Channel: Windows – Born's Tech and Windows World

BlueKeep: Windows Remote Desktop Services vulnerability exploits status


[German] What about the CVE-2019-0708 vulnerability in Windows Remote Desktop Services, for which Microsoft released updates for Windows XP through Windows 7 on May 14, 2019? Are there exploits? Are there tools to test whether an environment is vulnerable?

Vulnerability CVE-2019-0708, some background

Remote Desktop Services – formerly known as Terminal Services – has a serious vulnerability called CVE-2019-0708 in older Windows versions. An unauthenticated attacker can connect to a target system via RDP using specially crafted requests. The problem is that the attacker does not need any credentials to gain access to the system.

An attacker who has successfully exploited this vulnerability could execute arbitrary code on the target system. This includes installing programs, viewing, modifying, or deleting data, and creating new accounts with full user privileges. This critical vulnerability exists in the following versions of Windows:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop service. On May 14, 2019, Microsoft released a security update for older versions of Windows, from Windows XP to Windows 7, that closes the critical CVE-2019-0708 vulnerability in Remote Desktop Services. I had warned about that vulnerability within my blog post Critical update for Windows XP up to Windows 7 (May 2019).

What’s about BlueKeep exploits?

Well, we have updates that close the vulnerability. But not all administrators can install those updates in time. So the question arises: how dangerous is this vulnerability, now called BlueKeep, in reality? Are there exploits available and in use in the wild?

Security researchers expected that working exploits for CVE-2019-0708 would be available within hours or days. Security researcher Kevin Beaumont (@GossiTheDog) has monitored this topic and published some information on Twitter. Until the end of last week, there were no signs that any RDP exploits were actually being used in attacks.

Researchers at McAfee and Zerodium both have working exploits for this. Neither have released technical details. There are no publicly available exploits at this stage, nor evidence of exploitation in the wild.

— Kevin Beaumont (@GossiTheDog) May 19, 2019

According to last Sunday’s tweet above, McAfee and Zerodium have functional exploits. But these are not publicly known, and there are no details about them.

Kaspersky dude has blue screen of death https://t.co/QQ2J2RRTQC

— Kevin Beaumont (@GossiTheDog) May 20, 2019

Kaspersky has tried an exploit and so far has only managed to trigger a blue screen with manipulated RDP messages, as the above tweet suggests. According to Beaumont, there is only one working exploit on GitHub so far; the rest are probably fake. But Bleeping Computer expects in this article that exploits are coming soon.

It seems that the above proof of concept (PoC) has been confirmed by Christiaan Beek, senior principal engineer at McAfee. And the tweet below demonstrates the vulnerability.

A first network test on BlueKeep vulnerability

It is interesting to note that the Vulcan team of the Chinese security provider Qihoo 360 has developed a remote scan tool with which a network can be scanned to see whether it can be attacked via the CVE-2019-0708 vulnerability by BlueKeep exploits.

CVE-2019-0708 remote scan tool by 360Vulcan team. Detects the recent RDP bug via RDP packet behavior, without triggering the final bug path (no BSOD or any side effect on the target system). Ask for it to scan your network by sending mail to cert at https://t.co/bf3ebtruY0 pic.twitter.com/0roL3SGTbJ

— mj0011 (@mj0011sec) May 20, 2019

According to the tweet above, this remote scan tool can scan a network on demand without causing a blue screen or other side effects. Currently, interested parties can only send an e-mail to 360.cn and ask for a network scan. But this is probably only possible for financially strong paying customers in China. So it seems as if networks will be spared a BlueKeep attack wave for a few more days – and there are probably no generally available test tools yet.


Windows Updates: Issues with McAfee and Sophos AV SW


[German] A brief overview of the status of known issues during update installation on Windows when antivirus software from third-party manufacturers is installed. Microsoft warns of security solutions from McAfee and Sophos in the list of known issues for the May 14, 2019 security updates. And Sophos is causing issues as well.

A brief review of the problem

On the April 2019 Patchday (the 2nd Tuesday of the month), significant installation issues with Windows updates were observed on systems where third-party antivirus products from Avira, Avast, McAfee and Sophos were installed. Microsoft even had to block the distribution of updates to systems on which the affected security solutions were installed. I’ve referred to this in the following articles on this blog, among others:

Windows 7: Mc Afee is causing issues with April Updates
Windows patchday issues–one week later (April 17, 2019)
AVAST and Avira confirms April 2019 Update issues

Avira and Avast had improved their security solutions and stated that there were no more problems with the April 2019 updates. Before the May 2019 Patchday (May 14, 2019), I had explicitly asked in my German blog post Windows Mai 2019-Patchday, wo steht Avira? whether there were any known issues. Avira told me that the issues have been fixed and that Microsoft is releasing the blocked April 2019 updates. There were also no comments from blog readers about new problems.

May updates: Issues with Sophos and McAfee

In April 2019, both McAfee and Sophos antivirus software caused issues with Windows security updates. And for the May 2019 updates, Microsoft again explicitly mentioned issues with McAfee antivirus software for Windows 7 and Windows 8.1 and their server counterparts (see Patchday: Updates for Windows 7/8.1/Server (May 14, 2019)).

There is a problem that was identified in April 2019 on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8. The antivirus solution may cause the system to boot slowly after this update is installed, or may cause the system to stop responding when rebooted.

Microsoft is silent about Sophos in its KB articles. But the manufacturer Sophos has published the support article Following the Microsoft Windows 14th May update some machines hang on boot. For some customers, the May 14 security updates on Windows cause a hang: after the update installation, the systems get stuck when booting with the message “Configuring 30%”. This refers to:

  • KB4499164 (Monthly Rollup) for Windows 7/Windows Server 2008 R2
  • KB4499175 (Security-only update) for Windows 7/Windows Server 2008 R2

The problem occurs when one of the following Sophos security solutions for corporate environments is installed:

  • Sophos Endpoint Security and Control
  • Sophos Central Endpoint Standard/Advanced

According to the support article, Sophos is still investigating the problem with Microsoft. At the moment, the only workaround is to block the updates or, if they are already installed, to uninstall them.

McAfee has a fix

A few hours ago, German blog reader Michael Py left a comment mentioning that McAfee has released a fix (thanks for the hint). A support article about McAfee Endpoint Security 10.6.1 mentions a ‘May 2019 Update’ in a linked PDF file. Reference 1270648 says:

Systems no longer have slower restart times and performance after installing Microsoft Windows April 2019 updates. See KB91476 and KB91465 for more information.

The KB articles listed above are McAfee support articles and have nothing to do with the Microsoft KB articles for the updates. However, as I read it, McAfee only mentions a fix for the issues related to the April 2019 Windows updates. Since the McAfee warnings in the known issues for the May 2019 updates in the Microsoft KB articles have not yet disappeared, it is currently unclear to me whether this fix finally solves the problems. Hence the question to administrators using McAfee Endpoint Security 10.6.1 in corporate environments: does it fix the Patchday issues?

Tor-Browser 8.5 released, also for Android


[German] On May 21, 2019, the developers of the Tor project released version 8.5 of the Tor Browser bundle for the desktop. Tor Browser is now also available in an Android version.

Tor Browser 8.5 for Desktop

Blog reader lodenhainz already pointed out the update of the Tor Browser to version 8.5 in this comment on May 21, 2019 (thanks for that). The announcement was made in this blog post from the Tor project. I used the Help menu to check the Tor Browser on my Windows system for updates. The dialog box claimed to have an update for Tor Browser 8.0.9. However, after restarting the browser, I was notified of version 8.5.

Tor Browser 8.5 is now available on the Tor browser download page and in the Tor distribution directory. Tor Browser 8.5 includes Firefox ESR 60.7, which contains important security updates.

Tor available for Android

The developers of the Tor project have now released a version for Android. They write: After months of work and feedback from our users, Tor Browser 8.5 contains our first stable version for Android as well as many new features on all platforms. The Android version is available on Google Play and should be available on F-Droid the next day.

Assign network level authentication w/o Group Policies


[German] How can you make sure that Network Level Authentication is enabled in Windows if no Group Policies are available (for instance on all Windows Home editions)? Here is a short piece of advice.

With a new network flaw just discovered (see Critical update for Windows XP up to Windows 7 (May 2019)), users should ensure that Network Level Authentication (NLA) is enabled. This can also be done on a Windows machine that doesn’t support Group Policies (which require Windows Pro or Enterprise). SwiftOnSecurity has posted advice on Twitter.

Translated for the noobs: just start the Registry Editor (regedit.exe) via “Run as administrator”, navigate to the two registry keys mentioned above and add the DWORD value UserAuthentication set to 1. HKLM stands for HKEY_LOCAL_MACHINE. A second piece of advice may be found here. (Thanks @PhantomofMobile)
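As an added example (not from the original post or from SwiftOnSecurity’s tweet), the following PowerShell script audits and, with -Enforce, sets NLA for the RDP-Tcp listener without Group Policy; NLA makes the client authenticate before a session is set up, which is why Microsoft lists it as a mitigation for CVE-2019-0708. It assumes that the RDP-Tcp WinStation key below is the key the tweet refers to (the post does not reproduce the keys) and that it is run from an elevated Windows PowerShell prompt.

```powershell
# Added example, not from the original post or SwiftOnSecurity's tweet: audit and,
# with -Enforce, require Network Level Authentication (NLA) for the RDP-Tcp
# listener without Group Policy. Assumption: the WinStation key below is the key
# the tweet refers to. Run from an elevated prompt (Windows PowerShell 2.0 or later).
param([switch]$Enforce)

$RdpTcpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TermServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-TsGeneralSetting {
    # The Terminal Services WMI provider requires packet-privacy authentication;
    # without it the query fails with an access error even when elevated.
    Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy -ErrorAction SilentlyContinue
}

function Get-NlaStatus {
    # Reports the raw registry value next to what the running service says, so a
    # mismatch (value written, service not reloaded) is visible instead of hidden.
    $deny = (Get-ItemProperty -Path $TermServerKey -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue).fDenyTSConnections
    $reg  = (Get-ItemProperty -Path $RdpTcpKey -Name 'UserAuthentication' -ErrorAction SilentlyContinue).UserAuthentication
    $ts   = Get-TsGeneralSetting
    $nla  = $null
    if ($ts) { $nla = [bool]$ts.UserAuthenticationRequired }
    New-Object PSObject -Property @{
        RdpEnabled            = ($deny -eq 0)
        UserAuthenticationReg = $reg      # 1 = NLA required (the DWORD from the tweet)
        NlaRequiredPerService = $nla
    }
}

function Set-NlaRequired {
    # Writes the DWORD the tweet describes and also pushes the setting through the
    # Terminal Services provider so the listener picks it up without a reboot.
    New-ItemProperty -Path $RdpTcpKey -Name 'UserAuthentication' -Value 1 -PropertyType DWord -Force | Out-Null
    $ts = Get-TsGeneralSetting
    if ($ts) {
        $result = $ts.SetUserAuthenticationRequired(1)
        if ($result.ReturnValue -ne 0) {
            Write-Warning "SetUserAuthenticationRequired returned $($result.ReturnValue)"
        }
    }
}

$status = Get-NlaStatus
$status | Format-List RdpEnabled, UserAuthenticationReg, NlaRequiredPerService
if ($status.RdpEnabled -and $status.UserAuthenticationReg -ne 1) {
    Write-Warning 'RDP is enabled but NLA is not enforced; rerun with -Enforce to set UserAuthentication=1.'
}
if ($Enforce) {
    Set-NlaRequired
    Get-NlaStatus | Format-List RdpEnabled, UserAuthenticationReg, NlaRequiredPerService
}
```

Enforcing NLA rejects clients that cannot do CredSSP (for example very old Remote Desktop Connection versions), so check which clients are in use before enabling it on a machine others connect to.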

A threat actor scans Windows systems for BlueKeep vulnerability


[German] Cyber criminals are currently attempting to scan the Internet for Windows systems vulnerable to the BlueKeep vulnerability and then attack them.

BlueKeep: Remote Desktop Services vulnerability

In Remote Desktop Services – formerly known as Terminal Services – there is a serious vulnerability, CVE-2019-0708. An unauthenticated attacker can connect to a target system via RDP using specially crafted requests. The problem is that the attacker does not need any credentials to gain access to the system.

An attacker who has successfully exploited this vulnerability could execute arbitrary code on the target system. This includes installing programs, viewing, modifying, or deleting data, and creating new accounts with full user privileges. This critical vulnerability exists in the following versions of Windows:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop service. On May 14, 2019, Microsoft released a security update for older versions of Windows, from Windows XP to Windows 7, that closes the critical CVE-2019-0708 vulnerability in Remote Desktop Services.

I reported on this vulnerability in the blog post Critical update for Windows XP up to Windows 7 (May 2019). There was also a warning from the German Federal Office for Information Security (BSI) that the threat is similar to that of the vulnerability responsible for the WannaCry outbreak.

Attacks only a matter of time

It was clear that it would not take long before the first attacks on systems where the BlueKeep gap was not closed took place. In a previous blog post, I had pointed out the current state of exploits. A few days ago there were no public exploits, but this has changed. And now Catalin Cimpanu points out in the following tweet that an attacker behind a Tor node is scanning the Internet for Windows systems vulnerable to BlueKeep.

Those who have not yet patched the vulnerability should do so urgently for systems connected to the Internet.

Similar articles:
Critical update for Windows XP up to Windows 7 (May 2019)
BlueKeep: Windows Remote Desktop Services vulnerability exploits status

Sophos collides with Windows Defender ATP – Fix is coming


[German] On Windows 7 and Windows Server 2008 R2, there are sporadic issues when using Sophos anti-virus solutions. Now one possible cause seems to have been found. Here is some background information on what this is all about.

Windows update and Sophos issues

As early as April 2019, the Patchday (the 2nd Tuesday of the month) saw significant problems with Windows updates on systems where third-party antivirus products from Avira, Avast, McAfee and Sophos were installed. Microsoft even had to block the distribution of updates to systems on which the affected security solutions were installed. I’ve blogged about that in the following articles on this blog, among others:

Windows 7: Mc Afee is causing issues with April Updates
Windows patchday issues–one week later (April 17, 2019)
AVAST and Avira confirms April 2019 Update issues

During the May 2019 Patchday, security solutions from Sophos and McAfee turned out to cause potential issues. In the blog post Patchday: Updates for Windows 7/8.1/Server (May 14, 2019), I pointed out that Microsoft explicitly mentioned issues with McAfee antivirus software for Windows 7 and Windows 8.1 and their server counterparts.

Microsoft has been silent about Sophos in its KB articles so far. But the manufacturer Sophos has published the support article Following the Microsoft Windows 14th May update some machines hang on boot. For some customers, the May 14 security updates on Windows cause a hang: after the update installation, the systems get stuck when booting with the message “Configuring 30%”. This refers to:

  • KB4499164 (Monthly Rollup) for Windows 7/Windows Server 2008 R2
  • KB4499175 (Security-only update) for Windows 7/Windows Server 2008 R2

The problem occurs when one of the following Sophos security solutions for corporate environments is installed:

  • Sophos Endpoint Security and Control
  • Sophos Central Endpoint Standard/Advanced

According to the support article, Sophos is still investigating the problem with Microsoft. At the moment, the only workaround is to block the updates or, if they are already installed, to uninstall them (see also Windows Updates: Issues with McAfee and Sophos AV SW).

Collision with Windows Defender ATP

Now we have more insight into this. Sophos released the following tweet on May 26, 2019:

In this support post there is an addendum dated May 24, 2019 from Sophos addressing the tweet above. Microsoft may have found the cause: customers running Windows Defender ATP on Windows 7 or Windows Server 2008 R2 may experience sporadic issues installing Windows updates. Microsoft is aware of the issues and will introduce a fix for Windows Defender ATP within the next 36 hours. No customer action is required; the fix is applied automatically by the Microsoft Monitoring Agent service.

Similar articles
Windows Updates: Issues with McAfee and Sophos AV SW
Windows 7: Mc Afee is causing issues with April Updates
Windows patchday issues–one week later (April 17, 2019)
AVAST and Avira confirms April 2019 Update issues

Nearly 1 million Windows machines with BlueKeep vulnerability


[German] Almost one million systems running Windows XP through Windows 7 and their server counterparts are reachable via the Internet and, because of missing updates, can be attacked through the BlueKeep vulnerability.

BlueKeep vulnerability: The risk increases

The CVE-2019-0708 vulnerability, known since May 14, 2019, could soon become one of the biggest security risks to Windows systems since WannaCry and NotPetya. Many Windows systems still haven’t received the necessary security updates.

The situation is still ‘relatively relaxed’, as I am not aware of any publicly available exploit that could be used to exploit the vulnerability to spread malware via the network. But that’s a matter of time. And in the blog post A threat actor scans Windows systems for BlueKeep vulnerability I reported that an attacker had probably already started scanning networks for vulnerable Windows computers via a Tor node.

A first BlueKeep scanner

Security researcher Kevin Beaumont has written a scanner to test network segments for the BlueKeep vulnerability.

It is a Docker project and is available on GitHub. Since I don’t have a Docker infrastructure here, I couldn’t test it myself. But Kevin Beaumont points out in the following tweet that the explosiveness of the situation is increasing.

In his scans he found a significantly higher number of Windows systems vulnerable to BlueKeep than he had found for the EternalBlue vulnerability (MS17-010) that caused the WannaCry ransomware outbreak in 2017. Not exactly reassuring news.

One million machines unpatched

Robert Graham, head of security research firm Errata Security, has also conducted an Internet scan for the BlueKeep vulnerability. He used the masscan tool to find machines with port 3389 (used by Remote Desktop) open. After a few hours he had 7 million hits. With the additional tool rdpscan he then tested this list for Windows systems vulnerable to BlueKeep. As he writes here, he came across almost 1 million unpatched systems. In concrete terms, there are probably around 950,000 publicly accessible computers on the Internet that are susceptible to the BlueKeep bug. The Hacker News has summarized the whole thing here.

Since the BlueKeep vulnerability allows systems to be taken over by an attacker and can be used for worm-like propagation, there is an increasing danger of ransomware attacks using techniques such as NotPetya and WannaCry. It may only be a matter of time.

Robert Graham believes that hackers can develop a robust exploit for this vulnerability within a month or two. And then an outbreak of malware affecting those 1 million computers is to be expected. Graham writes:

This is likely to lead to an event as damaging as WannaCry and notPetya of 2017 – possibly worse, as hackers have refined their ability to use these things for ransoms and other shameful purposes.

The only option left is to urge people to patch the affected Windows systems. On April 14, 2019, Microsoft released updates to close the vulnerability (see Critical update for Windows XP up to Windows 7 (May 2019)).

Details about CVE-2019-0708

The vulnerability known as CVE-2019-0708 is in Windows Remote Desktop Services, formerly known as Terminal Services. An unauthenticated attacker can connect to a target system via RDP using specially crafted requests. The problem is that the attacker does not need any credentials to gain access to the system.

An attacker who has successfully exploited this vulnerability could execute arbitrary code on the target system. This includes installing programs, viewing, modifying, or deleting data, and creating new accounts with full user privileges. This critical vulnerability exists in the following versions of Windows:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop service. On May 14, 2019, Microsoft released a security update for older versions of Windows, from Windows XP to Windows 7, that closes the critical vulnerability CVE-2019-0708 in Remote Desktop Services (see Critical update for Windows XP up to Windows 7 (May 2019)).

Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)

BlueKeep vulnerability: Microsoft warns about a wormable malware epidemic


[German]Microsoft warns of the danger that the critical Remote Desktop Services vulnerability CVE-2019-0708 will soon lead to a major malware outbreak on up to one million Windows computers.

In a Technet blog post titled A Reminder to Update Your Systems to Prevent a Worm, Microsoft reminds users to patch their vulnerable Windows systems against the CVE-2019-0708 vulnerability, aka BlueKeep.

Vulnerability CVE-2019-0708, some background

Remote Desktop Services – formerly known as Terminal Services – has a serious vulnerability called CVE-2019-0708 in older Windows versions. An unauthenticated attacker can connect to a target system via RDP using specially crafted requests. The problem is that the attacker does not need any credentials to gain access to the system.

An attacker who has successfully exploited this vulnerability could execute arbitrary code on the target system. This includes installing programs, viewing, modifying, or deleting data, and creating new accounts with full user privileges. This critical vulnerability exists in the following versions of Windows:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows 7
  • Windows Server 2008
  • Windows Server 2008 R2

Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop service. On May 14, 2019, Microsoft released a security update for older versions of Windows, from Windows XP to Windows 7, that closes the critical CVE-2019-0708 vulnerability in Remote Desktop Services. I had warned about that vulnerability in my blog post Critical update for Windows XP up to Windows 7 (May 2019).

Patches are available

On May 14, 2019, Microsoft released updates for Windows XP up to Windows 7 and their server counterparts to mitigate CVE-2019-0708. I’ve reported about that in my blog post Critical update for Windows XP up to Windows 7 (May 2019). Microsoft has also published the article Customer guidance for CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability: May 14, 2019, where links to the related updates may be found. And here are the downloads for the distinct Windows versions:

Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows Vista, Windows 2003 and Windows XP

Exploits exist or will come

Microsoft is confident that an exploit exists for this vulnerability. My summary about exploits from 10 days ago may be read in the blog post BlueKeep: Windows Remote Desktop Services vulnerability exploits status. Security researchers reported a week ago that a threat actor is scanning the Internet for Windows systems vulnerable to BlueKeep. I’ve addressed this in my blog post A threat actor scans Windows systems for BlueKeep vulnerability. So it’s only a question of time until attackers are able to use a working exploit to infect unpatched Windows systems.

One million machines unpatched

Robert Graham, head of security research firm Errata Security, has also conducted an Internet scan for the BlueKeep vulnerability. As he writes here, he came across almost 1 million unpatched systems connected directly to the Internet that are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable.

Microsoft warns: It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise. This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.

Will we see infections like WannaCry or NotPetya soon?

Currently there are no signs of an attack or of a worm yet. But this may change daily. A look at the events leading up to the start of the WannaCry attacks may indicate the risk of unpatched systems. There was a vulnerability called EternalBlue that became public. Although Microsoft released patches in time, many users didn’t install those security updates.

Almost two months passed between the release of fixes for the EternalBlue vulnerability and the start of the ransomware attacks. Despite having nearly 60 days to patch their systems, many customers had not. A significant number of these customers were infected by the ransomware. Here is the timeline of the WannaCry outbreak that Microsoft has compiled in its Technet article.

March 14, 2017: Microsoft releases security bulletin MS17-010 which includes fixes for a set of SMBv1 vulnerabilities.

April 14, 2017: ShadowBrokers publicly releases a set of exploits, including a wormable exploit known as ‘EternalBlue’ that leverage these SMBv1 vulnerabilities.

May 12, 2017: The EternalBlue exploit is used in ransomware attacks known as WannaCry. Hundreds of thousands of vulnerable computers across the globe are infected.

And we have had isolated WannaCry outbreaks months later at German car manufacturer Mercedes, at Taiwanese chip maker TMC and other companies, caused by unpatched Windows systems. So it’s likely that we will see a similar scenario with BlueKeep sooner or later. So be smart and patch your systems.

Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability


Windows: Security updates for iCloud and iTunes (05/28/2019)


[German] Apple has recently released updated versions of its iCloud and iTunes applications for Windows. Those who use these clients to access Apple services should update as soon as possible.

iCloud for Windows Version 7.12

The iCloud client for Windows allows you to access various Apple services such as iCloud Drive, email, contacts, calendars, tasks or the photos and bookmarks stored in an Apple account from this operating system. A description of the functionality can be found on this Apple site.

On May 28, 2019, Apple released version 7.12 of this client for Windows. This is an unscheduled security update that closes 25 vulnerabilities. According to this Apple page, the following issues are resolved:

SQLite

  • CVE-2019-8577: An application may be able to gain elevated privileges.
  • CVE-2019-8600: A maliciously crafted SQL query may lead to arbitrary code execution.
  • CVE-2019-8598: A malicious application may be able to read restricted memory.
  • CVE-2019-8602: A malicious application may be able to elevate privileges.

WebKit

  • CVE-2019-8607: Processing maliciously crafted web content may result in the disclosure of process memory.
  • CVE-2019-6237, CVE-2019-8571, CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596, CVE-2019-8597, CVE-2019-8601, CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8611, CVE-2019-8615, CVE-2019-8619, CVE-2019-8622, CVE-2019-8623, CVE-2019-8628: Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

The 155 MByte program can be downloaded from this Apple page. The client requires Windows 7 or later.

iTunes version 12.9.5 for Windows

The iTunes client is Apple’s universal multimedia management software, which is included in macOS but is also available as a separate program for Windows 7 or later. The program allows you to play, convert, burn, organize and buy music, audiobooks, podcasts and movies, and it can manage content from connected iOS devices (iPod, iPad and iPhone). See this Apple website for an overview of features.

Bloomberg reports that Apple may want to discontinue iTunes. Under macOS there should be separate apps for the iTunes functions. But it’s all still a rumor.

The update to iTunes version 12.9.5 closes the same vulnerabilities as iCloud (see this Apple document). The download is possible from this Apple site.

Windows Notepad hack allows shell access


[German] Tavis Ormandy of Google’s Project Zero has found a bug in the Windows Notepad editor that gives him shell access. This can be used to attempt an attack on a Windows system. Here is some information about this vulnerability.

Tavis Ormandy is one of the security researchers of Google’s Project Zero and has found a number of vulnerabilities in products, including Windows, in the past. In a tweet, he points to a new vulnerability.

At Threatpost.com you can find more information about this vulnerability, which has probably existed since 1985 in all versions of the Windows editor. A memory corruption bug (memory overflow) in the Windows Notepad editor can be used to open remote shell access. Shell access in the form of a command prompt is usually a first step for attackers attempting to invade a system.

Disclosure of vulnerability in 90 days

Tavis Ormandy has published nothing but the tweet on this vulnerability. Users on Twitter then suspected that he had simply right-clicked on cmd.exe in the Open dialog box. He writes about this:

All I can say it’s a serious security bug, and we’ve given Microsoft up to 90 days to address it (as we do with all the vulns we report). That’s all I can share.

So there is some mechanism by which you can abuse the editor. Microsoft has been informed and now has 90 days to patch Notepad. However, Chaouki Bekrar, founder of Zerodium, a company that buys zero-day vulnerabilities, contradicts this in the following tweet.

There have probably been hacks of Notepad in the past, but these exploits were never reported to Microsoft or made public.

Security researchers are amazed

“It’s impressive to make this attack work at all,” said Dan Kaminsky, chief scientist and founder of White Ops. “Notepad has such a small attack surface that it is remarkable that it is still sufficient to allow an attacker to execute arbitrary code. That’s not to say that given Notepad’s small attack surface, there’s no room for anything that goes wrong.”

For many security researchers, “popping a shell”, i.e. opening a command prompt, doesn’t seem to be known for Notepad yet – at least nothing is documented. The term “popping a shell” is shorthand for an attack in which the adversary exploits a computer and gains remote access via a shell connection. Further details can be found in the Threatpost.com article. (via)

GandCrab ransomware: They say they are retiring


    [German]It seems as if the developers of the malware GandCrab are retiring and discontinuing the Ransomware. But the first figures have become known about the payments the victims are said to have made.

    Ransomware Trojan GandCrab

    The trojan GandCrab is a ransomware, that has been widely distributed in email campaigns in recent weeks. Cyber criminals are trying to send the Gandcrab Trojan to their victims via fake application e-mails. If a victim falls for it, the GandCrab Ransomware encrypts all data on the infected computer and replaces the desktop background with a message with the ransom demand. .

    KRITIS network
    (Source: Pexels Markus Spiske CC0 Licence)

    Only if the victim pays the ransom does he get a key to decrypt his data. It was known that the backers of the campaigns are successful and infect many computers.

    Income of the cyber criminals

    But it was unclear how much the blackmailers could take. There are also decryption tools for older versions of the ransomware. So I was surprised to see the following tweet from Kevin Beaumont.

    He posted a text excerpt from a forum. The backers announced there that they would withdraw and publish some figures. They write:

    All good things come to an end

    We are leaving for a well-deserved retirement

    Sounds like a final withdrawal from the business. Allegedly, more than 2 billion US $ have been raised by all parties involved. The developers themselves claim to have earned 150 million US dollars a year. The money is now laundered and legalized. This would now be the time to retire.

    GandCrab victims should know this

    For the victims of the GandCrab Ransomware this announcement still has a special meaning. The aim of the ransom payment is to get a key to get your data back.

    As it looks, the infrastructure for GandCrab will be shut down; this is how I interpret the forum entry. The GandCrab backers write that the keys for recovering the files will be deleted when they leave the business. Anyone who still pays as a victim will therefore not regain access to their data.

    Operating-system-/Windows market share (May 2019)


    [German]For a few days the figures for the operating system and Windows market share have been available. This blog post gives a short overview of this topic.

    According to the latest figures from netmarketshare.com (until the end of May 2019), Windows still runs on 88.30% (April 2019: 88.22%) of desktop systems. Mac OS comes to 9.30% (April 2019: 8.38%), while Linux runs on 1.92% (April: 1.99%) of the systems. So there is no real change.

    Desktop operating system distribution 5.2019

    (netmarketshare.com OS-Market-Share 5.2019)

    In the analysis of the distribution by individual operating system versions, NetMarketShare issues the following distribution for the desktop operating systems at the end of May 2019:

    • Windows 10 45.73% (previous month 43.62 %),
    • Windows 7 35.44 % (previous month 36.52 %),
    • Windows 8.1 3.97 % (previous month 4.13 %),
    • macOS 10.13 1.94 % (previous month 2.23 %).

    Windows 10 was thus able to grow, but the growth rates are rather modest. I would have expected the Windows 10 share to slowly pick up, as support for Windows 7 expires in January 2020. 

    Windows 10 distribution

    Also interesting is the distribution of the Windows 10 versions according to the picture above. I don’t quote the AdDuplex statistics every month, because the measurement inaccuracy is too big. But in the figure it is noticeable that Windows 10 version 1803 is represented with over 60% and Windows 10 version 1809 with just 31%. The new Windows 10 version 1903 is virtually undetectable; its share is less than 2%. I interpret this to mean that people don’t really accept the new versions of Windows 10, but stay on the oldest supported version as long as possible. It will be exciting to see what happens in the coming months.

    How To: BlueKeep-Check for Windows


    [German]This How To discusses the question of how end users and administrators can easily check whether their systems running Windows XP to Windows 7, as well as the server counterparts, have the patch for the critical BlueKeep vulnerability (CVE-2019-0708) installed or are still vulnerable. In addition, a brief explanation of how a network can be scanned for vulnerable computers is given.

    BlueKeep: Some basic information

    In Windows XP to Windows 7 and its server counterparts, there is a critical vulnerability called BlueKeep (CVE-2019-0708) that may be used to hijack systems. Windows 8 and later systems are not vulnerable to the BlueKeep vulnerability.

    Microsoft has provided security updates for closing this vulnerability for affected Windows systems since May 14, 2019 – even for versions that have long fallen out of support, such as Windows XP (see my blog post Critical update for Windows XP up to Windows 7 (May 2019) and BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor). So the vulnerability is considered critical, and Microsoft warns against running systems without the security updates installed (see BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia). US-CERT has also issued a warning with advice on how to secure systems besides patching:

    • Block TCP port 3389 on your firewalls, especially on all firewalls exposed to the Internet. RDP uses this port; blocking it stops attempts to establish a connection from outside.
    • Enable authentication at the network level (see my blog post Assign network level authentication w/o Group Policies). This security enhancement requires attackers to have valid credentials before they can attempt to exploit the vulnerability.
    • Disable Remote Desktop Services if they are not needed. Disabling unused and unneeded services helps reduce overall vulnerability exposure and is a best practice even without the BlueKeep threat.

    Security researchers have nevertheless recently found, in an Internet-wide scan, over 950,000 vulnerable Windows systems without the required security update that can be reached via the Internet (see Nearly 1 million Windows machines with BlueKeep vulnerability). I had reported extensively on this here in the blog (see the link list at the end of the article).

    So it’s a grotesque situation: security updates are available, countermeasures and the risk of an attack are known, but people don’t patch or react. However, some users are unable to quickly check whether the updates required to close the BlueKeep vulnerability are installed. Microsoft has little to offer here; corporate administrators need to know how to check this. Due to questions and discussions here in the blog I decided to provide the following information.

    Am I actually in danger?

    First question that many users might ask themselves: Do I really have to assume that I am at risk? Microsoft provides updates for Windows XP to Windows 7 and their server counterparts. But the question ‘Are home users also affected?’ came up relatively quickly in the blog, and it was noted that a machine hanging behind a firewall that blocks certain ports for the Remote Desktop Protocol (RDP) is not vulnerable to Internet attacks.

    As a first approximation one can assume that home users are not endangered. The most vulnerable are Windows servers on which a remote desktop server has been set up to handle incoming requests. Talos has also published the security article Using Firepower to defend against encrypted RDP attacks like BlueKeep, which explains that under Windows 7 you probably have to overcome several hurdles to be vulnerable. But if Microsoft provides a security update, you should install it anyway.

    Is the BlueKeep security update installed?

    The easiest way to check if there is a risk regarding BlueKeep is to check if the required security update is installed. To do this, you could view the history of installed Windows updates.

    Check your update history

    To view the Windows update history and check whether the required update is installed, try the following steps.

    1. Type ‘Updates’ into the search box of the start menu and select the entry ‘View update history’. Or open the Control Panel, go to Windows Update and click View update history (see here).

    2. In the ‘View update history’ window, type the required KB number into the ‘Search Control Panel’ box.

    Search for installed updates (Windows 7)

    If the update is listed there, you don’t need to do anything. If the update is missing, simply download the relevant package from Microsoft and install it manually. If the update already exists, the second installation will probably be rejected with a corresponding hint. Below is a list of the security updates that close the BlueKeep vulnerability.

    Windows XP: KB4500331
    Windows Server 2003 SP2: KB4500331
    Windows Vista: KB4499149 or KB4499180
    Windows Server 2008 SP1: KB4499149 or KB4499180
    Windows 7 SP1: KB4499164 or KB4499175
    Windows Server 2008 R2: KB4499164 or KB4499175

    Use a batch file to check the local system

    German blog reader Bernhard M. has sent me two small batch files he used to check a local system for required updates (thanks). I’ve modified one batch file so that it checks whether one of the necessary security updates is installed. It should work for Windows XP up to Windows 7 and the server counterparts.

    @ECHO OFF
    REM *******************************************************
    REM BlueKeep Update Check
    REM *******************************************************
    CLS
    ECHO Check for installed BlueKeep security updates
    ECHO.
    ECHO Windows XP: KB4500331
    ECHO Windows Server 2003 SP2: KB4500331
    ECHO Windows Vista: KB4499149 or KB4499180
    ECHO Windows Server 2008 SP1: KB4499149 or KB4499180
    ECHO Windows 7 SP1: KB4499164 or KB4499175
    ECHO Windows Server 2008 R2: KB4499164 or KB4499175
    ECHO.
    ECHO Depending on the version of Windows, a security update must
    ECHO be installed. Please wait until the check is completed. If no
    ECHO package is reported, the BlueKeep security update is missing.
    SETLOCAL
    REM wmic qfe lists the installed hotfixes (Quick Fix Engineering entries).
    REM The redirected output is a Unicode text file; "type file | findstr"
    REM converts it to the console code page so findstr can match the KB numbers.
    wmic qfe > %TEMP%\check-updates.txt

    REM *** Windows XP / Windows Server 2003 SP2: KB4500331
    type %TEMP%\check-updates.txt | findstr KB4500331

    REM *** Windows Vista / Windows Server 2008 SP1: KB4499149 or KB4499180
    type %TEMP%\check-updates.txt | findstr KB4499149
    type %TEMP%\check-updates.txt | findstr KB4499180

    REM *** Windows 7 SP1 / Windows Server 2008 R2: KB4499164 or KB4499175
    type %TEMP%\check-updates.txt | findstr KB4499164
    type %TEMP%\check-updates.txt | findstr KB4499175

    del %TEMP%\check-updates.txt
    ECHO.
    ECHO Please press a key to exit
    PAUSE >NUL

    Select the instructions above, copy them to the clipboard using Ctrl+c, open the Windows Editor Notepad.exe and paste the clipboard with the Ctrl+v key combination. Save the document into a file BlueKeep-Check.bat.

    If this file is executed by double-clicking, the command wmic qfe determines the installed updates and saves the result in a text file. This text file is then simply searched for the required updates with findstr. The results will be reported afterwards (see following image).

    BlueKeep check for Windows XP up to Windows 7

    The interpretation of the results is quite simple: If no update is reported during this check, it is missing and the computer is not protected against BlueKeep. If an update is reported (as in the picture above), the patch is installed. It is a quick-and-dirty solution, which I tested only briefly under Windows 7 SP1. But it should also work under Windows XP, Vista and its server counterparts.
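The batch file only tells you whether one of the KB numbers is installed. As an added example (my own code, not the reader’s batch file), the following PowerShell script goes one step further and combines the update check with the US-CERT mitigations listed above: it determines the Windows version, looks only for the KB numbers that belong to that version, and reads from the registry whether the RDP listener is enabled and whether Network Level Authentication is required. It assumes PowerShell 2.0 or later (built into Windows 7 and Server 2008 R2, separately installable on XP, Vista, 2003 and 2008) and an elevated prompt; the registry values fDenyTSConnections and UserAuthentication are the standard Terminal Server settings.

```powershell
# Local BlueKeep (CVE-2019-0708) posture check: affected OS? update installed?
# RDP listener enabled? NLA required? Added example for this post, not the reader's
# batch file. Assumes Windows PowerShell 2.0 or later and an elevated prompt.

# KB numbers as listed in the post, keyed by the OS major.minor version.
$BlueKeepKBs = @{
    '5.1' = @('KB4500331')                 # Windows XP
    '5.2' = @('KB4500331')                 # Windows Server 2003 SP2 (and XP x64)
    '6.0' = @('KB4499149', 'KB4499180')    # Windows Vista / Windows Server 2008
    '6.1' = @('KB4499164', 'KB4499175')    # Windows 7 SP1 / Windows Server 2008 R2
}

function Get-BlueKeepStatus {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = ($os.Version -split '\.')[0..1] -join '.'    # "6.1.7601" -> "6.1"

    $status = New-Object PSObject -Property @{
        Caption = $os.Caption; Version = $os.Version
        Affected = $BlueKeepKBs.ContainsKey($ver)
        PatchFound = @(); RdpEnabled = $null; NlaRequired = $null; Verdict = ''
    }
    if (-not $status.Affected) {
        $status.Verdict = 'NOT AFFECTED (Windows 8 or later)'
        return $status
    }

    # Get-HotFix reads the same QFE data as "wmic qfe"; HotFixID looks like "KB4499175".
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $status.PatchFound = @($BlueKeepKBs[$ver] | Where-Object { $installed -contains $_ })

    # fDenyTSConnections = 0 means the RDP listener is enabled;
    # UserAuthentication = 1 on the RDP-Tcp listener means NLA is required.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    $status.RdpEnabled  = ($ts -ne $null) -and ($ts.fDenyTSConnections -eq 0)
    $status.NlaRequired = ($tcp -ne $null) -and ($tcp.UserAuthentication -eq 1)

    if ($status.PatchFound.Count -gt 0) {
        $status.Verdict = 'PATCHED (' + ($status.PatchFound -join ', ') + ')'
    } elseif (-not $status.RdpEnabled) {
        $status.Verdict = 'UNPATCHED, RDP listener disabled: install the update anyway'
    } elseif ($status.NlaRequired) {
        $status.Verdict = 'UNPATCHED, RDP enabled, NLA required (partial mitigation): install the update'
    } else {
        $status.Verdict = 'VULNERABLE: RDP enabled, no NLA, BlueKeep update missing'
    }
    return $status
}

Get-BlueKeepStatus | Format-List Caption, Version, Affected, PatchFound, RdpEnabled, NlaRequired, Verdict
```

Save it as BlueKeep-Check.ps1 and run it from an elevated PowerShell prompt (on systems with the default execution policy you may need powershell -ExecutionPolicy Bypass -File BlueKeep-Check.ps1). The verdict line deliberately treats NLA as a mitigation only, not as a substitute for the update, which matches the advice in the US-CERT list above.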

    Network scan for vulnerable systems

    Administrators who maintain larger installations, even with servers running the Remote Desktop Service, need a better testing method. There it is the question: Can a computer be reached from the Internet or via a network by RDP and is it vulnerable due to a missing update?

    There is a script-based scanner by Kevin Beaumont in a Docker container. But I simply consider this solution too complex to be used quickly and easily. It is rather for large corporate environments, where you test the network and have an infrastructure with Docker containers anyway.

    A second program for scanning networks for the BlueKeep vulnerability is by David Graham and is called rdpscan. David Graham published the source code as a Visual Studio project on GitHub. And I found the GitHub page of Graham, where he offers precompiled binary versions of the program for Windows and macOS. On his blog there is a Linux version for download and a description. The program is used from a command prompt window as:

    rdpscan 192.168.1.1-192.168.1.255

    The IP address should correspond to the network address space to be checked. The IP address of the own system can be determined with the command ipconfig /all in the command prompt.

    The tool knows three results which can be displayed as single-line messages in the command prompt window.

    • VULNERABLE if an RDP connection can be established and the update is not installed, i.e. the system is vulnerable
    • SAFE if an RDP connection can be established and the update is found, so access is probably secure
    • UNKNOWN if no RDP connection can be established

    During my test under Windows 10 and Windows 7, where no Remote Desktop Service is running, I got the message ‘UNKNOWN – no connection – timeout’, because the service did not respond.

    BlueKeep network check

    Of course, you don’t know if it’s because you entered a wrong IP address or if the computer doesn’t provide a remote desktop service that can be reached via the network. But I think that experienced administrators can rule out other causes or test against a working RDP server. Together with the BlueKeep-Update-Check above you should make some progress. Maybe it will help you. If you have any comments or suggestions, please leave a comment.
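Administrators who manage their machines over a domain can also answer the two questions from this section (is RDP reachable, is the update missing?) without a vulnerability scanner, by combining a TCP connect to port 3389 with a remote hotfix inventory. The following script is an added example (my own code, not rdpscan, and not from Graham or Beaumont). It assumes the scanning account has administrative WMI access to the targets for Get-HotFix and Win32_OperatingSystem; hosts without such access are reported as UNKNOWN. The host list at the bottom is constructed.

```powershell
# Network-wide BlueKeep exposure check for hosts you administer: is TCP 3389 reachable
# from the scanning machine, and does the host carry one of the BlueKeep updates?
# Added example for this post (it is not rdpscan). Assumes administrative WMI access
# to the targets; otherwise a host is reported as UNKNOWN. Windows PowerShell 2.0+.

$BlueKeepKBs = @('KB4500331', 'KB4499149', 'KB4499180', 'KB4499164', 'KB4499175')

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port = 3389, [int]$TimeoutMs = 1500)
    # Plain TCP connect with a timeout; works on PowerShell 2.0, unlike Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-BlueKeepExposure {
    param([string[]]$ComputerName)
    foreach ($target in $ComputerName) {
        $rdpReachable = Test-TcpPort -ComputerName $target
        $osVersion = $null; $patched = $null; $note = ''
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target -ErrorAction Stop
            $osVersion = [version]$os.Version
            $fixes = @(Get-HotFix -ComputerName $target -ErrorAction Stop | ForEach-Object { $_.HotFixID })
            $patched = @($fixes | Where-Object { $BlueKeepKBs -contains $_ }).Count -gt 0
        } catch {
            $note = $_.Exception.Message
        }

        # Windows 8 (6.2) and later do not contain the vulnerable code path.
        if ($osVersion -eq $null)              { $verdict = 'UNKNOWN (no WMI access)' }
        elseif ($osVersion -ge [version]'6.2') { $verdict = 'NOT AFFECTED' }
        elseif ($patched)                      { $verdict = 'PATCHED' }
        elseif ($rdpReachable)                 { $verdict = 'VULNERABLE (RDP reachable, update missing)' }
        else                                   { $verdict = 'UNPATCHED (RDP port not reachable from here)' }

        New-Object PSObject -Property @{
            Computer = $target; RdpPortOpen = $rdpReachable; OSVersion = $osVersion
            Patched = $patched; Verdict = $verdict; Note = $note
        }
    }
}

# Constructed host list; replace with names or addresses from your own inventory.
Test-BlueKeepExposure -ComputerName 'srv-rds01', 'pc-finance07', '192.168.1.25' |
    Format-Table Computer, RdpPortOpen, OSVersion, Patched, Verdict, Note -AutoSize
```

Unlike rdpscan, this does not talk RDP at all: an open port 3389 plus a missing update is reported as VULNERABLE even if a firewall elsewhere would block the Internet, so treat the result as a patch-inventory view of the network, and use the per-host posture check from the batch file section for the NLA state.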

    Similar articles
    A threat actor scans Windows systems for BlueKeep vulnerability
    BlueKeep: Windows Remote Desktop Services vulnerability exploits status
    Critical update for Windows XP up to Windows 7 (May 2019)
    Nearly 1 million Windows machines with BlueKeep vulnerability
    BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia
    BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor

    Metasploit for Windows BlueKeep vulnerability


    [German]A security researcher has developed a Metasploit module for the BlueKeep vulnerability in Windows Remote Desktop Services. It has not been released yet, because the developer considers a release too risky (there are nearly one million unpatched systems).

    BlueKeep is a critical vulnerability (CVE-2019-0708) that can be used to take over systems. Windows XP to Windows 7 and their server counterparts are at risk. Systems from Windows 8 onwards are not vulnerable to the BlueKeep vulnerability.

    Microsoft has been offering security updates to close this vulnerability for affected Windows systems since May 14, 2019 – even for the long-forgotten versions such as Windows XP or Windows Server 2003 (see my blog post Critical update for Windows XP up to Windows 7 (May 2019)).

    The vulnerability is considered critical; Microsoft (BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia) and US-CERT have issued warnings. However, a large number of systems are still unpatched, although the vulnerability has been known since mid-May 2019 and updates are available. I had reported on this issue in the blog post Nearly 1 million Windows machines with BlueKeep vulnerability.

    MetaSploit for BlueKeep

    Until now, only security companies such as antivirus manufacturers had a proof of concept for exploiting the vulnerability – which was not publicly available. A network scanner for the RDP vulnerability is also available (see my blog post How To: BlueKeep-Check for Windows). What is missing so far is a working metasploit for penetration tests. A metasploit is an approach developed by security researchers for penetration testing to exploit security vulnerabilities and thus prove the vulnerability of a system.

    Now a security researcher seems to have finished a metasploit. The module was developed by Zǝɹosum0x0, who announced it on Twitter.

    The Metasploit is still a draft. However, due to the danger for a large number of systems that are still unpatched, this draft will not be released publicly.  The security researcher has linked a video within the above tweet that shows a successful use of the Metasploit on a Windows 2008 machine. After the Metasploit extracted the credentials for the target system with the Mimikatz tool, full control over the system was achieved.

    The security researcher told Bleeping Computer that the same exploit works for both Windows 7 and Server 2008 R2 because the two operating systems are “essentially identical, except for some additional programs on the server.” However, I am sceptical about the practical exploitability under Windows 7, as most systems do not run remote desktop services: in my scans within my network, the Windows 7 systems were not reachable for the rdpscan tool.

    Although Windows Server 2003 is also vulnerable to BlueKeep, the Metasploit team could not trigger the bug and exploit it on this operating system. BTW: @zerosum0x0 is a security researcher who helped develop this BlueKeep scanner.

    Tip: How to check systems for security against BlueKeep is described in my blog post How To: BlueKeep-Check for Windows. Maybe it helps. 

    Similar articles
    A threat actor scans Windows systems for BlueKeep vulnerability
    BlueKeep: Windows Remote Desktop Services vulnerability exploits status
    Critical update for Windows XP up to Windows 7 (May 2019)
    Nearly 1 million Windows machines with BlueKeep vulnerability
    BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia
    BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
    How To: BlueKeep-Check for Windows

    Windows RDP Network Level Authentication can bypass lock screen


    [German]In a recent article, the CERT Coordination Center warns that Microsoft Windows RDP Network Level Authentication can bypass the Windows lock screen on a locked remote session.

    The warning has been published within the CERT document Microsoft Windows RDP Network Level Authentication can bypass the Windows lock screen. Also this article from The Hacker News discusses the issue.

    The Vulnerability

    Microsoft Windows Remote Desktop supports a feature called Network Level Authentication (NLA) that moves the authentication aspect of a remote session from the RDP layer to the network layer. The use of NLA is recommended to reduce the attack surface of systems exposed to the RDP protocol. Under Windows, a session can be locked by the user, which causes the lock screen to appear. This requires authentication from the user to continue using the session. Session locking can also be done via RDP in the same way that a local session can be locked.

    KRITIS network
    (Source: Pexels Markus Spiske CC0 Licence)

    A change from Windows 10 Version 1803 onwards

    Since Windows 10 1803 (released in April 2018) and Windows Server 2019, the handling of NLA-based RDP sessions has changed to the point where unexpected session locking behavior can occur. If a network anomaly triggers a temporary RDP disconnect, the RDP session is put into an unlocked state when the connection is automatically reestablished. Unfortunately, this is independent of how the remote system was left. The CERT describes the scenario in its article linked above with the following steps:

    1. The user connects to the remote Windows 10 1803 or Server 2019 or later system via RDP.
    2. The user locks the remote desktop session.
    3. The user leaves the physical environment of the system used as the RDP client.

    At this point, an attacker can interrupt the network connection of the RDP client system. The RDP client software automatically reconnects to the remote system once the Internet connection is restored.

    However, because of this vulnerability the reconnected RDP session lands on the logged-on desktop instead of the login screen. This means that the remote system is unlocked without credentials having been entered manually.

    2FA and login policy will be bypassed

    Two-factor authentication systems that integrate with the Windows logon screen, such as Duo Security MFA, can also be bypassed with this mechanism. People at CERT suspect that other MFA solutions that use the Windows logon screen are similarly affected. Any login policies enforced by a company will also be bypassed.

    The impact

    By disrupting a system’s network connection, an attacker with access to a system used as a Windows RDP client can gain access to a connected remote system, regardless of whether the remote system is locked or not.  CERT/CC does not currently have a practical solution to this problem. The following workarounds are recommended.

    • Protect access to RDP client systems: If you have a system that is used as an RDP client, make sure that you lock the local system, not the remote system. Locking the remote system via RDP does not provide protection.
    • Disconnect RDP sessions instead of locking them: Because locking a remote RDP session does not provide effective protection, RDP sessions should be disconnected rather than locked. This will invalidate the current session, preventing the RDP session from automatically reconnecting without credentials.
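The two CERT/CC workarounds can be supported with a little PowerShell, and the reconnect behaviour itself leaves a trace in the Security log that is worth watching. The following is an added example (my own code, not from CERT/CC or Microsoft). The first function implements the second workaround: inside an RDP session it disconnects (tsdiscon) instead of locking, so the next reconnect must present credentials again. The second function lists session reconnect and disconnect events (Security event IDs 4778 and 4779) with the client name and address, which lets an administrator spot a reconnect to a session that the legitimate user had left locked. It assumes an elevated Windows PowerShell session and that the audit subcategory “Other Logon/Logoff Events” is enabled, otherwise no 4778/4779 events exist to read.

```powershell
# Lock-screen bypass on NLA reconnect: workaround helper and audit helper.
# Added example for this post (not CERT/CC or Microsoft code). Assumes an elevated
# Windows PowerShell session and auditing of "Other Logon/Logoff Events".

function Disconnect-RdpSessionInsteadOfLock {
    # CERT/CC workaround 2: from inside an RDP session, disconnect rather than lock.
    # $env:SESSIONNAME is "RDP-Tcp#<n>" inside a remote desktop session and "Console"
    # at the physical console.
    if ($env:SESSIONNAME -like 'RDP-*') {
        tsdiscon.exe            # ends the connection; reconnecting requires credentials
    } else {
        # No RDP session to disconnect at the console: lock the local workstation instead
        # (CERT/CC workaround 1: lock the client system, not the remote one).
        rundll32.exe user32.dll,LockWorkStation
    }
}

function Get-RdpSessionReconnect {
    param([int]$Hours = 24)
    # 4778 = session reconnected to a window station, 4779 = session disconnected.
    # A reconnect from an unexpected client name or address is worth a closer look.
    $filter = @{ LogName = 'Security'; Id = 4778, 4779; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $action = if ($_.Id -eq 4778) { 'reconnected' } else { 'disconnected' }
        New-Object PSObject -Property @{
            Time          = $_.TimeCreated
            Action        = $action
            Account       = $data['SubjectDomainName'] + '\' + $data['SubjectUserName']
            SessionName   = $data['SessionName']
            ClientName    = $data['ClientName']
            ClientAddress = $data['ClientAddress']
        }
    }
}

# Usage: review the last 24 hours of reconnects and disconnects on this machine.
Get-RdpSessionReconnect -Hours 24 | Sort-Object Time |
    Format-Table Time, Action, Account, SessionName, ClientName, ClientAddress -AutoSize
```

Run Get-RdpSessionReconnect on the remote system (the RDP server side), because that is where the session is reconnected; a 4778 event whose ClientName or ClientAddress does not match the user’s usual client, or a 4778 that follows a 4779 while the user was away, is the pattern described in the CERT/CC note.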

    It seems that companies who are using RDP with Windows are now having a lot of headaches for security reasons.


    Microsoft Security Update Summary (June 11, 2019)


    [German]As of June 11, 2019, Microsoft has released numerous security updates for Windows clients and servers, for Office, etc. Here is a compact overview of these security updates.

    A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office etc. can be found in separate blog posts.

    Servicing Stack Updates

    Microsoft now publishes an overview of all current Servicing Stack Updates (SSUs). The list of SSUs can be found at ADV990001.

    Notes on updates

    All Windows 10 updates are cumulative. The monthly Patchday update includes all security fixes for Windows 10 and all non-security fixes up to Patchday.

    Updates can also be downloaded from the Microsoft Update Catalog. The updates for Windows RT 8.1 and Microsoft Office RT are only available via Windows Update. Information about the support period for Windows 10 can be found in the Windows Lifecycle Fact Sheet.

    According to the following tweet, Microsoft uses the security updates to close five 0-day vulnerabilities.

    Critical Security Updates

    Internet Explorer 11
    ChakraCore
    Microsoft Edge
    Windows Server 2008 for 32-bit Systems Service Pack 2
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 for Itanium-Based Systems Service Pack 2
    Windows Server 2008 for x64-based Systems Service Pack 2
    Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
    Windows 7 for 32-bit Systems Service Pack 1
    Windows 7 for x64-based Systems Service Pack 1
    Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
    Windows Server 2008 R2 for x64-based Systems Service Pack 1
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
    Windows Server 2012
    Windows Server 2012 (Server Core installation)
    Windows 8.1 for 32-bit systems
    Windows 8.1 for x64-based systems
    Windows RT 8.1
    Windows Server 2012 R2
    Windows Server 2012 R2 (Server Core installation)
    Windows 10 for 32-bit Systems
    Windows 10 for x64-based Systems
    Windows 10 Version 1607 for 32-bit Systems
    Windows 10 Version 1607 for x64-based Systems
    Windows 10 Version 1703 for 32-bit Systems
    Windows 10 Version 1703 for x64-based Systems
    Windows 10 version 1709 for 32-bit Systems
    Windows 10 version 1709 for x64-based Systems
    Windows 10 Version 1709 for ARM64-based Systems
    Windows 10 Version 1803 for 32-bit Systems
    Windows 10 Version 1803 for x64-based Systems
    Windows 10 Version 1803 for ARM64-based Systems
    Windows 10 Version 1809 for 32-bit Systems
    Windows 10 Version 1809 for x64-based Systems
    Windows 10 Version 1809 for ARM64-based Systems
    Windows 10 Version 1903 for 32-bit Systems
    Windows 10 Version 1903 for x64-based Systems
    Windows 10 Version 1903 for ARM64-based Systems
    Windows Server 2016
    Windows Server 2016 (Server Core installation)
    Windows Server, version 1803 (Server Core Installation)
    Windows Server, version 1903 (Server Core Installation)
    Windows Server 2019
    Windows Server 2019 (Server Core installation)
    Adobe Flash Player

    Important Security Updates

    Microsoft Office 2010 Service Pack 2 (32-bit editions)
    Microsoft Office 2010 Service Pack 2 (64-bit editions)
    Microsoft Office 2019 for 32-bit editions
    Microsoft Office 2019 for 64-bit editions
    Microsoft Office 2016 for Mac
    Microsoft Office 2019 for Mac
    Microsoft Office Online Server
    Microsoft Office Web Apps 2010 Service Pack 2
    Microsoft Project Server 2010 Service Pack 2
    Microsoft SharePoint Enterprise Server 2013 Service Pack 1
    Microsoft SharePoint Enterprise Server 2016
    Microsoft SharePoint Foundation 2010 Service Pack 2
    Microsoft SharePoint Foundation 2013 Service Pack 1
    Microsoft SharePoint Server 2010 Service Pack 2
    Microsoft SharePoint Server 2019
    Microsoft Word 2010 Service Pack 2 (32-bit editions)
    Microsoft Word 2010 Service Pack 2 (64-bit editions)
    Microsoft Word 2013 RT Service Pack 1
    Microsoft Word 2013 Service Pack 1 (32-bit editions)
    Microsoft Word 2013 Service Pack 1 (64-bit editions)
    Microsoft Word 2016 (32-bit edition)
    Microsoft Word 2016 (64-bit edition)
    Office 365 ProPlus for 32-bit Systems
    Office 365 ProPlus for 64-bit Systems
    Microsoft Lync Server 2010
    Microsoft Lync Server 2013

    Moderate Security Updates

    Internet Explorer 9
    Internet Explorer 10

    Defense-in-Depth Updates

    Microsoft Exchange Server 2010 Service Pack 3
    Microsoft Exchange Server 2013 Cumulative Update 22
    Microsoft Exchange Server 2016 Cumulative Update 11
    Microsoft Exchange Server 2016 Cumulative Update 12
    Microsoft Exchange Server 2019
    Microsoft Exchange Server 2019 Cumulative Update 1

    Similar articles:
    Adobe security updates for Flash, ColdFusion, Campaign
    Microsoft Office Patchday (June 4, 2019)
    Microsoft Security Update Summary (June 11, 2019)
    Patchday: Updates for Windows 7/8.1/Server (June 11, 2019)
    Patchday Windows 10 Updates (June 11, 2019)
    Patchday Microsoft Office Updates (June 11, 2019)

    BadCert: Symcrypt vulnerability puts Windows Server at risk


    [German]Google security expert Tavis Ormandy of Google’s Project Zero security initiative disclosed an unpatched vulnerability in SymCrypt, the main cryptographic library of Microsoft’s operating system. The vulnerability can cause a Denial of Service (DoS) condition on Windows 8 servers and higher.

    The vulnerability was discovered by Tavis Ormandy of Google’s Project Zero security initiative and reported to Microsoft. After the 90-day disclosure deadline expired, Ormandy has now published the information and announced it on Twitter:

    Ormandy documented the whole thing here and also provided test certificates to trigger the vulnerability. 

    Error in SymCrypt

    There is a bug in the SymCrypt encryption library that has been used since Windows 8 for symmetric encryption functions. Windows 10 has been using the library for all cryptographic functions since October 2017.

    Ormandy noticed that certain input data can send the multi-precision arithmetic routines into an infinite loop. This acts as a denial of service (DoS). Ormandy was able to create an X.509 certificate that triggers the error.

    Tests have shown that embedding the prepared certificate in an S/MIME message, an authentication signature, a channel connection, etc. effectively forces any Windows server (e.g. IPsec, IIS, Exchange, etc.) to hang. Depending on the context, only a restart of the machine will get it working again. Ormandy writes that apparently many programs that process untrusted content (such as antivirus programs) call these routines with untrusted data. This then brings the machine to a standstill. Users can check this and will notice that the following command never completes:

    C:\> certutil.exe testcase.crt

    Ormandy classifies the vulnerability as a low threat level. Microsoft has not yet released a patch, so Ormandy has disclosed the information after the 90-day period. On Github you can find the source code of a module to exploit the vulnerability. Bleeping Computer has this article about that topic.

    Tip: PowerShell workarounds for June bug in Windows Event Viewer


    [German]I’ve already covered the bug in the Windows Event Viewer caused by the June 2019 patches. This article shows workarounds that let you use both the Event Viewer and its ‘Custom Views’ on a machine via PowerShell.

    Some Background about the issue

    The Windows security updates released by Microsoft in June 2019 close numerous vulnerabilities, but also cause headaches for administrators. As soon as the updates have been installed, the Event Viewer crashes if custom views are selected.

    Event Viewer: error in the snap-in

    As soon as the error has occurred once, the Event Viewer can no longer be used. The reason is that the Event Viewer snap-in automatically tries to load the last selected custom view on the next start.

    I’ve discussed that issue in detail within my German blog post Windows 7-10: Ereignisanzeige hängt nach Juni 2019-Update (KB4503293/KB4503327 etc.) – a shorter English version is Windows 10: Updates KB4503293/KB4503327 kills event viewer. The article explains which Windows versions and updates are affected (virtually all). And I had sketched a workaround how to fix the Event Viewer at least (but no custom views can be used afterward).

    Why pick up the subject again?

    The problem with the solution I outlined in the above articles was: with the workaround you can use the Event Viewer again and navigate and search in the events. But you can no longer define your own entries in the ‘Custom Views’ branch, because this immediately leads to a crash again.

    Microsoft has published a workaround which is intended to read custom views using PowerShell. My problem with this approach: the support article KB4508640 is very terse.

    function get-EventViewer {
        # List the names of all custom views stored by the Event Viewer snap-in
        Write-Output "List of custom views on the machine"
        Write-Output ""
        Get-ChildItem "C:\ProgramData\Microsoft\Event Viewer\Views" -Filter *.xml |
            ForEach-Object { Select-Xml -Path $_.FullName -XPath "//Name" } |
            Select-Object -ExpandProperty Node |
            Select-Object -ExpandProperty InnerXml

        Write-Output ""
        $view_name = Read-Host "Enter the name of custom view to execute"

        # Get the file name of the view whose <Name> element matches the input
        $ViewFile = Get-ChildItem "C:\ProgramData\Microsoft\Event Viewer\Views" -Filter *.xml |
            Where-Object { (Select-Xml -Path $_.FullName -XPath "//Name").Node.InnerXml -eq $view_name }

        # Run the view's <QueryList> through Get-WinEvent, bypassing the crashing snap-in
        Get-WinEvent -FilterXml ([xml]((Select-Xml -Path $ViewFile.FullName -XPath "//QueryList").Node.OuterXml))
    }

    Microsoft posted the above PowerShell fragment and a few hints on how to use this function:

    To work around this issue, copy and paste the following function into a PowerShell window and run it. You can now use the command get-EventViewer at the PowerShell prompt to view your Custom Views. You will need to re-enter the function each time you open a new PowerShell window. Note: The get-EventViewer function will only allow you to view previously defined Custom Views. To create new Custom Views, see Creating Get-WinEvent queries with FilterHashtable.

    Well, the last time I dealt with PowerShell was 6 or 7 years ago. And the colleagues from the writing guild are obviously not better positioned. I did a quick search and found some articles dealing with the Event Viewer bug – but the articles contain the sentence: ‘Oh yes, there’s a Microsoft workaround for PowerShell’ – that’s all.

    That should work …

    When I wrote an article about the Event Viewer bug for the German IT magazine heise two nights ago, I thought ‘let’s see how the workaround works’. I opened a browser and the PowerShell console on a Windows 10 machine, copied the above code fragment from Microsoft’s support article into the console window using copy & paste and pressed Enter. Then I only saw red – something went terribly wrong – and Microsoft’s workaround wasn’t a fool-proof solution. So I decided to get that workaround to work!

    And wouldn’t it be cool if you could do both: read custom views, but at the same time work with the Event Viewer and be able to look at or filter events? And it would be cool if the workaround were available as a clickable PowerShell script in a .ps1 file. A few explanations for dummies wouldn’t be bad either.

    Half an hour later, my solution was ready. The solution should bridge the time until a bug fix from Microsoft (announced for the end of June 2019) is available. It’s a kind of helper crutch for annoyed administrators and corporate environments. I don’t know if anyone needs it.

    What the Microsoft Workaround Can Do

    First a few words about the Microsoft workaround – probably intuitively clear to experienced administrators – but I first had to look at the script code and sort a few things out. You can add the function call to the script and save it in a .ps1 file. The whole code looks like this:

    function get-EventViewer {
        Write-Output "List of custom views on the machine"
        Write-Output ""
        Get-ChildItem "C:\ProgramData\Microsoft\Event Viewer\Views" -Filter *.xml | % { select-xml -Path $_.FullName -xpath "//Name" } | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty InnerXml

        Write-Output ""
        $view_name = Read-Host "Enter the name of custom view to execute"

        # Get the file name of the view
        $ViewFile = Get-ChildItem "C:\ProgramData\Microsoft\Event Viewer\Views" -Filter *.xml | where-object { (Select-Xml -Path $_.FullName -xpath "//Name").Node.InnerXml -eq $view_name }

        Get-WinEvent -FilterXml ([xml]((Select-Xml -Path $ViewFile.FullName -XPath "//QueryList").node.OuterXml))
    }

    get-EventViewer

    Only the last statement actually runs the function get-EventViewer; without it, the script merely defines the function and does nothing.

    What the PowerShell script requires

    This PowerShell script assumes that ‘Custom Views’ are defined globally for all user accounts on the machine (which are then stored in ProgramData).

    This condition was not met on my test machine with Windows 10, so the PowerShell script would have made little sense. But if you define custom views globally, the event viewer crashes because of the bug. So you have to work completely with PowerShell.

    How to use the script

    The PowerShell script must be run with administrative privileges (Run as administrator) in the PowerShell console or in the PowerShell ISE. Then there should be no error messages.

    (Screenshot: PowerShell script for custom views of the Event Viewer)

    The script lists the global custom views it finds and then asks for the name of the custom view to display. If you type the name, the matching events are listed. The picture above shows the approach in PowerShell ISE – where I already used the modified script from the approach described below.

    Use Event Viewer and Custom Views

    At this point I wondered whether it would be possible to use both: the Event Viewer and, at the same time, custom views for reading events. The idea is as follows: If we launch the Event Viewer from a default user account via Run as administrator, the snap-in runs in the context of the administrator account. If there are no global or local entries under ‘Custom Views’ in that context, the Event Viewer snap-in works. So a user can search the events, but cannot create custom views.

    To display the events of local custom views, use the PowerShell script under the default user account. This should allow reasonably comfortable working – I tested it briefly here, and it worked as far as I could see.

    Create and use local custom views

    To use new entries under ‘Custom Views’ in the Event Viewer, they must be defined for the local default account. If you launch the Event Viewer from a default account, the XML file of a new custom view is stored locally within the user’s profile. If the Event Viewer has been launched with Run as Administrator, the All Users check box at the bottom right of the Custom View dialog box must be unchecked when closing the dialog box.

    (Screenshot: Save custom view dialog)

    I had already explained this in the blog post Windows 7-10: Ereignisanzeige hängt nach Juni 2019-Update (KB4503293/KB4503327 etc.). The Microsoft Management Console MMC.exe then stores the Event Viewer snap-in data in an AppData subdirectory of the local profile folder. Thus, the user-defined views only affect the local account (and only cause the Event Viewer to crash there).

    Tip: You could also copy the global XML files such as Views_0.xml etc. into the local profile folder. Then you immediately have the old definitions. Within the Event Viewer you can create at most one user-defined entry, because it crashes immediately afterwards. I have described the paths of the folders in the blog post linked above.

    Modified PowerShell script for local user-defined views

    You need a PowerShell script to access the (locally stored) custom views under this user account. Unfortunately, this does not work with the above Microsoft PowerShell fragment. But that’s not a problem, you just have to adjust the paths to the view XML files accordingly.

    function get-EventViewer {
        $account = "MSKonto"
        Write-Output "List of custom views on the machine for: $account"
        Write-Output ""
        Get-ChildItem "C:\Users\$account\appdata\local\Microsoft\Event Viewer\Views" -Filter *.xml | % { select-xml -Path $_.FullName -xpath "//Name" } | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty InnerXml

        Write-Output ""
        $view_name = Read-Host "Enter the name of custom view to execute"

        # Get the file name of the view
        $ViewFile = Get-ChildItem "C:\Users\$account\appdata\local\Microsoft\Event Viewer\Views" -Filter *.xml | where-object { (Select-Xml -Path $_.FullName -xpath "//Name").Node.InnerXml -eq $view_name }

        Get-WinEvent -FilterXml ([xml]((Select-Xml -Path $ViewFile.FullName -XPath "//QueryList").node.OuterXml))
    }
    get-EventViewer

    The PowerShell script code above has been modified to read the views of the local user account. I have defined an $account variable to which I assigned the name of the user profile on my test machine (here MSKonto). The idea behind it: I can specify a fixed account name whose profile contains the Event Viewer custom views, so the PowerShell script works from various user accounts.

    Important: The value of the variable (the part in quotes) must be changed to the profile name on your own computer under which the custom views were created, in order for the script (LocalEventView.ps1) to work.

    When the function is executed, it then accesses AppData in the user profile and reads the locally defined ‘Custom Views’. These are listed and the user can then type in a view name to retrieve the custom view (see image below).
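    The following is an added example and not Microsoft’s KB4508640 fragment or the author’s LocalEventView.ps1: it combines the global (ProgramData) and the local (AppData\Local) variants described above into one non-interactive function that takes the view name as a parameter, which is what you want in a .ps1 file. The $Account parameter, the preference for the local definition when a name exists in both places, and the -MaxEvents limit are my assumptions; the folder paths and the <Name>/<QueryList> elements are those the scripts above rely on.

```powershell
# Added example, not Microsoft's or the author's script. Reads Event Viewer
# custom views from both locations the page describes (global ProgramData
# folder and per-user AppData\Local folder) and runs one by name.
# Assumed: view XML files carry the <Name> and <QueryList> elements the page's
# scripts use; $Account, local-over-global preference and -MaxEvents are mine.

function Get-CustomView {
    param(
        # Profile whose local views to read; defaults to the logged-on user
        [string]$Account = $env:USERNAME
    )
    $folders = @(
        @{ Scope = 'Global'; Path = "$env:ProgramData\Microsoft\Event Viewer\Views" },
        @{ Scope = 'Local';  Path = "C:\Users\$Account\AppData\Local\Microsoft\Event Viewer\Views" }
    )
    foreach ($f in $folders) {
        if (-not (Test-Path -LiteralPath $f.Path)) { continue }   # folder may not exist
        foreach ($file in Get-ChildItem -LiteralPath $f.Path -Filter *.xml) {
            try   { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop) }
            catch { Write-Warning "Skipping unreadable view file $($file.FullName)"; continue }
            $name = $xml.SelectSingleNode('//Name')
            if ($null -eq $name) { continue }   # file without a named view
            [pscustomobject]@{
                Name  = $name.InnerText
                Scope = $f.Scope
                File  = $file.FullName
            }
        }
    }
}

function Get-CustomViewEvents {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Account = $env:USERNAME,
        [int]$MaxEvents = 200
    )
    $found = @(Get-CustomView -Account $Account | Where-Object { $_.Name -eq $Name })
    if ($found.Count -eq 0) {
        throw "No custom view named '$Name' found (global, or local for '$Account')."
    }
    # If the same name exists in both scopes, prefer the user's local definition
    $view = $found | Where-Object { $_.Scope -eq 'Local' } | Select-Object -First 1
    if (-not $view) { $view = $found[0] }

    $query = ([xml](Get-Content -LiteralPath $view.File -Raw)).SelectSingleNode('//QueryList')
    if ($null -eq $query) { throw "View file '$($view.File)' contains no <QueryList>." }

    # Same mechanism as the page's scripts: the view's QueryList is a valid
    # Get-WinEvent XML filter. -MaxEvents keeps a broad view from flooding the console.
    Get-WinEvent -FilterXml ([xml]$query.OuterXml) -MaxEvents $MaxEvents
}

# Usage: list every view with its scope, then run one (adjust the name to a listed view)
Get-CustomView | Format-Table Name, Scope, File -AutoSize
Get-CustomViewEvents -Name 'My errors' | Select-Object TimeCreated, Id, ProviderName, Message
```

    Run it from an elevated PowerShell or PowerShell ISE like the scripts above; the absolute profile path means it finds the right folder even when running as administrator.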

    (Screenshot: Displaying custom view events in PowerShell ISE)

    I launched the PowerShell ISE via Run as Administrator (with default permissions, errors occur) and then loaded the .ps1 script. Then it is enough to click the Run Script button in the toolbar or press the function key F5. The inputs/outputs are displayed in the lower console window (see screenshot above). Due to the absolute path specifications in the script, this also works when it runs with administrative rights – the correct profile folder is found.

    The two PowerShell variants together with a small Readme.txt (German and English) can be downloaded as PowerShell-EventViewer.zip. Just unzip the archive and read the readme.txt file.

    Maybe it helps some administrators. If I’ve overlooked something, you can leave a comment.

    Similar articles:
    Windows 10: Updates KB4503293/KB4503327 kills event viewer
    Windows 7-10: Ereignisanzeige hängt nach Juni 2019-Update (KB4503293/KB4503327 etc.)

    Windows 8–10: Update blocks Bluetooth pairing


    [German]With the June 2019 security updates for Windows 8 to Windows 10, Microsoft is also patching the Bluetooth functionality. Some users noticed that their Bluetooth devices can no longer pair after installing an update. This is by design and not a bug. Here is some information on this topic.

    I have been aware of this topic since the Patchday (June 11, 2019). I’m going to take up the whole thing here in the blog again, because some users were surprised by it and some media make a big fuss or scandal out of it.

    Some reader feedback

    German blog reader Huggendubler posted this comment to the article Patchday Windows 10-Updates (11. Juni 2019). He reported Bluetooth issues:

    I just bought a new PC, AMD Ryzen 2600x with a current graphics card and a cheap wireless Xbox 360 game controller. I spent hours yesterday trying to make it work, without success. Everything done a thousand times. Driver installed, deleted, driver new, device removed, PC booted again and again. Adapter checked, driver loaded from the site.

    From the PC side everything was fine, only under Windows 10 there was no Bluetooth option at all. I’ve been researching the net forever. And all tips and tricks didn’t work. They actually sound logical, but it seemed as if Windows had completely switched off the Bluetooth option. Simply the button in the UI, the “Bluetooth” entry in the Device Manager, did not exist. Everything checked, services, administration. There was no Bluetooth option in Windows 10. The controller tries to connect for ten minutes, then the round button only flashes every few seconds. As if it would be blocked. And it probably won’t be broken.

    I also tried to uninstall the update ten times, but this always resulted in Windows reinstalling the update every time it was restarted, as it seems that you have to force the installation of certain updates. Unless you switch it off completely in Services, but then it is completely impossible to transfer new updates in general. And as soon as you switch services on again, this June update will be installed immediately when booting again.

    I will exchange the part today and buy a conventional cable game controller. I wonder what Microsoft was thinking. Probably most alternative game controllers are affected. It is unlikely that the manufacturers will immediately program company updates worldwide, which will somehow have to be installed on the game controllers, if at all possible.

    In my answer I pointed out that the problem described is probably related to the update for Windows 10 in which Microsoft deactivates older Bluetooth controllers for security reasons. Later I saw a tweet from @phantomofmobile addressing this issue too.

    Microsoft blocks insecure Bluetooth controllers

    Microsoft has documented the reason for the deactivated Bluetooth chips. The KB article KB4503293 Cumulative Update for Windows 10 Version 1903 (and KB4503290, Security-only Update for Windows 8.1) contains the following explanation:

    Addresses a security vulnerability by intentionally preventing connections between Windows and Bluetooth devices that are not secure and use well-known keys to encrypt connections, including security fobs. If BTHUSB Event 22 in the Event Viewer states, “Your Bluetooth device attempted to establish a debug connection….”, then your system is affected. Contact your Bluetooth device manufacturer to determine if a device update exists. For more information, see CVE-2019-2102 and KB4507623.

    So this update fixes a security vulnerability by intentionally preventing connections between Windows and Bluetooth devices that are not secure and use well-known keys to encrypt connections. This change to the Bluetooth functionality is contained within all June 2019 updates for Windows 8.1 to Windows 10 (including the server variants).
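    The KB text gives administrators one concrete indicator: BTHUSB Event 22 in the Event Viewer. The following added example (not Microsoft’s or the author’s code) queries the System log for that event so you can check a fleet without clicking through the Event Viewer; it assumes the event is logged to the System log by the provider named “BTHUSB”, which is the source name shown in the Event Viewer.

```powershell
# Added example, not Microsoft's or the author's code. Checks whether this
# machine has logged the BTHUSB Event ID 22 that the KB text names as the
# sign of a Bluetooth device being refused for using a well-known key.
# Assumed: the event is written to the System log by the provider "BTHUSB"
# (the source name shown in Event Viewer); adjust the filter if yours differs.

function Test-BlockedBluetoothDevice {
    param([int]$Days = 30)   # how far back to look

    $filter = @{
        LogName      = 'System'
        ProviderName = 'BTHUSB'
        Id           = 22
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events found" as an error; treat that as a clean result
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Get-WinEvent returns newest first, so the first entry is the most recent hit
    $lastSeen = $null
    if ($events.Count -gt 0) { $lastSeen = $events[0].TimeCreated }

    # First line of each distinct message, e.g. the "debug connection" text quoted above
    $messages = @($events | ForEach-Object { ($_.Message -split "`r?`n")[0] } | Sort-Object -Unique)

    [pscustomobject]@{
        Affected   = ($events.Count -gt 0)
        EventCount = $events.Count
        LastSeen   = $lastSeen
        Messages   = $messages
    }
}

Test-BlockedBluetoothDevice -Days 60 | Format-List
```

    If Affected is True, the message lines name the device the update refused, which is the device whose manufacturer you need to ask for an update.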

    In KB article 4507623 Microsoft provides more information. CVE-2019-2102 also contains more details:

    In the Bluetooth Low Energy (BLE) specification, there is a provided example Long Term Key (LTK). If a BLE device were to use this as a hardcoded LTK, it is theoretically possible for a proximate attacker to remotely inject keystrokes on a paired Android host due to improperly used crypto. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-128843052.

    Microsoft itself states that any device that uses known keys to encrypt connections may be affected. This also applies to certain USB security keys – but I don’t know whether Google’s Titan Key or the YubiKey is affected. Microsoft recommends that you contact the manufacturer of your Bluetooth device to determine if there is a device update.

    I can’t say for sure whether this applies to the user’s scenario described above, but the error pattern described fits. The whole thing may be annoying for those affected, but it is a security measure, since mischief could be done via this attack vector. However, the attacker must be in the vicinity of the Bluetooth device, and paired Bluetooth devices are required.

    Similar articles:
    Patchday: Updates for Windows 7/8.1/Server (June 11, 2019)
    Patchday Windows 10 Updates (June 11, 2019)

    Bitdefender released an updated GandCrab decryptor


    [German]Antivirus vendor Bitdefender has released an updated version of its decryption tool for the malware GandCrab. It helps to get encrypted data back if necessary.

    Ransomware/Trojan GandCrab

    I had reported about this ransomware in my blog. The blackmail Trojan GandCrab was still widely distributed in email campaigns in recent weeks. Cyber criminals try to send the GandCrab Trojan to their victims via fake job application emails. If a victim falls for it, the GandCrab ransomware encrypts all data on the infected computer and replaces the desktop background with a message containing the ransom demand.

    (Image: Pexels, Markus Spiske, CC0 license)

    Only if the victim pays the ransom does he get a key to recover his data. It was known that the backers of the campaigns were successful and infected many computers. A few days ago, the developers of this ransomware announced that they would retire. After this exit, victims can no longer get their data back by paying a ransom. I had reported about that in the post GandCrab ransomware: They say, they are retiring.

    Bitdefender has released an updated Decryptor

    Now the antivirus vendor Bitdefender has released a new version of its decryption software for the ransomware GandCrab. The free tool was provided in cooperation with Europol, the Romanian police, DIICOT, the FBI, NCA, the Metropolitan Police as well as the police in France, Bulgaria and other law enforcement agencies. It counteracts and neutralizes the latest versions of GandCrab. GandCrab is one of the most prolific families of file-encrypting malware to date.

    The new tool enables affected parties to recover encrypted information without having to pay horrendous ransoms to the criminals. Data encrypted by versions 1, 4 and 5 of the GandCrab malware can now be decrypted. The decryption tools for GandCrab released so far by Bitdefender and partner agencies have helped over 30,000 victims to recover encrypted data, saving more than $50 million in ransom payments.

    GandCrab has been very active since January 2018, reaching a Ransomware “market share” of over 50 percent in just a few months through August 2018. The blackmailer software works according to an “affiliate model”: the developers make the malware available to interested parties as a service and receive part of the profit in return.

    The operators of GandCrab stated that they had extorted more than two billion US dollars from their victims. The joint countermeasures taken by Bitdefender and the law enforcement authorities have significantly weakened the operators’ position in the market, for example by making criminal partners distrust the ransomware service and abandon it.

    “Our efforts to provide decryption tools for the victims of GandCrab have weakened the criminal operators into abandoning their funding model,” said Bitdefender representatives. “This has created confidence among new victims, who would rather wait for a decryption update than give in to ransom demands from criminals.”

    To prevent ransomware infections, users should implement a security solution with multi-layered anti-ransomware defense, back up their data regularly, and never open even a hint of suspicious attachments.

    The decryption tool for GandCrab is available free of charge on the websites of Bitdefender Labs or the No More Ransom Project.

    Similar articles (German):
    GandCrab geht in Rente – fette Beute für den Entwickler
    Hacker scannen MySQL-Server und verteilen GandGrab
    Vorsicht: Gandcrab-Trojaner kommt in Bewerbungsmails
