Microsoft's Strike on Cybercriminals and SFX Backdoor - April 1st-April 7th - This Week in Security

Hello Everyone, this week your editor is Dharminder.

I am back again with another edition of This Week in Security. This week I have looked at a study on how fast an AI-powered tool can crack any password, hackers using SFX archives for a stealthy backdoor, and Microsoft's strike on cybercriminals.

We at F5 SIRT invest a lot of time in understanding the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So the next time you are facing a security emergency, please contact F5 SIRT.

OK, so let's get started with the details of this week's security news.

 

A study on AI’s ability to crack passwords

We have all been hearing a lot about AI and its capability to do various things. The latest addition to that list is cracking passwords.

A recent study published by Home Security Heroes shows that the password cracking tool PassGAN can crack 51% of all common passwords in less than one minute, 65% in less than an hour, 71% in less than a day, and 81% in less than a month. The reason behind such speed is that, instead of having to run manual password analysis on leaked password databases, PassGAN is able to “autonomously learn the distribution of real passwords from actual password leaks.”

 

Here are the stats produced by Home Security Heroes on how much time it takes to crack the password using AI.

The result is really alarming. In my opinion, the time has come for all applications to enforce passwords which:

  • Use at least 15 characters.
  • Have at least two letters (upper and lower-case), numbers, and symbols in the password.
  • Avoid obvious password patterns, even if they have all the required character lengths and types.

Users should also follow best practices such as:

  • Use 2FA/MFA
  • Avoid re-using passwords across accounts
  • Use auto-generated passwords when possible
  • Change passwords regularly, especially for sensitive accounts

https://www.homesecurityheroes.com/ai-password-cracking/

https://leedaily.com/2023/04/10/ai-at-cracking-passwords/

Stealthy backdoor using self-extracting archives (SFX)

CrowdStrike has recently observed that hackers are using SFX archives to install a backdoor on the target system. Before we look at the exploit, let’s understand SFX files.

SFX, or self-extracting, archives are executable files that extract the data packed inside them. They do not require any utility to extract the package on the target system, which makes distributing archives easy. SFX files can be password-protected to prevent unauthorized access, which is a common practice for protecting important files. Along the same lines, hackers are also using password-protected SFX files in their exploits. During its investigation and research, CrowdStrike observed that, to lay the foundation, the hacker had abused utilman.exe functionality using stolen credentials to launch a password-protected SFX file that had been planted before utilman.exe was abused.

Since the utilman utility executes before user login, abusing this functionality helped the attacker bypass system authentication. Interestingly, the password-protected SFX file executed by utilman in the exploit contained only an empty text file; the real motive was hidden in WinRAR's setup options. WinRAR has a feature called setup options where you can define which commands to run before or after extraction. The hacker used this feature to run powershell.exe, cmd.exe and taskmgr.exe.

Because the SFX archive could be run from the logon screen, the adversary effectively had a persistent backdoor that could be accessed to run PowerShell, Windows command prompt and task manager with NT AUTHORITY\SYSTEM privileges, as long as the correct password was provided. As per CrowdStrike, this type of attack is likely to remain undetected by traditional antivirus software that is looking for malware inside of an archive (which is often also password-protected) rather than the behavior from an SFX archive decompressor stub.

So far we have seen how the exploit works, but it is equally important to understand the options for combating it. Here are some of the tips provided by CrowdStrike.

  1. Examine SFX archives through unarchiving software or other tools to view any potential scripts or executables that are set to extract and run upon execution.
  2. Look beyond what is contained within an SFX archive, and examine the functionality provided by the SFX archive decompressor stub itself to identify any commands that will be run either during, before or after successful extraction.
  3. Develop a process to validate if a password-protected SFX archive contains malicious or suspicious content.
  4. Thoroughly examine any SFX archive that contains only a null-byte file for any added functionality.
  5. Wherever possible, use installed unarchiving software to extract or view an SFX archive rather than running the SFX archive itself. Because the archive exists as an overlay, it can also be carved out from the executable using a hex editor if required.
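
As an added example (not from CrowdStrike or the original post), the Python sketch below applies tips 1, 2 and 5 statically: it finds where the PE overlay starts, locates the RAR marker so the archive can be carved, and lists any `Setup=`/`Presetup=` SFX script directives it can read as plain text. It assumes the SFX script comment is stored unencrypted and uncompressed; `overlay_offset`, `triage_sfx` and `build_sample` are hypothetical names, and the sample bytes are constructed.

```python
import re
import struct

RAR_MAGICS = (b"Rar!\x1a\x07\x01\x00", b"Rar!\x1a\x07\x00")  # RAR5, RAR4 markers
# WinRAR SFX script directives that start a program before/after extraction.
DIRECTIVE = re.compile(rb"^\s*(Presetup|Setup)=(.+?)\s*$", re.I | re.M)

def overlay_offset(pe: bytes) -> int:
    """File offset of the overlay: first byte past the last section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    end = 0
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def triage_sfx(pe: bytes) -> dict:
    """Locate the appended archive and list run-on-extract directives, without executing."""
    off = overlay_offset(pe)
    overlay = pe[off:]
    hits = [overlay.find(m) for m in RAR_MAGICS if m in overlay]
    cmds = [(k.decode(), v.decode(errors="replace"))
            for k, v in DIRECTIVE.findall(overlay)]
    return {"overlay_offset": off,
            "rar_offset": off + min(hits) if hits else None,  # carve from here
            "commands": cmds}

def build_sample() -> bytes:
    """Constructed stand-in for an SFX: minimal PE headers, one section, then overlay."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x200)
    image = (dos + coff + sect + b"\0" * 16).ljust(0x200, b"\0") + b"\x90" * 0x10
    script = b";constructed SFX script\r\nSetup=powershell.exe\r\nSilent=1\r\n"
    return image + RAR_MAGICS[0] + script

if __name__ == "__main__":
    print(triage_sfx(build_sample()))
```

When `commands` is empty but `rar_offset` is set, carve from that offset and open the result with installed unarchiving software to read the archive comment.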

 

https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/

https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-powershell-without-being-detected/

 

Microsoft's legal strike on cybercriminals abusing security tools

These days, one of the most common types of attack is ransomware. Cobalt Strike is one of the tools commonly used by attackers after obtaining initial access to a target environment, to escalate privileges, move laterally across the network, and carry out other related malicious activities.

Cobalt Strike is a legitimate and popular post-exploitation tool for adversary simulation, provided by Fortra. Attackers use cracked versions of Cobalt Strike to launch destructive attacks.

As per Microsoft, the ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world. These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments, just to name a few. The government of Costa Rica and the Irish Health Service Executive are a few known examples.

 

To counter such attacks, Microsoft’s Digital Crimes Unit (DCU), Fortra and the Health Information Sharing and Analysis Center have come together. This time, instead of targeting the command and control channel, they are taking technical and legal action to remove cracked, legacy copies of Cobalt Strike and abused Microsoft software that are being used to distribute malware. Fortra has vetted legitimate security practitioners and is also helping its customers determine license compromise. Apart from that, Fortra has adapted the security controls in the Cobalt Strike software to eliminate the methods used by hackers to crack older versions of Cobalt Strike.

In my opinion, this is a very good initiative. I am hoping that more and more companies will take such initiatives to make environments safe and secure.

https://blogs.microsoft.com/on-the-issues/2023/04/06/stopping-cybercriminals-from-abusing-security-tools/

https://thehackernews.com/2023/04/microsoft-takes-legal-action-to-disrupt.html

 

Published Apr 12, 2023
Version 1.0
  • Really nice article, Dharminder!

    On the subject of password strength, I think I'd be fine with 12+ mixed case letters - I'm not going to be around in ~300 years.. of course there is the argument that compute speed is going to continue to improve, and 289 years could quickly become 5 minutes but then where do you draw the line? 2Bn years could become a week, etc.. I think it's too soon to say how fast crack time is going to decrease.

    One thing that is indisputable though - 8 characters with a mandate for a single number and punctuation character definitely isn't enough in 2023.

  • Thanks Aaron, you are absolutely correct. We don't know how fast things can change; that's the only reason I mentioned 15 days, so that some buffer is there, in case things change faster than expected. 😊