
Microsoft Just Made Hackers’ Lives a Lot Harder – but Has Anybody Noticed?

These Office 10 security updates stop easy desktop pwning

By CBR Staff Writer

A host of Microsoft security updates released as part of the latest Windows 10 release (version 1803) significantly reduce vulnerabilities, security professionals say, with the five new attack surface reduction rules making it much harder for attacks like Petya and other lateral-movement attacks to take place on a network.

The “really important” updates have so far gone largely overlooked.

The rules block executable files from running unless they meet prevalence, age, or trusted-list criteria; use advanced protection against ransomware; block credential stealing from the Windows Local Security Authority Subsystem Service (lsass.exe); block process creations originating from PSExec and WMI commands; and block unverified, unsigned processes that run from USB.

Mimikatz Woe?

The update’s ability to block credential stealing from LSASS particularly stands out.

“Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS,” Microsoft said.

“However, some organizations can’t enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority. In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS”, Microsoft said.
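The five rules listed earlier in the article, including the LSASS rule Microsoft describes above, are switched on per host with the Defender PowerShell cmdlets. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on Windows 10 1803 or later with Windows Defender Antivirus as the active antivirus, and uses Microsoft's published rule GUIDs. The helper functions (Set-AsrRules, Get-AsrEvents) are names chosen for this example. It rolls the rules out in audit mode first, so that the smartcard drivers or admin tooling Microsoft mentions show up in the event log before anything is actually blocked, and only then flips to block mode.

```powershell
# Added example (not the article's or Microsoft's own code).
# Requires: elevated PowerShell, Windows 10 1803+, Defender AV active.

# Microsoft's published GUIDs for the five rules discussed in the article.
$AsrRules = [ordered]@{
    'Block executables unless prevalence/age/trusted-list criteria are met' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Use advanced protection against ransomware'                             = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block credential stealing from LSASS'                                   = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block process creations from PSExec and WMI commands'                   = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block untrusted and unsigned processes that run from USB'               = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
}

# Hypothetical helper: apply one action (AuditMode / Enabled / Disabled)
# to every rule in the table in a single Set-MpPreference call.
function Set-AsrRules {
    param(
        [ValidateSet('AuditMode', 'Enabled', 'Disabled')]
        [string]$Action
    )
    $ids     = @($AsrRules.Values)
    $actions = @($ids | ForEach-Object { $Action })
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions $actions
}

# Hypothetical helper: pull ASR events from the Defender operational log.
# Event 1121 = a rule blocked something, 1122 = a rule *would* have blocked
# something (audit mode). Each event's data fields are flattened so the
# rule GUID can be mapped back to its human-readable name.
function Get-AsrEvents {
    param([int]$Days = 7)
    $byGuid = @{}
    foreach ($k in $AsrRules.Keys) { $byGuid[$AsrRules[$k].ToLower()] = $k }

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        # Find whichever data field carries the rule GUID, without depending
        # on that field's exact name.
        $guid = ($data.Values | Where-Object { $_ -and $byGuid.ContainsKey($_.ToLower()) } | Select-Object -First 1)
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Rule   = if ($guid) { $byGuid[$guid.ToLower()] } else { 'unknown' }
            Detail = ($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        }
    }
}

# Step 1: audit only. Nothing is blocked yet; 1122 events show what would be.
Set-AsrRules -Action AuditMode

# Step 2 (after the audit period): review hits per rule before enforcing.
Get-AsrEvents -Days 14 | Group-Object Rule, Mode | Sort-Object Count -Descending |
    Select-Object Count, Name

# Step 3: once the audit log is clean (or exclusions are in place), enforce.
# Set-AsrRules -Action Enabled

# Verify the configured state. Actions are reported numerically:
# 0 = Disabled, 1 = Block (Enabled), 2 = Audit.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

The audit-first sequence matters most for the LSASS rule: the compatibility problems Microsoft cites (custom smartcard drivers and other code loaded into the Local Security Authority) show up as 1122 events with the offending process in the event data, which is the evidence needed to decide between an exclusion and a fix before the rule is set to block.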


No more Mimikatz-powered pwning?


“Slightly disappointing!”

Etienne Greef, CTO of SecureData, told Computer Business Review: “Frankly these should have happened ages ago; they’re obvious patches to make, but with desktops becoming a much bigger target – as well as features, Microsoft has finally done something. If properly used this will block attacks like Petya and other lateral movement attacks, as well as stopping very common DDE exploits that are used in the wild.”

He added: “It might make Red Team life a little harder – I’m almost a bit disappointed! – but it’s good they’ve finally done it…”

One of the other main changes highlighted by information security professionals is a rule that allows admins to prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards.

No More “Cottonmouth” Ripoffs?

It comes as many security professionals drew lessons from Edward Snowden’s leak of the NSA’s “ANT Catalogue”, a 50-page classified document listing technology available to the agency’s Advanced Network Technology (ANT) Division to aid in cyber surveillance.

This included tools like “Cottonmouth-I”, a USB hardware implant that provides a wireless bridge into a target network via a “covert channel”, a design that more than a few hackers rapidly emulated.

Chris Wallis, founder of penetration testing specialists Intruder, told Computer Business Review: “Microsoft are definitely raising the bar with this update, and taking away some firm favourites from the attacker’s bag of tricks. While some of the rules may inconvenience in edge cases, most companies will be able to apply them without much fuss, and genuinely level up their cyber security. Attackers will find new ways around, as always, but it’s definitely one small step closer to Bill Gates’ vision of Trustworthy Computing.”
