Microsoft’s Patch Tuesday updates for March deliver fixes for 75 security bugs, including patches for 15 critical flaws and a serious vulnerability in CredSSP (Credential Security Support Provider) that lets a man-in-the-middle attacker hijack an administrator’s authenticated remote session.
CredSSP is used by Microsoft’s widely deployed Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) to delegate a user’s credentials from the client to the server hosting the application.
Microsoft says: “CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack.”
It is rated important rather than critical because it can only be exploited in tandem with a man-in-the-middle attack. From that position, however, the attacker can take over the session authentication of a user with local administrative privileges and run unauthorized commands on the target server with those same privileges.
According to Preempt, the bug is not an attacker’s entry point but a technique for lateral movement and privilege escalation once they already hold a man-in-the-middle position: for example after gaining access to the target’s Wi-Fi network, which requires physical proximity, or after exploiting a remote code execution flaw in the firm’s network equipment, such as the severe Cisco ASA VPN bug patched in January and February.
“The attacker will set up the man-in-the-middle, wait for a CredSSP session to occur, and once it does, will steal session authentication and perform a Remote Procedure Call (DCE/RPC) attack on the server that the user originally connected to (e.g., the server the user connected to with RDP),” explains Preempt researcher Yaron Zinar.
“An attacker [who has] stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in the case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.”
If the attacker exploits a vulnerable router, they could compromise one on the network path to the server and wait for an IT admin to log in to the server using RDP.
The attacker could also use the recent KRACK Wi-Fi key reinstallation vulnerabilities to mount this attack against any machine reached over Wi-Fi with RDP enabled.
Zinar’s colleague Eyal Karni notes that customers can mitigate the flaw by ensuring the Windows firewall is on, because the firewall does not allow inbound RPC on any interface by default.
However, domain admins remain particularly exposed to this attack until Microsoft’s patch has been installed.
“This is because a rule concerning RPC exists in Domain Controllers that enables any svchost.exe DCOM interfaces. Furthermore, a quick survey found that RDP is the most common way in which domain admins tend to access the DC. In other words, by exploiting this attack, an attacker is likely to gain full control over the domain,” writes Karni.
Microsoft was informed of the issue in August but needed an extension well beyond the agreed 90-day disclosure window to deliver the fix, according to Preempt’s timeline.
Microsoft has a fix available for every supported version of Windows and Windows Server, but installing it is not enough on its own: admins also need to make configuration changes to fully remediate the bug, and Microsoft has published Group Policy instructions for doing so.
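The following PowerShell is an added example, not code from the article, Preempt or Microsoft. It checks the two things the text says an admin must verify on a patched host: that the Windows firewall is on (Karni’s interim mitigation) and that the CredSSP policy Microsoft ships with the fix is set to a safe value rather than left at its pre-fix behaviour. The policy name, registry path and value meanings below are Microsoft’s documented settings for this fix (the policy is “Encryption Oracle Remediation” under Credentials Delegation, backed by the AllowEncryptionOracle DWORD); the article itself only says that Group Policy instructions exist, so those specifics come from here, not from the page.

```powershell
# Added example (not from the original article): audit and harden the
# CredSSP "Encryption Oracle Remediation" setting, and confirm the Windows
# firewall profiles are enabled, on a host that has the March 2018 update.
#
# Group Policy path the registry value below is backed by:
#   Computer Configuration > Administrative Templates > System >
#   Credentials Delegation > Encryption Oracle Remediation
$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Name = 'AllowEncryptionOracle'

# DWORD meanings for AllowEncryptionOracle:
#   0 = Force Updated Clients : refuse any CredSSP peer that is not patched
#   1 = Mitigated             : patched clients refuse unpatched servers;
#                               patched servers still accept unpatched clients
#   2 = Vulnerable            : pre-fix behaviour; the downgrade still works
$Meaning = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleSetting {
    # Returns the configured value, or $null when the policy is not set,
    # in which case the OS default applies (Vulnerable on the original
    # March 2018 update; Microsoft later changed the default to Mitigated).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-CredSspOracleSetting {
    param([ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-DisabledFirewallProfiles {
    # Karni's interim mitigation relies on the firewall blocking inbound RPC,
    # so any disabled profile (Domain/Private/Public) is a finding.
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name
}

# --- Audit -------------------------------------------------------------
$current = Get-CredSspOracleSetting
if ($null -eq $current) {
    Write-Host "$Name not configured; OS default applies"
} else {
    Write-Host "$Name = $current ($($Meaning[$current]))"
}

$off = @(Get-DisabledFirewallProfiles)
if ($off.Count -gt 0) {
    Write-Warning "Firewall disabled for profile(s): $($off -join ', ')"
} else {
    Write-Host 'All firewall profiles enabled'
}

# --- Harden ------------------------------------------------------------
# Once every RDP/WinRM peer in the estate is patched, lock to
# Force Updated Clients (0). Use Mitigated (1) only while unpatched
# clients still have to reach this host; never leave Vulnerable (2).
if ($null -eq $current -or $current -eq 2) {
    Set-CredSspOracleSetting -Value 0
    Write-Host "Set $Name to 0 ($($Meaning[0]))"
}
```

Run it elevated on each patched server and jump host; on a domain controller, where Karni notes the DC firewall rule already admits RPC to svchost.exe DCOM interfaces, the registry setting rather than the firewall check is the one that closes the attack described above.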