Jump to content

Archived

This topic is now archived and is closed to further replies.

itman

Antivirus vendors push fixes for EFS ransomware attack method

Recommended Posts

 

Quote

Signature-based software may not be enough to protect Microsoft’s Windows EFS against evolving ransomware families.

Researchers have disclosed how an EFS attack launched by ransomware leaves systems relying on signature-based antivirus solutions open to attack, with major vendors pushing fixes left, right, and center as a result. 

On Tuesday, Amit Klein, the VP of Security Research at Safebreach Labs revealed an investigation into how the Windows Encrypting File System (EFS) can be abused by ransomware, a form of malware that encrypts systems and demands payment in return for the restoration of access. 

Safebreach Labs developed Proof of Concept (PoC) code and provided this, together with a report, to 17 cybersecurity vendors. As a result, the team realized more products were affected than originally thought. 

Below is the rundown on each vendor, their susceptibility, and any actions taken:

  • ESET, Ransomware Shield technology products: "In June of 2019, ESET was made aware of a possible security bypass of its consumer, business and server products for Windows via the standard Windows API EncryptFile. ESET was able to validate the underlying method used to administer this attack. We are now rolling out an update to mitigate the bypass and would like to kindly ask all customers to refer to Customer Advisory 2020-0002 for more information on mitigation options regarding the bypass published in this report."

 

https://www.zdnet.com/article/antivirus-vendors-scramble-to-fix-new-efs-ransomware-attack/

Ref.: https://support.eset.com/en/ransomware-shield-bypass-mitigations

Share this post


Link to post
Share on other sites

This is what I ranted all about in that other post , it will eventually happen and keep happening , they will keep bypassing things , until the system itself is secure enough to prevent more variants from doing the same damage.

Share this post


Link to post
Share on other sites
2 hours ago, Rami said:

This is what I ranted all about in that other post , it will eventually happen and keep happening , they will keep bypassing things , until the system itself is secure enough to prevent more variants from doing the same damage.

But my point was the system will never be secure enough. Everything has flaws. The perfect system doesn't exist.

Share this post


Link to post
Share on other sites

Of note per the Eset customer advisory:

Quote

ESET remedied this by preparing an updated version of the HIPS module (1380.2 and later), which contains the Ransomware Shield feature, for version 13 of ESET consumer products, along with a detection engine update for all affected products that block the malicious files used to administer this attack.

I have this HIPS module, dated 1/20/2019, installed on my EIS 13.0.24 version.

Share this post


Link to post
Share on other sites

Also of note is what Microsoft thinks about this vulnerability in regards to Windows Defender:

Quote

Microsoft, Windows Controlled Folder Access: "Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense-in-depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows. Microsoft may consider addressing this in a future product."

Err, what?

Share this post


Link to post
Share on other sites

I don't have the latest hips support module.  I have 1379.3 hips module but I'm also not on pre-release updates I'm on regular updates.

Share this post


Link to post
Share on other sites
22 minutes ago, Purpleroses said:

I don't have the latest hips support module.  I have 1379.3 hips module but I'm also not on pre-release updates I'm on regular updates.

I'm on pre-release updates.

Share this post


Link to post
Share on other sites

One additional comment about this mitigation:

Quote

Workaround

A user with administrator rights for a Windows machine can turn off EFS by setting the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration to 1 (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpef/0382ec4d-bfa9-46c9-a99a-1f2e042938c0). Group Policy can be used for enterprise-wise disabling of EFS.

Of course, this will disable EFS for the entire machine, so if EFS was used (legitimately), it too will be disabled.

https://safebreach.com/Post/EFS-Ransomware

This will in all likelihood "bust" any password manager and like type app software installed on the mitigated device.

Share this post


Link to post
Share on other sites

Since we are talking about EFS exploiting, let's talk about a vulnerability it has had since day one:

Quote

EFS encryption encrypts files or folders one by one. Unlike BitLocker that encrypts them together. This also means that when a file is executed, and Windows creates a temporary cache of that file, that temporary cache can be used as a leak to the information and unauthorized access can be taken over by an unintended user. EFS works with NTFS only.

https://www.thewindowsclub.com/encrypting-file-system-efs-windows-10

Share this post


Link to post
Share on other sites

There is also another mitigation to this EFS ransomware issue mentioned in the safebreach.com article corps. should take a look at:

Quote

data recovery agent (DRA)

A data recovery agent (DRA) is a Microsoft Windows user who has been granted the right to decrypt data that was encrypted by other users. The assignment of DRA rights to an approved individual provides an IT department with a way to unlock encrypted data in case of an emergency.

Data Recovery Agents can be defined at the domain, site, organizational unit or local machine level. In a small to mid-sized business, the network administrator is often the designated DRA.

https://searchitchannel.techtarget.com/definition/data-recovery-agent-DRA

Of most importance is:

Quote

If the recovery agent certificate is created after the encryption of the resource, however, the resource cannot be decrypted by the DRA.

 

Share this post


Link to post
Share on other sites

Something about this safebreach.com EFS abuse POC:

Quote

The ransomware sets the current EFS key to this certificate using AdvApi32!SetUserFileEncryptionKey.

According to Microsoft, the only protocol that supports this is SMB 3.0: https://docs.microsoft.com/en-us/windows/win32/api/winefs/nf-winefs-setuserfileencryptionkey . If NetBIOS is disabled in Win 10, does not that prevent this API from being invoked?

 

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...