/

So much for not attracting attention.

Nothing to see here, move along.

Thored

Re: The real blame goes to..

Not really.

First, this malware only uses EternalBlue as a last resort to spread.

Second, whoever wrote EternalBlue did not create the vulnerability; they just found it and wrote an exploit for it. (Every persistent threat organization out there has zero days like this in their pocket; it isn't like this was a unicorn.)

Third, Microsoft released a patch for this over a month ago, and it is obvious that a large number of entities are not applying patches in a timely manner. When I do penetration tests on networks using Metasploit, the first exploit I throw is MS08-067, because 50% of the time it wasn't patched properly. That is an exploit that was REPORTED publicly in 2008. It is almost 10 years old and you can still find machines vulnerable to it in the wild.

Why not blame Shadow Brokers for releasing the exploit?

Why not blame shoddy Information Security practices that don't train users to use a little internet hygiene before they start clicking on links in emails they aren't expecting?

Why not blame network engineers that deploy their networks in a flat topology so that any machine can reach any other machine?

Why not blame software companies that don't secure their networks and allow malicious actors to plant malware in their patch catalogs?

Why not blame system administrators that don't disable password caching so that administrator hashes aren't left behind on a machine when the administrator logs out?

There is plenty of blame to go around. Have some.

Top cop: Strap Wi-Fi jammers to teen web crims as punishment

Thored

Mobile wifi jammers with attitudes

They will be jamming public wifi APs just for fun.