by jdpoteet | Jul 25, 2024 | News
Blackswan Cybersecurity is proud to sponsor the 2024 InfraGard North Texas Annual Critical Infrastructure Conference at The University of Texas at Dallas on Friday, August 23, 2024.
For over 20 years, members of the leadership team at Blackswan have held various senior positions within InfraGard, including Chapter President, Vice President, Secretary, Treasurer, and Advisory Board Member. If you are planning to attend the conference, please stop by the Blackswan booth to discuss how we can help you mitigate business risk, pick up some free swag, or simply to say ‘hi’.
Register here: https://www.ntinfragard.org/events/north-texas-infragard-members-alliance-conference-2024/

by jdpoteet | Jul 19, 2024 | Threat Advisories
CrowdStrike Causing Widespread Global Outages
Summary
A sensor content update pushed by CrowdStrike within the past 12 hours has caused widespread outages in Windows environments running the CrowdStrike Falcon sensor. The update was not optional, so it was applied to every endpoint that had internet connectivity during that window. Affected hosts crash with the Blue Screen of Death (BSOD) and cannot boot normally; recovery requires manual intervention on every affected device.

Impact
Millions of endpoints globally were rendered inoperable, including the three largest airlines (delaying flights), hospital networks, government agencies, and news networks. Any endpoint with CrowdStrike installed that had internet connectivity within the past 12 hours is likely affected.
- Endpoints running Windows 7 or Windows Server 2008 R2 were not impacted.
- Endpoints running macOS or Linux were not impacted.
The channel file “C-00000291*.sys” with a timestamp of 0409 UTC is the faulty one. CrowdStrike states that copies of this file with a timestamp of 0527 UTC or later are the reverted (good) version, so check the timestamp before deleting.
Solution
Windows Endpoint (BitLocker not enabled)
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Use Windows Explorer or the Command Prompt to navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys” and delete it
- Boot the host normally
Windows Endpoint (BitLocker enabled)
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to Troubleshoot > Advanced Options > Startup Settings
- Press “Restart”
- Skip the BitLocker recovery key prompt by pressing “Esc”
- Skip the next BitLocker recovery key prompt by selecting “Skip This Device”, in the bottom right
- Navigate to Troubleshoot > Advanced Options > Command Prompt
- Type “bcdedit /set {default} safeboot minimal”, then press “Enter”
- Go back to the WinRE main menu and select “Continue”
- The device may cycle 2 to 3 times
- If booted into Safe Mode, log in as usual
- Use Windows Explorer to navigate to the C:\Windows\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys” and delete it
- Open Command Prompt as Administrator
- Type “bcdedit /deletevalue {default} safeboot”. Then Press “Enter”
- Restart as normal
Cloud Environment
Option 1
- Detach the operating system disk volume from the impacted virtual server
- Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
- Attach/mount the volume to a new virtual server
- Navigate to the %WINDIR%\System32\drivers\CrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it.
- Detach the volume from the new virtual server
- Reattach the fixed volume to the impacted virtual server
Option 2
- Roll back to a snapshot prior to 0409 UTC
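The manual steps above, automated as an added PowerShell example. This is not CrowdStrike's tooling: the function name Repair-CrowdStrikeChannelFile and its parameters are this example's own. It assumes the timestamps CrowdStrike published for this incident (0409 UTC faulty, 0527 UTC or later reverted), and that it is run as Administrator from Safe Mode on the affected host, or pointed with -WindowsDir at a volume mounted on a rescue VM (the cloud Option 1 case).

```powershell
# Added example (not CrowdStrike's own tooling). Finds the C-00000291*.sys
# channel file, compares its timestamp with the values CrowdStrike published
# (faulty build 2024-07-19 04:09 UTC, reverted build 05:27 UTC or later) and
# deletes only the faulty copy. The sensor re-downloads the channel file on
# the next boot, so deleting a stale copy is safe.
function Repair-CrowdStrikeChannelFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Use 'E:\Windows' (or similar) when the OS disk is attached to a rescue VM.
        [string]$WindowsDir = $env:SystemRoot,
        # Also clear the safeboot flag set with 'bcdedit /set {default} safeboot minimal'.
        [switch]$ClearSafeBoot
    )

    $faultyAt   = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)
    $revertedAt = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)
    $dir = Join-Path $WindowsDir 'System32\drivers\CrowdStrike'

    if (-not (Test-Path $dir)) {
        Write-Warning "No CrowdStrike driver directory at $dir; nothing to do."
        return
    }

    $files = Get-ChildItem -Path $dir -Filter 'C-00000291*.sys' -File
    if (-not $files) { Write-Output "No C-00000291*.sys channel file found in $dir." }

    foreach ($f in $files) {
        $ts = $f.LastWriteTimeUtc
        if ($ts -ge $revertedAt) {
            Write-Output "$($f.Name) written $ts UTC is the reverted version; leaving it in place."
            continue
        }
        Write-Output "$($f.Name) written $ts UTC predates the $($revertedAt.ToString('HH:mm')) UTC revert (faulty push was $($faultyAt.ToString('HH:mm')) UTC); deleting."
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete faulty channel file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }

    if ($ClearSafeBoot) {
        # Reverse the bcdedit change used to reach Safe Mode on BitLocker-protected hosts.
        & bcdedit /deletevalue '{default}' safeboot
    }
}

# Dry run first: -WhatIf shows which file would be deleted without touching it.
Repair-CrowdStrikeChannelFile -WhatIf
# Then the real run; add -ClearSafeBoot on hosts where safeboot was set.
# Repair-CrowdStrikeChannelFile -ClearSafeBoot
```

The timestamp check is what keeps this from deleting a good file on a host that already picked up the reverted build, and -WhatIf lets you confirm the target before running it across a fleet of mounted volumes.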
References
- https://mashable.com/article/crowdstrike-crash-microsoft-outage-bsod-fix
- https://www.wired.com/story/microsoft-windows-outage-crowdstrike-global-it-probems/
- https://www.crowdstrike.com/blog/statement-on-windows-sensor-update/
by jdpoteet | Jul 18, 2024 | Threat Advisories
Exim Mail Server Flaw
Summary
A critical security vulnerability in the Exim mail transfer agent (CVE-2024-39929, CVSS score 9.1) allows attackers to bypass attachment filename extension blocking and deliver executable attachments to users’ inboxes. The issue is fixed in version 4.98.

Technical Details
The vulnerability stems from improper parsing of multiline RFC 2231 header filenames: when an attachment’s filename is split across continuation parameters on folded header lines (typically in the Content-Disposition header), Exim does not reconstruct the full name, so a filter that blocks on the $mime_filename extension never sees the dangerous extension and the executable attachment reaches the end user’s mailbox. Exim, a free mail transfer agent used on Unix and Unix-like operating systems, was first released in 1995 at the University of Cambridge.
According to Censys, there are approximately 4,830,719 public-facing SMTP mail servers running Exim. As of July 12, 2024, 1,563,085 of these Exim servers are running vulnerable versions (4.97.1 or earlier). Most of these vulnerable instances are in the U.S., Russia, and Canada. Censys stated, “The vulnerability could allow a remote attacker to bypass filename extension blocking protection measures and deliver executable attachments directly to end-users’ mailboxes. If a user were to download or run one of these malicious files, the system could be compromised.”
For the attack to succeed, the recipient must still download and run the attached executable. Although there are no reports of active exploitation, administrators should apply the patch promptly. This development comes almost a year after the Exim maintainers addressed a set of six vulnerabilities that could lead to information disclosure and remote code execution.
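The parsing mistake described above, shown as an added PowerShell example. This is not Exim’s code and does not reproduce Exim’s internal logic; it illustrates the class of bug: an extension check applied to a single RFC 2231 segment instead of the reassembled filename. The header value, the function names and the blocked-extension list are this example’s own.

```powershell
# Added example (not Exim's code). Reassembles a Content-Disposition filename
# that is split across RFC 2231 continuation segments on folded header lines,
# then applies an extension block to the full name. A second, deliberately
# naive parser that only reads the first segment shows how the block is bypassed.
$BlockedExtensions = @('exe', 'scr', 'bat', 'cmd', 'com', 'pif', 'vbs', 'js', 'hta')

function Get-DispositionFilename {
    param([string]$HeaderValue)

    # Unfold first (RFC 5322): CRLF followed by whitespace is one logical line.
    $unfolded = $HeaderValue -replace "`r?`n[ `t]+", ' '
    $segments = @{}

    foreach ($param in ($unfolded -split ';')) {
        $param = $param.Trim()
        # filename=, filename*N= (plain continuation) or filename*N*= (extended, percent-encoded)
        if ($param -match '^filename(?:\*(?<idx>\d+))?(?<ext>\*)?=(?<val>.*)$') {
            $idx   = if ($Matches['idx']) { [int]$Matches['idx'] } else { 0 }
            $isExt = [bool]$Matches['ext']
            $val   = $Matches['val'].Trim().Trim('"')
            if ($isExt) {
                # Extended value: charset'language'percent-encoded. Only segment 0 carries the prefix.
                if ($idx -eq 0 -and $val -match "^[^']*'[^']*'(.*)") { $val = $Matches[1] }
                $val = [System.Uri]::UnescapeDataString($val)
            }
            $segments[$idx] = $val
        }
    }
    # Join segments in numeric order; a plain filename= is segment 0 on its own.
    return -join ($segments.Keys | Sort-Object | ForEach-Object { $segments[$_] })
}

function Get-DispositionFilenameFirstSegmentOnly {
    param([string]$HeaderValue)
    # The bug pattern: treat the first filename*0* segment as the whole name.
    $unfolded = $HeaderValue -replace "`r?`n[ `t]+", ' '
    if ($unfolded -match "filename\*0\*=[^']*'[^']*'([^;]*)") {
        return [System.Uri]::UnescapeDataString($Matches[1])
    }
    return $null
}

function Test-AttachmentBlocked {
    param([string]$FileName)
    if (-not $FileName) { return $false }
    $ext = [System.IO.Path]::GetExtension($FileName).TrimStart('.')
    return ($BlockedExtensions -contains $ext)
}

# Constructed header: the ".exe" lives entirely in the second continuation segment.
$Header = "attachment;`r`n filename*0*=utf-8''quarterly%2Dreport;`r`n filename*1*=%2Eexe"

$fragment = Get-DispositionFilenameFirstSegmentOnly $Header
$full     = Get-DispositionFilename $Header
"first segment only : '$fragment' -> blocked: $(Test-AttachmentBlocked $fragment)"
"all segments joined: '$full' -> blocked: $(Test-AttachmentBlocked $full)"
```

The naive parser returns a name with no extension, so the block never fires; the full parser unfolds the header, orders the segments, strips the charset prefix from segment 0, percent-decodes each extended segment and only then checks the extension. Any filename-based filter in front of a mailbox has to do all of those steps, and should be backed by content-type inspection rather than the name alone.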
Recommendations
- Immediately upgrade to Exim version 4.98 or later, which fixes CVE-2024-39929.
- Identify and audit all Exim servers within your network to determine which ones are running vulnerable versions (4.97.1 or earlier); running exim -bV on a host prints the installed version.
- Enable detailed logging and monitoring on Exim servers to detect unusual activity that may indicate exploitation attempts.
- Educate users about the risks of downloading and executing attachments from unknown or untrusted sources.
- Ensure that email security policies, such as attachment filtering and extension blocking, are properly configured and enforced, and do not rely on the filename extension alone: inspect attachment content as well.
by jdpoteet | Jul 17, 2024 | Threat Advisories
EstateRansomware Threat Group Exploiting Veeam Backup Software Vulnerability (CVE-2023-27532)
Summary
Group-IB has observed the EstateRansomware group exploiting a flaw in Veeam Backup & Replication software (CVE-2023-27532) after gaining initial access through a dormant Fortinet FortiGate SSL VPN account. The attackers establish RDP connections, deploy a backdoor, and disable defenses before executing ransomware.
Threat Intelligence
Active exploitation observed.
Technical Details
EstateRansomware is exploiting a security flaw (CVE-2023-27532) in Veeam Backup & Replication software. Initial access was obtained through a dormant account named ‘Acc1’ on a Fortinet FortiGate firewall SSL VPN appliance; the attackers then pivoted laterally and established RDP connections to a failover server, where they deployed a persistent backdoor named “svchost.exe” that connects to a command-and-control (C2) server and executes arbitrary commands.
The Veeam flaw is exploited to enable xp_cmdshell on the backup server’s SQL instance, create a rogue user account named “VeeamBkp,” and conduct network discovery, enumeration, and credential harvesting using tools such as NetScan, AdFind, and the NirSoft password-recovery utilities. The attackers then move laterally across the network, disable Windows Defender using DC.exe, and deploy the ransomware with PsExec.exe.
The attack follows a double extortion model, where data is exfiltrated before encryption. This requires long-term access to explore the environment, elevate privileges, and identify valuable data.

Indicators of Compromise (IOCs)
Executable files (SHA-1 where available):
• DC.exe: CB704D2E8DF80FD3500A5B817966DC262D80DDB8
• DC.ini: 2C56E9BEEA9F0801E0110A7DC5549B4FA0661362
• Svchost.exe: 5E460A517F0579B831B09EC99EF158AC0DD3D4FA
• LB3.exe: 107EC3A7ED7AD908774AD18E3E03D4B999D4690C
• netscan.exe
• veeam-creds-main
• CVE-2023-27532.exe
• VeeamHax
• BulletsPassView64.exe
• netpass64.exe
• PasswordFox64.exe
• ChromePass.exe
• WirelessKeyView64.exe
• mspass.exe
• VNCPassView.exe
• WebBrowserPassView.exe
• mailpv.exe
• RouterPassView.exe
• PstPassword.exe
• OperaPassView.exe
• Dialupass.exe
• ExtPassword.exe
• pspv.exe
• iepv.exe
• SniffPass64.exe
• rdpv.exe
IPv4:
- 28.106[.]252
- 28.99[.]61
- 76.232[.]205
- 238.245[.]11:30001
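The attack chain and the indicators above, turned into a host triage check as an added PowerShell example. This is neither the page’s nor Group-IB’s tooling; the function name Find-EstateRansomwareIndicators, the sample event records and the non-IOC hash values are constructed for the example. It assumes the Windows Security event ID 4720 (user account created) and the SQL Server Application-log event 15457 (configuration option changed) as the places where the “VeeamBkp” creation and the xp_cmdshell change are logged.

```powershell
# Added example (not the page's or Group-IB's tooling). Scores host evidence
# against the EstateRansomware indicators: the SHA-1 values by hash, the
# unhashed tools by file name, and two behaviours from the attack chain.
# On a real host, feed it Get-WinEvent output and Get-FileHash -Algorithm SHA1
# results; the sample data at the bottom is constructed so this runs offline.

# SHA-1 values from the IOC list above, mapped to the file they identify.
$IocSha1 = @{
    'CB704D2E8DF80FD3500A5B817966DC262D80DDB8' = 'DC.exe (used to disable Windows Defender)'
    '2C56E9BEEA9F0801E0110A7DC5549B4FA0661362' = 'DC.ini'
    '5E460A517F0579B831B09EC99EF158AC0DD3D4FA' = 'svchost.exe backdoor'
    '107EC3A7ED7AD908774AD18E3E03D4B999D4690C' = 'LB3.exe'
}
# Tools from the IOC list with no published hash; matched by file name only.
$IocToolNames = @('netscan.exe', 'adfind.exe', 'psexec.exe', 'CVE-2023-27532.exe',
    'BulletsPassView64.exe', 'netpass64.exe', 'PasswordFox64.exe', 'ChromePass.exe',
    'WirelessKeyView64.exe', 'mspass.exe', 'VNCPassView.exe', 'WebBrowserPassView.exe',
    'mailpv.exe', 'RouterPassView.exe', 'PstPassword.exe', 'OperaPassView.exe',
    'Dialupass.exe', 'ExtPassword.exe', 'pspv.exe', 'iepv.exe', 'SniffPass64.exe', 'rdpv.exe')

function Find-EstateRansomwareIndicators {
    param(
        [object[]]$Events,        # objects with Id and Message, as Get-WinEvent returns
        [object[]]$Executables    # objects with Path and Sha1
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($e in $Events) {
        # 4720 = user account created; the actor creates "VeeamBkp" on the backup server.
        if ($e.Id -eq 4720 -and $e.Message -match 'VeeamBkp') {
            $findings.Add([pscustomobject]@{ Rule = 'Rogue account VeeamBkp created'; Evidence = $e.Message })
        }
        # 15457 (source MSSQLSERVER) = sp_configure change; xp_cmdshell 0 -> 1 is the Veeam exploit step.
        if ($e.Id -eq 15457 -and $e.Message -match "'xp_cmdshell' changed from 0 to 1") {
            $findings.Add([pscustomobject]@{ Rule = 'xp_cmdshell enabled on SQL instance'; Evidence = $e.Message })
        }
    }

    foreach ($x in $Executables) {
        $name = [System.IO.Path]::GetFileName($x.Path)
        $hash = $x.Sha1.ToUpperInvariant()
        if ($IocSha1.ContainsKey($hash)) {
            # Hash match catches the backdoor even though it hides behind a legitimate name.
            $findings.Add([pscustomobject]@{ Rule = "Known-bad SHA-1: $($IocSha1[$hash])"; Evidence = $x.Path })
        }
        elseif ($IocToolNames -contains $name) {
            $findings.Add([pscustomobject]@{ Rule = "Attacker tooling by name: $name"; Evidence = $x.Path })
        }
    }
    return $findings
}

# Constructed sample evidence (not real telemetry); the hashes marked "made up" are not IOCs.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4624;  Message = 'An account was successfully logged on. Account Name: svc_backup' }
    [pscustomobject]@{ Id = 15457; Message = "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install." }
    [pscustomobject]@{ Id = 4720;  Message = 'A user account was created. New Account: Account Name: VeeamBkp' }
)
$SampleExecutables = @(
    [pscustomobject]@{ Path = 'C:\Windows\System32\svchost.exe'; Sha1 = '0123456789ABCDEF0123456789ABCDEF01234567' }   # legitimate binary, made-up hash
    [pscustomobject]@{ Path = 'C:\ProgramData\svchost.exe';      Sha1 = '5e460a517f0579b831b09ec99ef158ac0dd3d4fa' }   # backdoor copy, IOC hash
    [pscustomobject]@{ Path = 'C:\Users\Public\DC.exe';          Sha1 = 'cb704d2e8df80fd3500a5b817966dc262d80ddb8' }   # IOC hash
    [pscustomobject]@{ Path = 'C:\Windows\Temp\netscan.exe';     Sha1 = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98' }   # name-only match, made-up hash
)

Find-EstateRansomwareIndicators -Events $SampleEvents -Executables $SampleExecutables | Format-Table -AutoSize
```

The legitimate svchost.exe produces no finding because neither its hash nor its path matches, while the copy in ProgramData is caught by hash regardless of name; the name-only list is the weaker signal, since the NirSoft utilities and PsExec are also used legitimately, so treat those hits as leads to confirm rather than verdicts.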
Recommendations
- Regularly update and patch all software, especially public-facing applications and critical systems.
- Implement multi-factor authentication (MFA) for all remote access points to prevent unauthorized access.
- Regularly review and disable dormant or unused accounts to minimize potential entry points.
- Segment networks to limit lateral movement and isolate critical systems from general user access.
- Implement application control on hosts to prevent execution of unauthorized programs.
- Deploy endpoint detection and response (EDR) solutions to monitor and respond to malicious activity in real time.
- Maintain regular, secure backups and test restoration processes to ensure data recovery.
- Implement strict access controls and least privilege principles to limit access to critical systems.
- Use intrusion detection systems (IDS) to monitor network traffic for signs of intrusion and unauthorized activity.
- Conduct regular security awareness training for employees to recognize phishing attempts and other social engineering attacks.
- Turn off unnecessary services, ports, and protocols to reduce attack surfaces.
- Continuously monitor and audit network activity for suspicious behavior and signs of compromise.
- Implement advanced defensive measures, such as deception technologies, to detect and mislead attackers.
- Ensure network edge devices are securely configured and regularly updated.
- Restrict the use of built-in administrative tools and monitor their usage to detect living-off-the-land (LotL) techniques.
by jdpoteet | Jul 15, 2024 | News
Snap a photo of this beast in the wild, and tag Blackswan when you post it on Instagram, LinkedIn, or X for a chance to receive free swag!
