Month: May 2017

You're allowed to WannaCry now as it's not over!

Friday is typically a day when everyone's thoughts are on the weekend: time to relax, time to escape from work for two precious days. Friday 12th May 2017 was not one of those days. That Friday the RansomWare game was changed; enter "WannaCry".

As this particular Friday unravelled, computer systems around the world were being taken down, from Telefonica in Spain to the NHS in the UK and FedEx in the US. My own first thoughts when I saw on the news that the NHS was facing major systems outages due to a new RansomWare strain were, first, "oh great, another variant" and, second, "I wonder how it got in and spread so quickly; it almost looks like a coordinated attack given how much of the NHS has been hit". News about it spread quickly, the name for this new malware was out, "WannaCry" (also known as "WCry" and "WannaDecrypt0r"), and by the evening everyone had heard of it.

WannaCry is just the payload: once that payload is delivered the target system is encrypted and a message is displayed ordering you to pay to get your files back, so the payload itself is a pretty standard form of RansomWare. The intriguing part is the delivery system, which makes use of the EternalBlue exploit from the NSA toolkit released last month; via this exploit the payload can be spread to nearly any Windows device on the same network as the infected machine. Using EternalBlue the malware scans heavily over TCP port 445 (Server Message Block/SMB) and spreads like a worm: it compromises hosts, encrypts the files stored on them and demands a ransom payment in Bitcoin, all the while scanning and spreading further, so the payload moves quickly around the network with no admin credentials required. An important note is that the malware is not just able to spread via internal networks but also to externally facing hosts across the internet.

WannaCry primarily utilizes the EternalBlue exploit but uses it in conjunction with the DoublePulsar backdoor. EternalBlue is used for the initial exploitation of the SMB vulnerability; if that succeeds, the DoublePulsar backdoor is implanted, which in turn is used to install the malware. Microsoft had released security patches for all Operating Systems currently in support and extended support back in March. Although this resolves the EternalBlue exploit, it does not necessarily mean you are protected, as WannaCry is designed so that if the EternalBlue exploit fails it proceeds to check whether the target already has the DoublePulsar backdoor installed. That could have been installed prior to the patch by another hacker, even the NSA, since this was originally part of their hacking toolkit before ShadowBrokers publicly released it.

On Friday evening the first variant was halted by a British security researcher, MalwareTechBlog, who after analysing some of the code found it pointed to an unregistered domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com) and so decided to buy the domain and sinkhole it. Now maybe I am pessimistic, but upon hearing this I immediately thought one thing: "it's not over, this is just the start". Over the weekend I started to gather more and more information on this to understand it. The logical next step for the WannaCry creators is to change the kill-switch or to remove it entirely; without a kill-switch this would be a complete nightmare for all sysadmins around the world.

Throughout the weekend security researchers have been working to get hold of samples to break them down and understand them. One researcher from France, who uses the Twitter handle @benkow_, discovered a new variant, WannaCrypt0r 2.0, and sent it on to another IT security researcher, Matthieu Suiche, for an in-depth analysis. Upon analysing it, Matthieu again discovered a kill-switch, but this one linked to another domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com). Matthieu has since added a post to his blog explaining how he found it and registered the domain.

Working with MalwareTech, Matthieu transferred this additional domain to MalwareTech’s sinkhole, to which MalwareTech posted the below to Twitter.

“Thanks to @benkow_ who found what looks like a new ‘kill switch’ domain and @msuiche who registered it and transferred it to our sinkhole.”

Earlier I thought "it's not over" and it appears I might be right. The predictions that the fast-spreading WannaCry RansomWare would quickly evolve to get around its domain-based kill switch were everywhere, and, well… the predictions are starting to come true: we are already seeing reports of different domain names being used, and a few where researchers have claimed to have found samples without any kill-switch whatsoever (these researchers have since backtracked and it looks like they might not have been using a fresh sample from the wild). I still believe that the kill-switch will be removed; it might not be done by the original creators but by a copycat group, but the exploits and code are out there so it's just a matter of time.

Taking down these kill-switches is just a temporary measure; one should expect new variants to be released, and as such security measures should be implemented now to prevent falling victim later.

  1. Do not open an unknown email
  2. Do not download files from an unknown email
  3. Do not click files from an unknown email
  4. Avoid visiting malicious sites
  5. Do not download software and apps from a third-party store/website
  6. Enable "Show hidden file extensions" and only open a file if it's the extension you expect
  7. Apply any pending software updates and keep them up to date
  8. Make sure you are using a reputable security suite/Anti-Virus
  9. Back up your data on a regular basis
  10. Use System Restore to get back to a known-clean state

What additional steps should Microsoft users take?

Microsoft Windows is the ultimate target of this cyber attack, since WannaCry exploits a security flaw within the SMB protocol. To mitigate the risk, patch MS17-010 should be applied urgently if it has not been already; to aid in this, please find below the direct links to each download from Microsoft:

  • Windows XP SP3 – //download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe
  • Windows Vista x86 – //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu
  • Windows Vista x64 – //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
  • Windows 7 x64 – //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
  • Windows 7 x86 – //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu
  • Windows 8 – //download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu
  • Windows 8.1 – //download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu
  • Windows 10 – //download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x64_e805b81ee08c3bb0a8ab2c5ce6be5b35127f8773.msu
  • Windows 2003 x86 – //download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe
  • Windows 2003 x64 – //download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
  • Windows 2008 – //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
  • Windows 2008R2 – //download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
  • Windows 2012 – //download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu
  • Windows 2012R2 – //download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu
  • Windows 2016 – //download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu
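As an added check written for this post (not part of the original article), the PowerShell below audits a host against the points above: whether one of the MS17-010 packages in the download list is installed, whether the SMBv1 server protocol is still enabled, and whether TCP 445 is listening. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later for the SMB and TCP cmdlets; the KB numbers are the ones from the list above.

```powershell
# Added example, not from the original post: audit a Windows host for the
# MS17-010 state discussed above. Run in an elevated PowerShell.
# KB numbers are taken from the download list above. On Windows 10 / Server
# 2016 later cumulative updates supersede these KBs, so a miss there is a
# hint, not proof, that the host is unpatched.
$Ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012213', 'KB4012214',
                'KB4012606', 'KB4013429')

function Test-Ms17010Exposure {
    # Returns one object summarising the three checks.
    $result = [ordered]@{
        Ms17010KbPresent = $null   # which listed KB (if any) is installed
        Smb1Enabled      = $null   # $true if the SMBv1 server is still on
        Port445Listening = $null   # $true if something listens on TCP 445
    }

    # 1. Is one of the MS17-010 hotfixes from the list installed?
    $hit = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $result.Ms17010KbPresent = if ($hit) { $hit.HotFixID -join ', ' } else { 'none found' }

    # 2. Is SMBv1 still enabled? (Get-SmbServerConfiguration exists on
    #    Windows 8 / Server 2012 and later; older hosts report 'unknown'.)
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $result.Smb1Enabled = 'unknown'
    }

    # 3. Is TCP 445 (the port the worm scans) listening on this host?
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listen

    [pscustomobject]$result
}

$state = Test-Ms17010Exposure
$state | Format-List

# Mitigations if the audit is not clean (apply after patching).
if ($state.Smb1Enabled -eq $true) {
    Write-Warning 'SMBv1 is enabled; disable it unless a legacy client still needs it:'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
if ($state.Port445Listening) {
    Write-Warning 'TCP 445 is listening; make sure it is blocked at the perimeter and, where possible, by the host firewall.'
}
if ($state.Ms17010KbPresent -eq 'none found') {
    Write-Warning 'No MS17-010 KB from the list found; confirm via Windows Update history before assuming the host is patched.'
}
```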

WannaCRY and the DoublePulsar Exploit

As many saw yesterday, the NHS faced a major outage, and they were not alone: yesterday saw a mass outbreak of a new strain of RansomWare called "WannaCRY" (aka #WanaCypt0r aka #WCry). It may act like normal RansomWare (in the sense that it encrypts all your files and demands a ransom) but it does not necessarily get into systems the way we have seen before.

On April 14th, 2017 some of you may have seen that the group "Shadow Brokers" released a collection of tools that the NSA was using for hacking and taking unrestricted control of systems around the world; they had tried to auction this off last year but were unsuccessful and so chose to release it to all. Within this collection of tools is one that has enabled yesterday's global attack. It has been dubbed "EternalBlue" and uses the SMBv1 and SMBv2 protocol; when paired with "DoublePulsar" (also in the NSA toolkit), DoublePulsar can inject DLLs into the target system, enabling the attacker to take full control of it. To see how it works check out this link.

This is a very serious attack vector and Microsoft did release a patch for it on March 14th (before Shadow Brokers released the tools to all); the Microsoft patch is MS17-010, a breakdown of which can be found here.

Given the seriousness of this attack vector it is imperative to ensure that all of your business and personal Windows devices are patched and up to date. Microsoft has also released patches last night for some EOL (End of Life) Operating Systems to try and minimise the risk to customer systems. The EOL devices added to receive these patches are Windows Server 2003 (SP2 x64 / x86); Windows XP (SP2 x64, SP3 x86); Windows XP Embedded (SP3, x86); as well as the 32-bit and 64-bit versions of Windows 8.

Extract from Microsoft Statement: “Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download. This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.”

MalwareTech has also released a blog post explaining how he stopped WannaCRY in its tracks; to read it follow this link.


Install VMWare ESXi 6 as a Nested VM in Hyper-V

Windows Server 2016 is out and has been for a while now, and as more people delve into it they will notice some new features lurking in the background. One of the less obvious new features is Nested VMs; what this means is that you can run a Hypervisor inside a virtual machine.

Some of you may wonder why anyone would want to run a Hypervisor inside another Hypervisor; a couple of scenarios spring to mind quite quickly:

  1. You may provide hosting services and a customer requests a Hyper-V (or ESXi) server; rather than use another physical server you could allocate the resources on one of your servers and give them access to the virtual hypervisor, thus giving them a secluded space to make and delete VMs freely without any risk of them affecting your Virtual Infrastructure.
  2. Another, as was the case for me: I needed to test something on a Mac to confirm compatibility. Not having one to hand, I decided a VM would be a simple solution, but I needed an ESXi, so I decided to spin up an ESXi server as a VM inside one of my Hyper-V servers. This enabled me to quickly confirm my query without needing to find spare hardware to spin up a physical ESXi box.

As you can see there could be some uses for Nested VMs, although I think it will take time to be adopted… even for non-production systems. When I went to set up this ESXi server I struggled initially to find a guide that was readily available and simple to follow, so I have decided to share what I've learnt below:

Prerequisites:

  1. A Hyper-V Host:
    1. A Hyper-V host running Windows Server 2016 or Windows 10 Anniversary Update.
    2. A Hyper-V VM running Windows Server 2016 or Windows 10 Anniversary Update (yes, you can do Nested Virtualization inside Nested Virtualization…).
    3. A Hyper-V VM with configuration version 8.0 or greater.
    4. An Intel processor with VT-x and EPT technology.
  2. Enable-NestedVM.ps1 – A PowerShell script for enabling Nested Virtualization in a Hyper-V VM. Click here to get the file from the Microsoft team on GitHub.
  3. VMWare PowerCLI installed – I used 6.3 release 1, which I downloaded from here. (Note: you will need a VMWare account; if you don't have one then you can sign up here.)
  4. ESXi-Customizer-PS.ps1 – A PowerShell script that will download the ESXi 6.0 ISO and inject the required network driver into it for you. I downloaded it from here.

To make things simpler, if you keep all three items in the same working folder (mine is "C:\NestedESXi\") it may be easier to follow my guide, but of course that is totally up to you.

Phase 1 – Preparing ESXi ISO with Injected Drivers:

On a stock install the ESXi kernel doesn't support the "Microsoft Virtual Network Adapter" or indeed the "Legacy Network Adapter"; however, as the Legacy Adapter emulates a DECchip 21140 (net-tulip), we can inject that driver into the ISO, giving ESXi the ability to use the Legacy Network Adapter.

  1. Install VMWare PowerCLI (simple Next, Next, Next).
  2. Open a PowerShell window.
  3. Navigate to your working directory, in my case:
    CD C:\NestedESXi\
  4. Once in the working directory, execute the following (Note: the script version may have changed, so double-check the filename ESXi-Customizer-PS-v2.5.ps1 against the one you downloaded):
    .\ESXi-Customizer-PS-v2.5.ps1 -v60 -vft -load net-tulip
  5. After a few minutes the ISO will have been downloaded and the net-tulip driver inserted into it, making it ready to use; the ISO is placed in the folder that you ran the script from (in my case C:\NestedESXi\).

Phase 2 – Creating the VM

  1. In Hyper-V Manager go to create a new Virtual Machine.
  2. Choose what you want to name it and make sure the location is where you want the ESXi VM to be stored, then click Next.
  3. Select Generation 1 and click Next.
  4. Set the Memory to at least 4096MB and uncheck "Use Dynamic Memory for this Virtual Machine", then click Next.
  5. Don't configure networking now, just click Next, since we need to use the Legacy Adapter, which can only be selected after the initial config wizard.
  6. Select Create a new virtual hard disk and set the Size to 10GB (this is just going to be the boot disk for the ESXi Hypervisor), click Next.
  7. Select "Install an Operating System from a bootable CD/DVD-ROM" and browse to the ESXi ISO that is in your working directory from Phase 1.
  8. Click Next and then Finish to create the VM.
  9. Right-click the new Virtual Machine and select Settings.
  10. Navigate to the Processors tab and change the allocated number of Virtual Processors (it needs to be at least 2).
  11. Select the existing Network Adapter and click Remove.
  12. Select the Add Hardware tab, select Legacy Network Adapter, then Add.
  13. Select the relevant Virtual Switch so that the ESXi has network access.
  14. Click OK.

The majority of the VM configuration is now complete, we just need to enable the Nested Virtualization Extensions for the VM and then we can move onto configuring the ESXi itself.


Phase 3 – Enabling Nested Virtualization

  1. Open a PowerShell console.
  2. Enter the following commands (adjusting the vmName to match the name of your Virtual Machine; in my case the name is "NestedESXi"):
    CD C:\NestedESXi\
    .\Enable-NestedVm.ps1 -vmName 'NestedESXi'

  3. Enter Y when asked to confirm any of the changes (Note: the Y is case sensitive).
  4. The Virtual Machine is now ready to have ESXi installed into it.
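The Hyper-V side of Phases 2 and 3 can also be scripted. The following is an added example written for this post; it is not Microsoft's Enable-NestedVm.ps1 and not part of the original guide. It assumes an elevated PowerShell on Windows Server 2016 or Windows 10 Anniversary Update with the Hyper-V module, that the customised ISO from Phase 1 is the only .iso file in the working folder, and that you replace the placeholder switch name with one of your own.

```powershell
# Added example (not the original post's script): create the Generation 1
# ESXi guest from Phase 2 and enable nested virtualization as in Phase 3.
# Assumptions: elevated PowerShell, Hyper-V module present, the net-tulip
# ISO from Phase 1 is the only *.iso in $WorkDir, and $SwitchName names an
# existing virtual switch (placeholder value below).
$VmName     = 'NestedESXi'
$WorkDir    = 'C:\NestedESXi'
$SwitchName = 'External Switch'   # placeholder: use your own vSwitch name

$iso = Get-ChildItem -Path $WorkDir -Filter '*.iso' | Select-Object -First 1
if (-not $iso) { throw "No ISO found in $WorkDir; run Phase 1 first." }

# Phase 2, steps 1-8: Gen 1 VM, 4 GB static memory, 10 GB boot disk.
$vm = New-VM -Name $VmName -Generation 1 -Path $WorkDir `
             -MemoryStartupBytes 4GB `
             -NewVHDPath (Join-Path $WorkDir "$VmName.vhdx") -NewVHDSizeBytes 10GB
Set-VMMemory -VMName $VmName -DynamicMemoryEnabled $false

# Nested virtualization needs configuration version 8.0 or newer.
if ([version]$vm.Version -lt [version]'8.0') {
    throw "VM configuration version $($vm.Version) is too old; 8.0+ required."
}

# Step 10: at least two virtual processors.
Set-VMProcessor -VMName $VmName -Count 2

# Steps 11-13: swap the default synthetic adapter for a Legacy
# (DECchip 21140) adapter that the injected net-tulip driver can use.
Get-VMNetworkAdapter -VMName $VmName | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $VmName -IsLegacy -SwitchName $SwitchName

# Step 7: mount the customised ISO and boot from the CD first.
$dvd = Get-VMDvdDrive -VMName $VmName
if (-not $dvd) { $dvd = Add-VMDvdDrive -VMName $VmName -Passthru }
$dvd | Set-VMDvdDrive -Path $iso.FullName
Set-VMBios -VMName $VmName -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

# Phase 3: expose VT-x/EPT to the guest and allow MAC spoofing so the
# nested hypervisor's own VMs can reach the network through this adapter.
Set-VMProcessor -VMName $VmName -ExposeVirtualizationExtensions $true
Set-VMNetworkAdapter -VMName $VmName -MacAddressSpoofing On

Get-VM -Name $VmName | Select-Object Name, Version, ProcessorCount, State
```

Enable-NestedVm.ps1 performs the same two Phase 3 settings interactively; running both is harmless.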


Phase 4 – Initial Boot of ESXi Virtual Machine

  1. Start up the ESXi Virtual Machine and make sure you're connected to it so you can see the ESXi boot screen.
  2. Quickly press Tab.
  3. Add ignoreHeadless=TRUE to the Boot Options.
  4. Press Enter.
  5. The ESXi installation process will now start.
  6. After a few minutes the VMWare ESXi 6 Installer will start up.
  7. You can now go through the ESXi installation process.
  8. You may receive a warning during the installation process; you can ignore it.
  9. The installation process will begin.
  10. Once the ESXi installation has completed you will see a completion message.
  11. Make sure the ESXi Installation ISO is ejected prior to rebooting the Virtual Machine.
  12. Press Enter to reboot the VM.

Phase 5 – Configure the ESXi Boot Options to persistently use “ignoreHeadless=TRUE”

The last thing we need to do is to set the ESXi VM to persistently use the “ignoreHeadless=TRUE” so that you do not experience any boot issues.

  1. When the ESXi machine reboots, quickly press SHIFT-O to set the boot options.
  2. Add ignoreHeadless=TRUE to the Boot Options.
  3. Press Enter to boot up the ESXi host.
  4. Once the ESXi has booted up, press F2.
  5. Enter the root login credentials that were set during the ESXi installation process.
  6. Select Troubleshooting Options and press Enter.
  7. Select Enable ESXi Shell and press Enter.
  8. Press ALT+F1 to bring up the console.
  9. Enter your root credentials.
  10. Enter the following command:
    esxcfg-advcfg --set-kernel "TRUE" ignoreHeadless

  11. Press ALT+F2 to return to the main ESXi screen.

The ignoreHeadless=TRUE setting is now persistent and will be applied at every boot without manual intervention.

There you have it: a fully functional ESXi host running inside a Hyper-V server. Of course Microsoft does support running Hyper-V inside another Hyper-V, but neither Microsoft nor VMWare formally supports running an ESXi server in a nested environment (at least at present), so this should not be used for any production purposes; hopefully, though, this has opened some eyes to a hidden feature which hasn't received much publicity. Hyper-V may finally be catching up to the VMWare party after joining exceptionally late; who knows what features Microsoft is looking at for future releases.

How To: Stop SQL Server Reporting Services from using Port 80 by default

Problem

SQL Server Reporting Services uses port 80 by default on any server it’s installed on.

This can be rather annoying, since SQL Server is quite often installed alongside other web services or applications that also use the default HTTP port 80.

Solution

At first I thought, ah great, time for a Google, but it's actually a surprisingly easy process:

  • Log on to the server that hosts SQL Reporting Services.
  • Navigate to Start > Programs > SQL Server 2008 R2 > Configuration Tools > Reporting Services Configuration Manager
  • Connect to the SQL instance in question (usually your local server)
  • Go to the “Web Service URL” section
  • Change the TCP port to an open port other than port 80 (I changed mine to 8080) and hit “Apply”
  • Go to the “Report Manager URL” section
  • Click “Advanced”
  • Click the entry with a TCP port of 80 and then click the “Edit” button.
  • Change the “TCP Port” entry to the same thing you changed it to in the “Web Service URL” section previously and Click “OK”.
  • Click “OK” again.