For more information on these advisories, please visit:

https://www.oxfordsolutions.com/threat-advisories/


 

Advisory 0115-18: Security updates available for Adobe Acrobat and Reader’s Information Disclosure Vulnerability

What is the threat?

All Windows PDF viewers have been vulnerable to a flaw that lets an attacker embed malicious remote file references in a PDF document and use them to steal NTLM credentials. Adobe claimed to have fixed this information disclosure vulnerability (CVE-2018-4993) in the Adobe Reader version released in May, but the patch was incomplete and addressed only part of the problem. A new patch released on 13 November 2018 (tracked as CVE-2018-15979; see the references) fixes the vulnerability altogether.

Why is this noteworthy?

Attackers have been taking advantage of a feature that allows remote documents and files to be embedded inside a PDF. An attacker can use it to inject malicious content into a PDF so that, when the file is opened, the target’s credentials are automatically leaked in the form of NTLM hashes; no further user interaction or exploitation is required. What makes this more of a concern is that the target sees no evidence or security alert of the attacker’s activity, so the unusual behavior goes unnoticed and unprevented on the victim side.

What is the exposure or risk?

By embedding malicious files into an otherwise normal PDF, an attacker can tempt arbitrary targets to open the harmless-looking file, which automatically leaks the NTLM hash, challenge, user name, host name and domain details of the unsuspecting target. These details are leaked via SMB traffic and captured on the attacker’s server, where they can then be used in SMB relay attacks.

What are the recommendations?

SkOUT strongly recommends upgrading to the latest versions of Adobe Acrobat and Acrobat Reader; the link is provided in the references. Updates are also available for Adobe Photoshop CC and Adobe Flash Player.

References:

For more in-depth information about the recommendations, please visit the following links:

· https://www.bleepingcomputer.com/news/security/adobe-releases-security-update-for-acrobat-vulnerability-with-public-poc/

· https://www.tenable.com/blog/adobe-patches-incomplete-fix-for-ntlm-credential-leaking-bug-cve-2018-15979

· For a list of affected and patched versions and instructions for installing the patches, please refer to: https://helpx.adobe.com/security/products/acrobat/apsb18-40.html

· If you need to identify the systems affected by this vulnerability, a list of plugins that can detect it can be found here: https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2018-4993%22%20OR%20%20%22CVE-2018-15979%22)&sort=newest


Advisory 0039-17 “Microsoft Issues Critical Patch for Office Products, Mid-November 2017”

EXECUTIVE SUMMARY:

On Tuesday November 14th, Microsoft released a critical security patch to address a vulnerability in Microsoft Equation Editor, a component embedded in all Microsoft Office products, including Office 365. The vulnerability centers on the Object Linking and Embedding (OLE) interfaces, a feature known to be exploited by attackers [1]. Successful exploitation would allow an attacker to execute malicious code on a victim’s computer. Due to the severity of this threat and the prevalence of Microsoft Office, Oxford Solutions recommends customers apply the latest Microsoft security patch [2] as soon as possible.

SOC ASSESSMENT:

Microsoft Equation Editor is a feature within Office that allows users to embed mathematical equations within Office documents. It was replaced by newer methods in Office 2007 but was kept in subsequent Office versions for backwards compatibility [3]. “The component is an OutProc COM server executed in a separate address space. This means that security mechanisms and policies of the Office processes do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities,” as noted in the research paper that disclosed the vulnerability [1].

RECOMMENDATIONS:

Due to the severity of this threat and the prevalence of Microsoft Office, Oxford Solutions recommends customers apply the latest Microsoft security patch [2] as soon as possible.

REFERENCES:

[1] https://embedi.com/files/white-papers/skeleton-in-the-closet.pdf 

[2] https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/bae9d0d8-e497-e711-80e5-000d3a32fc99

[3] http://www.securityweek.com/microsoft-patches-17-year-old-vulnerability-office


Advisory 0020-17 “NemucodAES Ransomware on the Rise, Mid-July 2017”

Oxford Solutions is aware of an increase in the spread of the NemucodAES family of ransomware through “UPS Parcel Delivery Problems” themed phishing emails [1]. Companies should continue to educate their users about email-borne threats and deploy defensive technologies such as spam filters and endpoint protection to counter this threat. Companies are also advised to ensure critical data is backed up periodically so that the network can be restored quickly if it falls victim to a ransomware attack. The Oxford Solutions SOC will notify customers if any family of ransomware is detected infecting client networks. The disruptive effects of ransomware on a victim network are significantly reduced if the infection is caught and isolated quickly, usually within 30-60 minutes.

Additional information, analysis and recommendations can be found via our website:
https://www.oxfordsolutions.com/wp-content/uploads/2017/07/Advisory-0020-17.pdf


SECURITY OPERATIONS CENTER ADVISORY: Considerations following a Global Outbreak of Petya Ransomware, Late-June 2017

This advisory may be downloaded from our website:

https://www.oxfordsolutions.com/wp-content/uploads/2017/06/Advisory-0019-17.pdf

EXECUTIVE SUMMARY: On Tuesday June 27th, a second round of ransomware within six weeks spread across the Internet, causing global concern. The Petya/NotPetya ransomware worm uses multiple techniques to lock down computer networks for ransom in many countries. Customers who have patched all of their Windows operating systems and Microsoft Office software since April 12, 2017 should be immune to this threat. However, if the ransomware infects an unpatched system on the network, it has other methods of moving laterally within the victim network, including the ability to infect systems that have the latest Microsoft Office security patches. Oxford Solutions has received updated Indicators of Compromise (IOCs) in our threat intelligence feeds to detect this activity on our client networks.

SOC ASSESSMENT: The initial threat vector is email with an attached crafted RTF file that is opened within Microsoft Office. The malicious file attempts to exploit the MS Office vulnerability CVE-2017-0199, which was patched in mid-April [1]. Properly patched MS Office software will stop the initial threat vector.

If an unpatched system becomes infected, the ransomware then attempts to spread laterally within the network. Because of this additional infection vector, systems with the updated MS Office patch may still be exposed to lateral movement. Once inside the network, the ransomware first tries to spread using the SMBv1 vulnerability (EternalBlue), which was patched by MS17-010 [2]. If the SMBv1 exploit does not work on a targeted system, the ransomware also appears to spread internally via PSEXEC and WMIC techniques.

From our research [3], the ransomware appears unable to spread internally if an extensionless file named “perfc” already exists in the Windows directory. Note that similarly named files, c:\windows\perfc.dat or perfc.dll, may already exist; these do not have to be modified or removed [4]. System administrators can automate this task through group policy by creating the file in that directory. If the perfc file is in place, the malicious software does not overwrite it, and this tactic effectively mitigates the issue.

If an active infection is found in your network, your company may want to consider blocking .docx files from being sent or received via your mail server until the infection is contained. This is a last-resort approach and should only be taken in the event of an infection.

RECOMMENDATIONS: Customers should ensure their Windows operating systems and Microsoft Office software have been patched since April 12, 2017. If a company wishes to take an extra precautionary step, consider a mass deployment of a blank file named “perfc” with no extension in the Windows directory; this prevents the ransomware from spreading internally via PSEXEC and WMIC techniques. If an active infection is found in your company network, consider blocking .docx files from being sent or received via your mail server until the infection is contained.
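As an added example (not part of the advisory or any vendor tooling), the following PowerShell function creates the blank, extensionless “perfc” vaccine file described above, leaves any existing perfc.dat or perfc.dll untouched, and marks the new file read-only so it is not casually removed. It assumes it runs with local administrator rights on the target host; the function name, parameter and output shape are the author’s own choices.

```powershell
# Added example: deploy the extensionless "perfc" vaccine file in %WINDIR%.
# Assumes administrator rights (needed to write to the Windows directory).
function Install-PerfcVaccine {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Windows directory; defaults to %WINDIR% (normally C:\Windows)
        [string]$WindowsDir = $env:windir
    )

    $vaccine = Join-Path $WindowsDir 'perfc'

    # perfc.dat / perfc.dll may legitimately exist already; report, never touch.
    foreach ($sibling in 'perfc.dat', 'perfc.dll') {
        $p = Join-Path $WindowsDir $sibling
        if (Test-Path -LiteralPath $p) {
            Write-Verbose "$p already exists; leaving it unmodified"
        }
    }

    # Idempotent: if the vaccine file is already there, do nothing.
    if (Test-Path -LiteralPath $vaccine -PathType Leaf) {
        Write-Verbose "$vaccine already present"
        $created = $false
    }
    elseif ($PSCmdlet.ShouldProcess($vaccine, 'Create empty read-only vaccine file')) {
        # -ItemType File creates a zero-byte file with no extension
        $null = New-Item -Path $vaccine -ItemType File
        # Read-only so it is not overwritten or deleted by accident
        Set-ItemProperty -LiteralPath $vaccine -Name IsReadOnly -Value $true
        $created = $true
    }
    else {
        $created = $false   # -WhatIf run: nothing was written
    }

    [pscustomobject]@{
        Path     = $vaccine
        Created  = $created
        ReadOnly = (Test-Path -LiteralPath $vaccine) -and
                   (Get-Item -LiteralPath $vaccine).IsReadOnly
    }
}

# Preview with -WhatIf, then run without it; deploy fleet-wide via a GPO
# startup script or scheduled task, as the advisory suggests.
Install-PerfcVaccine -Verbose
```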

REFERENCES:

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

[2] https://www.oxfordsolutions.com/wp-content/uploads/2017/05/Advisory-0003-17.pdf

[3] https://twitter.com/0xAmit/status/879778335286452224

[4] https://www.binarydefense.com/petya-ransomware-without-fluff/

DISCLAIMER: The material contained in these Advisories does not constitute legal, risk management or business advice; it is provided for general informational purposes only and may not be relied upon with regard to any specific situation. Each company’s issues, systems and exposures are different, and you should consult your own legal counsel, information systems personnel and risk management professionals before undertaking any action.