Security researchers digging for vulnerabilities and workarounds in Microsoft systems and applications demonstrated their discoveries last week at Black Hat and DEF CON in Las Vegas.
Presentations centered on Windows, Active Directory, BITS, and Office 365 in the enterprise. Microsoft issued Microsoft Office security updates the week of both conferences but, as researchers explained, it didn't cover all the vulnerabilities brought to its attention.
Let's take a deeper dive into the findings and flaws that researchers believe could put users at risk:
Office365 + PowerShell = Enterprise Danger
In his Black Hat presentation "Infecting the Enterprise: Abusing Office365 + PowerShell for Covert C2," Craig Dods, chief architect of security at Juniper Networks, explained how Office 365 is ideal for a command and control infrastructure. He argued businesses aren't considering the risk of Office 365 adoption and demonstrated how attackers can take advantage.
"For any enterprise that has more than 100 [users], adoption rates are quite high," he said of Microsoft's SaaS offering. Adoption exceeds 80% in OneDrive for Business, the highest rate among all Office 365 apps. For his research, Dods focused on OneDrive and SharePoint.
Most organizations allow SSL/TLS to Office 365 and larger businesses peer directly with Microsoft using ExpressRoute, accelerating data exfiltration. Due to the network volume and level of trust, most opt not to decrypt Office 365. Hackers can launch attacks without revealing their network; DLP solutions don't view local shares as being outside the organization.
Microsoft added a module to PowerShell that allows it to interact with, and control, Internet Explorer. This lets attackers mount external Office365 storage and hide it from users, encrypt and enable external C&C communication, and exfiltrate data.
Dods showed how an attacker could get the SAML token by clicking "keep me signed in" when signing into Office 365, mount and conceal the new drive, and take data while bypassing antivirus, DLP, and sandboxes. He advises businesses to mitigate their risk by decrypting SSL/TLS, creating custom signatures that only allow their Office 365 domain, and using firewalls with byte-counters and SIEM to identify external uploads.
A 20-year-old SMB Vulnerability in Windows 10
Microsoft also will not patch the "SMBLoris" vulnerability, revealed at DEF CON by Sean Dillon, senior security analyst at RiskSense. Dillon found the flaw when he was hunting for vulnerabilities similar to those exploited by ETERNALBLUE.
This vulnerability, which affects all version of SMB and works on both IPV4 and IPV6, could enable a remote denial of service attack. A single computer could take down a Windows server on the Internet by overloading its memory and causing it to become unresponsive.
"We found a way that we can exhaust all the memory the server has by sending malicious packets to the server," he explained. "This used up all the physical memory in the system, which caused the CPU to spike to 100%, causing the machine to freeze."
Dillon reported the vulnerability to Microsoft in early June, but it was downgraded. SlowLoris is only effective if SMB is exposed to the Internet, and Microsoft claimed companies should have addressed this.
"It may be patched in future versions of Windows but it isn't on their immediate radar," he explained, adding that he informed DDoS protection partners of the flaw so they could prepare. He also advises businesses to take all SMB off the Internet and put it behind a VPN, and use a firewall to throttle the amount of connections a single computer can make to a server.
The Risk of Windows BITS
Safebreach security researcher Dor Azouri discovered a way for local administrators to control download jobs through Background Intelligent Transfer Service (BITS), a Windows service for managing downloads like Windows Update. He was curious about BITS because of the way Windows Update downloads and installs updates, and wanted to see how it adds system jobs.
Known malicious uses of BITS include downloading malware and enabling C&C communication. Azouri discovered that by understanding a file's binary structure, he could change the job's properties and inject a custom download job without using BITS public interfaces. Using a method called BITSInject, he could run his own program as the LocalSystem account.
"I found I can mimic the representation of the new job created, and alter bytes of new artifacts to change parameters of the job," Azouri explained. He found when he controlled the structure of a download job, he can control the parameters and properties of all jobs in the queue.
This is not a means of accessing a user's machine, he said, but a way of manipulating jobs once someone has logged in with administrative privileges. Azouri brought his findings to Microsoft's attention but was told they would not fix the flaw because it requires administrative privileges, as well as physical access, "because a malicious administrator can do much worse things."
Turning Active Directory into a Botnet
Threat Intelligence's Paul Kalinin, senior security consultant, and managing director Ty Miller discussed the danger of botnets and C&C servers operating within organizations during their presentation "The Active Directory Botnet" at Black Hat. The two demonstrated an attack technique in which a threat actor could turn Active Directory Domain Controllers into C&C servers that command internal botnets.
"There is a huge amount of motivation for attackers to be compromising internal networks and setting up C&C environments," said Miller. There is also great potential for attacks to escalate quickly and have major impact, he added.
This attack technique uses a common flaw in the way many businesses implement their Active Directory. As a result of most implementations, nearly all servers, machines, laptops, mobile devices, and wireless devices can connect to a domain controller for authentication, enabling the Active Directory botnet to communicate through C&C servers.
Common botnet architecture looks like Active Directory architecture, said Miller. This enables bots to communicate with one another, and with C&C systems, regardless of their security zone. The Active Directory Botnet Client can identify compromised systems within in the same domain and issue commands to be launched on individual systems or all infected machines.
"End user devices and servers connect to Active Directory, and [bots] can use that connection to bypass access controls and avoid firewall rules," he said.