Airlock Digital - Allowlisting Software

Preventing Ransomware and Zero Days Using an Overlooked Basic Security Control

18 Jul 2021

Continued successful exploitation of the software supply chain

As the world continues to assess the scope of the biggest global ransomware attack on record, with the REvil/Sodinokibi group claiming to have infected over one million systems and outpacing even WannaCry from 2017, it is becoming clear that ransomware continues to be a successful business model for criminal groups and poses a significant risk to businesses and government organisations.

Just this month, Australian businesses UnitingCare Queensland and JBS Foods became the latest victims of ransomware, and the exploitation of a vulnerability in the US-based managed services platform provider Kaseya showed the continued escalation of successful attacks targeting the software supply chain.

While the full impact of the attack is still under investigation, the Australian Cyber Security Centre has confirmed that at least three Australian MSPs were affected by the attack and had customers' data encrypted.

The PrintNightmare that won’t go away

Continuing to make big news for the last couple of weeks is the PrintNightmare privilege escalation vulnerability (CVE-2021-167, CVE-2021-28344), which refuses to go away despite multiple patches from Microsoft and mixed messaging within the information security community on how to effectively mitigate the vulnerability in the Windows Print Spooler service.

How did this Happen?

REvil Ransomware delivered via Kaseya Platform

For the Kaseya supply chain attack, the REvil group used the Kaseya agent software itself to distribute malware, going through a variety of steps before executing the file "agent.exe", which had been signed with a likely stolen certificate.

The payload distributed by the REvil group using the Kaseya platform

When executed, the file extracted an old copy of the Windows Defender binary "msmpeng.exe" and a DLL file "mpsvc.dll", which is the actual ransomware payload. The agent then starts the Windows Defender binary, which sideloads the payload DLL, and the machine's contents are encrypted.

REvil ransom note ("Whats HapPen?") on a workstation encrypted via the Kaseya platform

PrintNightmare delivered via user action

Looking into the recent PrintNightmare vulnerability (CVE-2021-167), we can observe that, either locally or remotely, an unprivileged user can escalate their privileges to SYSTEM by calling the AddPrinterDriverEx API, delivering malicious code that is then executed as a DLL on the target.

A malicious DLL file being loaded by the printer service, creating a new local adm1n user

In both cases, the attacks rely on deploying malicious code through trusted processes: the payloads run with system privileges by having a trusted process load a malicious .dll file, and PowerShell (a trusted system process) was even used to turn off Microsoft Defender.

The Race To The Fix

As security professionals across the world scramble to apply patches, mitigations and IOCs to their security suite, is there a security control that is able to prevent such threats from happening in the first place?

Yes, Allowlisting – a long-forgotten friend

One such foundational control, Allowlisting (formerly Application Whitelisting), is a security strategy that allows only applications trusted by an organisation to run and blocks all other files. This is the opposite of a signature-based blocklisting approach, which allows everything to run by default and blocks only what is known to be bad (e.g. anti-virus).

Allowlisting is not a new idea; it has been around for a long time and is regarded as one of the most effective controls against threats like ransomware, fileless malware and lateral movement. Yet it is also one of the most overlooked security controls and is often put on the backburner. Most organisations that are not mandated by the ACSC Essential 8 framework do not feel inspired to pick it up. This is mostly due to first-hand experience, or stories heard from others, of Allowlisting taking an excruciatingly long time to implement and, at one point or another, causing heated user disruption (especially with the dev team).

No security practitioner wants to devote huge amounts of skilled resources and time to implementing a security policy which, in the end, results in major BAU interruptions. Apart from problems with implementation, there are also significant gaps in the majority of allowlisting solutions, such as:

  • Focusing only on controlling applications (.exe files) when adversaries are utilising .dll and script-based processes to deploy payloads
  • Policies not applying to privileged user groups like admin and system accounts (exploited in these recent attacks)
  • Confusing Allowlisting with privileged access management and often mixing the two together
  • No way to make temporary exceptions to run unapproved apps that are needed urgently

Do these problems and gaps still hold up in 2021?

The answer is no.

Airlock Digital is an Australian company created by security practitioners who were implementing allowlisting solutions at federal government organisations and seeing the traditional problems first hand. Taking these learnings, they developed a solution that covers these gaps and busts the myth that allowlisting is simply too hard to do.

This is made possible through features like:

  • Workflow-driven processes to trust applications quickly and easily;
  • The ability for all IT staff to learn and manage the allowlist, with no previous security experience required;
  • Allowlisting that applies to all security contexts (including admin and system);
  • Comprehensive self-managed policies which include .dll files and scripts;
  • Blocklist rules to perform system hardening and prevent the execution of legacy software;
  • Blocklisting policies that block malicious use of core system processes like PowerShell;
  • End-to-end average deployment time to enforcement mode of 3-4 weeks.

With comprehensive policies in place, threats like REvil ransomware and zero-day exploits like Kaseya and PrintNightmare will automatically be blocked, because the publisher of the executables, and the .dll files that are run afterwards, are simply not approved to run in the environment.

Airlock preventing an untrusted DLL from being loaded by the Windows Print Spooler
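To make the decision logic described above concrete, and to show how the gaps listed earlier (no .dll or script coverage, exemptions for privileged accounts, no temporary exceptions) are closed by a policy that simply does not have them, here is an added example of a toy allowlist policy engine. It is not Airlock Digital's code and does not describe how their product is implemented; the file names follow the post, while the paths, hashes (placeholder strings, not real digests), publisher names, user names and timestamps are constructed for the example.

```python
"""
Added example: a minimal allowlist policy engine (not Airlock Digital's
code) evaluating the execution events the post describes. Trust is by
publisher or file hash, the policy applies to every security context,
.dll and script loads go through the same rules as .exe launches, a
blocklist wins over the allowlist, and exceptions are time-boxed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SYSTEM = r"NT AUTHORITY\SYSTEM"
NOW = datetime(2021, 7, 18, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Event:
    path: str
    kind: str        # "exe", "dll" or "script"
    sha256: str      # placeholder identifiers below, not real hashes
    publisher: str   # signing publisher, "" when unsigned
    user: str        # security context the execution or load happens in


@dataclass
class Policy:
    trusted_publishers: set
    trusted_hashes: set
    blocked_hashes: set = field(default_factory=set)
    exceptions: dict = field(default_factory=dict)  # sha256 -> expiry (UTC)

    def grant_exception(self, sha256: str, hours: int, now: datetime) -> None:
        """Time-boxed approval for an urgently needed, not-yet-reviewed file."""
        self.exceptions[sha256] = now + timedelta(hours=hours)

    def decide(self, ev: Event, now: datetime) -> tuple:
        # 1. Blocklist rules (hardening, retired legacy builds) win over everything.
        if ev.sha256 in self.blocked_hashes:
            return ("block", "blocklist rule")
        # 2. A still-valid temporary exception.
        expiry = self.exceptions.get(ev.sha256)
        if expiry is not None and now < expiry:
            return ("allow", "temporary exception")
        # 3. Allowlist by exact hash, then by trusted publisher.
        if ev.sha256 in self.trusted_hashes:
            return ("allow", "trusted hash")
        if ev.publisher and ev.publisher in self.trusted_publishers:
            return ("allow", "trusted publisher")
        # 4. Default deny. Nothing above consulted ev.user or ev.kind, so SYSTEM,
        #    administrators and standard users, and .exe, .dll and script files,
        #    are all judged by the same rules.
        return ("block", f"not on allowlist ({ev.kind} as {ev.user})")


def build_policy() -> Policy:
    # Constructed trust set: Microsoft as a trusted publisher, one in-house
    # application trusted by hash, one legacy build retired by blocklist.
    return Policy(
        trusted_publishers={"Microsoft Corporation", "Microsoft Windows"},
        trusted_hashes={"sha256:corp-lob-app"},
        blocked_hashes={"sha256:legacy"},
    )


def walkthrough(policy: Policy, now: datetime) -> dict:
    """Evaluate the post's scenarios; returns {file name: (decision, reason)}."""
    events = {
        # REvil/Kaseya: agent.exe signed with a certificate the policy does not
        # trust, dropping an old Defender binary and the payload DLL it sideloads.
        "agent.exe": Event(r"C:\Temp\agent.exe", "exe", "sha256:agent", "Unapproved Publisher Ltd", SYSTEM),
        "msmpeng.exe": Event(r"C:\Temp\msmpeng.exe", "exe", "sha256:msmpeng-old", "Microsoft Corporation", SYSTEM),
        "mpsvc.dll": Event(r"C:\Temp\mpsvc.dll", "dll", "sha256:mpsvc", "", SYSTEM),
        # PrintNightmare: a driver DLL supplied by a low-privileged user, loaded as SYSTEM.
        "driver.dll": Event(r"C:\Users\lowpriv\driver.dll", "dll", "sha256:driver", "", SYSTEM),
        # Retired legacy build: trusted signer, but a blocklist rule applies.
        "legacy.exe": Event(r"C:\Program Files\Old\legacy.exe", "exe", "sha256:legacy", "Microsoft Corporation", r"CORP\admin"),
        # Unapproved script run by an administrator.
        "tool.ps1": Event(r"C:\Users\admin\tool.ps1", "script", "sha256:tool", "", r"CORP\admin"),
    }
    return {name: policy.decide(ev, now) for name, ev in events.items()}


def exception_lifecycle(policy: Policy, now: datetime) -> tuple:
    """An urgently needed script: allowed inside a 4-hour window, blocked after it."""
    tool = Event(r"C:\Users\admin\tool.ps1", "script", "sha256:tool", "", r"CORP\admin")
    policy.grant_exception("sha256:tool", hours=4, now=now)
    during = policy.decide(tool, now + timedelta(hours=1))
    after = policy.decide(tool, now + timedelta(hours=5))
    return during, after


if __name__ == "__main__":
    for name, verdict in walkthrough(build_policy(), NOW).items():
        print(f"{name:12} {verdict}")
    print(exception_lifecycle(build_policy(), NOW))
```

The walkthrough makes the post's two points visible: agent.exe is blocked at the first step because its publisher is not approved, and even with the old Defender binary allowed on publisher trust, the sideloaded mpsvc.dll is blocked on its own merits because DLL loads are evaluated too. The spooler's driver DLL is blocked despite running as SYSTEM, and the legacy build is blocked despite its trusted signer. A real deployment would of course key hashes from genuine digests and validate signatures rather than trusting a publisher string.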

This avoids a lot of panic and saves the time otherwise spent trying to find a fix for the zero days that are regularly found. Here is what one of Airlock's customers recently said in light of the recent attacks:

"Airlock Digital worked great for the Kaseya ransomware threat last weekend. While we were not hit, we use Kaseya, and after analysing the Indicators of Compromise, our Airlock Digital Allowlisting solution would have blocked the main applications used for delivery of the code even though they were delivered using Kaseya and MS Defender. Airlock also allowed us to react quickly by blocklisting the malicious and known indicators of compromise as they were being identified."

Airlock preventing the untrusted agent.exe extractor from being called. Even if this were allowed, the subsequent DLL sideload would also have been blocked.

Conclusion

While there is no silver bullet for cyber risk, and defence in depth is always best practice, performing basic security practices like Allowlisting right can go a long way towards proactively stopping breaches.

If you would like to know more about Allowlisting and how it can make a difference in your security posture, contact Airlock Digital at [email protected].

© Copyright 2023 – Airlock Digital