Microsoft Security Put to the Test at Black Hat, DEF CON

Researchers at both conferences demonstrated workarounds and flaws in applications and services including Office 365, PowerShell, Windows 10, Active Directory and Windows BITS.

Security researchers digging for vulnerabilities and workarounds in Microsoft systems and applications demonstrated their discoveries last week at Black Hat and DEF CON in Las Vegas.

Presentations centered on Windows, Active Directory, BITS, and Office 365 in the enterprise. Microsoft issued Microsoft Office security updates the week of both conferences but, as researchers explained, they didn't cover all the vulnerabilities brought to its attention.

Let's take a deeper dive into the findings and flaws that researchers believe could put users at risk:

Office365 + PowerShell = Enterprise Danger

In his Black Hat presentation "Infecting the Enterprise: Abusing Office365 + PowerShell for Covert C2," Craig Dods, chief architect of security at Juniper Networks, explained how Office 365 is ideal for a command and control infrastructure. He argued businesses aren't considering the risk of Office 365 adoption and demonstrated how attackers can take advantage.

"For any enterprise that has more than 100 [users], adoption rates are quite high," he said of Microsoft's SaaS offering. Adoption exceeds 80% in OneDrive for Business, the highest rate among all Office 365 apps. For his research, Dods focused on OneDrive and SharePoint.

Most organizations allow SSL/TLS to Office 365 and larger businesses peer directly with Microsoft using ExpressRoute, accelerating data exfiltration. Due to the network volume and level of trust, most opt not to decrypt Office 365. Hackers can launch attacks without revealing their network; DLP solutions don't view local shares as being outside the organization.

Microsoft added a module to PowerShell that allows it to interact with, and control, Internet Explorer. This lets attackers mount external Office365 storage and hide it from users, encrypt and enable external C&C communication, and exfiltrate data.

Dods showed how an attacker could get the SAML token by clicking "keep me signed in" when signing into Office 365, mount and conceal the new drive, and take data while bypassing antivirus, DLP, and sandboxes. He advises businesses to mitigate their risk by decrypting SSL/TLS, creating custom signatures that only allow their Office 365 domain, and using firewalls with byte-counters and SIEM to identify external uploads.
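As an added illustration of the last of those mitigations (this is not code from Dods' talk or from the article), the check below applies a tenant allowlist and a byte counter to constructed proxy log lines: any traffic to a OneDrive for Business or SharePoint Online host whose tenant is not the organisation's own is flagged, and any client whose upload volume to such hosts crosses a threshold is reported. The tenant name "contoso", the log format and the 50 MiB threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumption: "contoso" is the organisation's own Office 365 tenant.
ALLOWED_TENANTS = {"contoso"}
# Assumption: alert once a client has pushed more than 50 MiB to foreign tenants.
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024

# Tenant-scoped storage hosts: <tenant>-my.sharepoint.com (OneDrive for Business)
# and <tenant>.sharepoint.com (SharePoint Online).
TENANT_HOST = re.compile(r"^(?P<tenant>[a-z0-9-]+?)(?:-my)?\.sharepoint\.com$", re.I)

# Constructed log format: "<timestamp> src=<ip> host=<sni> bytes_out=<n>"
LOG_LINE = re.compile(r"src=(?P<src>\S+)\s+host=(?P<host>\S+)\s+bytes_out=(?P<out>\d+)")


def tenant_of(host: str):
    """Return the tenant name of a sharepoint.com host, or None for other hosts."""
    m = TENANT_HOST.match(host)
    return m.group("tenant").lower() if m else None


def analyse(lines, allowed=ALLOWED_TENANTS, threshold=UPLOAD_THRESHOLD_BYTES):
    """Return (unknown_tenants, bulk_uploaders).

    unknown_tenants: sorted (src, host) pairs that reached a non-allowlisted tenant.
    bulk_uploaders:  {src: bytes} for clients over the threshold to such tenants.
    """
    unknown = set()
    out_by_src = defaultdict(int)
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        tenant = tenant_of(m.group("host"))
        if tenant is None or tenant in allowed:
            continue  # not Office 365 storage, or our own tenant: allowed
        unknown.add((m.group("src"), m.group("host")))
        out_by_src[m.group("src")] += int(m.group("out"))
    bulk = {src: n for src, n in out_by_src.items() if n > threshold}
    return sorted(unknown), bulk


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2017-08-01T10:00:01Z src=10.1.2.3 host=contoso-my.sharepoint.com bytes_out=4096",
    "2017-08-01T10:00:05Z src=10.1.2.3 host=othertenant-my.sharepoint.com bytes_out=60000000",
    "2017-08-01T10:00:07Z src=10.1.2.9 host=login.microsoftonline.com bytes_out=512",
    "2017-08-01T10:00:09Z src=10.1.2.9 host=othertenant.sharepoint.com bytes_out=1024",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```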

A 20-year-old SMB Vulnerability in Windows 10

Microsoft also will not patch the "SMBLoris" vulnerability, revealed at DEF CON by Sean Dillon, senior security analyst at RiskSense. Dillon found the flaw when he was hunting for vulnerabilities similar to those exploited by ETERNALBLUE.

This vulnerability, which affects all versions of SMB and works over both IPv4 and IPv6, could enable a remote denial of service attack. A single computer could take down a Windows server on the Internet by overloading its memory and causing it to become unresponsive.

"We found a way that we can exhaust all the memory the server has by sending malicious packets to the server," he explained. "This used up all the physical memory in the system, which caused the CPU to spike to 100%, causing the machine to freeze."

Dillon reported the vulnerability to Microsoft in early June, but the company downgraded its severity. SMBLoris is only effective if SMB is exposed to the Internet, and Microsoft claimed companies should have addressed this already.

"It may be patched in future versions of Windows but it isn't on their immediate radar," he explained, adding that he informed DDoS protection partners of the flaw so they could prepare. He also advises businesses to take all SMB off the Internet and put it behind a VPN, and use a firewall to throttle the amount of connections a single computer can make to a server.

The Risk of Windows BITS

SafeBreach security researcher Dor Azouri discovered a way for local administrators to control download jobs through Background Intelligent Transfer Service (BITS), a Windows service for managing downloads such as those for Windows Update. He was curious about BITS because of the way Windows Update downloads and installs updates, and wanted to see how it adds system jobs.

Known malicious uses of BITS include downloading malware and enabling C&C communication. Azouri discovered that by understanding a file's binary structure, he could change the job's properties and inject a custom download job without using BITS public interfaces. Using a method called BITSInject, he could run his own program as the LocalSystem account.

"I found I can mimic the representation of the new job created, and alter bytes of new artifacts to change parameters of the job," Azouri explained. He found that once he controlled the structure of a download job, he could control the parameters and properties of all jobs in the queue.

This is not a means of accessing a user's machine, he said, but a way of manipulating jobs once someone has logged in with administrative privileges. Azouri brought his findings to Microsoft's attention but was told they would not fix the flaw because it requires administrative privileges, as well as physical access, "because a malicious administrator can do much worse things."

Turning Active Directory into a Botnet

Threat Intelligence's Paul Kalinin, senior security consultant, and managing director Ty Miller discussed the danger of botnets and C&C servers operating within organizations during their presentation "The Active Directory Botnet" at Black Hat. The two demonstrated an attack technique in which a threat actor could turn Active Directory Domain Controllers into C&C servers that command internal botnets.

"There is a huge amount of motivation for attackers to be compromising internal networks and setting up C&C environments," said Miller. There is also great potential for attacks to escalate quickly and have major impact, he added.

This attack technique uses a common flaw in the way many businesses implement their Active Directory. As a result of most implementations, nearly all servers, machines, laptops, mobile devices, and wireless devices can connect to a domain controller for authentication, enabling the Active Directory botnet to communicate through C&C servers.

Common botnet architecture looks like Active Directory architecture, said Miller. This enables bots to communicate with one another, and with C&C systems, regardless of their security zone. The Active Directory Botnet Client can identify compromised systems within the same domain and issue commands to be launched on individual systems or on all infected machines.

"End user devices and servers connect to Active Directory, and [bots] can use that connection to bypass access controls and avoid firewall rules," he said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

8/2/2017 | 12:53:28 PM
Phishing the Microsoft 365 Enterprise
With so many Enterprises making the move to MS Office 365, this can't be good news, especially considering the massive volume of successful phishing attempts in Enterprise environments with this setup. Phishing is sometimes just associated with fraud, but getting the keys to the MS Office 365 kingdom is also a prime target. And based on this report, what a kingdom to have the keys to.

I'd love to see some comprehensive whitepapers (especially authored by MS techs) that really help Enterprise IT folks remedy these issues with what they already have. Large institutions that are already joined at the hip with MS through bulk licensing, education deals, etc. deserve a serious solution to buttoning up their vulnerable landscape.

8/2/2017 | 8:18:00 AM
Woz was right
A few years ago, one of the great savants of our industry - beloved Woz from Apple - said that the cloud was the great security black hole. Nothing existed there in terms of security, and everyone - in believing it was secure - was essentially playing a fool's game. So this report shows all too well. Not surprised that Office 365 and OneDrive can be pulled open. Plus it is a NEW technology really, half-born yet, so intrusion is to be expected. Given the stature of Wozniak, we ask where is Jobs when we really need him. (Instead we have Watson and the IBM Cloud - sheesh).