Preventing Ransomware and Zero Days Using an Overlooked Basic Security Control

Continued successful exploitation of the software supply chain

As the world continues to assess the scope of the biggest global ransomware attack on record – with the REvil/Sodinokibi group claiming to have infected over one million systems, outpacing even WannaCry from 2017, it is becoming clear that ransomware continues to be a successful business model for criminal groups and poses as a significant risk to businesses and government organisations.

Just this month, Australian businesses UnitingCare Queensland and JBS Foods became the latest victims of ransomware and the exploitation of a vulnerability on the US based managed services platform provider Kaseya showed continued escalation of successful attacks targeted on the software supply chain.

While the full impact of the attack is still undergoing investigation, the Australian Cyber Security Center has confirmed that at least three Australian MSPs had been affected by the attack and had customers data encrypted.

The PrintNightmare that won’t go away

Continuing to make big news for the last couple weeks is the PrintNightmare privilege escalation vulnerability (CVE-2021-167, CVE-2021-28344) which refuses to go away despite multiple patches from Microsoft and mixed messaging with-in the the information security community on how to effectively mitigate vulnerability in the Windows Print Spooler service.

How did this Happen?

REvil Ransomware delivered via Kaseya Platform

For the Kaseya supply chain attack the REvil group used the Kaseya Agent software itself to distribute malware, going through a variety of steps before executing the file “agent.exe” which had been signed with a likely stolen certificate.

The payload distributed by the REvil group using Kaseya platform

When executed the file extracted an old copy of Windows Defender binary “msmpeng.exe” and a DLL file “mpsvc.dll” which is the actual ransomware payload. The agent then starts the Windows Defender binary which sideloads payload the DLL and the machine contents are encrypted.

Whats HapPen? Workstation after being ransomwared by REvil on Kaseya platform

PrintNightmare delivered via user action

Looking into the recent PrintNightMare vulnerability (CVE-2021-167), we can observe that that either locally or remotely an unprivileged user can escalate their privileges to SYSTEM by calling the AddPrinterDriverEx API call, delivering malicious code that will then be executed as a DLL on the target.

A malicious DLL file being loaded by the printer service, creating a new local adm1n user

In both these cases, these vulnerabilities rely on the deployment of malicious code using trusted processes. These are run with system privileges by executing malicious .dll files and even used PowerShell (trusted system process) to turn off Microsoft Defender.

The Race To The Fix

As security professionals across the world scramble to apply patches, mitigations and IOCs to their security suite, is there a security control that is able to prevent such threats from happening in the first place?

Yes, Allowlisting – A long forgotten friend

One of these foundational controls, Allowlisting (formerly Application Whitelisting), is a security strategy that involves only allowing applications trusted by an organisation to run and then blocking all other files. This an alternative strategy to a signature based blocklisting approach of allowing everything to run by default and only blocking what’s known to be bad (eg anti-virus).

Allowlisting is not a new idea; it has been around for a long time and has been regarded as one of the most effective controls against threats like ransomware, fileless malware and lateral movement. Yet it is also one of the most overlooked security controls and is often put on the backburner. Most organisations that are not mandated by the ACSC Essential 8 framework, do not feel inspired to pick it up. This is mostly due to the first-hand experience people have had or have heard of, with Allowlisting taking an excruciatingly long time to implement and at some point, or another, resulting in situations of heated user disruption (especially with the dev team).

No security practitioner wants to devote huge amounts of skilled resources and time into implementing a security policy which at the end results in major BAU interruptions. Apart from problems with implementation, there are also significant gaps in the majority of allowlisting solutions like:

Focusing only on controlling applications (.exe files) when adversaries are utilising .dll and script-based processes to deploy payloads
Policies not applying to privileged user groups like admin and system accounts (exploited in these recent attacks)
Confusing Allowlisting with privilege access management and often mixing the two together
No way to make temporary exceptions to run unapproved apps that are needed urgently

Do these problems and gaps still hold up in 2021?

The answer is no.

Airlock Digital, an Australian company, created by security practitioners who were implementing allowlisting solutions at federal government organisations and seeing the traditional problems first hand. Taking these learnings, they developed a solution that covers these gaps and busts the myth that allowlisting is simply too hard to do.

This is made possible through features like:

Workflow driven processes to trust applications quickly and easily;
The ability for all IT staff to learn and manage the allowlist, with no previous security experience required;
Allowlisting that applies to all security contexts (including admin & system);
Comprehensive self managed policies which include .dll files and scripts;
Blocklist rules to perform system hardening and prevent the execution of legacy software;
Blacklisting policies that block malicious use of core system processes like PowerShell
End to end average deployment time to enforcement mode of 3-4 weeks.

With comprehensive policies in place, threats like REvil ransomware and zero day exploits like Kaseya & PrintNightmare, will automatically be blocked because the publisher of the executables, and the .dll files that are run afterwards, are simply not approved to run in the environment.

Airlock preventing untrusted DLL being loaded by Windows Print Spooler

This avoids a lot of panic and saves time from trying to find a fix for zero days that are regularly found. Here’s what one of Airlock’s customers recently said in the light of the recent attacks:

“Airlock Digital worked great for the Kaseya ransomware threat last weekend. While we were not hit, we use Kaseya, and after analysing the Indicators of Compromise, our Airlock Digital Allowlisting solution would have blocked the main applications used for delivery of the code even though they were delivered using Kaseya and MS defender. Airlock also allowed us to react quickly by blocklisting the malicious and known indicators of compromise as they were being identified.”

Airlock preventing untrusted agent.exe extractor being called. If this would be allowed, the subsequent DLL sideload would also have been blocked.

Conclusion

While there is no silver bullet to cyber risk and defence in depth is always best practice, performing basic security practices like Allowlisting right, can go a long way in proactively stopping breaches.

If you would like to know more about Allowlisting and how it can make a difference in your security posture, contact Airlock Digital at [email protected].