

Microsoft Security Put to the Test at Black Hat, DEF CON

Researchers at both conferences demonstrated workarounds and flaws in applications and services including Office 365, PowerShell, Windows 10, Active Directory, and Windows BITS.

Security researchers digging for vulnerabilities and workarounds in Microsoft systems and applications demonstrated their discoveries last week at Black Hat and DEF CON in Las Vegas.

Presentations centered on Windows, Active Directory, BITS, and Office 365 in the enterprise. Microsoft issued Office security updates the week of the two conferences but, as researchers explained, those updates did not cover all the vulnerabilities brought to its attention.

Let's take a deeper dive into the findings and flaws that researchers believe could put users at risk:

Office365 + PowerShell = Enterprise Danger

In his Black Hat presentation "Infecting the Enterprise: Abusing Office365 + PowerShell for Covert C2," Craig Dods, chief architect of security at Juniper Networks, explained how Office 365 is ideal for a command and control infrastructure. He argued businesses aren't considering the risk of Office 365 adoption and demonstrated how attackers can take advantage.

"For any enterprise that has more than 100 [users], adoption rates are quite high," he said of Microsoft's SaaS offering. Adoption exceeds 80% in OneDrive for Business, the highest rate among all Office 365 apps. For his research, Dods focused on OneDrive and SharePoint.

Most organizations permit SSL/TLS traffic to Office 365, and larger businesses peer directly with Microsoft over ExpressRoute, which also accelerates data exfiltration. Because of the traffic volume and the level of trust, most choose not to decrypt Office 365 traffic. Attackers can operate without revealing their own network, and DLP solutions don't treat local shares as being outside the organization.

Microsoft added a module to PowerShell that allows it to interact with, and control, Internet Explorer. This lets attackers mount external Office 365 storage and hide it from users, encrypt and enable external C&C communication, and exfiltrate data.

Dods showed how an attacker could obtain the SAML token by clicking "keep me signed in" when signing into Office 365, mount and conceal the new drive, and take data while bypassing antivirus, DLP, and sandboxes. He advises businesses to mitigate the risk by decrypting SSL/TLS, creating custom signatures that only allow their own Office 365 domain, and using firewalls with byte-counters together with a SIEM to identify external uploads.
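One way to act on the last two of those recommendations, as an added example that is not from the talk or the article: a Python script that runs over constructed proxy log lines (timestamp, source IP, destination host, method, bytes sent), extracts the tenant name from SharePoint Online and OneDrive for Business hostnames, and flags uploads to any tenant other than the organization's own, plus sources whose foreign-tenant upload volume crosses a byte threshold. It assumes the proxy terminates TLS or at least logs the SNI hostname, which is why Dods advises decrypting the traffic; the tenant names, addresses and log format are constructed.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic): ts src_ip dest_host method bytes_sent
SAMPLE_LOG = """\
2017-07-27T10:01:02Z 10.0.1.15 contoso-my.sharepoint.com PUT 524288
2017-07-27T10:01:05Z 10.0.1.15 contoso.sharepoint.com GET 2048
2017-07-27T10:02:11Z 10.0.1.22 fabrikam-my.sharepoint.com PUT 1048576
2017-07-27T10:02:40Z 10.0.1.22 fabrikam-my.sharepoint.com PUT 1048576
2017-07-27T10:03:01Z 10.0.1.30 graph.microsoft.com GET 512
2017-07-27T10:03:09Z 10.0.1.22 fabrikam-my.sharepoint.com PUT 1048576
2017-07-27T10:04:15Z 10.0.1.15 fabrikam.sharepoint.com GET 4096
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|PUT|POST) (\d+)$")
# <tenant>.sharepoint.com is SharePoint Online; <tenant>-my.sharepoint.com is OneDrive for Business
TENANT_RE = re.compile(r"^([a-z0-9-]+?)(?:-my)?\.sharepoint\.com$", re.IGNORECASE)


def tenant_of(host):
    """Return the Office 365 tenant name for a SharePoint/OneDrive host, else None."""
    m = TENANT_RE.match(host)
    return m.group(1).lower() if m else None


def find_foreign_uploads(log_text, own_tenant, byte_threshold):
    """Flag uploads (PUT/POST) to SharePoint/OneDrive tenants other than own_tenant.

    Returns (uploads, heavy_sources): uploads lists (ts, src_ip, host, bytes) for
    every foreign-tenant upload; heavy_sources maps src_ip -> total bytes for
    sources whose foreign uploads reach byte_threshold. Reads from foreign tenants
    are ignored: partner sharing is normal, bulk uploads to a tenant the
    organization does not own are the exfiltration signal.
    """
    uploads = []
    per_source = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, host, method, nbytes = m.groups()
        tenant = tenant_of(host)
        if tenant is None or tenant == own_tenant.lower():
            continue
        if method in ("PUT", "POST"):
            uploads.append((ts, src, host, int(nbytes)))
            per_source[src] += int(nbytes)
    heavy = {src: total for src, total in per_source.items() if total >= byte_threshold}
    return uploads, heavy
```

In the constructed sample, host 10.0.1.22 pushes 3 MiB to a tenant named fabrikam while the organization's own tenant is contoso, so it is the one source reported.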

A 20-year-old SMB Vulnerability in Windows 10

Microsoft also will not patch the "SMBLoris" vulnerability, revealed at DEF CON by Sean Dillon, senior security analyst at RiskSense. Dillon found the flaw while hunting for vulnerabilities similar to the one exploited by ETERNALBLUE.

This vulnerability, which affects all versions of SMB and works over both IPv4 and IPv6, could enable a remote denial-of-service attack. A single computer could take down a Windows server on the Internet by exhausting its memory and making it unresponsive.

"We found a way that we can exhaust all the memory the server has by sending malicious packets to the server," he explained. "This used up all the physical memory in the system, which caused the CPU to spike to 100%, causing the machine to freeze."

Dillon reported the vulnerability to Microsoft in early June, but its severity was downgraded. SMBLoris is only effective if SMB is exposed to the Internet, and Microsoft's position was that companies should already have addressed that exposure.

"It may be patched in future versions of Windows but it isn't on their immediate radar," he explained, adding that he informed DDoS protection partners of the flaw so they could prepare. He also advises businesses to take all SMB off the Internet and put it behind a VPN, and to use a firewall to throttle the number of connections a single computer can make to a server.
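To show what Dillon's last recommendation buys a defender, here is an added example that is not from the talk or the article: a Python function that simulates a per-source cap on concurrent connections to port 445 over a constructed sequence of open/close events, reporting which attempts a throttling rule would refuse while an ordinary client holding one or two connections is unaffected. The event format, the addresses and the limit of 3 are assumptions.

```python
from collections import defaultdict

# Constructed connection events (not real traffic): "ts src_ip dst_port open|close".
# Source 192.0.2.10 keeps opening connections without closing them, the behaviour a
# memory-exhaustion flood like SMBLoris depends on; 198.51.100.7 is a normal client.
SAMPLE_EVENTS = """\
0 192.0.2.10 445 open
1 192.0.2.10 445 open
2 198.51.100.7 445 open
3 192.0.2.10 445 open
4 198.51.100.7 445 close
5 192.0.2.10 445 open
6 192.0.2.10 445 close
7 192.0.2.10 445 open
8 192.0.2.10 445 open
"""


def apply_connection_limit(events_text, port=445, limit=3):
    """Simulate a firewall rule capping concurrent connections per source to `port`.

    Returns (rejected, open_count): rejected lists (ts, src_ip) for attempts that
    would be refused because the source already holds `limit` open connections;
    open_count is the final number of accepted, still-open connections per source.
    A refused attempt never reaches the SMB service, so the cap bounds the memory
    any single source can tie up no matter how many packets it sends.
    """
    open_count = defaultdict(int)
    rejected = []
    for line in events_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # ignore malformed lines
        ts, src, dport, action = fields
        if int(dport) != port:
            continue
        if action == "open":
            if open_count[src] >= limit:
                rejected.append((int(ts), src))
            else:
                open_count[src] += 1
        elif action == "close" and open_count[src] > 0:
            open_count[src] -= 1
    return rejected, dict(open_count)
```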

The Risk of Windows BITS

SafeBreach security researcher Dor Azouri discovered a way for local administrators to control download jobs through Background Intelligent Transfer Service (BITS), the Windows service that manages downloads such as those for Windows Update. He became curious about BITS because of the way Windows Update downloads and installs updates, and wanted to see how it adds system jobs.

Known malicious uses of BITS include downloading malware and enabling C&C communication. Azouri discovered that by understanding the binary structure of the file in which the job is recorded, he could change the job's properties and inject a custom download job without using the BITS public interfaces. Using a method he calls BITSInject, he could run his own program as the LocalSystem account.

"I found I can mimic the representation of the new job created, and alter bytes of new artifacts to change parameters of the job," Azouri explained. He found that once he controlled the structure of a download job, he could control the parameters and properties of all jobs in the queue.

This is not a means of gaining access to a user's machine, he said, but a way of manipulating jobs once someone is already logged in with administrative privileges. Azouri brought his findings to Microsoft's attention but was told the flaw would not be fixed because it requires administrative privileges as well as physical access, "because a malicious administrator can do much worse things."

Turning Active Directory into a Botnet

Paul Kalinin, senior security consultant, and Ty Miller, managing director, both of Threat Intelligence, discussed the danger of botnets and C&C servers operating within organizations in their Black Hat presentation "The Active Directory Botnet." The two demonstrated an attack technique in which a threat actor could turn Active Directory Domain Controllers into C&C servers that command internal botnets.

"There is a huge amount of motivation for attackers to be compromising internal networks and setting up C&C environments," said Miller. There is also great potential for attacks to escalate quickly and have major impact, he added.

This attack technique relies on a common weakness in the way many businesses deploy Active Directory. In most deployments, nearly all servers, machines, laptops, mobile devices, and wireless devices can connect to a domain controller for authentication, which gives the Active Directory botnet a channel to communicate through its C&C servers.

Common botnet architecture resembles Active Directory architecture, said Miller. This lets bots communicate with one another, and with C&C systems, regardless of their security zone. The Active Directory Botnet Client can identify compromised systems within the same domain and issue commands to be launched on individual systems or on all infected machines.

"End user devices and servers connect to Active Directory, and [bots] can use that connection to bypass access controls and avoid firewall rules," he said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

8/2/2017 | 12:53:28 PM
Phishing the Microsoft 365 Enterprise
With so many Enterprises making the move to MS Office 365 this can't be good news, especially considering the massive volume of successful phishing attempts in Enterprise environments with this setup. Phishing is sometimes just associated with fraud but getting the keys to the MS Office 365 kingdom is also a prime target. And based on this report what a kingdom to have the keys to.

I'd love to see some comprehensive whitepapers (especially authored by MS techs) that really help Enterprise IT folks remedy these issues with what they already have. Large institutions who are already joined at the hip with MS through bulk licensing, education deals, etc. deserve a serious solution to buttoning up their vulnerable landscape.
8/2/2017 | 8:18:00 AM
Woz was right
A few years ago, one of the great savants of our industry - beloved Woz from Apple - said that the cloud was the great security black hole. Nothing existed there in terms of security and everyone - in believing it was secure - was essentially playing a fool's game. So this report shows all too well. Not surprised that Office 365 and OneDrive can be pulled open. Plus it is a NEW technology really, half-born yet so intrusion is to be expected. Given the stature of Wozniak, we ask where is Jobs when we really need him. (Instead we have Watson and the IBM Cloud - sheesh).