8/1/2017 05:30 PM

Microsoft Security Put to the Test at Black Hat, DEF CON

Researchers at both conferences demonstrated workarounds and flaws in applications and services including Office 365, PowerShell, Windows 10, Active Directory and Windows BITS.

Security researchers digging for vulnerabilities and workarounds in Microsoft systems and applications demonstrated their discoveries last week at Black Hat and DEF CON in Las Vegas.

Presentations centered on Windows, Active Directory, BITS, and Office 365 in the enterprise. Microsoft issued Office security updates the week of the two conferences, but, as the researchers explained, those updates did not cover all the vulnerabilities that had been brought to its attention.

Let's take a deeper dive into the findings and flaws that researchers believe could put users at risk:

Office365 + PowerShell = Enterprise Danger

In his Black Hat presentation "Infecting the Enterprise: Abusing Office365 + PowerShell for Covert C2," Craig Dods, chief architect of security at Juniper Networks, explained how Office 365 is ideal for a command and control infrastructure. He argued businesses aren't considering the risk of Office 365 adoption and demonstrated how attackers can take advantage.

"For any enterprise that has more than 100 [users], adoption rates are quite high," he said of Microsoft's SaaS offering. Adoption exceeds 80% in OneDrive for Business, the highest rate among all Office 365 apps. For his research, Dods focused on OneDrive and SharePoint.

Most organizations allow outbound SSL/TLS to Office 365, and larger businesses peer directly with Microsoft over ExpressRoute, which also speeds up data exfiltration. Because of the traffic volume and the level of trust, most opt not to decrypt Office 365 traffic. Attackers can operate without exposing their own infrastructure, and DLP solutions do not treat a mounted share as a destination outside the organization.

Microsoft added a module to PowerShell that lets it drive and control Internet Explorer. With it, an attacker can mount external Office 365 storage and hide it from the user, encrypt and tunnel C&C communication over the same channel, and exfiltrate data.

Dods showed how an attacker could obtain a SAML token by selecting "keep me signed in" at the Office 365 login, mount and conceal the new drive, and move data out while bypassing antivirus, DLP, and sandboxes. He advised businesses to reduce the risk by decrypting SSL/TLS, writing custom signatures that permit only their own Office 365 tenant domain, and using firewalls with byte counters, fed into a SIEM, to identify uploads to external tenants.
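The last two mitigations Dods recommends (allow only your own tenant's storage hostnames, and watch byte counters for uploads elsewhere) can be checked from ordinary firewall or proxy logs. The following is an added example written for this page, not code from the Black Hat talk: it assumes a hypothetical tenant named contoso, the <tenant>.sharepoint.com and <tenant>-my.sharepoint.com host patterns used by SharePoint Online and OneDrive for Business, and a constructed log format carrying src=, sni= and tx= (bytes sent) fields.

```python
"""Detect Office 365 storage traffic to tenants the organisation does not own,
from firewall/proxy logs that record the TLS SNI and bytes sent per flow.

Added example; not code from the Black Hat talk.  Assumptions: tenant name
'contoso' (hypothetical), SharePoint Online host patterns <tenant>.sharepoint.com
and <tenant>-my.sharepoint.com, and a constructed log line format."""
import re
from collections import defaultdict
from dataclasses import dataclass

TENANT = "contoso"                      # assumed tenant name
ALLOWED_HOSTS = {                       # the only Office 365 storage hosts this org should use
    f"{TENANT}.sharepoint.com",
    f"{TENANT}-my.sharepoint.com",
}
SHAREPOINT_RE = re.compile(r"^[a-z0-9-]+\.sharepoint\.com$")
UPLOAD_THRESHOLD = 10 * 1024 * 1024     # bytes sent to one foreign tenant before we call it bulk exfil

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+sni=(?P<sni>\S+)\s+tx=(?P<tx>\d+)")


@dataclass
class Alert:
    src: str
    host: str
    bytes_out: int
    reason: str


def is_foreign_tenant(host: str) -> bool:
    """True for any SharePoint Online host that is not one of ours.  A tenant the
    attacker controls looks exactly like our own tenant on the wire, which is why
    a plain 'allow *.sharepoint.com' rule is not enough."""
    host = host.lower()
    return bool(SHAREPOINT_RE.match(host)) and host not in ALLOWED_HOSTS


def audit(log_text: str) -> list:
    """Aggregate bytes sent per (source, foreign tenant host) and return one alert
    per pair.  Any flow to a foreign tenant violates the 'own tenant only' policy;
    crossing UPLOAD_THRESHOLD upgrades the alert to a bulk-upload finding."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # not a flow record we understand
        sni = m["sni"].lower()
        if is_foreign_tenant(sni):
            totals[(m["src"], sni)] += int(m["tx"])

    alerts = []
    for (src, host), total in sorted(totals.items()):
        if total >= UPLOAD_THRESHOLD:
            reason = f"bulk upload to foreign Office 365 tenant ({total} bytes)"
        else:
            reason = "connection to foreign Office 365 tenant"
        alerts.append(Alert(src, host, total, reason))
    return alerts


# Constructed sample: 10.1.2.3 uses our tenant, 10.1.2.9 pushes 16 MiB to a tenant
# we do not own, 10.1.2.4 touches another foreign tenant with a small transfer.
SAMPLE_LOG = """\
2017-08-01T10:00:01 src=10.1.2.3 sni=contoso-my.sharepoint.com tx=5242880
2017-08-01T10:00:05 src=10.1.2.3 sni=login.microsoftonline.com tx=4096
2017-08-01T10:01:10 src=10.1.2.9 sni=evilcorp-my.sharepoint.com tx=8388608
2017-08-01T10:01:40 src=10.1.2.9 sni=evilcorp-my.sharepoint.com tx=8388608
2017-08-01T10:02:00 src=10.1.2.4 sni=attacker.sharepoint.com tx=2048
2017-08-01T10:02:30 src=10.1.2.4 sni=www.example.com tx=1200
"""

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"{a.src} -> {a.host}: {a.reason}")
```

The check keys on the TLS SNI rather than the destination IP because Office 365 tenants share Microsoft's address space; without decryption the SNI is the only per-tenant signal the firewall sees, and a byte counter on top of it separates a stray click from an exfiltration session.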

A 20-year-old SMB Vulnerability in Windows 10

Microsoft also will not patch the "SMBLoris" vulnerability, revealed at DEF CON by Sean Dillon, senior security analyst at RiskSense. Dillon found the flaw when he was hunting for vulnerabilities similar to those exploited by ETERNALBLUE.

The vulnerability, which affects all versions of SMB and works over both IPv4 and IPv6, enables a remote denial-of-service attack. A single computer can take down a Windows server exposed to the Internet by exhausting its memory until it becomes unresponsive.

"We found a way that we can exhaust all the memory the server has by sending malicious packets to the server," he explained. "This used up all the physical memory in the system, which caused the CPU to spike to 100%, causing the machine to freeze."

Dillon reported the vulnerability to Microsoft in early June, but Microsoft downgraded its severity. SMBLoris is only effective if SMB is exposed to the Internet, and Microsoft's position was that companies should already have addressed that exposure.

"It may be patched in future versions of Windows but it isn't on their immediate radar," he explained, adding that he had informed DDoS-protection partners of the flaw so they could prepare. He also advises businesses to take all SMB off the Internet and put it behind a VPN, and to use a firewall to throttle the number of connections a single computer can open to a server.
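The connection-throttling advice works because the attack needs one client to hold a very large number of connections open at once. The following is an added example written for this page, not code from the RiskSense research: it models a per-source connection cap of the kind a firewall rule would enforce in front of port 445, against a server that reserves a fixed amount of memory per open connection. The per-connection cost, the memory budget and the connection events are illustrative assumptions, not measurements from the talk.

```python
"""Per-source connection cap for a TCP service such as SMB on 445, modelling the
'throttle how many connections one client may open' mitigation above.

Added example, not code from the RiskSense research.  PER_CONN_BYTES and
MEMORY_BUDGET are illustrative assumptions; the connection events are constructed."""
from collections import defaultdict

PER_CONN_BYTES = 128 * 1024           # assumed server-side allocation held per open connection
MEMORY_BUDGET = 64 * 1024 * 1024      # assumed memory the service can spend before it stalls


class PerSourceConnectionLimiter:
    """Accept a new connection only while the source has fewer than max_per_source open."""

    def __init__(self, max_per_source: int):
        self.max_per_source = max_per_source
        self.open = defaultdict(int)  # src ip -> currently open connections

    def on_connect(self, src: str) -> bool:
        if self.open[src] >= self.max_per_source:
            return False              # drop: this client already holds its quota
        self.open[src] += 1
        return True

    def on_disconnect(self, src: str) -> None:
        if self.open[src] > 0:
            self.open[src] -= 1


def simulate(events, max_per_source=None):
    """Replay ('connect'|'disconnect', src) events against a server that reserves
    PER_CONN_BYTES per accepted connection.  Returns peak reservation, counts and
    whether the budget was exhausted, with or without the limiter in front."""
    limiter = PerSourceConnectionLimiter(max_per_source) if max_per_source else None
    open_conns = defaultdict(int)
    reserved = peak = accepted = dropped = 0
    for action, src in events:
        if action == "connect":
            if limiter is not None and not limiter.on_connect(src):
                dropped += 1
                continue
            accepted += 1
            open_conns[src] += 1
            reserved += PER_CONN_BYTES
            peak = max(peak, reserved)
        elif action == "disconnect" and open_conns[src] > 0:
            open_conns[src] -= 1
            reserved -= PER_CONN_BYTES
            if limiter is not None:
                limiter.on_disconnect(src)
    return {"peak_bytes": peak, "accepted": accepted, "dropped": dropped,
            "exhausted": peak > MEMORY_BUDGET}


def flood(src: str, count: int) -> list:
    """Constructed attacker behaviour: open `count` connections and never close them."""
    return [("connect", src)] * count


# Constructed scenario: one Internet host holds 1000 connections open while two
# legitimate clients each open one.
SCENARIO = flood("203.0.113.7", 1000) + [("connect", "10.0.0.5"), ("connect", "10.0.0.6")]

if __name__ == "__main__":
    print("no limit :", simulate(SCENARIO))
    print("cap of 32:", simulate(SCENARIO, max_per_source=32))
```

Without the cap the single attacking host drives the reservation past the budget; with a cap of 32 it is held to 32 connections and the two legitimate clients are still served. The cap is a per-source limit, not a global one, so it does not become a denial-of-service vector in its own right.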

The Risk of Windows BITS

SafeBreach security researcher Dor Azouri found a way for a local administrator to control download jobs in the Background Intelligent Transfer Service (BITS), the Windows service that manages downloads such as Windows Update. He was curious about BITS because of the way Windows Update downloads and installs updates, and wanted to see how it adds system jobs.

Known malicious uses of BITS include downloading malware and carrying C&C communication. Azouri found that by understanding the binary structure of the file in which BITS stores its job queue, he could change a job's properties and inject a custom download job without going through BITS's public interfaces. With this method, which he calls BITSInject, he could run his own program as the LocalSystem account.

"I found I can mimic the representation of the new job created, and alter bytes of new artifacts to change parameters of the job," Azouri explained. Once he controlled the structure of one download job, he could control the parameters and properties of every job in the queue.

This is not a means of gaining access to a user's machine, he said, but a way of manipulating jobs once someone is already logged in with administrative privileges. Azouri brought his findings to Microsoft, which told him it would not fix the flaw because it requires administrative privileges as well as physical access, "because a malicious administrator can do much worse things."

Turning Active Directory into a Botnet

Threat Intelligence's Paul Kalinin, senior security consultant, and managing director Ty Miller discussed the danger of botnets and C&C servers operating within organizations during their presentation "The Active Directory Botnet" at Black Hat. The two demonstrated an attack technique in which a threat actor could turn Active Directory Domain Controllers into C&C servers that command internal botnets.

"There is a huge amount of motivation for attackers to be compromising internal networks and setting up C&C environments," said Miller. There is also great potential for attacks to escalate quickly and have major impact, he added.

The technique relies on a common weakness in the way many businesses deploy Active Directory: in most deployments nearly every server, workstation, laptop, mobile device, and wireless device can reach a domain controller for authentication, and the Active Directory botnet uses that same connectivity to reach its C&C servers.

Common botnet architecture looks like Active Directory architecture, Miller said. This lets bots communicate with one another, and with the C&C systems, regardless of the security zone they sit in. The Active Directory Botnet Client can identify compromised systems within the same domain and issue commands to be launched on individual systems or on all infected machines.

"End user devices and servers connect to Active Directory, and [bots] can use that connection to bypass access controls and avoid firewall rules," he said.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comments
Christian Bryant, 8/2/2017 | 12:53:28 PM
Phishing the Microsoft 365 Enterprise
With so many Enterprises making the move to MS Office 365 this can't be good news, especially considering the massive volume of successful phishing attempts in Enterprise environments with this setup. Phishing is sometimes just associated with fraud but getting the keys to the MS Office 365 kingdom is also a prime target. And based on this report what a kingdom to have the keys to.

I'd love to see some comprehensive whitepapers (especially authored by MS techs) that really help Enterprise IT folks remedy these issues with what they already have. Large institutions who are already joined at the hip with MS through bulk licensing, education deals, etc. deserve a serious solution to buttoning up their vulnerable landscape.
REISEN1955, 8/2/2017 | 8:18:00 AM
Woz was right
A few years ago, one of the great savants of our industry - beloved Woz from Apple - said that the cloud was the great security black hole. Nothing existed there in terms of security and everyone - in believing it was secure - was essentially playing a fools game. So this report shows all too well. Not surprised that Office 365 and One Drive can be pulled open. Plus it is a NEW technology really, half-born yet so intrusion is to be expected. Given the stature of Wozniak, we ask where is Jobs when we really need him. (Instead we have Watson and the IBM Cloud - sheesh).