Latest Posts

KrackAttack – Vulnerability in WPA2 – Disclosed

SEC-LABS R&D 2017-10-16 0 Comments

A security researcher Mathy Van Hoef will disclose a vulnerability in WPA2 within a few hours.

The vulnerability leaves Wi-Fi traffic open to eavesdropping and it will be possible to inject malicious content and much more.

CVE’s
CVE-2017-13077
CVE-2017-13078
CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082

Important URLs
https://www.krackattacks.com/
https://github.com/valentijnscholten/krackattacks/

Van Hoef on Twitter
https://twitter.com/vanhoefm

::Updates::

From Krackattacks.com

Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network). At the same time, the 4-way handshake also negotiates a fresh encryption key that will be used to encrypt all subsequent traffic. Currently, all modern protected Wi-Fi networks use the 4-way handshake. This implies all these networks are affected by (some variant of) our attack. For instance, the attack works against personal and enterprise Wi-Fi networks, against the older WPA and the latest WPA2 standard, and even against networks that only use AES. All our attacks against WPA2 use a novel technique called a key reinstallation attack (KRACK):

Basically all Wireless networks are vulnerable and the vendors are working to get the patches out.
Microsoft was mitigating this on the client side in the October patch release cycle
If you won’t get an update to your router your really only option is to get a new one (if it’s out of support)
Recommendations are to apply patches as soon as they’re available.

This post will be updated

Detect, Identify, Uncategorized

krackattacks, Vulnerability, WPA2

EVENT: Åtgärder mot finansiell brottslighet [Swedish Event]

SEC-LABS R&D 2017-09-03 0 Comments

SEC-Labs R&D will be presenting at – Åtgärder mot finansiell brottslighet – in Stockholm in December.

During the session – Digital World, Digital Criminals – From code to cash – We will give you an insight to the darkest corner of the internet. We will share our knowledge about hackers and how they can get to your secret information without you even know it happened.

URL
http://insightevents.se/events/atgarder-mot-finansiell-brottslighet

Events

Event: SCUG.SE – Client days in October 2017

SEC-LABS R&D 2017-08-21 0 Comments

The popular client event is back in October held by System Center User Group Sweden.

A mix of good to know and news where the field experts will share their knowledge during these two dates at the Microsoft office in Akalla – Stockholm

Most of the sessions are in Swedish

Date and Time
Thu, Oct 12, 2017, 8:30 AM –
Fri, Oct 13, 2017, 3:30 PM CEST

Location
Microsoft Sweden
36 Finlandsgatan
164 74 Akalla

Agenda (current)

Day 1

0815 – Doors Open
0830 – 0900 – Keynote – Future of a managed client – Jörgen & Stefan
0915 – 1015 – What’s new in Configuration Manager 1706 and beyond! – Jörgen
1030 – 1130 – The latest news on Windows 10 17xx modern management – TBA
1130 – 1230 – Lunch
1230 – 1315 – Sponsor Session
1315 – 1345 – Scripting, Code and APIs the good, bad and the ugly – Fredrik Wall
1400 – 1430 – Intune and PowerShell – Nickolaj Andersen
1445 – 1545 – Best of Ignite – Stefan Schörling
1545 – 1645 – Plan and deploy efficient content management – Andreas Hammarskjöld
1645 – Q&A – Expert panel!
1930 – Mingel på Stan

Day 2

0815 – Doors Open
0830 – 0930 – Windows 10 Enterprise Adoption – TBA
0930 – 1030 – (EMS) TBA – Jan-Ketil Skanke
1045 – 1115 – Using Ci’s in Configuration Manager deep-dive – Jörgen
1115 – 1130 – Increase your patch compliance to 99% using ConfigMgr Health Script – Anders Rödland
1130 – 1215 – TBA
1215 – 1300 – Lunch
1300 – 1345 – Managing Office 365 using Configuration Manager real world challenges – Stefan Schörling
1400 – 1500 – Task Sequence Optimizations and Tricks – Jörgen / Johnny / Nickolaj

Get your tickets here:
https://www.eventbrite.com/e/scugse-klientdagarna-oktober-2017-tickets-37120053078

Join SCUG.SE User group on facebook

https://www.facebook.com/groups/241438124169

/SEC-LABS R&D

Events

EVENT, SCUG

TechDays Sweden – Take care of your clients, you don’t WannaCry

SEC-LABS R&D 2017-06-07 0 Comments

In October SEC-LABS R&D Crew will be presenting at the Swedish Premier Microsoft IT Event TechDays. We will be talking about how to Secure your Windows clients, we are going to walk you through the Microsoft security stack you can use to protect your Windows client with. We will be focusing not only on Windows 10 but other solutions and practices you can leverage to build a more secure client environment.

http://tdswe.se/events/take-care-of-your-clients-you-dont-wannacry/

We hope to see you there / Stefan and Mattias

We have embedded a video from last years event below (Swedish)

Detect, Events, Protect, Respond

Security by obscurity is not so obscure

SEC-LABS R&D 2017-05-13 0 Comments

This scenario was discoverd in the real world.

A VPN solution which had a device verification functionality which is all fine but the problem was that the verification is executed only on the client side.

And you don’t only want to protect from external attackers but also users connecting their home PC to the internal network.

We only want managed devices on the inside and one unmanaged home device with i.e. no AV and lots of keyloggers and other malicious code running.

When this kind of verifications are executing on the client side there is no guarantee that the outcome is correct (which is why certificate based authentication is prefered as one of the factors since you can assure that it’s your internal device)

In this example there was a client side verification which was querying (amongst other things) a file on the local system.

The endpoint compliancy failed due to some security setting

Remediation required

Let’s do the same thing again with procmon running

The service tries to query for a file in the c:\windows\system32 folder xxx.dll

So we create an empty dummy file, xxx.dll.

When we try to connect again with process monitor running we have a different result.

And we are prompted for user name and password, and hopefully this customer has an extra factor of protection, like SMS or certificate

Certificate is the best way to verify a device, to verify a user it depends on your identity management and how you choose to manage the identities and how to verify them

Uncategorized

Massive ransomware campaign hits victims in at least 74 countries

SEC-LABS R&D 2017-05-12 0 Comments

Today reports was flooding the internet about an large scale ransomware campaign.

*** Update 2017-05-13 : Microsoft has put together a detailed post about the matter now since they have gotten the time to reverse the malware. https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems
Microsoft has also released updates for Windows XP and 2003 Server that you can apply for the MS17-010 SMB Vulnerability KB4012598 http://www.catalog.update.microsoft.com/search.aspx?q=4012598

***

–his time the attack had a massive impact on the society – according to reports multiple hospitals was taken out of business in the UK with local files and network files encrypted.

The following picture from MalwareTech showing the infections which has an extreme hitrate

WannaCry infections (pic from malwaretech)

It’s using the NSA exploit leaked by Shadow Brokers (EternalBlue which uses a vulnerability in the SMB Protocol to spread.

This means that unpatched systems are spreading this ransomware internal on the network.

Initial infection is still not clear but most likley it’s a phishing campaing and we can’t really point out how important Security Awareness training is for your end users.

Mitigations (for this specific campaign)

Patching
- You need to have a good patching process to patch your systems this would most likley stop the spread of this malicous code
- https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Office 365 ATP (Advanced Threat Protection)
- Office 365 ATP
- Protecting against unsafe attachments
  all suspicious content goes through a real-time behavioral malware analysis that uses machne learning to evaluate the content for suspicious activities.
  unsafe attachments are sandboxed in a detonation chamber before being sent to recipients
  
  Protect your environment when users click malicious links.
  The URL s are examined in real time when a user clicks them.
- Office 365 ATP URL SCAN
  
  One benefit is the reporting to so administrators can track which users clicked a link
- For further information about Office 365 ATP please visit https://products.office.com/en-us/exchange/online-email-threat-protection
Security Awareness
- Most likley this started by an email (well multiple emails) but I assume someone clicked on a link named invoice or something else
  Security awareness still very common to be overseen by secyurity teams and IT departments in general
  We can’t simple protect against every bad thing by technical means and we need to raise the awareness for the end users.
  Make sure to kick off a Security awareness program, This could be seminars, intranet information.
Segmentation
- Make sure you have network segmentation to avoid spreading
- Use a Local Firewall to block traffic usually there is no need to have SMB open against clients
Access to critical assets
- Separation of duties
- Users should only have access to what they need
- Don’t set up a share where all users can read and write files from all departments
Windows 10 Device guard
- Blocking untrusted code from executing. I bet this code wasn’t signed by a trusted certificate authority

Detect, News, Protect

Office365ATP, Patching, SecurityAwareness, ShadowBrokers, WannaCry

CVE-2017-0290 – RCE in The Microsoft Malware Protection Engine

SEC-LABS R&D 2017-05-11 0 Comments

Last Friday, Tavis Ormandy and Natalie Silvanovich reported that they had discovered “the worst Windows remote code exec in recent memory”.

The vulnerability was reported to Microsoft who released an advisory: https://technet.microsoft.com/library/security/4022344.aspx

The good thing, no action is requred by the Enterprise administrators if default configuration to automatic upate definitions and the Malware Protection Engine are kept up to date.

Otherwise, patch now!

From the advisory:

Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.

CVE ID	Vulnerability Title	Exploitability Assessment for Latest Software Release	Exploitability Assessment for Older Software Release	Denial of Service Exploitability Assessment
CVE-2017-0290	Scripting Engine Memory Corruption Vulnerability	2 – Exploitation Less Likely	2 – Exploitation Less Likely	Not applicable

To exploit this vulnerability a special crafted file has to be scanned by the system. The file can be delivered in numerous ways – Via WEB, attachment etc.

The real-time scan will automatically scan the files and this funtionality is nothing you should disable.
The real-time scan runs on file shares so this vulernability doesn not only apply on clients

Affected products

Antimalware Software	Microsoft Malware Protection Engine Remote Code Execution Vulnerability- CVE-2017-0290
Microsoft Forefront Endpoint Protection 2010	Critical Remote Code Execution
Microsoft Endpoint Protection	Critical Remote Code Execution
Microsoft Forefront Security for SharePoint Service Pack 3	Critical Remote Code Execution
Microsoft System Center Endpoint Protection	Critical Remote Code Execution
Microsoft Security Essentials	Critical Remote Code Execution
Windows Defender for Windows 7	Critical Remote Code Execution
Windows Defender for Windows 8.1	Critical Remote Code Execution
Windows Defender for Windows RT 8.1	Critical Remote Code Execution
Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703	Critical Remote Code Execution
Windows Intune Endpoint Protection	Critical Remote Code Execution

Actions:

Verify that the update is installed
If necessary, install the update

For further information:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

News, Protect

Antimalware, RCE, Vulnerabilities

Security Best Practice for Active Directory

SEC-LABS R&D 2017-05-10 0 Comments

Securing active directory is really important.

We still see help desk staff being added to Domain Admins group, Admins are elevating to their DA account to run powershell, RSAT etc on their device which they also use to download software, browse the internet and basically everything they do on day to day basis.

Domain Admins in the past was the easy way to managing almost everything. Exchange, Users, Systems running on member servers, Servers (I’ve even seen domain controllers), Service accounts have been added to Domain Admins group. The simple reason for this was “It just works and it’s easy” or the worst phrase “We have always done it this way”.

Compromised credentials on servers or computers used for day to day administrative tasks is a common way to get the keys to the kingdom and the high value assests every company tries to hard to protect.

If you have the time and want to provide proper AD security for your environment there is a Best Practice Guide to Secure Active Directory.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

Protect

ActiveDirectory, PrivilegedAccess

Guide on how to Configure SQL Server Index Optimization with Ola Hallengrens Maintenance Solution

SEC-LABS R&D 2014-05-14 0 Comments

Jörgen Nilsson and I presented this on TechEd North America and we thougt it would be a good idea to share this information in a more written form.

The purpose of this guide is to get a quick start of how to run SQL Server Index Optimization for non-database administrators.

To maintain performance in a Database it is most often recommended to maintain the indexes in a database. All applications has different support statements and best practices so before you implement this please review the specific application. You also need to consider that doing this will generate lots of transactional logs so keep an eye out for disk space and make sure you schedule backups after the tasks has run.

If you don’t maintain your indexes for System Center Configuration Manager your system will eventually be slow and suffer from performance issues like slow updates of collections different status messages and so on. So it’s vital to maintain your indexes. I have written a step by step to implementing a great community script from Ola Hallengren to do this. To get you started.

Download Olas IndexCheck from http://ola.hallengren.com/scripts/IndexCheck.sql
Download Olas Maintenance Solution from Http://ola.hallengren.com
SQL Server Sysadmin rights are needed
The solution requires the SQL Server Agent to be started

I highly recommend that you read the FAQ before you proceed.

http://ola.hallengren.com/frequently-asked-questions.html

First off you can run the IndexCheck script against the database you suspect has a high grade of defragmentation to display the actual fragmentation performance busters are most likely results with high page counts and high fragmentation.

1. Start SQL Management Studio and Login

2. Open the IndexCheck script. I usually add the extra statements provided below to the script from Ola

To Point out the Database to run against.

USE CM_S01

To sort the output in a more structured way by defragmentation I add

Order by AvgFragmentationInPercent desc

3. Execute the script and it will show you an output of the fragmentation level of the databases, as you see in the AvgFragmentationPercentage it will display the level.

4. OK, so now we see that we have defragmentation on our indexes, so SQL wise to maintain the Indexes there are three methods of doing that. And the solution will automatically choose depending on fragmentation level and if you have SQL Server Enterprise the “Rebuild Online” option will be available.

Reorganize (Kind of a defragmentation)
Rebuild (New indexes are created and rebuilt, NOTE: Its only available in SQL Server Enterprise)
Offline Rebuild (Same as B but it’s done offline)

5. Before we install the Maintenance solution we want to create a database in SQL we can use for logging the activities and saving our tasks in so we don’t put this information in any of the other databases.

6. In SQL Management Studio create a new Database.

7. Give it a Name and set the Size you want the database to have

8. Under Options change the Recovery Model to be Simple and press OK

9. Now when we have created a database to use for the solution we need to start the SQL Server Agent. Right click and start the Server Agent

10. Once it’s started we can open the MaintenanceSolution.sql and do the following edits.

Change Master to the Database name you selected earlier in my case SQL Maintenance
For the other values I suggest that you change the Backup Path to where you want to store the Backup Files the others I usually use the defaults for.

11. Execute the Script and verify that it has run successfully and that the jobs were created under SQL Server Agent

12. Now onto the IndexOptimize job which we need to configure.

By default the job runs on all your user databases on the Server so if you want to only run it on specified databases you need to configure that.
And you also need to set up this on a schedule, and my recommendation is to set it up on a weekly schedule at a time where you don’t have heavy load on the server.

NOTE: The first time you run the task I highly suggest that you have lots of time, we have seen that this task can take from minutes to several 10+ hours if the indexes are really defragmented and your SQL box is really performing well. So plan for that initial execution, once you have this running on a regular basis it will not take that long every time it runs.

13. To change the databases that the IndexOptimize task is run on right click on the job and select properties. Once in the properties go to the Steps section and select edit on the Step

14. To change it change the USER_DATABASES value to the preferred databases you want to run this against.

So if I’d like the job to run against only CM_S01 and SUSDB I would change the value to CM_S01, SUSDB. There are more options to choose from if you’d like to run against all databases and maybe just exclude on there are exclude options as well very well explained at the solution webpage. http://ola.hallengren.com/sql-server-index-and-statistics-maintenance.html

15. So to setup a schedule navigate to the schedule section and click New.

16. Once in the schedule setup the schedule you want and plan so that it doesn’t interfere with any of your other maintenance tasks like backup. Simply give it a name and configure desired schedule.

17. As we enabled the solution to Log to a Table we can explore what actions it has taken by simply reviewing the CommandLog Table. To show what has been going on in my environment run the command below. Where we can track how long Index optimization takes and if we have certain indexes what we frequently hit and so forth.

USE SQLMaintenance
select * from dbo.CommandLog

18. We are also getting log files on the Disk Drives and they are stored under the default SQL Server Installation directory under Log.

19. To maintain the solution itself there are some tasks to do cleanup so we don’t fill the CommandLog table with years of data and the disks with log files for years. So to cleanup all these activities I highly suggest that you configure these additional jobs so that you cleanup after the solution. You may want to adjust the steps in the Jobs to have it keep the activities for the period of time you want to have. By default it keeps the data for 30 days. As a recommendation set them to run on a weekly basis as well

20. So now we have scheduled and configured Index Optimization, is very important that you keep track of disk space and that you schedule backups after the tasks are run as they will generate transaction logs that may fill up your disks.

A Special thanks to fellow MVP Steve Thompson for inspiring me to use the separate Database when using the Maintenance Solution. Also Ola Hallengren for making such an awesome solution and sharing it. Powered by Community

ConfigMgr