I wrote a blog post three years ago about a virtual epidemic that was in the news — WannaCry. Most of the post focused on multi-layered security and how to be prepared for the unexpected. After all, you never know when the next attack will come or what form it will take.
I wrote that “IT security is like a disease that cannot be cured — you can only carefully treat it and hope that it will never hit any of your vital organs. Prevention, emergency planning, and recovery are more important than ever.” This is true especially in times like now, when IT personnel are busy trying to keep the business running and security personnel are busy trying to keep their assets secure while enabling employees to work from home. Not only are security teams stretched to their limits, but the users they support are more likely to fall victim to phishing attacks.
Threat actors are currently divided on using the coronavirus as bait. While some feel it’s morally wrong to exploit it, others see a unique opportunity. Some ransomware operators have said they won’t target health and medical organizations (see responses from some of these gangs). Monopoly Market has even banned sellers claiming to have a cure or vaccine.
But hackers are taking an economic hit because of the COVID-19 pandemic, and the dark web is a rational place. After prices skyrocketed in 2019 (phishing kit prices were up 149 percent), a lot of marketplaces started offering deep discounts on attack tools and COVID-19 “specials.” Microsoft has reported that while they haven’t seen an increase in attack volume, they have seen a quick switch to COVID-19-based attacks: “Every country in the world has seen at least one COVID-19 themed attack. The volume of successful attacks in outbreak-hit countries is increasing, as fear and the desire for information grows”.
For many attackers, this is only the beginning. Now is a good time to launch phishing campaigns with the goal of planting back doors in companies that have had to transition quickly to support remote work. They lie in wait, because a successful breach is an investment they can exploit later.
EternalDarkness/SMBGhost Privilege Escalation (CVE-2020-0796)
Threat actors often try to exploit SMB vulnerabilities. One reason? They’re easy to “wormify,” allowing for quick, scalable attacks that are mostly executed on their own, without much effort from attackers. SMB vulnerabilities should be considered high-severity threats, and security teams should prioritize them.
As a quick reminder, both Conficker (MS08-067) from 2008 (still the second-most popular module in Metasploit) and EternalBlue (MS17-010) from 2017 (the core of the WannaCry and NotPetya epidemics) fell into this category.
EternalDarkness, or SMBGhost, is the latest remote code execution vulnerability affecting the Microsoft SMB protocol; it was first reported in March 2020. While it is harder to exploit successfully because of various OS security improvements and the SMBv3.1.1 requirement, a local privilege escalation PoC has already been publicly released (GitHub). Once PoC code is available, vulnerabilities are often rapidly weaponized. The vulnerability affects both SMB servers and SMB clients.
You can read more in the CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability security advisory from Microsoft. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available.
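The advisory’s advice is to patch, and the first thing a security team needs is to know which hosts still need it. The script below is an added example and is not code from the Citrix post, from Bitdefender or from Microsoft; it triages one Windows host for CVE-2020-0796 exposure and optionally applies Microsoft’s interim server-side workaround. The affected build numbers (18362 for 1903, 18363 for 1909), the patched revision (UBR 720, delivered by KB4551762) and the DisableCompression registry value are taken from Microsoft’s advisory as I recall it, not from the post, so confirm them against the current advisory before relying on the output. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the Citrix post): triage a Windows host for CVE-2020-0796 exposure.
# Assumptions (from Microsoft's advisory, not from the post; verify against the advisory):
#   affected builds 18362 (1903) and 18363 (1909), fixed at revision (UBR) 720 by KB4551762,
#   and the LanmanServer DisableCompression=1 workaround for the SMB server side.

function Get-SmbGhostExposure {
    [CmdletBinding()]
    param(
        # Windows 10 / Server builds affected by CVE-2020-0796.
        [int[]] $AffectedBuilds = @(18362, 18363),
        # Revision (UBR) at or above which the fix is present on those builds.
        [int]   $PatchedUbr     = 720
    )

    # Build and revision straight from the registry; CurrentBuildNumber + UBR is the "18362.720" style string.
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuildNumber
    $ubr   = [int]$ver.UBR

    # SMB server state and whether the compression workaround has already been applied.
    $smb    = Get-SmbServerConfiguration
    $lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $compressionDisabled = ($null -ne $lanman -and $lanman.DisableCompression -eq 1)

    $affectedBuild = $AffectedBuilds -contains $build
    $patched       = (-not $affectedBuild) -or ($ubr -ge $PatchedUbr)

    # The combination the update and the workaround are meant to remove: an affected, unpatched
    # build with the SMB2/3 server enabled and compression still on.
    $exposed = $affectedBuild -and (-not $patched) -and [bool]$smb.EnableSMB2Protocol -and (-not $compressionDisabled)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = "$build.$ubr"
        AffectedBuild       = $affectedBuild
        Patched             = $patched
        Smb2ServerEnabled   = [bool]$smb.EnableSMB2Protocol
        CompressionDisabled = $compressionDisabled
        Exposed             = $exposed
    }
}

function Set-SmbCompressionWorkaround {
    # Microsoft's interim workaround: disable SMBv3 compression on the server side.
    # Reversible (remove the value) and not a substitute for installing the update.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $path -Name DisableCompression -Type DWORD -Value 1 -Force
}

$status = Get-SmbGhostExposure
$status | Format-List
if ($status.Exposed) {
    Write-Warning 'Host is exposed: install the update; apply Set-SmbCompressionWorkaround until it is installed.'
}
```

Two caveats worth keeping in mind when you run this across a fleet: the workaround only protects the SMB server role, so a client that connects to a malicious server is still exposed until the update is installed; and the UBR check is tied to the March 2020 fix level, so a later cumulative update will pass it as expected, but a build that is not in the affected list is reported as not affected rather than verified.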
As with EternalBlue (the exploit used as an initial attack vector by WannaCry, which we tested and blocked a whole month before WannaCry was even created), BlueKeep, and other past high-profile exploits, we have confirmed with our friends at Bitdefender that Hypervisor Introspection (HVI) on Citrix Hypervisor stops EternalDarkness. It enables third-party security companies to leverage memory introspection techniques from a hypervisor-layer security appliance. Partners such as Bitdefender can integrate with Citrix Hypervisor and work with the raw memory and without any in-guest (VM) agents. Bitdefender HVI detects techniques rather than detecting patterns, which means that it can prevent even unknown attacks and exploits.
We first used the above-mentioned PoC code and executed the privilege escalation attack on an unprotected, unpatched Windows 10 version 1903. The exploit successfully triggered the bug in the SMB driver, achieved code execution, and used a code-injection technique to provide a Command Prompt shell with elevated privileges.
We repeated the exercise with Hypervisor Introspection (HVI) enabled. HVI prevented the attack by blocking the code-injection technique that the attack requires in order to succeed. No updates to HVI were needed, because code injection is detected as a baseline attack technique. The conclusion is that HVI once again provides true zero-day prevention.
Check out this demo of HVI in action:
You can read more about secure browsing architecture with Citrix Virtual Apps and Desktops with HVI protection in our white paper on secure browsing.
Summary
IT security is like a disease that cannot be cured — you can only carefully treat it and hope that it will never hit any of your vital organs. Prevention, emergency planning, and recovery play critical roles, and it is important to focus on them before the attack occurs, not after. Having a security framework that covers all your applications and data, from old legacy systems to the latest and greatest SaaS/web apps, is critical to protecting your most valuable assets.
Zero trust security and Citrix Workspace can help you build solutions that cater to all types of devices, support access to all types of applications and data, and are delivered across all types of networks. Learn more today!
Citrix Tech Bytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.