itman 1,799 Posted January 21, 2020 (edited)

Quote
Signature-based software may not be enough to protect Microsoft's Windows EFS against evolving ransomware families. Researchers have disclosed how an EFS attack launched by ransomware leaves systems relying on signature-based antivirus solutions open to attack, with major vendors pushing fixes left, right, and center as a result. On Tuesday, Amit Klein, the VP of Security Research at Safebreach Labs revealed an investigation into how the Windows Encrypting File System (EFS) can be abused by ransomware, a form of malware that encrypts systems and demands payment in return for the restoration of access. Safebreach Labs developed Proof of Concept (PoC) code and provided this, together with a report, to 17 cybersecurity vendors. As a result, the team realized more products were affected than originally thought. Below is the rundown on each vendor, their susceptibility, and any actions taken:

ESET, Ransomware Shield technology products: "In June of 2019, ESET was made aware of a possible security bypass of its consumer, business and server products for Windows via the standard Windows API EncryptFile. ESET was able to validate the underlying method used to administer this attack. We are now rolling out an update to mitigate the bypass and would like to kindly ask all customers to refer to Customer Advisory 2020-0002 for more information on mitigation options regarding the bypass published in this report."

https://www.zdnet.com/article/antivirus-vendors-scramble-to-fix-new-efs-ransomware-attack/

Ref.: https://support.eset.com/en/ransomware-shield-bypass-mitigations

Edited January 21, 2020 by itman
Nightowl 206 (Most Valued Members) Posted January 21, 2020
This is what I ranted all about in that other post: it will eventually happen and keep happening, they will keep bypassing things, until the system itself is secure enough to prevent more variants from doing the same damage.
peteyt 396 (Most Valued Members) Posted January 21, 2020
2 hours ago, Rami said: This is what I ranted all about in that other post: it will eventually happen and keep happening, they will keep bypassing things, until the system itself is secure enough to prevent more variants from doing the same damage.
But my point was the system will never be secure enough. Everything has flaws. The perfect system doesn't exist.
itman 1,799 (Author) Posted January 21, 2020 (edited)
Of note per the ESET customer advisory:

Quote
ESET remedied this by preparing an updated version of the HIPS module (1380.2 and later), which contains the Ransomware Shield feature, for version 13 of ESET consumer products, along with a detection engine update for all affected products that block the malicious files used to administer this attack.

I have this HIPS module, dated 1/20/2019, installed on my EIS 13.0.24 version.

Edited January 21, 2020 by itman
itman 1,799 (Author) Posted January 21, 2020
Also of note is what Microsoft thinks about this vulnerability in regard to Windows Defender:

Quote
Microsoft, Windows Controlled Folder Access: "Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense-in-depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows. Microsoft may consider addressing this in a future product."

Err, what?
Purpleroses 21 Posted January 21, 2020
I don't have the latest HIPS support module. I have the 1379.3 HIPS module, but I'm also not on pre-release updates; I'm on regular updates.
itman 1,799 (Author) Posted January 21, 2020
22 minutes ago, Purpleroses said: I don't have the latest HIPS support module. I have the 1379.3 HIPS module, but I'm also not on pre-release updates; I'm on regular updates.
I'm on pre-release updates.
itman 1,799 (Author) Posted January 21, 2020 (edited)
One additional comment about this mitigation:

Quote
Workaround
A user with administrator rights for a Windows machine can turn off EFS by setting the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration to 1 (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpef/0382ec4d-bfa9-46c9-a99a-1f2e042938c0). Group Policy can be used for enterprise-wide disabling of EFS. Of course, this will disable EFS for the entire machine, so if EFS was used (legitimately), it too will be disabled.

https://safebreach.com/Post/EFS-Ransomware

This will in all likelihood "bust" any password manager and like type app software installed on the mitigated device.

Edited January 21, 2020 by itman
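The workaround quoted above is a single registry value, but the caveat that follows it (legitimate EFS use is disabled too) is the part an administrator has to check before applying it. The script below is an added example, not code from the SafeBreach report, the ESET advisory or the forum post: it reads the documented EfsConfiguration value, enumerates files that still carry the EFS "Encrypted" attribute under a search scope, and only writes EfsConfiguration=1 when none are found and -Apply is given. The key path is the one quoted in the post; the search roots and the -Apply switch are assumptions of this example.

```powershell
# Added example (not from the SafeBreach report or the forum thread).
# Run from an elevated PowerShell prompt. Without -Apply it only reports.
param(
    [switch]$Apply,                                   # assumed switch: change the registry only when set
    [string[]]$Roots = @("$env:SystemDrive\Users")    # assumed search scope for encrypted files
)

# Registry location from the SafeBreach workaround / MS-GPEF.
$efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Get-EfsConfiguration {
    # Value absent means EFS is enabled (the default); 1 means EFS is disabled.
    $p = Get-ItemProperty -Path $efsKey -Name EfsConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.EfsConfiguration
}

function Find-EfsEncryptedFiles {
    # EFS sets FileAttributes.Encrypted on every file it encrypts, whether the
    # encryption was done by a user or by the PoC-style ransomware. This is the
    # same population "cipher /u /n" walks, restricted here to $Roots.
    Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
}

"EfsConfiguration before: $(Get-EfsConfiguration)  (0/absent = enabled, 1 = disabled)"

$encrypted = @(Find-EfsEncryptedFiles)
if ($encrypted.Count -gt 0) {
    # Do not flip the switch while EFS is in use; decrypt (cipher /d) or
    # migrate those files first, otherwise they go with the feature.
    Write-Warning ("{0} EFS-encrypted file(s) under {1}; decrypt them before disabling EFS. First few:" -f $encrypted.Count, ($Roots -join ', '))
    $encrypted | Select-Object -First 10 -ExpandProperty FullName
    return
}

if ($Apply) {
    # -Force creates the DWORD if it does not exist yet.
    New-ItemProperty -Path $efsKey -Name EfsConfiguration -PropertyType DWord -Value 1 -Force | Out-Null
    "EfsConfiguration after: $(Get-EfsConfiguration)"
} else {
    "No EFS-encrypted files found under $($Roots -join ', '); re-run with -Apply to set EfsConfiguration=1."
}
```

Two things to keep in mind when reading the output: on a machine that has already been hit by an EFS-based ransomware the listing will include the attacker's files, and cipher /d cannot decrypt those because the key belongs to the attacker's certificate, not to any local user; and because the check only covers the roots you pass, widen $Roots (or fall back to cipher /u /n, which walks all local drives) before trusting a "no encrypted files" result.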
itman 1,799 (Author) Posted January 21, 2020
Since we are talking about EFS exploiting, let's talk about a vulnerability it has had since day one:

Quote
EFS encryption encrypts files or folders one by one. Unlike BitLocker that encrypts them together. This also means that when a file is executed, and Windows creates a temporary cache of that file, that temporary cache can be used as a leak to the information and unauthorized access can be taken over by an unintended user. EFS works with NTFS only.

https://www.thewindowsclub.com/encrypting-file-system-efs-windows-10
itman 1,799 (Author) Posted January 21, 2020 (edited)
There is also another mitigation to this EFS ransomware issue mentioned in the safebreach.com article that corps. should take a look at:

Quote
data recovery agent (DRA)
A data recovery agent (DRA) is a Microsoft Windows user who has been granted the right to decrypt data that was encrypted by other users. The assignment of DRA rights to an approved individual provides an IT department with a way to unlock encrypted data in case of an emergency. Data Recovery Agents can be defined at the domain, site, organizational unit or local machine level. In a small to mid-sized business, the network administrator is often the designated DRA.

https://searchitchannel.techtarget.com/definition/data-recovery-agent-DRA

Of most importance is:

Quote
If the recovery agent certificate is created after the encryption of the resource, however, the resource cannot be decrypted by the DRA.

Edited January 21, 2020 by itman
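The sentence singled out above is the operational trap with a DRA: the recovery agent is only written into the data recovery field of files encrypted after the policy is in place, so a DRA created today does nothing for yesterday's files until they are re-stamped. The following is an added example, not the forum poster's procedure or anything from the SafeBreach report, showing the standard cipher.exe steps for that: generate the DRA certificate, note where it has to be imported, then use cipher /u to update existing encrypted files so they carry the new agent. The output directory and the sample file path are assumptions of this example.

```powershell
# Added example (not from the forum post or the SafeBreach report). Run elevated.
# Creates an EFS data recovery agent certificate and re-stamps files that were
# encrypted before the DRA existed, which is the gap the quoted sentence describes.

$outDir  = 'C:\EFS-DRA'                      # assumed location for the .cer/.pfx pair
$outBase = Join-Path $outDir 'efs-dra'        # cipher appends .cer and .pfx to this name
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# cipher /r:<name> writes <name>.cer (public part, goes into the recovery policy)
# and <name>.pfx (private key, password-protected at the prompt). The .pfx is the
# actual recovery capability: keep it offline, not on the machines it can decrypt.
& cipher.exe /r:$outBase
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

# Import the .cer as a Data Recovery Agent:
#   standalone host: secpol.msc -> Public Key Policies -> Encrypting File System
#                    -> Add Data Recovery Agent
#   domain:          the same node in a GPO linked at the domain/site/OU level
# (the quoted text lists exactly these scopes). Then refresh policy:
gpupdate /target:computer /force | Out-Null

# Files encrypted from now on include the DRA automatically. Files encrypted
# earlier do not, until cipher /u rewrites their key fields:
#   /u    update user key and recovery agent entries on all encrypted files
#   /u /n only enumerate, do not update (dry run)
& cipher.exe /u /n
& cipher.exe /u

# Verify: cipher /c prints who can decrypt a file and which recovery
# certificate (if any) it carries.
$sample = Join-Path $env:USERPROFILE 'Documents\secret.txt'   # assumed test file
if (Test-Path $sample) { & cipher.exe /c $sample }
```

Note that cipher /u can only re-stamp files the running user is able to decrypt, because adding a recovery field means re-encrypting the file encryption key; in practice it has to be run under each account that owns EFS-encrypted data. That is also why this mitigation does nothing against the attack in the thread: files the ransomware encrypted under its own certificate have no local user who can open them, so no DRA added afterwards can be written into them. The DRA is a recovery path for legitimately encrypted data, not a decryptor for the attacker's.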
itman 1,799 (Author) Posted January 22, 2020
Something about this safebreach.com EFS abuse PoC:

Quote
The ransomware sets the current EFS key to this certificate using AdvApi32!SetUserFileEncryptionKey.

According to Microsoft, the only protocol that supports this is SMB 3.0: https://docs.microsoft.com/en-us/windows/win32/api/winefs/nf-winefs-setuserfileencryptionkey. If NetBIOS is disabled in Win 10, doesn't that prevent this API from being invoked?