Microsoft’s Patch Tuesday updates for March deliver fixes for 75 security bugs, including patches for 15 critical flaws and a serious vulnerability that exposes sysadmins to credential theft.
CredSSP is the authentication provider behind Microsoft’s widely used Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM); it relays a user’s credentials from the client to the server hosting the application.
Microsoft says, “CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack.”
It’s rated as important as it can only be exploited in tandem with a man-in-the-middle attack. However, in that position, the attacker could steal session authentication from a user with local administrative privileges and then run unauthorized commands on a target server with the same privileges.
As Preempt notes, this bug isn’t an attacker’s entry point but rather a technique for lateral movement and privilege escalation once they have either gained access to the target’s Wi-Fi network or exploited a remote code execution flaw in a firm’s routers, such as Cisco’s severe ASA VPN bug that was patched through January and February.
“The attacker will set up the man-in-the-middle, wait for a CredSSP session to occur, and once it does, will steal session authentication and perform a Remote Procedure Call (DCE/RPC) attack on the server that the user originally connected to (eg, the server user connected with RDP),” explains Preempt researcher Yaron Zinar.
“An attacker [who has] stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in the case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.”
If the attacker exploits a vulnerable router, they would infect a router near the server and wait for an IT admin to log in to the server using RDP.
The attacker may also exploit the recent KRACK Wi-Fi key reinstallation vulnerabilities to use this attack against any machine with RDP enabled over Wi-Fi.
Zinar’s colleague, Eyal Karni, notes that customers can mitigate the flaw by ensuring the Windows firewall is on, because RPC is not enabled by default for any interface.
However, domain admins are particularly vulnerable to this attack until Microsoft’s patch has been installed.
“This is because a rule concerning RPC exists in Domain Controllers that enables any svchost.exe DCOM interfaces. Furthermore, a quick survey found that RDP is the most common way in which domain admins tend to access the DC. In other words, by exploiting this attack, an attacker is likely to gain full control over the domain,” writes Karni.
Microsoft was informed of the issue in August, but needed an extension well beyond the agreed 90-day disclosure timeframe to deliver a fix, according to Preempt’s timeline.
Microsoft has a fix available for every supported version of Windows and Windows Server, but admins will also need to make configuration changes to fully remediate the bug. Microsoft has provided group policy instructions.
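As an added illustration of the two mitigations described above (this is not code from the article, Microsoft or Preempt), the following PowerShell audit reports a host’s CredSSP policy value and Windows Firewall state. The registry location and the meaning of the AllowEncryptionOracle values are taken from Microsoft’s CredSSP remediation guidance (KB4093492), which this article does not quote.

```powershell
# Added example: audit a Windows host for the CredSSP group-policy setting and
# for an enabled Windows Firewall. Run from an elevated PowerShell session.
# Registry path and value meanings are from Microsoft's CredSSP remediation
# guidance (KB4093492); they are not stated in the article above.
$credsspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$valueName  = 'AllowEncryptionOracle'

# Meaning of each policy value, per Microsoft's guidance.
$oracleMeaning = @{
    0 = 'Force Updated Clients (most restrictive; unpatched peers are refused)'
    1 = 'Mitigated (clients refuse to fall back to the insecure CredSSP version)'
    2 = 'Vulnerable (legacy behaviour; the downgrade the article describes remains possible)'
}

function Get-CredSspPosture {
    $prop = Get-ItemProperty -Path $credsspKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # No explicit policy: behaviour depends on the installed update level,
        # so report it as not hardened and let the operator set the policy.
        return [pscustomobject]@{ Setting = 'Not configured'; Value = $null; Hardened = $false }
    }
    $v = [int]$prop.$valueName
    [pscustomobject]@{
        Setting  = if ($oracleMeaning.ContainsKey($v)) { $oracleMeaning[$v] } else { "Unknown value $v" }
        Value    = $v
        Hardened = ($v -eq 0 -or $v -eq 1)
    }
}

function Get-FirewallDisabledProfiles {
    # Enabled is a GpoBoolean (True/False/NotConfigured); only 'True' counts as on.
    Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' } | Select-Object -ExpandProperty Name
}

$posture = Get-CredSspPosture
'CredSSP {0}: {1}' -f $valueName, $posture.Setting
if (-not $posture.Hardened) {
    Write-Warning 'CredSSP policy is not hardened: install the update and apply the group policy setting.'
}

$fwOff = @(Get-FirewallDisabledProfiles)
if ($fwOff.Count -gt 0) {
    Write-Warning ('Windows Firewall is not enabled on profile(s): ' + ($fwOff -join ', '))
} else {
    'Windows Firewall is enabled on all profiles.'
}
```

Both checks report only; changing the policy value is a group-policy change that should follow Microsoft’s instructions so that patched and unpatched clients and servers remain interoperable.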