The month of July has been a ‘Nightmare’ for Microsoft and the Windows ecosystem: the July updates include 117 patches that address four publicly disclosed and four exploited vulnerabilities.
The most serious is a printer issue dubbed ‘Print Nightmare’ (CVE-2021-34527), which has already received an out-of-band (OOB) patch for legacy systems; mainstream supported versions of Windows have been updated at least twice. That means you need to pay immediate attention to the Windows updates you apply in that important OT maintenance window!
If you can’t patch, the advice is simple: stop the Print Spooler service on systems you do not need to print from until you can patch them.
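The decision behind that advice, as an added PowerShell example that is not from the SolutionsPT post: a host that shares printers is acting as a print server, so stopping its spooler breaks printing for every client; the script reports the spooler state and the number of shared printers, and only stops and disables the service when it is run elevated with the hypothetical -Apply switch and no printers are shared. It assumes Windows PowerShell 5.1 (for Get-CimInstance and the StartType property).

```powershell
# Added example, not from the SolutionsPT post: decide whether the Print
# Spooler can be stopped on this host as a PrintNightmare (CVE-2021-34527)
# stop-gap, and stop/disable it only when -Apply is given. Run elevated.
[CmdletBinding()]
param(
    [switch]$Apply   # assumption: without -Apply the script only reports
)

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    # Win32_Printer.Shared is true for printers this host shares out; if any
    # exist, this machine is a print server and needs the patch, not the workaround.
    $shared = @(Get-CimInstance -ClassName Win32_Printer | Where-Object { $_.Shared })
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        SpoolerStatus  = $svc.Status
        StartupType    = $svc.StartType
        SharedPrinters = $shared.Count
        SafeToDisable  = ($svc.Status -ne 'Stopped') -and ($shared.Count -eq 0)
    }
}

$state = Get-SpoolerExposure
$state | Format-List

if ($Apply -and $state.SafeToDisable) {
    # Stop it now and keep it stopped across reboots until the July updates are applied.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    Write-Output "Print Spooler stopped and disabled on $($state.Computer)."
}
elseif ($Apply) {
    Write-Warning "Not disabling the spooler: it is already stopped or this host shares printers."
}
```

Run it without -Apply first across the OT estate to build the list of hosts where the spooler is a safe thing to switch off; the ones that report shared printers go on the patch-first list instead.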
Today, 21 July, yet another nightmare breaks our restful sleep, as if the hot nights of the last few days weren’t enough to keep us awake.
Dubbed ‘Hive Nightmare’ or SeriousSAM, this vulnerability allows a low-privileged user to read sensitive system files such as the Security Account Manager (SAM) hive on Windows systems where Volume Shadow Copy has created a snapshot. Because of the sensitive data they store, only Windows admin accounts are normally allowed to interact with these files.
Having access to the SAM, SYSTEM and SECURITY files of a Windows device exposes interesting data: the default Windows installation password, Data Protection API (DPAPI) keys that allow decryption of sensitive data, hash dumps of the user accounts and passwords, and the computer (machine) account hash, which can be used to forge a silver ticket.
To date, there is no patch available for ‘Hive Nightmare’. A security advisory published by Microsoft formally acknowledges the issue, which the company is tracking as CVE-2021-36934, and recommends the following workaround:
Restrict access to the contents of %windir%\system32\config
- Open Command Prompt or Windows PowerShell as an administrator.
- Run this command: icacls %windir%\system32\config\*.* /inheritance:e
Delete Volume Shadow Copy Service (VSS) shadow copies
- Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
- Create a new System Restore point (if desired).
Impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.
Note: You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.
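The check and the two workaround steps above, as an added PowerShell example that is not from the SolutionsPT post or Microsoft’s advisory: it reports whether the SAM, SYSTEM and SECURITY hives grant read access to BUILTIN\Users (the condition CVE-2021-36934 depends on), counts the shadow copies that still hold older copies of those hives, and applies the advisory’s icacls and shadow-copy deletion only when run elevated with the hypothetical -Apply switch. It assumes Windows PowerShell 5.1 and that vssadmin delete shadows is available on the host.

```powershell
# Added example, not from the SolutionsPT post or Microsoft's advisory: report
# whether the on-disk registry hives are readable by ordinary users (the
# condition behind CVE-2021-36934), count shadow copies that would expose older
# copies of them, and apply Microsoft's workaround only when -Apply is given.
# Run in an elevated Windows PowerShell 5.1 session.
[CmdletBinding()]
param(
    [switch]$Apply   # assumption: without -Apply nothing is changed
)

$configDir = Join-Path $env:windir 'System32\config'
$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users, matched by SID so the locale does not matter
$readData  = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveExposure {
    foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
        $acl = Get-Acl -Path (Join-Path $configDir $hive)
        # Ask for the rules with SID identities to avoid name translation failures.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $readable = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $usersSid -and
            $_.FileSystemRights.HasFlag($readData)
        }
        [pscustomobject]@{ Hive = $hive; ReadableByUsers = [bool]$readable }
    }
}

function Get-ShadowCopyCount {
    @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
}

Test-HiveExposure | Format-Table -AutoSize
Write-Output "Shadow copies present: $(Get-ShadowCopyCount)"

if ($Apply) {
    # Step 1 of the advisory: re-enable ACL inheritance so the hive files take
    # the restrictive permissions of the config directory.
    icacls "$configDir\*.*" /inheritance:e | Out-Null
    # Step 2: remove snapshots that still contain the old, readable copies
    # (on Windows 10 this also removes the System Restore points).
    vssadmin delete shadows /all /quiet | Out-Null
    # Optional: a fresh restore point now captures hives with the corrected ACL.
    Checkpoint-Computer -Description 'Post CVE-2021-36934 workaround' -ErrorAction SilentlyContinue
    Test-HiveExposure | Format-Table -AutoSize
    Write-Output "Shadow copies remaining: $(Get-ShadowCopyCount)"
}
```

The report-only run is the useful part for an OT estate: a host whose hives show ReadableByUsers = False and zero shadow copies needs nothing further, while one with the ACL fixed but snapshots still present is only half-mitigated, because the snapshot still carries the readable copy.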
A demo of the vulnerability can be seen courtesy of Heath Adams.
While both of these issues provide a route to SYSTEM-level access, patches are underway to address all of these vulnerabilities. Where Windows is deployed within Operational Technology, there are some simple steps that can be taken to mitigate these issues without the need to patch immediately or reboot the device.
Our Solutions underpin Security and Compliance
If you are a Claroty customer, Continuous Threat Detection can identify whether threat actors are attempting to exploit ‘Print Nightmare’ once the threat bundle 33 update is applied.
If you are a Blackberry customer, OPTICS provides alerts and playbooks for ‘Hive Nightmare’ that address unauthorised access to volume shadow copy data containing the SAM, SYSTEM and SECURITY files.
Scanning the horizon
At SolutionsPT we closely monitor the ever-evolving cybersecurity threat landscape and provide solutions and mitigations for risks within OT. The threats identified in this post are new, but if you’ve not assessed your installations for some time there may be many more hidden away that you are unaware of and that are just as risky.
If you would like to know more about how to improve your cyber hygiene and operational resilience, get in touch and one of our architects or security consultants will provide advice and guidance on reducing your risk in a simple and cost-effective manner.