The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against the malicious attachments.
The vulnerability, classified as CVE-2017-8759, was used in limited targeted attacks and reported to us by our partner, FireEye. Microsoft would like to thank FireEye for responsibly reporting this vulnerability and working with us to protect customers.
Customers receiving automatic updates for Microsoft products are protected from this attack without any additional action required. Customers not enjoying the benefits of Microsoft automatic updates should consider immediately applying this month’s updates to avoid unnecessary exposure.Office 365 ATP and Windows Defender ATP customers protected
Customers running Microsoft advanced threat solutions such as Office 365 Advanced Threat Protection or Windows Defender Advanced Threat Protection were safe from this attack without the need of additional updates. The security configuration and reduced attack surface of Windows 10 S blocks this attack by default.
Office 365 ATP blocked the malicious attachments automatically in customer environments that have adopted the mail detonation and filtering solution. The attachment was blocked based on the detection of the malicious behaviors, as well as its similarity with previous exploits. SecOps personnel would see an ATP behavioral detection in Office 365’s Threat Explorer page:
Figure 1. Block reasons for the exploit attachment as seen in Office 365 ATP console
Windows Defender ATP was also able to raise multiple alerts related to post-exploitation activities performed by this exploit using scripting engines and PowerShell. Additional alerts may also be visible for subsequent stages of the attack performed after malware installation.
In addition, Windows Defender Antivirus detects and blocks exploits against this vulnerability as Exploit:RTF/Fitipol.A, Behavior:Win32/Fitipol.A and Exploit:RTF/CVE-2017-8759.A using cloud the protection service to deliver near-real-time protection against such never-before-seen threats.
Figure 2. Windows Defender ATP alerts raised for CVE-2017-8759 zero-day exploitProtection with Windows Defender Exploit Guard
We are also happy to share with customers testing our upcoming Windows 10 Fall Creators Update that Windows Defender Exploit Guard was also able to prevent this attack using one of the many Attack Surface Reduction rules and exploit protection features.
Figure 3. Example of exploit blocking event logged by Windows Defender Exploit Guard
The CVE-2017-8759 vulnerability can allow remote code execution after users open a spam email, and double-click on an untrusted attachment and disable the Microsoft Office Protected View mode. The exploit uses Microsoft Word as the initial vector to reach the real vulnerable component, which is not related to Microsoft Office and which is responsible for certain SOAP-rendering functionalities through .NET classes.
For more information on this new campaign our partner FireEye has a good technical blog describing the infection mechanism and the details of the exploit.
After the initial notification from FireEye, Windows Defender telemetry revealed very limited usage of this zero-day exploit. The attacker used this exploit to deploy a spyware detected as Wingbird and also known to the security community as “FinFisher”, a commercial surveillance package often seen combined with expensive zero-day vulnerabilities and used by sophisticated actors.
Microsoft researchers believe that the adversary involved in this operation could be linked to the NEODYMIUM group, which has used similar zero-day exploits with spear-phishing attachments combined with the usage of FinFisher spyware. We previously reported about the NEODYMIUM group in the Windows Security blog in 2016. For additional information about this new attack as well as other NEODYMIUM attacks, we encourage ATP customers to review the in-product Threat Intelligence reports on this activity group.
Windows Defender ATP Research Team
In the first six months of 2017, ransomware threats reached new levels of sophistication. The same period also saw the reversal of a six-month downward trend in ransomware encounters. New ransomware code was released at a higher rate with increasing complexity. Two high-profile ransomware incidents brought cybersecurity to the forefront of mainstream conversations as the impact of attacks was felt around the world by organizations and individuals alike.
The recently released Microsoft Security Intelligence Report summarizing movements in different areas of the threat landscape in the first quarter of the year showed the continued global presence of ransomware. The highest encounter rates, defined as the percentage of computers running Microsoft real-time security products that report blocking or detecting ransomware, were registered in the Czech Republic, Korea, and Italy from January to March 2017.
Sustained ransomware campaigns and high-profile attacks continued to highlight the need for advanced comprehensive cybersecurity strategy. In this blog entry, we share our key observations on the ransomware landscape and offer insights on what can be learned from trends and developments so far in 2017.Ransomware growth rallies
In March of 2017, the volume of ransomware encounters started to pick up again after several months of decline. The growth is driven to a certain extent by sustained activities from established ransomware operations like Cerber, with an onslaught of attacks powered by ransomware-as-a-service.
Figure 1. Total ransomware encounters by month, July 2016-June 2017 (source: Ransomware FAQ page)
In part, this surge is also driven by the emergence of new ransomware families, which are being released into the wild at a faster rate. In the first half of 2017, we discovered 71 new ransomware families, an increase from the 64 new families we found in the same period in 2016.
Some of these new ransomware families stand out because they exhibit new behaviors that make them more complex. For instance, the latest Microsoft Security Intelligence Report shows that in March 2017, two-month old Spora overtook Cerber as the most prevalent ransomware family.
Figure 2. Trends for several commonly encountered ransomware families in 1Q17, by month (source: Microsoft Security Intelligence Report 22)
Spora’s quick rise to the top may be traced to its capability to spread via network drives and removable drives, such as USB sticks. Initial versions targeted Russia and featured a ransom note in the local language. It has since gone global, spreading to other countries with a ransom note in English.
Other notable new ransomware families in 2017 include Jaffrans, Exmas, and Ergop. While these families have not quite achieved the prevalence of Spora, they show signs of persistence and periodic improvements that are observed in older, successful families.
Microsoft protects customers from new and emerging ransomware like Spora using a combination of advanced heuristics, generics, and machine learning, which work together to deliver predictive, real-time protection. In a recent blog post, we demonstrated how we could better protect from never-before-seen ransomware with enhancements to the Windows Defender Antivirus cloud protection service.The rise of global ransomware outbreaks
WannaCrypt (also known as WannaCry) is one of the most well-known new ransomware to surface so far this year. It emerged in May carrying an exploit for a patched vulnerability and quickly spread to out-of-date Windows 7 computers in Europe and later the rest of the world (the exploit did not affect Windows 10). The attack left several impacted organizations, high-tech facilities, and other services affected in its aftermath.
Only a few weeks after the WannaCrypt outbreak, a new variant of Petya wreaked havoc in June. This Petya variant applied some of the propagation techniques used by WannaCrypt, but incorporated more methods to spread within a network. The outbreak started in Ukraine, where a compromised supply-chain delivered the ransomware through a software update process. The Petya infections swiftly spread to other countries in the course of a few hours. Petya’s impact was not as widespread as the WannaCrypt outbreak; however, as our in-depth analysis of Petya revealed, its upgrades made it so much more complex and caused more damage to organizations affected.
WannaCrypt and Petya defied the trend of more targeted and localized attacks and became the first global malware attacks in quite a while. They generated worldwide mainstream interest. Interestingly, this attention might have added more challenges for attackers. For instance, the Bitcoin wallets used in these attacks were closely monitored by security researchers.
WannaCrypt and Petya showed that ransomware attacks powered by sophisticated exploits on a global scale can be particularly catastrophic. Global attacks emphasize the need to avert ransomware epidemics by enabling responders to detect, respond to, and investigate attacks so infections can be contained and not allowed to swell. Security patches need to be applied as soon as they become available.
Figure 3. Global distribution of ransomware encounters by month, January-June 2017Increasing sophistication
The trend of global outbreaks is likely a result of more techniques incorporated by ransomware. WannaCrypt, Petya, Spora, and other new ransomware variants sported new capabilities that allowed them to spread faster and wreak more havoc than other malware.Lateral movement using exploits
Spora’s aforementioned ability to spread via network drives and removable drives made it one of the most widespread ransomware. Though it was not the first ransomware family to integrate a worm-like spreading mechanism, it was able to use this capability to infect more computers.
With worm capabilities, ransomware attacks can have implications beyond endpoint security, introducing challenges to enterprise networks. This was particularly true for WannaCrypt, which spread by exploiting a vulnerability (CVE-2017-0144, dubbed EternalBlue, previously patched in security update MS17-010), affecting networks with out-of-date computers.
Petya expanded on WannaCrypt’s spreading mechanism by exploiting not one, but two vulnerabilities. Apart from CVE-2017-0144, it also exploited CVE-2017-0145 (known as EternalRomance, and fixed in the same security update as EternalBlue), affecting out-of-date systems.
These two attacks highlighted the importance of applying security patches as they become available. They likewise highlight the importance of immediately detecting and stopping malicious behavior related to exploits.
It is important to note that the EternalBlue and EternalRomance exploits did not affect Windows 10, underscoring the benefits of upgrading to the latest, most secure version of platforms and software. Even if the exploits were designed to work on Windows 10, the platform has multiple mitigations against exploits, including zero-days. In addition, Windows Defender Advanced Threat Protection (Windows Defender ATP) detects malicious activities resulting from exploits without the need for signature updates.Credential theft
One of Petya’s more noteworthy behaviors is its credential-stealing capability, which it does either by using a credential dumping tool or by stealing from the Credential Store. This capability poses a significant security challenge for networks with users who sign in with local admin privileges and have active sessions opens across multiple machines. In this situation, stolen credentials can provide the same level of access the users have on other machines.
The Petya outbreak is testament to the importance of credential hygiene. Enterprises need to constantly review privileged accounts, which have unhampered network access and access to corporate secrets and other critical data. Credential Guard uses virtualization-based security to protect derived domain credentials and stop attempts to compromise privileged accounts.Network scanning
Armed with exploits or stolen credentials, ransomware can spread across networks through network scanning. For example, Petya scanned affected networks to establish valid connections to other computers. It then attempted to transfer copies of the malware using stolen credentials. Petya also scanned for network shares in an attempt to spread through those shares.
WannaCrypt, on the other hand, ran massive scanning of IP addresses to look for computers that are vulnerable to the EternalBlue exploit. This gave it the ability to spread to out-of-date computers outside the network. Network defenders can uncover and stop unauthorized network scanning behaviors.Destructive behavior
In most ransomware cases, the attacker motivation is clear: victims need to pay the ransom or never gain back access to encrypted files. While there is no guarantee that files are decrypted after payment is made, most ransomware infections make their intention clear through a ransom note. In August, WannaCrypt actors wrapped up their campaign by withdrawing ransom pain in Bitcoins from online wallets.
Petya behaved like other ransomware in this aspect. Attackers emptied the Petya online wallets earlier in July. However, Petya had far more destructive routines: it overwrote or damaged the Master Boot Record (MBR) and Volume Boot Record (VBR), rendering affected computers unusable. This started a conversation about whether this Petya variant was primarily a ransomware like WannaCrypt or a destructive cyberattack like Depriz (also known as Shamoon).
Figure 4. Petya incorporated complex behaviors not typical of ransomware
The debate is not settled, but the Petya attack does raise an important point—attackers can easily incorporate other payloads into ransomware code to facilitate targeted attacks and other types of destructive cyberattacks. As the threat of ransomware escalates, enterprises and individuals alike need a sound cybersecurity strategy and a protection suite that will defend against the end-to-end ransomware infection process.Integrated end-to-end security suite against ransomware
With high-profile global outbreaks and other notable trends, the first six months of 2017 can be considered one of the more turbulent periods in the history of ransomware. The observations we summarized in this blog highlight the potency of the ransomware threat. Unfortunately, given the trends, we may see similarly sophisticated or even more complex attacks in the foreseeable future. More importantly, however, we should learn from these attacks and developments, because they highlight the areas of cybersecurity that need to be improved and reevaluated.
At Microsoft, we’re always hard at work to continuously harden Windows 10 against ransomware and other attacks. In the upcoming Windows 10 Fall Creators Update, we will integrate Microsoft security solutions into a powerful single pane of glass—centralized management that will allow customers to consume, manage, and integrate security for devices in the network. Windows Defender ATP will be expanded to include seamless integration across the entire Windows protection stack. The suite of tools will include the new Windows Defender Exploit Guard and Windows Defender Application Guard, as well as the enhanced Windows Defender Device Guard and Windows Defender AV.
Today, Windows 10 Creators Update has next-gen technologies that protect against ransomware attacks.
Figure 5. Windows 10 end-to-end protection stack (source: Next-gen ransomware protection with Windows 10 Creators Update)
Windows 10 has multiple exploit mitigations, including control flow-guard for kernel (kFCG), kernel mode code integrity (KMCI), better kernel address space layout randomization (KASLR), NX HAL, and PAGE POOL (non-executable kernel regions). These mitigations help make Windows 10 resilient to exploit attacks, such as those used by WannaCrypt and Petya.Intelligent Security Graph and machine learning
Security built into Windows 10 is powered by the Microsoft Intelligent Security Graph, which correlates signals from billions of sensors. Unique insights from this vast security intelligence enable Microsoft to deliver real-time protection through Windows Defender AV, Windows Defender ATP, and other next-gen security technologies.
The increasing magnitude and complexity of ransomware require advanced real-time protection. Windows Defender AV uses precise machine learning models as well as generic and heuristic techniques, improved detection of script-based ransomware, and enhanced behavior analysis to detect common and complex ransomware code. Using the cloud protection service, Windows Defender AV provides real-time protection. In recent enhancements, the cloud protection service can make a swift assessment of new and unknown files, allowing Windows Defender AV to block new malware the first time it is seen.
Windows Defender Advanced Threat Protection empowers SecOps personnel to stop ransomware outbreaks in the network. Both WannaCrypt and Petya showed how critical it is to detect, investigate, and respond to ransomware attacks and prevent the spread. Windows Defender ATP’s enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware infection process. The new process tree visualization and improvements in machine isolation further help security operations to investigate and respond to ransomware attacks.Online safety with Microsoft Edge and Office 365 Advanced Threat Protection
Microsoft Edge can help block ransomware infections from the web by opening pages within app container boxes. It uses reputation-based blocking of downloads. Its click-to-run feature for Flash can stop ransomware infections that begin with exploit kits.
To defend against ransomware attacks that begin with email, Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. Outlook.com anti-spam filters also provide protection against malicious emails.Virtualization-based security and application control
Credential Guard can protect domain credentials from attacks like Petya, which attempted to steal credentials for use in lateral movement. Credential Guard uses virtualization-based security to protect against credential dumping.
Enterprises can implement virtualization-based lockdown security, which can block all types of unauthorized content. Windows Defender Device Guard combines virtualization-based security and application control to allow only authorized apps to run. Petya, whose first infections were traced back to a compromised software update process, was blocked on devices with Device Guard enabled.Microsoft-vetted security with Windows 10 S and more security features in Windows 10 Fall Creators Update
Devices can achieve a similar lockdown security with Windows 10 S, which streamlines security and performance by working exclusively with apps from the Windows Store, ensuring that only apps that went through the Store onboarding, vetting, and signing process are allowed to run.
All of these security features make Windows 10 our most secure platform. Next-gen security technologies in Windows 10 provide next-gen protection against ransomware.
Figure 6. Windows 10 next-gen security
But the work to further harden Windows 10 against ransomware and other threats continues. Expect more security features and capabilities in the upcoming Windows 10 Fall Creators Update.
Tanmay Ganacharya (@tanmayg)
Principal Group Manager, Windows Defender Research
Talk to us
Questions, concerns, or insights on this story? Join discussions at the Microsoft community.