Microsoft fixes the recent ALPC zero-day in time for September 2018 Patch Tuesday

Last week a security researcher known on Twitter as SandboxEscaper decided to go out with a bang by revealing a zero-day affecting Windows operating systems in a tweet rather than submitting a bug report to Microsoft. SandboxEscaper additionally posted a link to a proof-of-concept on GitHub, just in case anyone doubted the vulnerability.

The zero-day was in turn verified by US-CERT (KB article here), and Microsoft said in a statement to The Register that it would “proactively update impacted devices as soon as possible.”

The zero-day is in the Microsoft Windows Task Scheduler, specifically the SchRpcSetSecurity API, which contains a vulnerability in how it handles Advanced Local Procedure Call (ALPC). The flaw allows an authenticated user to overwrite the contents of a file that should be protected by filesystem ACLs, which in turn can be leveraged to gain SYSTEM privileges. The vulnerability has since been incorporated into a current malware distribution campaign by the cyber-criminal group known as PowerPool.

Now let’s get to today: Microsoft has released its September instalment of patches, and this batch contains 62 important fixes, the most notable being the ALPC zero-day, tracked as CVE-2018-8440.

It is important to note that this vulnerability is being actively exploited and there is no “official” mitigation, so the only Microsoft-approved fix is to apply the patch as soon as possible. If you want the direct download links or links to the relevant KB articles, please find them below.





Product, KB number and update type:

Windows 10 for 32-bit Systems: 4457132 (Security Update)
Windows 10 for x64-based Systems: 4457132 (Security Update)
Windows 10 Version 1607 for 32-bit Systems: 4457131 (Security Update)
Windows 10 Version 1607 for x64-based Systems: 4457131 (Security Update)
Windows 10 Version 1703 for 32-bit Systems: 4457138 (Security Update)
Windows 10 Version 1703 for x64-based Systems: 4457138 (Security Update)
Windows 10 Version 1709 for 32-bit Systems: 4457142 (Security Update)
Windows 10 Version 1709 for x64-based Systems: 4457142 (Security Update)
Windows 10 Version 1803 for 32-bit Systems: 4457128 (Security Update)
Windows 10 Version 1803 for x64-based Systems: 4457128 (Security Update)
Windows 7 for 32-bit Systems Service Pack 1: 4457144 (Monthly Rollup), 4457145 (Security Only)
Windows 7 for x64-based Systems Service Pack 1: 4457144 (Monthly Rollup), 4457145 (Security Only)
Windows 8.1 for 32-bit systems: 4457129 (Monthly Rollup), 4457143 (Security Only)
Windows 8.1 for x64-based systems: 4457129 (Monthly Rollup), 4457143 (Security Only)
Windows RT 8.1: 4457129 (Monthly Rollup)
Windows Server 2008 for 32-bit Systems Service Pack 2: 4458010 (Monthly Rollup), 4457984 (Security Only)
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation): 4458010 (Monthly Rollup), 4457984 (Security Only)
Windows Server 2008 for Itanium-Based Systems Service Pack 2: 4458010 (Monthly Rollup), 4457984 (Security Only)
Windows Server 2008 for x64-based Systems Service Pack 2: 4458010 (Monthly Rollup), 4457984 (Security Only)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation): 4458010 (Monthly Rollup), 4457984 (Security Only)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1: 4457144 (Monthly Rollup), 4457145 (Security Only)
Windows Server 2008 R2 for x64-based Systems Service Pack 1: 4457144 (Monthly Rollup), 4457145 (Security Only)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation): 4457144 (Monthly Rollup), 4457145 (Security Only)
Windows Server 2012: 4457135 (Monthly Rollup), 4457140 (Security Only)
Windows Server 2012 (Server Core installation): 4457135 (Monthly Rollup), 4457140 (Security Only)
Windows Server 2012 R2: 4457129 (Monthly Rollup), 4457143 (Security Only)
Windows Server 2012 R2 (Server Core installation): 4457129 (Monthly Rollup), 4457143 (Security Only)
Windows Server 2016: 4457131 (Security Update)
Windows Server 2016 (Server Core installation): 4457131 (Security Update)
Windows Server, version 1709 (Server Core Installation): 4457142 (Security Update)
Windows Server, version 1803 (Server Core Installation): 4457128 (Security Update)

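
To make that table actionable across a fleet, here is an added PowerShell example (not from the original post or from Microsoft) that maps a machine’s Windows build number to the KB numbers listed above and reports whether one of them is installed. The build-number mapping and the function name Test-Cve20188440Patch are my own assumptions; the KB numbers are taken from the table.

```powershell
# Added example, not part of the original post. Maps the local (or a remote)
# machine's Windows build number to the September 2018 KBs listed in the table
# above and reports whether one of them is installed. The build numbers are an
# assumption based on public Windows version information.

$ExpectedKbs = @{
    '10240' = @('KB4457132')               # Windows 10 (original release)
    '14393' = @('KB4457131')               # Windows 10 1607 / Windows Server 2016
    '15063' = @('KB4457138')               # Windows 10 1703
    '16299' = @('KB4457142')               # Windows 10 1709 / Windows Server, version 1709
    '17134' = @('KB4457128')               # Windows 10 1803 / Windows Server, version 1803
    '9600'  = @('KB4457129', 'KB4457143')  # Windows 8.1 / Server 2012 R2: Monthly Rollup or Security Only
    '9200'  = @('KB4457135', 'KB4457140')  # Windows Server 2012
    '7601'  = @('KB4457144', 'KB4457145')  # Windows 7 SP1 / Server 2008 R2 SP1
    '6002'  = @('KB4458010', 'KB4457984')  # Windows Server 2008 SP2
}

function Test-Cve20188440Patch {
    [CmdletBinding()]
    param(
        # Remote queries use WMI over DCOM (works without WinRM on older hosts);
        # on PowerShell 7 swap Get-WmiObject for Get-CimInstance.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $os    = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $build = [string]$os.BuildNumber

    if (-not $ExpectedKbs.ContainsKey($build)) {
        return [pscustomobject]@{
            ComputerName = $ComputerName
            OS           = $os.Caption
            Build        = $build
            ExpectedKB   = $null
            InstalledKB  = $null
            Patched      = $null
            Note         = 'Build not in the September 2018 table above; check manually'
        }
    }

    $wanted = $ExpectedKbs[$build]
    # Get-HotFix lists installed updates by KB id; on the older platforms either the
    # Monthly Rollup or the Security Only package carries the CVE-2018-8440 fix.
    $installed = @(Get-HotFix -ComputerName $ComputerName |
                   Where-Object { $wanted -contains $_.HotFixID } |
                   Select-Object -ExpandProperty HotFixID)

    $note = if ($installed.Count -gt 0) { 'CVE-2018-8440 fix present' }
            else { 'Install one of the listed KBs and reboot' }

    [pscustomobject]@{
        ComputerName = $ComputerName
        OS           = $os.Caption
        Build        = $build
        ExpectedKB   = ($wanted -join ' or ')
        InstalledKB  = ($installed -join ', ')
        Patched      = ($installed.Count -gt 0)
        Note         = $note
    }
}

# Usage: check this machine, or a list of hosts read from a file (one name per line).
Test-Cve20188440Patch | Format-List
# Get-Content .\hosts.txt | ForEach-Object { Test-Cve20188440Patch -ComputerName $_ } | Format-Table -AutoSize
```

Because the check keys off the build number rather than the marketing name, a host whose version is not in the table (for example a newer Windows 10 build) is reported as “check manually” rather than silently passed.
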
An Easy Guide For How To Mitigate Spectre And Meltdown

Are you stuck trying to understand how to protect your devices or company against Spectre and Meltdown? Well you are unfortunately not alone. This article should help clear it up though.

Ever since the two vulnerabilities nicknamed Spectre and Meltdown, affecting multiple CPUs dating back to 1995, were leaked a few weeks back, vendors have been rushing to release patches and updates to mitigate the issue.

This initial flood of patches has not been smooth: there have been a lot of incompatibility issues and plenty of finger pointing and frustration. To help clear up some misconceptions, I’ve put the following guide together. It walks through the major updates to operating systems and browsers, explaining how they address Meltdown and/or Spectre, what they specifically don’t address, and any known compatibility or performance issues that have been reported.

Meltdown and Spectre – What are they?

Before we dive in, here’s a quick explanation of what Meltdown and Spectre are all about.

Meltdown (CVE-2017-5754)

Meltdown is a vulnerability affecting CPUs that allows a user program to access privileged kernel-mode memory. It affects all out-of-order execution Intel processors released since 1995, with Itanium and pre-2013 Atoms being the only exceptions. A list of vulnerable ARM processors and mitigations is available here. No AMD processors are affected by Meltdown.

Out of the two vulnerabilities, Meltdown is the easier one to fix, and can most commonly be addressed by applying an Operating System update.

Spectre (CVE-2017-5753, CVE-2017-5715)

Spectre is better understood as a whole new class of attack rather than a single standard vulnerability. It is enabled by the unintended side effects of speculative execution, which is what processors do to achieve higher speeds: they make assumptions about what they will be asked to compute next and the likely results, so that when the request arrives the answer is hopefully already available, or at least already being worked on.

There are two variants of Spectre: the first (bounds check bypass, CVE-2017-5753) and the second (branch target injection, CVE-2017-5715). Both variants can potentially allow attackers to extract information from other running processes (for example, stealing login cookies from web browsers).

AMD, ARM and Intel processors have all been reported vulnerable to Spectre to varying degrees, and this poses significant patching problems. While operating system and browser updates have helped mitigate the risk of Spectre to some degree, many experts agree the only true fix is a hardware update. As such, Spectre is likely to remain an issue for many years to come.

Source: SANS / Rendition Infosec. See the full presentation here

It’s important to note that both vulnerabilities are information disclosure issues. Neither allows remote code execution – in other words, they don’t allow attackers to run malware.


Operating System updates

Windows updates

Microsoft’s process for its security update addressing Meltdown and Spectre has been a bit of a roller-coaster, tainted by incompatibility issues with anti-virus software and AMD processors. In some scenarios the deployment of the 2018-01 security update has had to be put on hold or restricted altogether.

More details and direct download links to the updates below:

  • Windows 10
  • Windows 8 and Windows Server 2012
  • Windows 7 and Windows Server 2008

What the Microsoft Patches address:

  • Spectre variant 1, bounds check bypass (CVE-2017-5753)
  • Meltdown, rogue data cache load (CVE-2017-5754)

The original security update did not provide the Meltdown mitigation for 32-bit (x86-based) OSes.
Microsoft advisory regarding 32-bit: The 32-bit update packages listed in this advisory fully addressed CVE-2017-5753 and CVE-2017-5715, but did not provide protections for CVE-2017-5754 at this time. Microsoft continued to work with the affected chip manufacturers and has now released an additional security update to address/mitigate CVE-2017-5754 for 32-bit OSes: KB4073291.

What they don’t address:

  • Currently the second variant of Spectre, branch target injection (CVE-2017-5715) – at present firmware updates are required to fully address Spectre variant 2.

Known issues:

  • Anti-Virus compatibility: the January security update is only offered to machines on which the following registry key has been set; Microsoft asked anti-virus vendors to set it once they had confirmed their products were compatible with the update:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD" Data="0x00000000"

This resulted in a lot of initial confusion across the sector, which was not helped by the anti-virus companies all providing different updates, or simply going silent: some were setting the registry key for their customers while others asked users to set it themselves. The situation only gets more complicated when you consider that many organisations have more than one anti-virus solution to maintain.

Should you use one of Microsoft’s own solutions; Microsoft clarified that Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are all compatible with the update and that they do set the registry key.

This means that if you have one of those built-in Microsoft protections enabled, the registry key should be set automatically and no further manual action should be necessary. However, if you use a third-party anti-virus, one of two things happens. If Microsoft officially recognises the anti-virus software, Windows Defender and Microsoft Security Essentials are turned off, so your third-party anti-virus will need its own update to set the key. If Microsoft does not officially recognise your anti-virus, Windows Defender or Microsoft Security Essentials will set the registry key even though your third-party anti-virus may not support the update, which could mean blue screen issues.

Kevin Beaumont has created a spreadsheet to keep track of the anti-virus vendors and whether they set this key.


To manually add the registry key and obtain the update now, you can enter the following into a command prompt window (as admin) and then run Windows Update (this site does not accept any liability for any issues that could arise as a result, and would recommend you contact Microsoft and your AV provider before doing this):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v "cadca5fe-87d3-4b96-b7fb-a231484277cc" /t REG_DWORD /d "0x00000000" /f

  • AMD compatibility issues: As initially reported at The Verge, Microsoft had received numerous reports of PCs running AMD processors getting into a boot loop after installing the latest Windows security update. After some investigation, the company confirmed that there were issues and temporarily stopped delivering the update to AMD devices. If you are affected by the AMD incompatibility with the Windows update, you will need to visit Microsoft’s support site for details on getting your machine(s) back up and running. Microsoft announced on the 18th January that it will resume rolling out patches for AMD devices running Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, and the latest version of Windows 10, 1709. Updates for four older versions of Windows 10 – 1511, 1607, and 1703 – are still on hold, as are updates for Windows Server 2016 and Windows 10 Enterprise.
  • Group or MDM policy configurations may be disabling updates: According to Microsoft, if you have Group or MDM policy settings configured to disable preview builds, your machines may not be receiving updates (see what those settings are here). To fix that, Microsoft recommends temporarily changing Group/MDM policy settings to “Not Configured” and changing them back once the updates have been installed.
  • Performance implications: Just as with the other operating systems, patches addressing Meltdown and Spectre are expected to cause a varied but generally minor change in performance. In a blog post, Microsoft Executive VP Terry Myerson explained that the impact of the fixes can vary depending on factors such as the version of Windows running and the age of the machine:
    • Windows 10 on circa-2016 PCs with Skylake, Kabylake, or newer CPU: Single-digit slowdowns, which most users shouldn’t notice.
    • Windows 10 on circa-2015 PCs with Haswell or older CPU: Slowdown can be more noticeable. Some users may notice a decrease in performance.
    • Windows 8 or Windows 7 on circa-2015 PCs with Haswell or older CPU: Most users will likely notice a decrease in  performance.
    • Windows Server (any CPU): Mitigations to isolate code within a Windows Server instance result in a more significant performance impact, but as above it will very much depend on the workload and the age of the hardware. According to Myerson, “This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance trade-off for your environment.”

Enabling protections for Windows Server

Microsoft has also advised Windows Server customers that they need to take the additional step of adding the following registry keys in order to enable patch protections.

To enable the fix:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f 

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


If this is a Microsoft Hyper-V host and the firmware updates have been applied, you will need to fully shut down all virtual machines, as the mitigation will not take effect until each VM’s next boot. When you restart the host, shut down all virtual machines first and then restart the host; do not “Save” or “Pause” a VM across the reboot, since the VM has to boot from scratch for the mitigation to take effect.

To disable this fix:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f


Again you will need to fully restart the Hyper-V host and Virtual Machines for this change to take effect. (Note there is not any requirement to change MinVmVersionForCpuBasedMitigations to disable the mitigations.)

Microsoft also notes that for Hyper-V hosts, live migration between patched and un-patched hosts may fail. The company also points to an alternative protection mechanism you can use on hosts that don’t have updated firmware yet.
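
The reg add lines above are the whole procedure, but on more than a handful of servers it helps to see the state before and after the change, and to check the anti-virus compatibility value from the earlier section at the same time. The following PowerShell is an added example (not from the original post or from Microsoft) that reads and sets exactly the values the post lists; the function names Get-SpectreMitigationState and Set-SpectreMitigationState are my own.

```powershell
# Added example, not part of the original post. Reads and sets the registry
# values the post lists above (the reg add lines do the same job); wrapping
# them in functions lets you report the state before and after the change.
# Function names are my own. Run from an elevated PowerShell.

$MemMgmt       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Virt          = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$QualityCompat = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$AvCompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # anti-virus compatibility value from the post

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty throws when the key or value is absent; report that as $null.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-SpectreMitigationState {
    $override = Get-RegValueOrNull $MemMgmt 'FeatureSettingsOverride'
    $mask     = Get-RegValueOrNull $MemMgmt 'FeatureSettingsOverrideMask'
    $minVm    = Get-RegValueOrNull $Virt    'MinVmVersionForCpuBasedMitigations'
    $avKey    = Get-RegValueOrNull $QualityCompat $AvCompatValue

    # Decode the pair exactly as the post describes it: 0/3 enables, 3/3 disables.
    $state = if     ($mask -eq 3 -and $override -eq 0) { 'Enabled (Override=0, Mask=3)' }
             elseif ($mask -eq 3 -and $override -eq 3) { 'Disabled (Override=3, Mask=3)' }
             elseif ($null -eq $mask -and $null -eq $override) { 'Not configured (OS default)' }
             else   { "Unrecognised combination (Override=$override, Mask=$mask)" }

    [pscustomobject]@{
        ComputerName                       = $env:COMPUTERNAME
        AvCompatKeyPresent                 = ($null -ne $avKey)   # the update is only offered when this is True
        FeatureSettingsOverride            = $override
        FeatureSettingsOverrideMask        = $mask
        MinVmVersionForCpuBasedMitigations = $minVm
        ServerMitigations                  = $state
    }
}

function Set-SpectreMitigationState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enable', 'Disable')]
        [string]$Action,
        [switch]$HyperVHost   # also sets MinVmVersionForCpuBasedMitigations, as the post's enable step does
    )
    $override = if ($Action -eq 'Enable') { 0 } else { 3 }

    # Set-ItemProperty creates the value if it does not exist yet; the Memory Management key always exists.
    Set-ItemProperty -Path $MemMgmt -Name 'FeatureSettingsOverride'     -Value $override -Type DWord
    Set-ItemProperty -Path $MemMgmt -Name 'FeatureSettingsOverrideMask' -Value 3         -Type DWord

    if ($Action -eq 'Enable' -and $HyperVHost) {
        if (-not (Test-Path $Virt)) { New-Item -Path $Virt | Out-Null }
        Set-ItemProperty -Path $Virt -Name 'MinVmVersionForCpuBasedMitigations' -Value '1.0' -Type String
    }

    Write-Warning 'Restart the host before relying on this; on Hyper-V, shut down (do not save or pause) every VM first.'
    Get-SpectreMitigationState
}

# Usage: report first, then change and report again.
Get-SpectreMitigationState | Format-List
# Set-SpectreMitigationState -Action Enable -HyperVHost | Format-List
```

The disable path deliberately leaves MinVmVersionForCpuBasedMitigations alone, matching the note above that it does not need to change when the mitigations are turned off.
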

Additional guidance from Microsoft:

Verifying new Windows protections are enabled:

To help confirm whether updates have been implemented correctly Microsoft has provided a PowerShell script that system administrators can run to test Meltdown and Spectre mitigations.

The following command will install the PowerShell module:

PS > Install-Module SpeculationControl

Note: There are a couple of requirements for running this command. First, you’ll need to be running PowerShell with admin privileges and may need to adjust the execution policy. Also, the Install-Module command was introduced in PowerShell 5.0. Most Windows 7 machines will not have this version, because the PowerShell upgrades are optional and unrelated to security. A device with an older version of PowerShell can still run the “Get-SpeculationControlSettings” function, but only if you obtain the contents of the script and run it ad hoc.

Once installed, the following command will run the test to check your system:

PS > Get-SpeculationControlSettings

The output will look something like this:

Results for Spectre protections

The first group – “Speculation control settings for CVE-2017-5715 [branch target injection]” – refers to the protections in place for the Spectre vulnerability. If the value for “Windows OS support for branch target injection mitigation is present” is “True” then the Windows security update has been successfully installed.

The other red text in that section confirms that more complete mitigation for Spectre requires firmware updates, which Intel has said it is in the process of rolling out. According to the company, updates for more than 90 percent of its processor products should be available by the end of next week.

Results for Meltdown protections

The second group – “Speculation control settings for CVE-2017-5754 [rogue data cache load]” – refers to the protections in place for the Meltdown vulnerability. If you see the following results and no red lines then you’ve confirmed the Windows security update has been successfully implemented and the machine is protected:

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True

Test results confirming successful mitigation of the Meltdown vulnerability

If you see any red lines in this section then that means the update has not been successfully applied. For more details on interpreting the PowerShell script output, Microsoft has a full results key here.
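
Reading red and green text is fine for one machine but not for a fleet. As an added example (not from the original post or from Microsoft’s module), the following PowerShell wraps Get-SpeculationControlSettings and applies the criteria described above to the object it returns, producing a pass/fail summary with a suggested next step. The property names (BTIWindowsSupportPresent, KVAShadowRequired and so on) are those the SpeculationControl module exposes on its return object; treat them as an assumption to verify against the module version you install, and the function name is mine.

```powershell
# Added example, not part of the original post or of Microsoft's module.
# Runs Get-SpeculationControlSettings and evaluates its returned object against
# the criteria described above. Property names are assumed to match the
# SpeculationControl module; confirm with: Get-SpeculationControlSettings | Get-Member

function Get-SpeculationControlSummary {
    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        throw 'Get-SpeculationControlSettings not found: Install-Module SpeculationControl (PowerShell 5+) or dot-source the script first.'
    }

    # The module also prints its own coloured report to the console; the object is what we evaluate.
    $s = Get-SpeculationControlSettings

    # Spectre variant 2 (CVE-2017-5715). The post's check for the Windows update is
    # "Windows OS support for branch target injection mitigation is present" = True;
    # full protection additionally needs hardware (firmware) support and the mitigation enabled.
    $osPatch  = [bool]$s.BTIWindowsSupportPresent
    $firmware = [bool]$s.BTIHardwarePresent
    $v2Active = [bool]$s.BTIWindowsSupportEnabled

    # Meltdown (CVE-2017-5754). The post's success case is all four KVA shadow lines True.
    # If the hardware does not require KVA shadowing (e.g. AMD) there is nothing to enable.
    $kvaRequired = [bool]$s.KVAShadowRequired
    $kvaPresent  = [bool]$s.KVAShadowWindowsSupportPresent
    $kvaEnabled  = [bool]$s.KVAShadowWindowsSupportEnabled
    $meltdownOk  = (-not $kvaRequired) -or ($kvaPresent -and $kvaEnabled)

    $actions = @()
    if (-not $osPatch)                                       { $actions += 'install the Windows security update' }
    if ($osPatch -and -not $firmware)                        { $actions += 'apply the vendor firmware/microcode update for Spectre v2' }
    if ($osPatch -and $firmware -and -not $v2Active)         { $actions += 'Spectre v2 mitigation present but disabled (check FeatureSettingsOverride on servers)' }
    if ($kvaRequired -and -not $kvaPresent)                  { $actions += 'Meltdown: OS support missing, install the update' }
    if ($kvaRequired -and $kvaPresent -and -not $kvaEnabled) { $actions += 'Meltdown: support present but not enabled (check FeatureSettingsOverride on servers)' }
    if ($actions.Count -eq 0)                                { $actions += 'none' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SpectreV2_OsPatch   = $osPatch
        SpectreV2_Firmware  = $firmware
        SpectreV2_Active    = $v2Active
        Meltdown_HwAffected = $kvaRequired
        Meltdown_Mitigated  = $meltdownOk
        Meltdown_PcidOpt    = [bool]$s.KVAShadowPcidEnabled   # performance optimisation, not a security requirement
        Actions             = ($actions -join '; ')
    }
}

# Usage: locally, or fan out with PowerShell remoting to hosts that already have the module.
Get-SpeculationControlSummary | Format-List
# Invoke-Command -ComputerName (Get-Content .\servers.txt) -ScriptBlock ${function:Get-SpeculationControlSummary} | Format-Table -AutoSize
```

The Actions column is the point of the exercise: it separates “the OS patch is missing” from “the OS patch is in but firmware is not” and from “everything is installed but a server-side registry setting has it switched off”, which the raw report leaves you to infer from which lines are red.
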

MacOS and iOS updates

Apple included mitigations to address Meltdown in its macOS 10.13.2 and iOS 11.2 updates released in December. They have since followed up with additional mitigations addressing the Spectre vulnerability with the recently released macOS High Sierra 10.13.2 Supplemental Update and iOS 11.2.2 update.

What they address:

  • Meltdown (CVE-2017-5754)
  • Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent

What they don’t address:

  • Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent
    Apple says its latest updates to MacOS, iOS, and Safari overall help to mitigate the risk of Spectre being exploited, however the company acknowledges it will be continuing to develop and test further mitigations.

No reported issues



Browser updates

Security researchers have been advising that the most likely exploitation of Spectre is web-based attacks using JavaScript (for example, in a malicious ad) to leak information, session keys and the like cached in the browser. Given this, Google, Mozilla, Apple, and Microsoft have all either issued or scheduled new updates for their browsers to reduce that risk.

What browser updates address:

  • Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent

What browser updates don’t address:

  • Meltdown (CVE-2017-5754)
    You will still need to apply Operating System updates to mitigate Meltdown.


Google has announced it will be including the mitigations for Spectre starting with Chrome 64, which will be released on or around January 23. For the time being, Chrome users are advised to enable site isolation, which can help prevent the possibility of one site stealing data from another site.


Mozilla has already issued Firefox version 57.0.4, which helps address Spectre by disabling or reducing Firefox’s internal timer functions and disabling the SharedArrayBuffer feature. Firefox users can take additional precaution by enabling site isolation, as well.


Apple has released Safari 11.0.2 to specifically mitigate the effects of Spectre.

IE and Edge

Microsoft has made changes to both Internet Explorer 11 and Microsoft Edge to mitigate Spectre. In addition to removing support for SharedArrayBuffer from Edge, it has made changes to reduce the precision of several time sources to make successful attacks more difficult.


Firmware updates

Operating system and browser updates only partially mitigate Meltdown and Spectre. UEFI firmware and BIOS updates are also required to mitigate them further. If and when updates will be pushed out varies from vendor to vendor, adding yet another layer of complexity, uncertainty and frustration to patching. In practice, you may only obtain the updates by proactively checking with your PC/server manufacturer periodically over the coming days or weeks.


Intel has released new Linux Processor microcode data files that can be used to add Meltdown and Spectre mitigations without having to perform a BIOS update.

Intel promised firmware updates for 90 percent of the affected processors made in the past five years by the 15th January. So far it looks as though they are on track, and it now rests on the downstream vendors/distributors to complete testing and deployment to their respective customer bases. These microcode fixes apply to a specific list of processors, provided here.

The microcode updates can be obtained directly from Intel, and Bleeping Computer has provided instructions and a video example to help walk admins through the install process here. It should be noted that some issues have already been reported with the updates, specifically around unwanted reboots. Intel initially confirmed that machines with Broadwell and Haswell CPUs were experiencing that issue, but later acknowledged that machines running newer processors were affected as well.

Windows users need to wait until Microsoft finalizes testing the microcode and releases an additional update to add in these further mitigations.

Known issues:

  • Older Intel Broadwell and Haswell CPUs experiencing sudden reboots: Intel has confirmed they have received reports of some glitches resulting from the firmware update on systems running Intel Broadwell and Haswell CPUs.
  • Newer Intel CPUs also experiencing sudden reboots: Intel has confirmed the firmware update is causing machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake processors to suffer from sudden reboots too.
  • Performance impact: Information regarding the potential performance implications of these updates has been inconsistent; however, Intel has most recently said the patches are slowing processors down by six percent in certain situations. Intel has shared more details on performance impact for specific workloads in a chart you can find here.

NOTE: Intel has currently requested that customers stop installing its firmware update; it is aware of the issue and is working on a resolution.


AMD has officially acknowledged that its processors are vulnerable to both variants of Spectre, but denies being vulnerable to Meltdown. While AMD says that OS patches are sufficient to mitigate the first variant of Spectre, it has also started rolling out optional microcode updates as of last week; the initial fixes are focused on the Ryzen and EPYC processors.

Known issues:

  • Windows OS update compatibility issues: As first reported at The Verge, Microsoft had received numerous reports of PCs running AMD processors getting into a boot loop after installing the latest Windows security update. After some investigation, the company confirmed that there were issues and temporarily stopped delivering the update to AMD devices. Affected users needed to visit Microsoft’s support site for instructions on getting their machines back up and running. Microsoft announced on the 18th January that it will resume rolling out patches for AMD devices running Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, and the latest version of Windows 10, 1709. Updates for four older versions of Windows 10 – 1511, 1607, and 1703 – are still on hold, as are updates for Windows Server 2016 and Windows 10 Enterprise.


Right now the priority is not to stress and not to rush out and deploy every update you can find; instead, take a step back, assess the situation and work out how you can best mitigate these vulnerabilities. At present I would concentrate on operating system and browser updates, provided your anti-virus is up to date. The firmware updates are fresh and seem to be experiencing more issues, so I would hold off on them a little longer while the dust settles and you can be reassured of their stability. As always, remember to test before mass deployment and make sure you have a proven, restorable backup to revert to in case you encounter any issues.

Fresh information surrounding Meltdown and Spectre is coming out every day, so there is likely much more to come. I will be following closely and providing updates as soon as possible.

Microsoft Newly Launched $250,000 Bug Bounty

With major security flaws in the news more and more, it may come as no surprise that technology companies are looking to invest more in defensive technologies and endeavour to maintain a high standard of security. Following this path, Microsoft has now unveiled the new Windows Bounty Program. It includes all features of the Windows Insider Program and further introduces a heightened focus on products such as Windows Defender and the Microsoft Edge browser, with the top bounty of $250,000 going to Hyper-V.

“Since 2013, we have launched multiple bounties for various Windows features. Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.”

The program will pay out between $500 and $250,000 USD depending on the type of bug identified, with the aim of finding any critical- or important-class remote code execution, elevation of privilege, or design flaws that could compromise a customer’s privacy and security.

Microsoft is not alone in enhancing its monetary incentives: Facebook chief security officer Alex Stamos announced earlier this week that Facebook is increasing its Internet Defense Prize to $1 million USD, a ten-fold increase over what it was offering last year, when it awarded just $100,000 in prizes.

Windows 365! Is it time for a subscription based OS?

There have long been rumours that Microsoft may have plans for a subscription model that would encompass more than its Office suite. When Windows 10 was still in beta testing there was a buzz surrounding how Microsoft would price the new operating system, and many surmised that, with Microsoft leaning towards a subscription-based service on other key product lines, it was only natural for it to move this model onto the core OS as well. As we all know that didn’t happen: Microsoft chose to give away Windows 10 via a free upgrade for consumers. However, that upgrade period has been and gone, and Windows 10 went back to the standard retail pricing of previous incarnations. A few builds later, Microsoft executives were out at the last unveiling explaining the new features we will get to enjoy, but this time it kept being referred to as Windows-as-a-Service.

Windows as a Service: well, we have heard that before. Some people might just say that it’s marketing jargon, but I believe it’s more. Microsoft has now trademarked the term “Windows 365”; does this mean a subscription model is really coming…

For the most part people don’t tend to buy an operating system and instead opt for buying a new computer with a pre-loaded OS ready for them, but for the ones that do buy the OS this could bring some interesting price points and deals into the mix. Microsoft would likely offer a bundle option with its current 365 line, offering Office, OneDrive and the OS together in one neat package, or even a gamer pack where it could pair the OS with an Xbox Live Gold membership and some store credits. Of course, none of us can see Microsoft deciding to offer only this model; rather it would be an additional option for its customers. After all, a low monthly figure is a lot easier than a couple of hundred pounds upfront for an OS.

You’re allowed to WannaCry now as it’s not over!

Friday is typically a day when everyone’s thoughts are on the weekend: time to relax, time to escape from work for a precious two days. Friday 12th May 2017 was not one of those days. That Friday the ransomware game was changed: enter “WannaCry”.

As this particular Friday unfolded, computer systems around the world were being taken down, from Telefonica in Spain to the NHS in the UK and FedEx in the US. My own first thoughts when I saw on the news that the NHS was facing major systems outages due to a new ransomware strain were first “oh great, another variant” and second “I wonder how it got in and spread so quickly; it almost looks like a coordinated attack given how much of the NHS has been hit”. News quickly started to spread about it and the name was out for this new malware, “WannaCry” (also known as “WCry” and “WannaDecrypt0r”), and by the evening everyone had heard of it.

WannaCry is just the payload: once it is delivered, the target system is encrypted and a message is displayed ordering you to pay to get your files back, so the payload itself is a pretty standard form of ransomware. The intriguing part is the delivery system, which makes use of the EternalBlue exploit from the NSA toolkit released last month; via this exploit the payload can be spread to nearly any Windows device on the same network as the infected machine. EternalBlue gives the malware the ability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading like a worm: it compromises hosts, encrypts the files stored on them and demands a ransom payment in Bitcoin, all the while scanning and spreading further, so the payload moves quickly around the network with no admin credentials required. An important note is that the malware is not just able to spread via internal networks but also to externally facing hosts across the internet.

WannaCry primarily utilises the EternalBlue exploit, but it is also used in conjunction with the DoublePulsar backdoor. EternalBlue is used for the initial exploitation of the SMB vulnerability; if that succeeds, the DoublePulsar backdoor is implanted, which in turn is used to install the malware. Microsoft had released security patches back in March for all operating systems currently in support and extended support. Although this resolves the EternalBlue exploit, it does not necessarily mean you are protected, as WannaCry is designed so that if the EternalBlue exploit fails it will proceed to check whether the target already has the DoublePulsar backdoor installed. This could have been installed prior to the patch by another hacker, even the NSA, since this was originally part of their hacking toolkit before ShadowBrokers publicly released it.
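
Two of the behaviours described above are visible from the network side before any ransom note appears: one host opening SMB (TCP 445) to many distinct peers, and a client resolving one of the kill-switch domains. The following PowerShell is an added example (not from the original post) that runs both checks over constructed sample firewall and DNS log lines. The log formats, IP addresses, host names and the fan-out threshold are my own assumptions and will need adapting to your own export format; the two kill-switch domains are the ones named in this post.

```powershell
# Added example, not part of the original post. Two defender-side checks for the
# behaviours described above, run over constructed sample logs: (1) one host
# opening SMB (TCP 445) to many distinct peers, which is how the post describes
# the worm spreading, and (2) DNS lookups of the kill-switch domains named in the
# post. Log formats, addresses and the threshold are assumptions; adapt the
# parsing to your firewall/DNS export format.

# Constructed firewall log: time, source IP, destination IP, destination port, action.
$FirewallLog = @'
2017-05-12T14:01:02 10.0.5.17 10.0.5.20 445 ALLOW
2017-05-12T14:01:02 10.0.5.17 10.0.5.21 445 ALLOW
2017-05-12T14:01:02 10.0.5.17 10.0.5.22 445 DROP
2017-05-12T14:01:03 10.0.5.17 10.0.5.23 445 ALLOW
2017-05-12T14:01:03 10.0.5.17 10.0.5.24 445 DROP
2017-05-12T14:01:03 10.0.5.17 10.0.5.25 445 ALLOW
2017-05-12T14:01:04 10.0.5.17 10.0.5.26 445 ALLOW
2017-05-12T14:01:04 10.0.5.17 10.0.5.27 445 DROP
2017-05-12T14:01:04 10.0.5.17 203.0.113.9 445 ALLOW
2017-05-12T14:01:05 10.0.5.17 10.0.5.20 445 ALLOW
2017-05-12T14:02:11 10.0.5.44 10.0.5.20 445 ALLOW
2017-05-12T14:02:15 10.0.5.44 10.0.5.21 445 ALLOW
2017-05-12T14:02:20 10.0.5.44 93.184.216.34 443 ALLOW
'@ -split '\r?\n'

# Constructed DNS query log: time, client IP, queried name.
$DnsLog = @'
2017-05-12T14:00:58 10.0.5.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T14:03:10 10.0.5.44 www.example.com
2017-05-12T15:22:41 10.0.7.9 ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
'@ -split '\r?\n'

# Kill-switch domains as given (de-fanged) in the post.
$KillSwitchDomains = @(
    'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
)

function Find-Smb445FanOut {
    param([string[]]$Lines, [int]$Threshold = 8)
    # Count distinct destination IPs per source on port 445. Dropped attempts count too:
    # a scanner hits addresses that are not listening, a normal client does not.
    $pairs = foreach ($line in $Lines) {
        if ($line -match '^\S+\s+(?<src>\S+)\s+(?<dst>\S+)\s+445\s+\S+') {
            [pscustomobject]@{ Src = $Matches['src']; Dst = $Matches['dst'] }
        }
    }
    foreach ($group in ($pairs | Group-Object -Property Src)) {
        $distinct = @($group.Group | Select-Object -ExpandProperty Dst | Sort-Object -Unique)
        if ($distinct.Count -ge $Threshold) {
            [pscustomobject]@{
                Source             = $group.Name
                DistinctPeersOn445 = $distinct.Count
                ExternalTargets    = @($distinct | Where-Object { $_ -notlike '10.*' }).Count  # the post notes it spreads to internet-facing hosts too
                Verdict            = 'possible SMB worm scanning; isolate and confirm the March SMB patch is installed'
            }
        }
    }
}

function Find-KillSwitchLookups {
    param([string[]]$Lines, [string[]]$Domains = $KillSwitchDomains)
    # A client that resolves a kill-switch domain has already run the malware: the lookup
    # happens before encryption, so this fires even while the sinkhole is holding it back.
    foreach ($line in $Lines) {
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 3) { continue }
        if ($Domains -contains $parts[2].ToLower().TrimEnd('.')) {
            [pscustomobject]@{ Time = $parts[0]; Client = $parts[1]; Domain = $parts[2]; Verdict = 'WannaCry kill-switch lookup' }
        }
    }
}

Find-Smb445FanOut -Lines $FirewallLog | Format-Table -AutoSize
Find-KillSwitchLookups -Lines $DnsLog | Format-Table -AutoSize
```

With the sample data, 10.0.5.17 is flagged for fan-out (nine distinct peers, one of them external) while 10.0.5.44, which only talks to two file servers, is not; the DNS check surfaces both clients that resolved a kill-switch name. The kill-switch lookup is the more valuable of the two indicators while the sinkhole holds, because it identifies hosts that executed the malware and were only saved by the domain registration.
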

On Friday evening the first variant was halted by a British security researcher MalwareTechBlog  who after analyzing some of the code found it pointed to an unregistered domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com) and so decided to buy the domain and sinkhole it. Now maybe I am pessimistic but upon hearing this I immediately thought one thing “it’s not over, this is just the start”, and over the weekend I started to try to gather more and more information on this to understand it, the logical next step for the WannaCry creators is to change the kill-switch or to remove it entirely, without a kill-switch this would be a complete nightmare for all sysadmins around the world.

Throughout the weekend security researchers have been working to get hold of samples to break them down and understand them. One researcher from France, who uses the Twitter handle @benkow_, discovered a new variant, WannaCrypt0r 2.0, and sent it on to another IT security researcher, Matthieu Suiche, for an in-depth analysis. Upon analyzing it, Matthieu again discovered a kill-switch, but this one linked to another domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com). Matthieu has since added a post to his blog explaining how he found it and registered the domain.

Working with MalwareTech, Matthieu transferred this additional domain to MalwareTech’s sinkhole, to which MalwareTech posted the below to Twitter.

“Thanks to @benkow_ who found what looks like a new ‘kill switch’ domain and @msuiche who registered it and transferred it to our sinkhole.”

Earlier I thought “it’s not over” and it appears I might be right: the predictions that the fast-spreading WannaCry ransomware would quickly evolve to get around its domain-based kill switch were everywhere, and, well… the predictions are starting to come true. We are already seeing reports of different domain names being used, and a few where researchers have claimed to have found samples without any kill-switch whatsoever (these researchers have since backtracked and it looks like they might not have been using a fresh sample from the wild). I still believe that the kill-switch will be removed; it might not be done by the original creators but by a copycat group, but the exploits and code are out there so it’s just a matter of time.
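The two behaviours described above, a host fanning out to many peers on TCP 445 and a lookup of one of the kill-switch domains, are both visible to a defender in firewall and DNS logs. The following is an added example, not code from the original post: it runs two simple checks over constructed sample log lines in a hypothetical format, using the two kill-switch domains named in the post.

```python
import re
from collections import defaultdict

# Kill-switch domains named in the post, in resolvable form.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed sample logs in a hypothetical format:
# firewall "<time> <src> -> <dst>:<port>", dns "<time> <src> query <name>".
FIREWALL_LOG = """\
10:01:02 10.0.0.5 -> 10.0.0.17:445
10:01:02 10.0.0.5 -> 10.0.0.18:445
10:01:03 10.0.0.5 -> 10.0.0.19:445
10:01:04 10.0.0.5 -> 203.0.113.9:445
10:01:05 10.0.0.7 -> 10.0.0.1:445
10:01:06 10.0.0.7 -> 10.0.0.1:445
10:01:07 10.0.0.8 -> 10.0.0.2:80
"""
DNS_LOG = """\
10:01:01 10.0.0.5 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
10:01:09 10.0.0.9 query www.example.com
10:01:10 10.0.0.9 query IFFERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
"""
FW_RE = re.compile(r"^\S+ (\S+) -> (\S+):(\d+)$")
DNS_RE = re.compile(r"^\S+ (\S+) query (\S+)$")


def smb_fan_out(log, threshold=3):
    """Return {src: peers} for sources reaching more than `threshold` distinct hosts on TCP/445."""
    peers = defaultdict(set)  # src -> set of distinct destination hosts on 445
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m and m.group(3) == "445":
            peers[m.group(1)].add(m.group(2))
    return {s: sorted(p) for s, p in peers.items() if len(p) > threshold}


def kill_switch_queries(log):
    """Return (src, domain) pairs for lookups of a kill-switch domain (case and root dot normalised)."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if m:
            name = m.group(2).lower().rstrip(".")
            if name in KILL_SWITCH_DOMAINS:
                hits.append((m.group(1), name))
    return hits
```

A kill-switch lookup from a host is worth treating as a sign the dropper already ran there, whether or not the sinkholed domain resolved.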

Taking down these kill-switches is just a temporary measure; one should expect new variants to be released, and as such security measures should be implemented now to prevent falling victim later.

  1. Do not open an unknown email
  2. Do not download files from an unknown email
  3. Do not click files from an unknown email
  4. Avoid visiting malicious sites
  5. Do not download software and apps from a third-party store/website
  6. Enable “Show hidden file extensions” and only open a file if it’s the extension you expect
  7. Apply any pending software updates and keep them up to date
  8. Make sure you are using a reputable security suite/Anti-Virus
  9. Back up your data on a regular basis
  10. Use System Restore to get back to a known-clean state

What additional steps should Microsoft users take?

Microsoft Windows is the ultimate target of this cyber attack, since WannaCry exploits a security flaw within the SMB protocol. To mitigate the risk, patch MS17-010 should be applied urgently if it has not been already; to aid in this, please find below the direct links to each download from Microsoft:

Windows XP SP3
Windows Vista x86
Windows Vista x64
Windows 7 x64
Windows 7 x86
Windows 8
Windows 8.1
Windows 10
Windows 2003 x86
Windows 2003 x64
Windows 2008
Windows 2008R2
Windows 2012
Windows 2012R2
Windows 2016

WannaCRY and the DoublePulsar Exploit

As many saw yesterday, the NHS faced a major outage, and they were not alone: yesterday saw a mass outbreak of a new strain of ransomware called “WannaCRY” (aka #WanaCypt0r aka #WCry). It may act like normal ransomware (in the sense that it encrypts all your files and demands a ransom), but it does not necessarily get into systems the way we have seen before.

On April 14th, 2017 some of you may have seen that the group “Shadow Brokers” released a collection of tools that the NSA was using for hacking and taking unrestricted control of systems around the world; they had tried to auction this off last year but were unsuccessful, and so chose to release it to all. Within this collection of tools is one that enabled the global attack yesterday. It has been dubbed “EternalBlue” and uses the SMBv1 and SMBv2 protocol; when paired with “DoublePulsar” (also in the NSA toolkit), DoublePulsar can inject DLLs into the target system, enabling the attacker to take full control of it. To see how it works check out this link.

This is a very serious attack vector, and Microsoft did release a patch for it on March 14th (before Shadow Brokers released the tools to all); the Microsoft patch is MS17-010, and a breakdown of it can be found here.

Given the seriousness of this attack vector, it is imperative to ensure that all of your business and personal Windows devices are patched and up to date. Microsoft also released patches last night for some EOL (End of Life) operating systems to try to minimize the risk to customer systems. The EOL platforms added to receive these patches are Windows Server 2003 (SP2 x64 / x86); Windows XP (SP2 x64, SP3 x86); Windows XP Embedded (SP3, x86); as well as the 32-bit and 64-bit versions of Windows 8.

Extract from Microsoft Statement: “Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download. This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.”

MalwareTech has also released a blog post explaining how he stopped WannaCRY in its tracks; to read it, follow this link.