
ESET really needs an antiCryptor module



Hi Dears.

As you know about the Kaseya ransomware attack, it is necessary that ESET work on an antiCryptor module.

As we tested a REvil sample in a not-updated EES, Ransomware Shield did nothing while LiveGrid was enabled!

If you test it in a not-updated product you can see that Ransomware Shield cannot detect the encryption process.

https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/detection

 

So before this detection of the Win32/Filecoder.Sodinokibi.N trojan on July 2nd at 3:22 PM (EDT; UTC-04:00), Agent.exe was able to encrypt all infected system files.

We think that Ransomware Shield must be more powerful!

 


Posted (edited)

REvil definitely knows how to hack.

As far as this attack goes:

Quote

AGENT.EXE dropped an unexpected file: MSMPENG.EXE, an outdated and expired version of Microsoft’s Antimalware Service executable. This is a benign yet vulnerable application from Windows Defender, version 4.5.218.0, signed by Microsoft on March 23, 2014:

This version of MSMPENG.EXE is vulnerable to side-loading attacks—and we’ve seen this particular version of the application abused before. In a side-load attack, malicious code is put into a dynamic link library (DLL) named to match one required by the targeted executable, and usually placed into the same folder as the executable so it is found before a legitimate copy.

In this case, AGENT.EXE dropped a malicious file named MPSVC.DLL alongside the MSMPENG.EXE executable. AGENT.EXE then executes MSMPENG.EXE, which detects the malicious MPSVC.DLL file and loads it into its own memory space.

The MPSVC.DLL also contains the “PB03 TRANSPORT LTD.” certificate that was applied to AGENT.EXE. The MPSVC.DLL appears to have been compiled on Thursday July 1, 2021 (14:39:06), just prior to the compilation of AGENT.EXE.

From that moment on, the malicious code in MPSVC.DLL hijacks the normal execution flow of the Microsoft branded process, when MSMPENG.EXE calls the ServiceCrtMain function in the malicious MPSVC.DLL (this is also the main function in a benign MPSVC.DLL).

Once the DLL is loaded into memory, the malware deletes it from disk.

The MSMPENG.EXE, now under control of the malicious MPSVC.DLL, begins to encrypt the local disk, connected removable drives and mapped network drives, all from a Microsoft signed application that security controls typically trust and allow to run unhindered.

https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/

The only thing that would have stopped this attack is protected folder protection on all devices on the network. And properly configuring protected folder protection is a real pain in the butt.

BTW - I have blacklisted this MSMPENG.EXE version by hash value with another security product I use.

Edited by itman
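The Sophos excerpt above describes the side-load from the attacker's side; the defender's view of the same event is an image-load record in which a Microsoft-signed host picks up a sibling DLL that is unsigned or carries a different publisher's certificate. The following script is an added illustration for this thread, not code from ESET, Sophos or any other vendor. It works over a simplified, constructed rendering of Sysmon Event ID 7 (ImageLoad) records; the `ProcessSignature` field is an assumed enrichment joined from a separate signature check of the host image (Sysmon does not emit it), and every path in the samples is invented. The MsMpEng.exe / MPSVC.DLL names and the "PB03 TRANSPORT LTD." signer are the ones the quoted report mentions.

```python
"""Flag DLL side-loading candidates in image-load telemetry (added example)."""
from pathlib import PureWindowsPath
from typing import Optional

# Constructed records in a simplified Sysmon Event ID 7 layout: key=value pairs
# separated by " | ". ProcessSignature is an assumed enrichment, not a Sysmon field.
SAMPLE_EVENTS = [
    # Legitimate Defender engine loading its own signed module from Program Files.
    "Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe | "
    "ImageLoaded=C:\\Program Files\\Windows Defender\\MpSvc.dll | "
    "Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid | "
    "ProcessSignature=Microsoft Windows",
    # Outdated Defender binary dropped into a user-writable folder, loading a
    # sibling DLL signed by a publisher other than the host's (constructed path).
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\MsMpEng.exe | "
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\MPSVC.DLL | "
    "Signed=true | Signature=PB03 TRANSPORT LTD. | SignatureStatus=Valid | "
    "ProcessSignature=Microsoft Windows",
    # Same host, unsigned sibling DLL (constructed name).
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\MsMpEng.exe | "
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll | "
    "Signed=false | Signature= | SignatureStatus=Unavailable | "
    "ProcessSignature=Microsoft Windows",
    # Third-party app loading its own unsigned DLL: not a Microsoft host, so this
    # rule stays quiet (constructed).
    "Image=C:\\Tools\\editor\\editor.exe | "
    "ImageLoaded=C:\\Tools\\editor\\plugins.dll | "
    "Signed=false | Signature= | SignatureStatus=Unavailable | "
    "ProcessSignature=Example Tools Inc.",
]

# Install roots an unprivileged user cannot normally write to.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MICROSOFT_SIGNERS = ("microsoft windows", "microsoft corporation")


def parse_event(line: str) -> dict:
    """Split 'k=v | k=v' into a dict; an empty value parses as ''."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_microsoft(signature: str) -> bool:
    return signature.lower() in MICROSOFT_SIGNERS


def sideload_reason(ev: dict) -> Optional[str]:
    """Return why this load looks like a side-load, or None if it does not."""
    host = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if not is_microsoft(ev.get("ProcessSignature", "")):
        return None  # rule is scoped to Microsoft-signed hosts
    if str(dll.parent).lower() != str(host.parent).lower():
        return None  # DLL is not a sibling of the executable
    host_dir = str(host.parent).lower() + "\\"
    if host_dir.startswith(TRUSTED_ROOTS):
        return None  # host runs from a protected install location
    signed_ok = ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"
    if not signed_ok:
        return "unsigned sibling DLL loaded by Microsoft-signed host outside a trusted path"
    if not is_microsoft(ev.get("Signature", "")):
        return f"sibling DLL signed by '{ev['Signature']}' differs from Microsoft-signed host"
    return None


def analyze(lines) -> list:
    """Run the rule over raw records and collect findings in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = sideload_reason(ev)
        if reason:
            findings.append({"host": ev["Image"], "dll": ev["ImageLoaded"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed samples the rule reports the two loads from the Temp folder (one foreign-signed, one unsigned) and stays silent on the genuine Defender install and on the non-Microsoft host. The trusted-root exclusion is the tuning knob: dropping it raises recall at the cost of noise from vendors that ship unsigned helper DLLs beside signed executables.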

Posted (edited)

Well, Microsoft never ceases to amaze me.

That exe used here, or the printer vulnerability that could allow the attacker to gain control over everything, or this:

https://www.bleepingcomputer.com/news/security/microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco/

But still, I also believe that the security products we have lack the power to distinguish between a normal encryption/decryption process that is happening by the user and an encryption that is taking the whole system down; a security product should flag something when there is mass encryption that is seen suddenly and wasn't noticed in normal behaviour before.

Since the ransomware variant was leaked by American agencies, from that time till now there is no stop for these and no prevention, unless you have the signature with your AV.

MSMPENG.EXE is trusted, yet its job is not to encrypt and decrypt; yet it has done something very ugly and still wasn't detected because it was trusted?

And Microsoft has been signing malware as trusted.

When normally there is minimal encryption/decryption on the user machine, then suddenly a ransomware comes and encrypts the whole machine, the ransomware protections should kick in and ask the user whether to continue that or not.

I believe that it's not possible these days to rely on signature-based security products; we are not in 2006 anymore. All these hacks and ransoms happen because of a zero-day vuln or an exploit, yet the security product just doesn't react, simply because it doesn't have a signature.

What is the point of having an AV if it doesn't protect you in the critical time ?

 

(I'm not talking about ESET, I'm talking generally.)

 

Edited by Nightowl

Posted (edited)
4 hours ago, Nightowl said:

But still, I also believe that the security products we have lack the power to distinguish between a normal encryption/decryption process that is happening by the user and an encryption that is taking the whole system down; a security product should flag something when there is mass encryption that is seen suddenly and wasn't noticed in normal behaviour before.

Actually, almost all the major AV solutions have some form of protected folders protection presently.

Most employ "bait" files within the protected folders which act as "triggers" when encrypted to alert that abnormal encryption activities are taking place. At most, only a few files get encrypted before detection takes place. Some AV products like Kaspersky, due to their system snapshot capability, can actually restore the few files that end up encrypted. Note that this concept is not "bullet proof" and a dedicated APT actor employing a targeted attack can bypass it. However, it does take a bit of work to do so.

My take is that Eset doesn't want to get involved with the protected folder approach due to the incessant user requests that will follow due to legit processes being blocked access to the protected folders. There also might be a legal liability element here. If ransomware was successfully performed on a network employing protected folders, I would suspect the plaintiff's lawyers would have a better case for damages against the AV concern.

Edited by itman

14 hours ago, itman said:

Actually, almost all the major AV solutions have some form of protected folders protection presently.

Most employ "bait" files within the protected folders which act as "triggers" when encrypted to alert that abnormal encryption activities are taking place. At most, only a few files get encrypted before detection takes place. Some AV products like Kaspersky, due to their system snapshot capability, can actually restore the few files that end up encrypted. Note that this concept is not "bullet proof" and a dedicated APT actor employing a targeted attack can bypass it. However, it does take a bit of work to do so.

My take is that Eset doesn't want to get involved with the protected folder approach due to the incessant user requests that will follow due to legit processes being blocked access to the protected folders. There also might be a legal liability element here. If ransomware was successfully performed on a network employing protected folders, I would suspect the plaintiff's lawyers would have a better case for damages against the AV concern.

Don't expect normal users to configure protected folders and be able to identify problems from the configurations, etc. Even without using the protected folders option, you still need the AI of the AV to act upon its intelligence, not upon signatures or pre-defined rules.

As 0-day attacks don't have signatures and will avoid these pre-defined known rules.


Posted (edited)

Of recent note:

Fake Kaseya VSA security update backdoors networks with Cobalt Strike

Quote

Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates.

https://www.bleepingcomputer.com/news/security/fake-kaseya-vsa-security-update-backdoors-networks-with-cobalt-strike/

Edited by itman

20 hours ago, itman said:

Actually, almost all the major AV solutions have some form of protected folders protection presently.

Most employ "bait" files within the protected folders which act as "triggers" when encrypted to alert that abnormal encryption activities are taking place. At most, only a few files get encrypted before detection takes place. Some AV products like Kaspersky, due to their system snapshot capability, can actually restore the few files that end up encrypted. Note that this concept is not "bullet proof" and a dedicated APT actor employing a targeted attack can bypass it. However, it does take a bit of work to do so.

My take is that Eset doesn't want to get involved with the protected folder approach due to the incessant user requests that will follow due to legit processes being blocked access to the protected folders. There also might be a legal liability element here. If ransomware was successfully performed on a network employing protected folders, I would suspect the plaintiff's lawyers would have a better case for damages against the AV concern.

Surely if they could legally sue, they could do so without protected folders?

I mean an AV is never going to be 100 percent, so even without that option a user could be infected. I've always been a believer that the weakest part in anything is the user, e.g. that old saying that if you keep looking under rocks you will eventually find a snake.


Posted (edited)

Getting back to the lack of initial AV detection of this attack, it was victim self-inflicted with Kaseya's help:

Quote

Anti-Virus and Firewall Exclusions and Trusted Apps

The following list of exclusions and trusted apps is needed to ensure any Anti-Virus coexisting with the Kaseya Agent allows it to function appropriately:

https://helpdesk.kaseya.com/hc/en-gb/articles/229014948-Anti-Virus-Exclusions-and-Trusted-Apps

Also, this is not the first supply chain incident against Kaseya. This reinforces my opinion that many corp. IT security decision makers "don't know their butt hole from a hole in the ground."

-EDIT- Oops! I forgot that the whole reason for using Kaseya software is that you don't have to hire "expensive" in-house IT support personnel. So this falls into the category of "pay a little now, or a lot later."

Edited by itman

I'll also pass on this "tidbit:"

Quote

The report published by cybersecurity company Trustwave on Wednesday said that ransomware code used by REvil during the attack against software vendor Kaseya “avoids systems that have default languages from what was the USSR region.”

The default languages listed by the cybersecurity firm include Russian, Ukrainian, Belarusian, Armenian and Arabic. Ziv Mador, vice president of security research at Trustwave SpiderLabs, told NBC News, "They don't want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way."

https://thehill.com/policy/cybersec...attack-bypasses-systems-using-russian-related

Now read this for a bit of ransomware prevention "enlightenment:"

Try This One Weird Trick Russian Hackers Hate

https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/


Posted (edited)

Getting back to the protected folders concept as prevention against ransomware, it can be described as a "Band-Aid" mitigation at best.

To begin, your system has been compromised if ransomware activity in any form is detected. It does not prevent any of the other activity associated with ransomware attacks, such as deletion of file backups; data uploading to the attacker's server; and placement of other malware on the attacked devices. It also doesn't protect against "system destroyer" ransomware such as NotPetya, which encrypted the MFT, rendering a system useless.

This recent Kaseya software attack is turning out to be far less impacting than originally thought since the above activities did not take place:

Quote

The REvil ransomware gang's attack on MSPs and their customers last week outwardly should have been successful, yet changes in their typical tactics and procedures have led to few ransom payments.

When ransomware gangs conduct an attack, they usually breach a network and take time stealing data and deleting backups before ultimately encrypting the victim's devices.

When a victim is shown proof of stolen data, backups are deleted, and their devices are encrypted, it creates a much stronger incentive for them to pay the ransom to restore their data and prevent the leak of data.

However, the REvil affiliate responsible for this attack chose to forgo standard tactics and procedures. Instead, they used a zero-day vulnerability in on-premise Kaseya's VSA servers to perform a massive and widespread attack without actually accessing a victim's network.

This tactic led to the most significant ransomware attack in history, with approximately 1,500 individual businesses encrypted in a single attack.

Yet, while BleepingComputer knows of two companies who paid a ransom to receive a decryptor, overall, this attack is likely not nearly as successful as the REvil gang would have expected.

The reason is simply that backups were not deleted and data was not stolen, thus providing the ransomware gang little leverage over the victims.

https://www.bleepingcomputer.com/news/security/revil-victims-are-refusing-to-pay-after-flawed-kaseya-ransomware-attack/

Edited by itman

On 7/7/2021 at 2:58 AM, itman said:

Actually, almost all the major AV solutions have some form of protected folders protection presently.

Most employ "bait" files within the protected folders which act as "triggers" when encrypted to alert that abnormal encryption activities are taking place. At most, only a few files get encrypted before detection takes place. Some AV products like Kaspersky, due to their system snapshot capability, can actually restore the few files that end up encrypted. Note that this concept is not "bullet proof" and a dedicated APT actor employing a targeted attack can bypass it. However, it does take a bit of work to do so.

My take is that Eset doesn't want to get involved with the protected folder approach due to the incessant user requests that will follow due to legit processes being blocked access to the protected folders. There also might be a legal liability element here. If ransomware was successfully performed on a network employing protected folders, I would suspect the plaintiff's lawyers would have a better case for damages against the AV concern.

These "bait" files can use special file names to make them the first to be encrypted.

Remind users not to open them or set hidden attributes for them.

This technique used by many AVs effectively prevents ransomware and rarely causes unnecessary user requests.

At least, it can be used in personal products.

As for the legal issue you mentioned, the "bait" files do not need to appear in the form of a "protected folder" function, but only as a means of detection.

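Both itman's description of "bait" files that trigger when encrypted and the post above proposing bait files as a pure detection signal with names that sort first come down to the same mechanism. The script below is an added example for this thread, not ESET's or any vendor's implementation: it plants a few low-entropy decoys whose names sort ahead of ordinary documents, records their SHA-256 hashes as a baseline, and later reports any decoy that has gone missing or been rewritten, attaching the byte entropy of the new content so an encrypted overwrite (close to 8 bits per byte) can be told from a careless text edit. The canary names, contents and the 7.0-bit threshold are assumptions chosen for the illustration, and `demo()` simulates the tampering in a scratch folder so the whole thing runs offline.

```python
"""Canary ("bait") file monitor for early ransomware detection (added example)."""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Constructed names that sort before ordinary documents in a directory listing,
# so a process walking folders alphabetically touches them first.
CANARY_NAMES = ("!!_canary_do_not_open.docx", "000_canary_invoice.xlsx", "0_canary_notes.txt")

# Deliberately repetitive content: low entropy, easy to tell from ciphertext.
CANARY_CONTENT = b"This file is a decoy that nothing should modify.\n" * 64

# Assumed cut-off in bits per byte; random-looking data scores roughly 7.9.
ENCRYPTED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(folder: Path) -> dict:
    """Write the decoys and return {name: sha256} as the baseline to watch."""
    baseline = {}
    for name in CANARY_NAMES:
        p = folder / name
        p.write_bytes(CANARY_CONTENT)
        baseline[name] = sha256(p)
    return baseline


def check_canaries(folder: Path, baseline: dict) -> list:
    """Return one finding per canary that is missing or no longer matches the baseline."""
    findings = []
    for name, expected in baseline.items():
        p = folder / name
        if not p.exists():
            findings.append({"name": name, "status": "missing", "entropy": None})
            continue
        if sha256(p) != expected:
            ent = shannon_entropy(p.read_bytes())
            findings.append({
                "name": name,
                "status": "modified",
                "entropy": round(ent, 2),
                "looks_encrypted": ent >= ENCRYPTED_ENTROPY_THRESHOLD,
            })
    return findings


def demo() -> dict:
    """Plant canaries in a scratch folder, then simulate three kinds of tampering."""
    folder = Path(tempfile.mkdtemp(prefix="canary_demo_"))
    baseline = plant_canaries(folder)
    clean = check_canaries(folder, baseline)  # nothing touched yet
    # Stand-in for ransomware output: overwrite one decoy with random bytes.
    (folder / CANARY_NAMES[0]).write_bytes(os.urandom(4096))
    # Stand-in for a careless user: a plain-text append to another decoy.
    (folder / CANARY_NAMES[2]).write_bytes(CANARY_CONTENT + b"my shopping list\n")
    # Stand-in for a wiper or rename: the third decoy disappears.
    (folder / CANARY_NAMES[1]).unlink()
    return {"clean": clean, "after": check_canaries(folder, baseline)}


if __name__ == "__main__":
    for finding in demo()["after"]:
        print(finding)
```

Any change to a decoy is worth an alert, since users are told not to touch them; the entropy column only decides how loudly. In a real deployment the check would run from a file-change notification rather than on demand, and the decoys would carry the hidden attribute the post suggests, which is a Windows-specific step left out here.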


So the next second-best tactic would be having different languages, like Eastern European languages and Arabic, so the ransomware can evade me because it was built so? Or I must use the Protected Folders that Microsoft introduced, but actually nobody knows that it exists, or the normal user won't even know how to use it.


As far as using the protected folders concept where Eset is installed, here's my implementation of it.

Win 10 has a built-in feature called File History. It just needs to be set up initially to be functional. Ideally, a second internal HDD or external drive should be used to protect you against boot drive failure. But File History can also be set up on the OS resident drive. Once File History has been set up, Win 10 will back up all your user folders at whatever frequency you specify.

Next, you need to create Eset HIPS rules to both allow the File History related process access to the File History backup folder and block all other access to the backup folder.

You have now protected your personal folders against ransomware or other adverse factors without the hassle of having to configure multiple process accesses as required when using WD protected folders protection.


On 7/6/2021 at 5:34 PM, kamiran.asia said:

Hi Dears.

As you know about the Kaseya ransomware attack, it is necessary that ESET work on an antiCryptor module.

As we tested a REvil sample in a not-updated EES, Ransomware Shield did nothing while LiveGrid was enabled!

If you test it in a not-updated product you can see that Ransomware Shield cannot detect the encryption process.

https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/detection

 

So before this detection of the Win32/Filecoder.Sodinokibi.N trojan on July 2nd at 3:22 PM (EDT; UTC-04:00), Agent.exe was able to encrypt all infected system files.

We think that Ransomware Shield must be more powerful!

 

Sadly this has been a known weak point of ESET and hasn't been improved, it seems. Even in the last MRG-Effitas test, ESET missed 7 ransomware samples, which is the worst result by far in the test. ESET is very weak against ransomware.

https://www.mrg-effitas.com/wp-content/uploads/2021/05/MRG_Effitas_360_2021Q1.pdf

Edited by SeriousHoax

10 hours ago, SeriousHoax said:

ESET missed 7 ransomware samples, which is the worst result by far in the test.

To be fully accurate, Eset did detect the ransomware by sig. under the 24-hour detection criteria. If Eset had detected after that period or not at all, it would have been graded as a full miss and Eset would have never passed this certification test.

However to my knowledge, this is the first time in this AV lab test series Eset did not detect all ransomware samples in the initial test phase.

Edited by itman


[KB6132] Configure firewall rules for ESET Endpoint Security to protect against ransomware

[KB3433] Best practices to protect against Filecoder (ransomware) malware (eset.com)

 

Seems rather obvious Eset is aware their products could do more to stop ransomware than the default settings.


18 hours ago, itman said:

To be fully accurate, Eset did detect the ransomware by sig. under the 24-hour detection criteria. If Eset had detected after that period or not at all, it would have been graded as a full miss and Eset would have never passed this certification test.

However to my knowledge, this is the first time in this AV lab test series Eset did not detect all ransomware samples in the initial test phase.

Still, that's not good enough. Maybe we could ignore it if it was one or maybe two. But 7 ransomware misses at the time of testing is a huge number. It shows again what the OP suggested: that ESET's ransomware shield is very bad and almost not effective at all. ESET needs to improve.


32 minutes ago, SeriousHoax said:

Still, that's not good enough. Maybe we could ignore it if it was one or maybe two. But 7 ransomware misses at the time of testing is a huge number. It shows again what the OP suggested: that ESET's ransomware shield is very bad and almost not effective at all. ESET needs to improve.

Especially given that they ARE aware of the problem, yet unwilling to address it. Seems to me they focus on minimal false positives to the extreme that they would rather accept missed detections as a result of that focus on reducing FPs.


On 7/16/2021 at 10:28 PM, NewbyUser said:

Especially given that they ARE aware of the problem, yet unwilling to address it. Seems to me they focus on minimal false positives to the extreme that they would rather accept missed detections as a result of that focus on reducing FPs.

Yes, exactly. They are very sensitive about false positives and this is why they are falling behind. Some other products are doing well in this regard while maintaining low false positives.
