Jump to content

Antivirus vendors push fixes for EFS ransomware attack method


Recommended Posts

Posted (edited)

 

Quote

Signature-based software may not be enough to protect Microsoft’s Windows EFS against evolving ransomware families.

Researchers have disclosed how an EFS attack launched by ransomware leaves systems relying on signature-based antivirus solutions open to attack, with major vendors pushing fixes left, right, and center as a result. 

On Tuesday, Amit Klein, the VP of Security Research at Safebreach Labs revealed an investigation into how the Windows Encrypting File System (EFS) can be abused by ransomware, a form of malware that encrypts systems and demands payment in return for the restoration of access. 

Safebreach Labs developed Proof of Concept (PoC) code and provided this, together with a report, to 17 cybersecurity vendors. As a result, the team realized more products were affected than originally thought. 

Below is the rundown on each vendor, their susceptibility, and any actions taken:

  • ESET, Ransomware Shield technology products: "In June of 2019, ESET was made aware of a possible security bypass of its consumer, business and server products for Windows via the standard Windows API EncryptFile. ESET was able to validate the underlying method used to administer this attack. We are now rolling out an update to mitigate the bypass and would like to kindly ask all customers to refer to Customer Advisory 2020-0002 for more information on mitigation options regarding the bypass published in this report."

 

https://www.zdnet.com/article/antivirus-vendors-scramble-to-fix-new-efs-ransomware-attack/

Ref.: https://support.eset.com/en/ransomware-shield-bypass-mitigations

Edited by itman
  • Most Valued Members
Posted

This is what I ranted all about in that other post , it will eventually happen and keep happening , they will keep bypassing things , until the system itself is secure enough to prevent more variants from doing the same damage.

  • Most Valued Members
Posted
2 hours ago, Rami said:

This is what I ranted all about in that other post , it will eventually happen and keep happening , they will keep bypassing things , until the system itself is secure enough to prevent more variants from doing the same damage.

But my point was the system will never be secure enough. Everything has flaws. The perfect system doesn't exist.

Posted (edited)

Of note per the Eset customer advisory:

Quote

ESET remedied this by preparing an updated version of the HIPS module (1380.2 and later), which contains the Ransomware Shield feature, for version 13 of ESET consumer products, along with a detection engine update for all affected products that block the malicious files used to administer this attack.

I have this HIPS module, dated 1/20/2019, installed on my EIS 13.0.24 version.

Edited by itman
Posted

Also of note is what Microsoft thinks about this vulnerability in regards to Windows Defender:

Quote

Microsoft, Windows Controlled Folder Access: "Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense-in-depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows. Microsoft may consider addressing this in a future product."

Err, what?

Posted

I don't have the latest hips support module.  I have 1379.3 hips module but I'm also not on pre-release updates I'm on regular updates.

Posted
22 minutes ago, Purpleroses said:

I don't have the latest hips support module.  I have 1379.3 hips module but I'm also not on pre-release updates I'm on regular updates.

I'm on pre-release updates.

Posted (edited)

One additional comment about this mitigation:

Quote

Workaround

A user with administrator rights for a Windows machine can turn off EFS by setting the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration to 1 (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpef/0382ec4d-bfa9-46c9-a99a-1f2e042938c0). Group Policy can be used for enterprise-wise disabling of EFS.

Of course, this will disable EFS for the entire machine, so if EFS was used (legitimately), it too will be disabled.

https://safebreach.com/Post/EFS-Ransomware

This will in all likelihood "bust" any password manager and like type app software installed on the mitigated device.

Edited by itman
Posted

Since we are talking about EFS exploiting, let's talk about a vulnerability it has had since day one:

Quote

EFS encryption encrypts files or folders one by one. Unlike BitLocker that encrypts them together. This also means that when a file is executed, and Windows creates a temporary cache of that file, that temporary cache can be used as a leak to the information and unauthorized access can be taken over by an unintended user. EFS works with NTFS only.

https://www.thewindowsclub.com/encrypting-file-system-efs-windows-10

Posted (edited)

There is also another mitigation to this EFS ransomware issue mentioned in the safebreach.com article corps. should take a look at:

Quote

data recovery agent (DRA)

A data recovery agent (DRA) is a Microsoft Windows user who has been granted the right to decrypt data that was encrypted by other users. The assignment of DRA rights to an approved individual provides an IT department with a way to unlock encrypted data in case of an emergency.

Data Recovery Agents can be defined at the domain, site, organizational unit or local machine level. In a small to mid-sized business, the network administrator is often the designated DRA.

https://searchitchannel.techtarget.com/definition/data-recovery-agent-DRA

Of most importance is:

Quote

If the recovery agent certificate is created after the encryption of the resource, however, the resource cannot be decrypted by the DRA.

 

Edited by itman
Posted

Something about this safebreach.com EFS abuse POC:

Quote

The ransomware sets the current EFS key to this certificate using AdvApi32!SetUserFileEncryptionKey.

According to Microsoft, the only protocol that supports this is SMB 3.0: https://docs.microsoft.com/en-us/windows/win32/api/winefs/nf-winefs-setuserfileencryptionkey . If NetBIOS is disabled in Win 10, does not that prevent this API from being invoked?

 

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...