THE TIBERIUM BLOG - recent events, threats, and all things cyber

The Farmer In The Dell

Way back in the midsts of time (December 2020), numerous, very severe issues in some Dell Windows drivers were reported proactively by the good people at Sentinel labs and perhaps other parties, so far nameless.

On what is cheesily called ‘Star Wars Day’ (04/05 or May the fourth, be yawningly with you), Sentinel disclosed these issues publicly and, just wow, being like busses coming in threes doesn’t cover it.

Five separate flaws in Dell drivers for Windows PCs, now tracked separately as CVE-2021-21551, were revealed. All of them allow anybody who has accessed your Dell machine or machines to escalate privileges to those of the Almighty Administrator seamlessly, easily, and for the most part invisibly, as in without generating any logs, unless very specific log settings are in place.

Even if you don your panic sensitive sunglasses, reading this will still be disturbing. Millions of Dell machines are vulnerable and have been for years, and years, and years.

DONT PANIC!!!

In order to utilise these vulnerabilities to badge themselves up, all an attacker needs is local access.

As anybody who works in this industry knows, the MO of proficient attackers is to reconnoitre, deploy access malware via phishing, drive-by using a waterhole, a weaponised attachment, a USB stick or indeed many other measures. This of course gives them local access, and they typically use privilege escalation and other techniques to spread laterally until they reach their target. Having infected the target, they often go quiet until exfiltration time and then press the button.

There are many privilege access techniques, but this one is very juicy and has almost certainly been exploited and not noticed, at least in our opinion.

Obviously, locating vulnerable machines and patching them, especially with a system-level driver is an arduous and risky task, what with potentially different Windows versions and other firmware. You will have seen all of the usual MDR (Managed Detection and Response) vendors talking about how their products can be used to remediate this issue. Indeed some of them can actually do this very well.

Many do not know that standard Microsoft tooling (Defender for Endpoint, Microsoft Endpoint Manager) can be used to identify and remediate vulnerable machines. There is a nice write up of how to do this by the Microsoft Endpoint Manager community people here. It even covers non-Microsoft technologies!

Ideally, your environment should be tooled up for automated response, the driving force behind Tiberium’s managed security services FROST and MYTHIC. If you are a managed service customer of ours, we deploy remediation like this into your environment at the speed of a driver call, or very close to, saving you loads of time and effort. We also identify the paw prints and activity of anybody who might be lurking and deal with them automatically. We do this all with standard Microsoft products. Products you may be already licensed for or could obtain for marginal cost.

“OH NO, NOT MICROSOFT DEFENDER” we hear some of you cry, and to be fair 3 years ago you might be right. But, and this is a big but, Microsoft has been investing time, effort, money and some very smart thinking into its end to end security tooling and was announced as leader in the CIO go to product guide.

At Tiberium, we are very far from surprised by this. We have been working with Microsoft for years now and continue to be impressed with the utility, efficiencies and integration of its product set. As the independent press would say, “other products are available” and we will support these, until you see the light!

Not wanting to be accused of using a single incident, albeit impacting meeelions of devices, to justify our support for the Seattle based outfit, we have been involved another Microsoft issue, this time a novel way that hackers are exploiting Office 365 to gain access to systems.

Malicious application permissions request. Source: Krebs on Security

Covered in detail by the esteemed Brian Krebs (we are not worthy), attackers are using Office 365 to deploy malicious code which on the surface looks like a valid application to the recipient of a phishing (oh yes, again) email.

Having logged in, the user is presented with an app permission request which looks something like to the below screenshot shown to the right.

As with many of these opportunistic, numbers game attacks, this relies on default and slightly misconfigured environments with little or no oversight of Azure logs. This is so often the case in environments of mid or small size companies who have perhaps had to hurry to the cloud because of COVID/remote user provision or indeed any other reason.

The good news? This risk can be remediated and blocked with best practice configuration, logging and automated remediation. All using standard Microsoft tooling with Tiberium’s managed Service doing the driving.

Our message is simply this “Please let us show you what you can do with what you already have. You will be pleasantly surprised”.

Share on: