New Malware Abuses PowerPoint Slide Show

In April Microsoft fixed the CVE-2017-0199 vulnerability in Office after threat actors had been exploiting it in the wild. The same vulnerability has now been found in use again, hidden behind a specially crafted PowerPoint Slide Show (PPSX) file.

CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware. It is commonly exploited via the use of malicious Rich Text File (RTF) documents.

According to the researchers at Trend Micro, who spotted the malware campaign, the targeted attack starts with a convincing spear-phishing email attachment, purportedly from a cable manufacturing provider and mainly targets companies involved in the electronics manufacturing industry.

Technical Analysis

The exploit arrives as a spear-phishing email attachment, purportedly from a cable manufacturing provider, that drops a remote access tool as its final payload.

[Figure: spear-phishing email]

When the malicious PowerPoint Show is opened, it displays the text CVE-2017-8570, which is a different Microsoft Office vulnerability. Based on Trend Micro's analysis, however, it actually exploits CVE-2017-0199. This is a leftover mistake from the toolkit developer, which the sender did not bother to change.

The file triggers a script moniker in ppt/slides/_rels/slide1[.]xml[.]rels. The exploit runs remote code fetched from hxxp://192[.]166[.]218[.]230:3550/logo[.]doc, an address belonging to a VPN or hosting service that is abused by the attacker.

[Figure: remote malicious code]

When the sample is run, PowerPoint initializes the script moniker and executes the remote malicious payload via the PowerPoint Show animations feature.

[Figure: RATMAN.EXE]

The logo.doc file is actually an XML file containing JavaScript that runs a PowerShell command to download and execute a file known as RATMAN.EXE (detected by Trend Micro as BKDR_RESCOMS.CA). The executable is a trojanized version of the REMCOS remote access tool (RAT), downloaded from the Command & Control (C&C) server hxxp://192[.]166[.]218[.]230:3550/ratman[.]exe, which is located in Poland. The 192[.]166[.]218[.]230 address is also known to host other kinds of RATs. RATMAN.EXE then connects to the C&C server at 5[.]134[.]116[.]146:3550 for execution.

RATMAN.EXE is a trojanized version of the Remcos Remote Control tool which, once installed, allows attackers to control infected computers remotely from their command-and-control server.

[Figure: Remcos RAT control panel]

Remcos is a legitimate and customizable remote access tool that allows users to control their systems from anywhere in the world. Its capabilities include download-and-execute commands, a keylogger, a screen logger, and recorders for both webcam and microphone.
Because the exploit is usually delivered through malicious Rich Text File (.RTF) documents, most detection methods for CVE-2017-0199 focus on RTF. Using a PPSX file instead therefore also allows the attackers to evade antivirus detection.
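One defender-side check that does not depend on RTF is to open the PPSX package (it is a ZIP) and inspect the slide relationship files for the pattern described above: an OLE object relationship whose target lies outside the package, or any target using a script: moniker. The following is an added example, not Trend Micro's code or the sample's own contents; the package it builds is constructed here for illustration and uses a documentation-range address rather than the attacker's infrastructure.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def scan_ppsx(data: bytes):
    """Return (rels part, relationship Id, target) for every slide relationship
    that loads an OLE object from outside the package or uses a script: target.
    Ordinary external hyperlinks on slides are common and are not flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                scheme = urlsplit(target).scheme.lower()
                if scheme == "script" or (external and rel.get("Type") == OLE_REL):
                    findings.append((name, rel.get("Id"), target))
    return findings


def build_sample(ole_target: str, ole_mode: str) -> bytes:
    """Constructed minimal package: one slide rels part with a benign external
    hyperlink plus an OLE relationship whose target and mode the caller picks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(
            "ppt/slides/_rels/slide1.xml.rels",
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{LINK_REL}" Target="https://example.com/" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{OLE_REL}" Target="{ole_target}" TargetMode="{ole_mode}"/>'
            "</Relationships>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # 192.0.2.0/24 is a documentation range; the real sample used a hosting-provider address.
    print(scan_ppsx(build_sample("http://192.0.2.10:3550/logo.doc", "External")))
    print(scan_ppsx(build_sample("../embeddings/oleObject1.bin", "Internal")))
```

For files from untrusted mailboxes, parse the XML with defusedxml instead of the stdlib parser so entity-expansion tricks cannot stall the scanner.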

The easiest way to protect yourself completely from this attack is to download and apply the patches Microsoft released in April, which address the CVE-2017-0199 vulnerability.

Microsoft patches 25 critical vulnerabilities

Microsoft, as part of its August Patch Tuesday, has released a large batch of 48 security updates, 25 of them rated critical, 21 important and 2 moderate in severity, for all supported versions of Windows and other products.

These vulnerabilities impact various versions of Microsoft’s Windows operating systems, Internet Explorer, Microsoft Edge, Microsoft SharePoint, the Windows Subsystem for Linux, Adobe Flash Player, Windows Hyper-V and Microsoft SQL Server.

Some of these are:

CVE-2017-8620: Windows Search Remote Code Execution Vulnerability

This vulnerability affects all versions of Windows 7 and Windows 10 and could be used in a wormable attack like the one used by the WannaCry ransomware, as it utilises the SMBv1 connection.
An attacker could remotely exploit the vulnerability through an SMB connection to elevate privileges and take control of the targeted Windows computer.
“A remote code execution vulnerability exists when Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explains.

CVE-2017-8633: Windows Error Reporting Elevation of Privilege Vulnerability

Another elevation of privilege vulnerability resides in Windows Error Reporting (WER) that could allow an attacker to run a specially crafted application to gain access to administrator privileges on the targeted system to steal sensitive information.
“This update corrects the way the WER handles and executes files,” the advisory says.

CVE-2017-8627: Windows Subsystem for Linux DoS Vulnerability

Another important vulnerability was discovered in the Windows Subsystem for Linux that could allow an attacker to execute code with elevated permissions.
“To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by correcting how Windows Subsystem for Linux handles NT pipes,” the advisory says.
Successful exploitation could eventually allow a denial of service attack, leaving the targeted system unresponsive.
Microsoft has released patches for all of these vulnerabilities and users are advised to install them immediately.

Orpheus’ Lyre, a serious vulnerability in Kerberos patched

A vulnerability hidden in Kerberos code for more than 20 years met its end in patches issued on Tuesday, 11 July 2017 by Microsoft and several Linux vendors.

Kerberos is a cryptographic authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.

The flaw was discovered in Heimdal, an open source implementation of Kerberos, and dubbed Orpheus’ Lyre.

The vulnerability has to do with the way Kerberos handles authentication messages that combine both cryptographically protected data and unauthenticated plaintext. Affected implementations of Kerberos fetched metadata from unprotected key distribution center (KDC) tickets rather than encrypted KDC responses, something Altman characterized as a logic error.

This vulnerability can be exploited in a number of ways, and in some cases it can lead to remote credential theft, and thus remote privilege escalation, largely defeating Kerberos. Attackers do have to be on-path (logically, at least) between the victim client and a KDC.

Kerberos is a lot like a PKI, but instead of public key cryptography, with certification authorities (CAs) and certificates, Kerberos has a trusted third-party, the Key Distribution Centers (KDCs) that issue short-lived tickets. These tickets are encrypted using a symmetric key known to the relying party (usually a service) and the KDC for that party’s administrative “realm”. The encrypted portion of a Kerberos ticket bears the name of the client principal (usually a user) being authenticated to the service principal, metadata such as the ticket’s expiration time, and (crucially) a “session key” that the KDC will arrange for the user to also know. The client principal (user) uses this session key to create an Authenticator with which to prove knowledge of the session key to the service principal, and that’s how one uses Kerberos to authenticate a client user to some service. If the client presents a Ticket and Authenticator, and the service can decrypt the Ticket, extract the “session key”, and decrypt the Authenticator with the session key, then the client is whoever the Ticket says they are, for they possessed the cryptographic key with which to make that Authenticator.

Orpheus’ Lyre allows an attacker who is on-path (physically or logically) between the client and the services it talks to (including the KDCs) to mount a service impersonation attack on the client. That is, a man-in-the-middle (MITM) on the wire can impersonate some services to the client.

This is a client-side vulnerability and all affected clients must be patched. It cannot be mitigated by patching servers.
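The logic error and its client-side fix can be shown with a deliberately small model of the TGS exchange. This is an added illustration, not Heimdal's code or the real Kerberos encoding: `seal`/`unseal` stand in for Kerberos encryption (authenticity is all the bug depends on, so a MAC is used instead of a cipher), the principal names and keys are constructed, and the attacker is modelled only as the on-path party that can edit the unauthenticated ticket name. A client that reads the service name from the encrypted KDC reply (patched=True) rejects the substituted reply; one that reads it from the cleartext ticket accepts it.

```python
import hashlib
import hmac
import json
import secrets

# Constructed realm: long-term keys of two services and the TGT session key the
# client already shares with the KDC after the AS exchange.
SERVICE_KEYS = {"host/fileserver": secrets.token_bytes(32),
                "host/attacker": secrets.token_bytes(32)}
TGT_SESSION_KEY = secrets.token_bytes(32)


def seal(key: bytes, obj: dict) -> dict:
    """Toy stand-in for Kerberos encryption: integrity-protected under `key`."""
    body = json.dumps(obj, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def unseal(key: bytes, box: dict) -> dict:
    expected = hmac.new(key, box["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, box["mac"]):
        raise ValueError("wrong key")
    return json.loads(box["body"])


def kdc_tgs_rep(sname: str) -> dict:
    """KDC reply: a Ticket with a cleartext sname and a part only the service can
    open, plus an enc-part for the client that repeats sname and the session key."""
    session_key = secrets.token_hex(16)
    ticket = {"sname": sname, "enc_part": seal(SERVICE_KEYS[sname], {"key": session_key})}
    return {"ticket": ticket, "enc_part": seal(TGT_SESSION_KEY, {"sname": sname, "key": session_key})}


def on_path_rewrite(rep: dict, claimed_sname: str) -> dict:
    """The only thing an on-path party can change without a key: the cleartext name."""
    rep["ticket"]["sname"] = claimed_sname
    return rep


def client_accepts(rep: dict, requested: str, patched: bool) -> bool:
    """Vulnerable clients trusted the Ticket's cleartext sname; patched clients take
    the name from the encrypted KDC reply and compare it with what they asked for."""
    enc = unseal(TGT_SESSION_KEY, rep["enc_part"])
    sname = enc["sname"] if patched else rep["ticket"]["sname"]
    return sname == requested


def service_key_visible_to(service: str, rep: dict) -> str:
    """Which session key the holder of `service`'s long-term key can recover."""
    return unseal(SERVICE_KEYS[service], rep["ticket"]["enc_part"])["key"]
```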

Every Kerberos implementation needs to be checked for this issue. While efforts have been made to notify companies like Microsoft that rely on Kerberos, not every vendor can be expected to have fixed the vulnerability.

Microsoft patches 19 critical issues along with 2 zero-days in NTLM

As part of the July Patch Tuesday, Microsoft has released security patches for a serious privilege escalation flaw affecting all Windows operating system versions for enterprises released since 2007.

Researchers at Preempt, a security firm specialising in behavioural firewalls, discovered two zero-day vulnerabilities in the Windows NTLM security protocols, both of which allow attackers to create a new domain administrator account and take over the target domain.

NT LAN Manager (NTLM) is an old authentication protocol; although it was replaced by Kerberos in Windows 2000, it is still supported by Microsoft and used by many organizations.

[Figure: NTLM relay]

Although Kerberos, which replaced NTLM in Windows 2000, adds greater security to systems on a network, NTLM is still supported by Microsoft and continues to be widely used.

Vulnerability 1: LDAP Relay (CVE-2017-8563)

The first vulnerability involves NTLM relay to unprotected Lightweight Directory Access Protocol (LDAP); the second affects Remote Desktop Protocol (RDP) Restricted-Admin mode.

LDAP protocol is used in Active Directory to query and update all domain objects (users, groups, endpoints, etc).

Even though LDAP signing protects against both Man-in-the-Middle (MitM) and credential forwarding, the protocol is not able to fully protect against NTLM relay attacks.

The vulnerability could be exploited by an attacker with SYSTEM privileges to use incoming NT LAN Manager sessions and perform the LDAP operations, including the updating of domain objects.

“This allows an attacker with SYSTEM privileges on a machine to use any incoming NTLM session and perform the LDAP operations on behalf of the NTLM user.” reads a blog post published by Preempt.

“As a result, every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin would result in the attacker creating a domain admin account and getting full control over the attacked network.”


Vulnerability 2: RDP Relay

The second issue, reported by Preempt, concerns RDP Restricted-Admin. RDP Restricted-Admin allows users to connect to a remote machine without handing their password to that machine, which might be compromised.

According to Preempt researchers, RDP Restricted-Admin allows authentication systems to downgrade to NTLM. This means the attacks performed with NTLM, such as credential relaying and password cracking, could also be carried out against RDP Restricted-Admin.

“Preempt discovered that RDP Restricted-Admin, which is sometimes referred to (mistakenly) as KerberosedRDP, allows downgrade to NT LAN Manager in the authentication negotiation. This means that every attack you can perform with NTLM such as credential relaying and password cracking could be carried out against RDP Restricted-Admin.” continues the analysis.

Chaining the two zero-days, an attacker could create a bogus domain admin account whenever an admin connects with RDP Restricted-Admin and get control of the entire domain.

Microsoft recommends companies running vulnerable servers with NT LAN Manager enabled to patch them as soon as possible.

Other mitigation actions are:

  1. Enable “Require LDAP Signing” in your GPO settings. It is not set to “on” by default and, much like “SMB Signing”, if the configuration is not set properly you are not protected.
  2. Follow Microsoft's guide to making LDAP authentication over SSL/TLS more secure.
  3. Monitor NTLM traffic in your network and make sure to review any anomalous usage you encounter.

Microsoft has released patches for 55 security vulnerabilities, including 19 critical issues, in its products, including Edge, Internet Explorer, Windows, Office and Office Services and Web Apps, .NET Framework, and Exchange Server.

Windows users are strongly advised to install the latest updates as soon as possible in order to protect themselves against the active attacks in the wild.