Risk for Windows Archives


Maybe you haven’t really thought a whole lot about your managed IT services? So, far you’ve been able to handle everything. When it breaks…you call someone, and they fix it. But you know it won’t stay that way for long. Your business is growing, and your customers expect and even demand to know that their data is safe and protected. And so, they should. Just as you trust your bank, your credit card company, your health care provider, or your favorite on-line shopping site with your personal and business data. So, what’s causing you to lose sleep at night? What IT challenges have stolen your PEACE OF MIND?

Are these some of your IT challenges that cause you to lose sleep at night?

  • CyberSecurity?
  • What happens if I get hacked?
  • What is the backup plan?
  • Lack of IT knowledge or expertise?
  • Is my software and hardware up-to-date?
  • Are my systems running efficiently?
  • What’s this going to cost?
  • Not enough time?
  • Who’s going to take care of my company’s IT if I don’t
  • Who can I trust?

What Type of Business Owner Are You? And How that Affects Your IT.

There are as many different types of business owners as there are stars in the sky! And no matter what type of business owner you are—none of them are wrong or bad. They’re just different and Spry Squared excels in dealing with different types of business owners and we believe that there is no one-size fits all solution for IT Managed Services.

  • You aren’t an IT expert and don’t want to be
  • You started taking care of your IT when you first started your business, but as the business has grown you have less time to manage it and you may be spread too thin
  • Your IT needs have grown, so you’ve hired either one or two full-time IT employees
  • Your IT needs have exploded, and you have a full-blown IT department

Regardless of what type of business owner you may be, it may be in your best interest to consult with a Managed Services Provider (MSP) to ensure that your business IT needs are where they should be—not only for today, but for future growth as well.

What Does Your IT Department Look Like?

As business owners ourselves…we totally get it! There are only so many hours in a day and what do we want to be spending those hours doing? Doing what we love to do—running our businesses? Doing the hands-on stuff we love to do, getting our hands dirty?  Doing the things that motivated us to start our own business in the first place? Or, are we doing the stuff we don’t like to do, want to do, or enjoy doing?

How Can Spry Squared, Inc. Help with Your IT Needs?

If you’ve made the decision that handling your IT program is beyond your abilities, not worth your time and effort, or if you’re just not sure if it makes financial sense, then contact Spry Squared and we can provide you with a free consultation.

Although we are ultimately an IT Managed Services Provider (MSP), more importantly, we are good listeners! There is no one-size-fits-all solution at Spry Squared. We listen so we can provide the best IT solution for your business, your staff, and your budget.

We understand that technology is changing at the speed of light! Data breaches and ransomware are now the new normal. Software and hardware are constantly being upgraded and updated, sometimes fixing something that is broken, sometimes adding new functionality. Security protocols are coming and going faster than you can keep up.

With over 30 years of Information Technology experience, the IT experts at Spry Squared have seen it all and done it all, from managed services for “mom and pop shops” to IT projects with multi-million dollar IT budgets. No project is too small or too big.

Some Important IT Managed Services Questions to Ask:

  • Is the cloud the best option for my storage needs?
  • Has my operating system been updated?
  • Is my data secure?
  • Is my client’s data secure?
  • Do we have a recovery plan in place?
  • Is my data backed up on a regular basis?
  • Does my staff follow best practices protocol for IT security?
  • Is my network secure?
  • Could my system run more efficiently?
  • Is my business compliant with specific industry standards?
  • Is my IT infrastructure set-up properly to accommodate future growth?

Here’s Why You Need Spry Squared to Evaluate Your IT Needs

As business owners sometimes we overdo it and try to do everything ourselves. But at a certain point, doing everything ourselves is not what is best for the business. Sometimes we overdo it for what seems to be all the right reasons:

  • Nobody else knows my business like I do
  • I’m so busy that I don’t have time to even think about my managed IT services
  • I can’t afford to hire someone to take care of my IT managed services
  • I hired an MSP before and they didn’t meet my expectations
  • My existing MSP is doing okay for now

Here’s How a Managed Services Provider (MSP) Like Spry Squared Can Help

No matter what your level of involvement is in your company’s IT program, Spry Squared has a solution for you.

You aren’t an IT expert and don’t want to be

      • A monthly managed IT services program is a perfect solution
      • After the initial free consultation, we propose a monthly plan that takes care of your immediate IT needs as well as the future needs within your budget
      • We can supplement your monthly plan with project work as the need arises
      • Your monthly plan can include storage, maintenance, patches and updates for hardware and software, security monitoring, data backups and recovery, and antivirus updates

You started taking care of your IT when you first started your business, but as the business has grown you have less time to manage it and you may be spread too thin

      • You understand the benefits of a monthly managed services plan, but may be reluctant to pull the trigger because you believe you can handle it
      • You’re not sure if you can afford to hire an MSP
      • When you’ve had a problem you haven’t been able to fix, you rely on a “break and fix” provider, which is not always timely or cost-effective
      • Another way to consider an MSP for you would be…what can you do for your business with the time you would save?
      • Just as your clients hire you for your expertise, so should you hire an MSP for their IT expertise
      • You may be surprised how cost effective an MSP is versus the cost involved due to a data breach

Your IT needs have grown, so you’ve hired either one or two full-time IT employees

      • As your business grows, so does your IT infrastructure
      • While your existing IT employees may be very competent on a small scale, they may not have the knowledge base and experience to handle the growth of your IT needs
      • Spry Squared can work with your existing IT staff on training and make any upgrades necessary to keep your IT department running efficiently and cost effectively
      • Perhaps you’re not sure if your existing IT staff is doing what they should be. We can suggest upgrades/updates or, in the worst case, we can help you with staffing to find replacements
      • It may be more cost effective to hire an MSP instead of maintaining in-house staff
      • An experienced MSP will usually have a greater depth of knowledge and broader IT experience than an in-house staff

Your IT needs have exploded, and you have a full-blown IT department

      • As your business grows, so do your IT needs and so does your IT staff
      • Spry Squared can provide support for special projects
      • Spry Squared can help with new IT hires, either on a contract basis or direct hire
      • We can provide consulting services to assess your architecture, infrastructure, and strategies
      • We can assist in vendor management

So What are You Really Getting When You Hire an MSP?

There are many services that a managed services provider can offer. But, it really comes down to three simple words:  PEACE OF MIND! Contact us now at 720.724.7730 and we’ll get you on the path to a good night’s sleep!


Businesses Face Increased Risk as Windows 7 End-of-Life Quickly Approaches

The clock is ticking. Support for Windows 7 will officially end on January 14, 2020. That is less than 90 days from now. The Windows 7 end-of-life is significant because it’s a very popular and widely used version of the Windows operating system. Businesses and individuals around the world will be exposed to increased risk from using an unsupported operating system.

Windows 7 End-of-Life

It’s hard to believe, but it’s been nearly 10 years since Microsoft introduced the Windows 7 operating system. That means that official support will expire on January 14, 2020 and Microsoft will no longer issue updates or patches for the OS. On a related side note, support for Office 2010 is also set to expire at the beginning of 2020, so many small and medium organizations may find most of their business conducted using unsupported software on unsupported platforms.

66% of SMB Devices at Risk

There is reason for concern. In our Critical Watch Report: 2019 SMB Threatscape, Alert Logic revealed that 66% of the devices scanned at small and medium business clients are running a Microsoft operating system that will be out of support by January 2020—meaning Windows 7 or older versions of the Windows operating system.

The report explains, “Additionally, there are still a non-trivial number of Windows XP and even 20-year-old Windows NT devices out there. Even if they are not exposed to the internet, these targets make lateral movement relatively easy once a host has been compromised. With the discontinuation of security updates and bug fixes for Windows Server 2008 scheduled for 2020, combined with the SMB trend of holding on to old operating systems, this security issue is likely to get much worse next year.”

The Case for Upgrading

What’s the big deal? Windows 7 is a great operating system. If it still works and it does what you need it to do, why should you invest in upgrading to Windows 10?

That’s a fair question. In fact, as long as Windows 7 is still a supported operating system it is a very reasonable perspective. There are features in Windows 10 that aren’t available in Windows 7, but that’s no incentive if you aren’t interested in those additional capabilities.

Being unsupported changes things. Dramatically.

Microsoft is constantly researching vulnerabilities in the platforms and software it supports, and patches and updates are released on the second Tuesday of each month. Cyber criminals can work backwards from the vulnerability disclosure and the patch to figure out precisely where the flaw is and how to exploit it. There are a lot of shared components between the different versions of Windows, so there’s a good chance that the same (or a very similar) flaw will also exist in Windows 7. You just won’t have a patch to fix it.

Maintaining Compliance

Aside from putting your systems at risk by running unsupported operating systems, there’s also a very good chance that you will violate any compliance frameworks that apply to your business. The various industry guidelines and legislative mandates have unique requirements and directives, but the goal of all of them is to instill some sort of baseline or minimum acceptable security posture. It’s hard to claim to be secure while running operating systems that can’t be patched or updated.

This is just one example, but PCI-DSS requirement 6.2 states:

“Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.”

In other words, if you’re running an unsupported operating system that does not receive patches and updates for known vulnerabilities, you are no longer compliant and may be held accountable if your systems are compromised.

Time to Upgrade

You have less than three months left to upgrade your Windows 7 systems. That’s a daunting task if you haven’t even begun the process, but better late than never. Delaying the effort won’t make it faster or easier.

Of course, this is just one challenge facing small and medium businesses when it comes to cybersecurity. To learn more about the threat landscape and how Alert Logic can help you defend your networks and data, check out the Alert Logic Critical Watch Report: 2019 SMB Threatscape.

About the Author

Tony Bradley

Tony Bradley is Senior Manager of Content Marketing for Alert Logic. Tony worked in the trenches as a network administrator and security consultant before shifting to the marketing and writing side of things. He is an 11-time Microsoft MVP in security and cloud and has been a CISSP-ISSAP since 2002. Tony has authored or co-authored a dozen books on IT and IT security topics, and is a prolific contributor to online media sites such as Forbes and DevOps.com. He has established a reputation for effective content marketing, and building and engaging a community and social media audience.


New Vulnerability, Same Old Tomcat: CVE-2017-12617

by Chris Myers, Barrett Adams | Oct 30, 2017 | Red Teams

Tomcat has been a staple target for penetration testers and malicious actors for years. With ample opportunities to exploit security misconfigurations in the management GUI (tomcat:tomcat….) or technical vulnerabilities, it’s no wonder attackers continue to pay attention to the platform. On top of these issues, Apache Tomcat is often running as a System service, elevating its allure even further.

Despite this scrutiny by security professionals, we continue to see more vulnerabilities discovered. A recent example of this is CVE-2017-12617, in which servers with PUTs enabled are subject to arbitrary JSP file uploads via specially crafted requests. This vulnerability allows an attacker to gain potentially privileged remote code execution on the system. The initial POC can be found here: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542. Since this exploit is fairly straightforward and can give us remote code execution on our engagements, we decided to test it out, then weaponize it in the form of a Metasploit module 🙂

1. The Vulnerable Environment

We first needed a vulnerable version of Tomcat running on a Windows server to test the POC. This was fairly straightforward to set up, and a quick trip to the Apache Tomcat archives armed us with a vulnerable version (7.0.81). Our setup is as follows: Windows Server 2012 R2 (Amazon AMI), Apache Tomcat 7.0.81, “readonly” initialization parameter set to “false”.

2. Weaponizing the POC

Our next step was to take the POC and test it out on our environment. Are we actually working with a legitimate set-up?

A 201 response from our POC request to /1.jsp/ results in the JSP code executing server-side, outputting “hello” to the browser.

Yep! Our proof of concept code and test environment both look to be in order. So, now to build a Metasploit module and take advantage of some of the more useful payloads the framework has to offer.

Being a Tomcat vulnerability, we decided to start with an existing Tomcat module, exploit/multi/http/tomcat_mgr_upload, and tweak it to our needs. But, as it turns out, that one does a ton of stuff we don’t need! The next approach was to take an existing JSP module, adobe_robohelper_authbypass, and go from there. This turned out to be much more fruitful (fruitier?). With just a few changes and some simplifications, we managed to get a working module to upload our choice of JSP command shell to a vulnerable Tomcat instance. You can grab the full module on our GitHub (we’ve also made a pull request to the master branch).

**UPDATE** Our pull request was accepted! You can now find the module in the official repository: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_jsp_upload_bypass.rb.

In the end, we turned a new Tomcat POC into a convenient Metasploit module that will upload and execute a JSP shell and includes a checker function to determine if a given instance is vulnerable (this will also clean itself up from the system).

3. Profit 🙂

You might be thinking that this vulnerability is only going to show up once in a blue moon, given the relatively restrictive configuration prerequisites. And, you’d be correct… You will probably not encounter this vulnerable setup very often on engagements. So why take the time to make a Metasploit module for it? Having a module like this takes the hassle out of determining if a Tomcat instance is vulnerable to a less common exploit like this. Now, we can easily run this check against all identified Tomcats in the background on pentests. If any come back as vulnerable, there is a good chance we have System level access and a new way into the Windows Domain! We hope you enjoy and profit on your own engagements as well 🙂

Using our Metasploit module to upload a JSP shell to a vulnerable Tomcat version via a PUT request. The module can be found here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_jsp_upload_bypass.rb
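As an added, defender-side example (not code from the post or from the Metasploit module it describes), here are checks for the two preconditions the post names: the “readonly” init-param of Tomcat’s DefaultServlet set to false in conf/web.xml, and an access log showing a PUT to a .jsp path answered with 201. The web.xml excerpt, the log lines and the IP addresses are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of a Tomcat conf/web.xml with the weak setting from the post:
# the DefaultServlet's "readonly" init-param set to false, which enables PUT.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""
# The corrected form: readonly back to its default of true.
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                        "<param-value>true</param-value>")

# Constructed Tomcat access-log lines (common log format) around a JSP upload.
ACCESS_LOG = [
    '10.0.0.5 - - [30/Oct/2017:14:02:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [30/Oct/2017:14:02:11 +0000] "PUT /1.jsp/ HTTP/1.1" 201 -',
    '10.0.0.9 - - [30/Oct/2017:14:02:12 +0000] "GET /1.jsp HTTP/1.1" 200 6',
    '10.0.0.7 - - [30/Oct/2017:14:03:00 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 -',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def _local(tag):
    """Strip the XML namespace so the check works across Tomcat 7/8/9 web.xml variants."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml):
    """Return True when the DefaultServlet is read-only (Tomcat's default).

    Only an explicit readonly=false turns PUT on, so a missing init-param counts as safe.
    """
    root = ET.fromstring(web_xml)
    for servlet in (el for el in root.iter() if _local(el.tag) == "servlet"):
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if not cls.strip().endswith(".DefaultServlet"):
            continue
        for param in (el for el in servlet.iter() if _local(el.tag) == "init-param"):
            fields = {_local(c.tag): (c.text or "").strip().lower() for c in param}
            if fields.get("param-name") == "readonly":
                return fields.get("param-value") != "false"
    return True


def suspicious_jsp_writes(lines):
    """Flag PUT/DELETE requests whose path names a .jsp resource.

    A writable DefaultServlet honours PUT, and CVE-2017-12617 let a path such as
    /1.jsp/ be stored as 1.jsp, so a 201 on such a request is a strong sign of a
    JSP upload. Matching ".jsp" anywhere in the path also catches the trailing-slash form.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] in ("PUT", "DELETE") and ".jsp" in m["path"].lower():
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits
```

Run `default_servlet_readonly` against each deployed conf/web.xml as part of a configuration audit, and feed `suspicious_jsp_writes` the access log of any instance found writable.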

Detecting In-Memory Mimikatz

by Jake Liefer | May 16, 2016 | Blue Teams

One of the most pressing internal network security issues is limiting the ability of an attacker to perform privilege escalation. In my experience, once administrative level access is obtained to a Windows system it is trivial for an attacker to dump user credentials and pivot throughout the network, eventually gaining the most privileged accounts without detection.

While preventative controls such as hardening Windows group policy configurations, LAPS, MFA, and segmentation can be implemented to slow an attacker down, the ability to detect remains the most readily available method. In order to detect the password extraction stage of the attack, we need to identify processes that hook into LSASS. For my testing, I used the popular Mimikatz toolset for extracting passwords / password hashes and Sysmon, Microsoft’s free event-logging extension, to research the DLLs. Based on my research, using a basic (and free) endpoint tool, Sysmon, I believe we have the capability to detect Mimikatz in all flavors: in-memory, on-disk, and packed on-disk. Once identified in Sysmon, the Windows logs still need to be forwarded on to your SIEM to trigger an alert. In my analysis, this detection method results in very few false positives. This method can also be extended to Endpoint Detection and Response (EDR) tools that capture processes.

*** Full caveat: I have only tested this in a few environments, so your mileage may vary. Further testing should be performed prior to rollout. In addition, the SIEM will need to correlate the events that happen in succession. ***

Uncovering Mimikatz Activity

To detect Mimikatz activity, I went to the core of what Mimikatz needs to run, namely its loading of Windows DLLs. This is important as this will always occur no matter what process Mimikatz is injected into and cannot be obfuscated via in-memory execution or a packed exe. Using Sysmon with the -l flag to identify DLL image loading, I extracted the DLLs of both in-memory execution via a beacon (spawned in the context of rundll32.exe via Cobalt Strike) and Mimikatz executing on disk via command prompt.

As some of these libraries may differ between methods, I wanted to identify only libraries that were common to both methods and came up with the following list, highlighting similarities:

From this list of shared DLLs, I then started to build out my DLLs for detection. Searches with a subset of these DLLs against a Carbon Black instance showed a small number of false positives using the following DLL list:

  • ntdsapi.dll
  • netapi32.dll
  • imm32.dll
  • samlib.dll
  • combase.dll
  • srvcli.dll
  • shcore.dll
  • ntasn1.dll
  • cryptdll.dll
  • logoncli.dll

Hit Rate

Querying for these unique DLLs in the EDR solution Carbon Black resulted in only 17 processes. This is great news as it appears that the fingerprint for Mimikatz is unique from other processes, resulting in very few false positives. This Carbon Black instance has over 2 months of process information for 9,000,000+ processes across workstations and servers, so a pretty significant sample size. Further opportunities exist for strengthening this search by decreasing the time window for ensuring all DLLs are loading in conjunction, but that was outside the scope of this exercise. Using this detection method, either in Sysmon or an EDR tool, we should be able to key off of all instances of Mimikatz.

UPDATE:

Due to changes in reflective DLL loading that are used by Mimikatz in-memory (Powersploit, Cobalt Strike, Powershell Empire), the method to detect Mimikatz in memory has changed. Previously, when Mimikatz loaded in memory via DLL injection, Sysmon would show both the requested DLL, as well as dependencies when they were loaded by the process. However, with the changes to DLL injection, only the requested libraries, not the dependencies are shown in Sysmon.

Therefore, rather than a list of ~10 DLLs, we now see two DLLs in Sysmon when Mimikatz is run in memory: vaultcli.dll and wlanapi.dll. These two DLLs then load a set of dependencies (1,2) that are not populated in Sysmon when Mimikatz runs in memory. We do still see these dependencies loaded in Sysmon when Mimikatz is run on disk. Therefore, detection alerts should still use the previous rule, as well as key off of vaultcli.dll and wlanapi.dll.

Given this smaller list, there’ll be some more false positives, but this can be resolved. In my test environment with 10m+ processes, we’re at roughly 500 false positives vs 20 previously when searching for these two DLLs. However, by removing two known applications, I was able to remove the false positives and set up a rule that will properly trigger when Mimikatz is used in-memory. As each environment is unique, these applications will vary by environment and can be identified and whitelisted after enabling the query.

In addition, as more companies move to newer Windows operating systems, LSA Protection should be enabled. Doing so will require Mimikatz to load mimidrv.sys, which can be logged as well. Either the loading of the driver or the DLL loading listed above will detect Mimikatz usage in-memory and on disk. This was out of scope for this review, but I will discuss detection when LSA Protection is enabled in a future blog post.
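The detection logic of the post and its update, as an added example (not the author’s Sysmon configuration or Carbon Black queries): it groups constructed Sysmon Event ID 7 image-load records by process and applies the ten-DLL fingerprint, the two-DLL reflective-load rule with a per-environment allowlist, and the mimidrv.sys rule on Event ID 6 driver loads. The event records, process names, the 10-second correlation window and the allowlist entry are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ten DLLs common to on-disk and (pre-reflective-loading) in-memory Mimikatz runs.
MIMIKATZ_DLLS = {"ntdsapi.dll", "netapi32.dll", "imm32.dll", "samlib.dll", "combase.dll",
                 "srvcli.dll", "shcore.dll", "ntasn1.dll", "cryptdll.dll", "logoncli.dll"}
# The two DLLs that still surface in Sysmon once Mimikatz is reflectively loaded.
REFLECTIVE_DLLS = {"vaultcli.dll", "wlanapi.dll"}
# Images that load vaultcli/wlanapi legitimately in this environment (constructed placeholder).
ALLOWLIST = {r"c:\windows\explorer.exe"}
SYS32 = r"C:\Windows\System32"
FMT = "%Y-%m-%d %H:%M:%S.%f"

def ev(event_id, utc, pid, image, loaded):
    """Trimmed Sysmon record: ID 7 (ImageLoaded) has a process, ID 6 (DriverLoad) does not."""
    return {"EventId": event_id, "UtcTime": utc, "ProcessId": pid, "Image": image,
            "ImageLoaded": loaded}

def sample_events():
    """Constructed events: a reflective run, an allowlisted app, a partial match, an on-disk run."""
    events = [
        # Beacon in rundll32.exe running Mimikatz in memory: only the two requested DLLs appear.
        ev(7, "2016-05-16 10:00:01.000000", 4120, SYS32 + r"\rundll32.exe", SYS32 + r"\vaultcli.dll"),
        ev(7, "2016-05-16 10:00:01.050000", 4120, SYS32 + r"\rundll32.exe", SYS32 + r"\wlanapi.dll"),
        # Explorer also loads both and is allowlisted, so it must not alert.
        ev(7, "2016-05-16 10:00:02.000000", 2200, r"C:\Windows\explorer.exe", SYS32 + r"\vaultcli.dll"),
        ev(7, "2016-05-16 10:00:02.100000", 2200, r"C:\Windows\explorer.exe", SYS32 + r"\wlanapi.dll"),
        # A file-share tool loads only part of the ten-DLL fingerprint: no alert.
        ev(7, "2016-05-16 10:00:03.000000", 3300, r"C:\Tools\share.exe", SYS32 + r"\netapi32.dll"),
        ev(7, "2016-05-16 10:00:03.010000", 3300, r"C:\Tools\share.exe", SYS32 + r"\srvcli.dll"),
    ]
    # mimikatz.exe on disk loads all ten DLLs within a fraction of a second.
    for i, dll in enumerate(sorted(MIMIKATZ_DLLS)):
        events.append(ev(7, f"2016-05-16 10:00:05.{i * 20:06d}", 5555,
                         r"C:\Users\bob\mimikatz.exe", SYS32 + "\\" + dll))
    # With LSA Protection on, Mimikatz needs its driver, which Sysmon logs as a DriverLoad.
    events.append(ev(6, "2016-05-16 10:00:09.000000", None, None, r"C:\Users\bob\mimidrv.sys"))
    return events

def loaded_within(seq, wanted, window):
    """True if the process loaded every DLL in `wanted` inside one span of length `window`."""
    for i, (t0, _) in enumerate(seq):
        seen = {dll for t, dll in seq[i:] if t - t0 <= window and dll in wanted}
        if seen == wanted:
            return True
    return False

def detect_mimikatz(events, window=timedelta(seconds=10)):
    """Return (ProcessId, Image, rule) alerts mirroring the post's three detections."""
    alerts, loads = [], defaultdict(list)  # loads: (pid, image) -> [(time, dll name)]
    for e in events:
        name = e["ImageLoaded"].rsplit("\\", 1)[-1].lower()
        if e["EventId"] == 6:
            if name == "mimidrv.sys":
                alerts.append((e["ProcessId"], e["Image"], "mimidrv-driver-load"))
            continue
        t = datetime.strptime(e["UtcTime"], FMT)
        loads[(e["ProcessId"], e["Image"].lower())].append((t, name))
    for (pid, image), seq in loads.items():
        seq.sort()
        if loaded_within(seq, MIMIKATZ_DLLS, window):
            alerts.append((pid, image, "mimikatz-shared-dll-fingerprint"))
        elif image not in ALLOWLIST and loaded_within(seq, REFLECTIVE_DLLS, window):
            alerts.append((pid, image, "mimikatz-reflective-load"))
    return alerts
```

The window is what turns a flat DLL search into the "loading in conjunction" correlation the post leaves to the SIEM; tune it and the allowlist per environment after reviewing the initial hits.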
