Thanks for subscribing to the HonestRepair Newsletter!
Without further adieu, I am proud to announce the release HRScan2, our own self hosted and open source virus and malware scanning server. HRScan2 harnesses the power of ClamAV and PHP-AV into a no-sql file scanning server that's easy to install and maintain.
In addition HRScan2 I am also introducing the HRScan2-based Quick Scan feature on the HonestRepair website. Much like Quick Convert, the new app with a similar name aims to scan user uploaded files regardless of logged-in status. It also securely deletes uploaded files regularly, so there's no need to worry about infringing on intellectual property when using it. It also serves as a reference installation for HRScan2.
So that's the good news. The bad news is that our featured content (the blog post that premieres in our Newsletter and gets added to the blog afterwards) was supposed to be "Un-Google Your Life - Part II," but the deadline for sending this newsletter is approaching and the project behind the article isn't done yet. Look for it on the HonestRepair Blog before next month's newsletter to catch the sequel. I'll link it in next month's newsletter too, just-in-case.
Atoner (first-person shooter game) - Nothing to report from last time.
HonestRepair Network - Going strong. Bot traffic has been trending up lately. We have tested our website and our apps for vulnerability to a recently disclosed PHP exploid relating to .phar archives and found that no apps on the Valkerie platform (HRCloud2+App Pack, HRConvert2, HRScan2) are vulnerable to this exploit. Additionally our WordPress installation don't seem vulnerable either. Just to be safe I updated HRCloud2 to v2.9.2 which removed .phar archive upload support.
Other Stuff - On a personal note, my refridgerator, washer, and car all died and needed to be replaced this month. That's gotta be some kind of record, right? Luckily all of those things have been sorted out and things are looking much good. Maybe by next month's newsletter I'll have remembered that my refridgerator handle is on the other side of the door now... but probably not. I'll be grabbing for an imaginary door handle for probably the next 8-10 years.
In The News
Snapchat source code somehow wound up on Github this month, with Snapchat submitting a DMCA takedown request to Github with a rambling all-caps message. Source: https://gizmodo.com/snapchat-files-all-caps-dmca-takedown-after-the-source-1828170154
Apple becomes a trillionaire. It's hard to believe that in 1997 Apple was on the verge of bankruptcy and it took a $150m investment from Microsoft to solidify a future for the struggling company. Source: https://www.theguardian.com/technology/2018/aug/02/apple-becomes-worlds-first-trillion-dollar-company
Google can't make up their mind about their role in China. On the one hand, they have an exclusive opportunity to potentially the largest market on Earth. On the other hand, Google would have to give up some of it's core principals to take the plunge. The question on everyone's mind is if Google will censor the truth and adhere to China's strict cyber laws or if they will back out of the deal. Many Googlers have voiced their opposition of the deal, citing the companies slogans including "Don't be evil" and more recently, "Do the right thing." Source: https://www.seattletimes.com/business/economy/behind-the-fight-over-googles-china-project-a-battle-for-the-companys-soul/
Microsoft requested that over 70 domains related to the Russian "Fancy Bear" hacking group be revoked in US court, essentially dismantling many of the groups command and control servers. Microsoft cited targeted spearphishing attempts against US political players as the reason for the legal movements. Source: https://www.wired.com/story/microsoft-russia-fancy-bear-hackers-sinkhole-phishing/
Un-Google Your Life - Part II Coming Soon!
Sorry for the delay. I promise to make this a really, really good one.
Windows Accessibility Tools... For Hackers Too???
Setting The Stage
The hack involves the accessibility tools built into Windows. An attacker with physical access to your machine can abuse them at your Windows logon screen to do pretty much whatever they want. I know what you're thinking, "But if the attacker already has physical access, why bother?"You have a point. Most attackers who have physical access to a machine will be able to gain control over that machine. This is true in almost every scenario. An attacker with physical access can almost always find some workaround to undermine your security. Whether they use a removable devices, brute force attacks, or just plain-old-taking the cover off and making off with the disk drives... You'd be hard pressed to beat an attack when the attacker has your equipment and you don't.
But there are circumstances where a potential attacker has physical access but still lacks the time, privacy, or tools to pull off an attack. Like in prison, where you have to be covert or guards will spot you. Or at work, where your co-workers might ask how you managed to get into the BIOS of a company computer, or at school where the librarian might ask why you're taking her computers apart. These are all places where internal attacks become too risky and/or time-consuming to pull off. The Accessibility Tools hack is one where you need to enter the BIOS of the machine and reboot several times. That takes a while, and although the skill level of the attack is low, it's still a very dangerous proposition to have an attacker with local admin access on your network. Lets setup a sandbox scenario...You're a domain administrator named Bob with 50 machines on your network. Someone has pulled off an Accessibility Tools hack on a machine and has local admin rights whenever they want. They install a keylogger on the machine and forget about it until 3 days later you get a ticket to take a look at the machine because someone can't get into their email. You log on remotely but nothing is broken. You sip your coffee and work up the nerve to go teach this person how to use their email. You make your way to the machine and, without thinking twice, blast your domain admin credentials into their machine in the process of helping them. Now the attacker has your domain admin credentials, and they don't even need physical access anymore.
So, back to the attack. You start off with a USB thumb drive. Install your favorite flavor of Linux Live onto it so you can boot straight into a root shell. I like the Trinity Rescue Kit for this type of thing, because it comes with tons of tools like Windows password resetting, ClamScanning, and tons more.
Next, boot the target machine to the USB stick where you installed Linux. If you have it boot right into a shell, great! If not, get to a shell, and make it root! Next mount the local Windows filesystem somewhere and use cp or rm to get "/Windows/System32/Magnify.exe" out of the way. Then cp or mv "/Windows/System32/cmd.exe" to "/Windows/System32/Magnify.exe." The commands you use depend on stealth/time constraints and how much the you care about putting things back later. You can also use any of the other accessibility tools to achieve the same attack.
Next reboot the machine and load the accessibility tool that you replaced with cmd.exe. You now have a SYSTEM command prompt. Because the file is owned by TrustedInstaller, it's extremely difficult to modify this in a production domain environment with a standard user account, but if you can find a computer with USB ports enabled and an unprotected BIOS this should be relatively easy to pull off.
There are several prerequisites that need to be in-place for this attack to work.
If number 4 from the list above combines with number 1 or 3 then the conditions exist for Accessibility Tool exploits. So the easiest way out of this mess for might just be to flip-the-switch on numbers 1 and 3 using built-in Windows functionality, or disable number 4 either on a standalone machine using the Local Group Policy Editor, or on a domain network using Group Policy Management.
Of course the easiest way isn't always the best way. The Accessibility Tools do provide valuable features. I can't tell you how many times the on-screen-keyboard has helped me fix laptops that took spills, or get around dead keyboard batteries, or diagnose machines with wonky drivers. Group Policy can control which machines get which policies, so it's possible to be selective... but I'd rather just leave them on incase someone needs them. We can figure out a programmatic solution for this problem.
We need to develop a script for detecting this attack. As far as attacks go, this one is pretty noisy. Moving around Windows files in the System32 directory is the hacker equivilent of sticking your head out of the trenches. Since we know specifically which files are going to be affected we should be able to simply diff some hashes and check for file existence to be sure there was no tampering. Other possible metrics to use for tamper detection include filesize caching/diff'ing and date modified caching/diff'ing. By checking, caching, or simply hardcoding a predicted filesize or date modified we can compare the cache or hardcoded data with the current ecosystem. If things aren't exactly the way we left them, we know someone's tampered with the system.
Obviously, like all good programmers, we're going to want to log the results of our script. I like to keep a centralized log location for all my network wide scripts so that I can breeze through it every few hours to spot problems.
Ok, so we have a good idea of how we can detect and keep track of these issues. But how can we stop it? The damage has already been done. We need an administrator to come investigate. A lot of old school Windows script blogs will tell you to use the deprecated Microsoft schemas for sending emails with Windows scripting languages, but I prefer Fake Sendmail For Windows by Byron Jones. It's small, lightweight, and easy to use. Especially programmatically. I like to write my emails to a file and then execute sendmail on the file. That way there's an intrinsic logging process built-in when the script leaves the sent mail message file behind. You will need to download this program and copy all of its files to your project folder.
Now we've detected an exploit in-progress and notified our IT department. We still have an attacker on a vulnerable machine staring down the sights of a loaded root shell with our machine on the receiving end. The only thing we can really do is log what's happening to this machine and shut it down in the attackers face. He can always turn it back on, but it will just power off again once our script executes.
Awesome! Now we've created all of the functionality we need and it's all neatly organized into cohesive functions that we can call. It's now time to write the bread-and-butter of our script. This is going to control the flow of our application and run all of the functions we made in the desired order. Note the conditional statement that executes if one of the Accessibility Tools has been compromised.
The Victory Lap
Now our attacker is a deer in the headlights. He's staring at a broken shutdown loop that he probably realizes he created, and IT is probably on the way. Typically when I write scripts that write data to the log directory I like to add the username that generated the log as well, but in this case that's not possible because the script runs on machine startup, before a user has logged in.
And there you have it! We've just written our own heuristic tool for determining when someone is messing around on our network. You should still seek to password protect the BIOS's in your organization and remove all the boot devices except for the primary OS drive. If possible, consider disabling unpopulated USB ports. If that's impossible without creating mutiny, try to make a script of your own to detect when someone plugs in a USB device. I made one that sends me an email and writes a log whenever someone plugs in a storage device. It could easily be modified to reject certain devices, or quietly scan them in the background for large file changes or sensitive data your business doesn't want exfiltrated. That's a project for another day. When you're an administrator you've got the best team in the entire company on your side.... The equipment. Don't work hard, work smarkt... And make your equipment work hard for you.
Rowley MA, USA
All work licensed under GPLv3.
To change your subscription, click here.