Helping Protect Against Today's Cyber Threats

Month: May 2017

WannaCrypt (WannaCry) Decryption Tool Now Available!

In May 2017, a large cyber attack was launched, infecting over 230,000 computers in 99 countries, demanding ransom payments in 28 languages. The attack has been described by Europol as “unprecedented in scale”. Yeah, whatever. Blah, blah, blah… You just got pwned! Had this site been […]

Third-Party Patching – A Vendor Neutral Framework for Addressing the Other 85% of Vulnerabilities

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti

If your organization is like most, you likely have clearly defined processes in place for deploying newly released Microsoft security updates each month. If not, you should. We’ve only had 15 years to hone the process, dating back to […]

HP Audio Driver Exposes Real-time Keystrokes via Local API

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti

The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user’s keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look.

Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today, reports BleepingComputer.com.

This one is particularly interesting because its default behavior is to log locally to a file, but if that file doesn’t exist or can’t be written to, it falls back to a local API stream which, with a little crafty interception, could allow real-time capture of a user’s keystrokes, including usernames/passwords, URLs visited, email contents, etc.

Obviously, this presents a huge security risk for enterprise-class HP customers, as the majority of the models impacted by the vulnerability are intended for corporate environments. Yet, HP has yet to confirm or comment on the matter.

As for how to mitigate the risk, there are a variety of methods including using an SCCM Security Compliance Baseline w/ remediation, blacklisting the executable (in this case, “MicTray64.exe”), using a software restriction group policy to block it, PowerShell… you get it – the list goes on and on. Right?

So, identifying the 17 different Microsoft operating systems potentially impacted by this vulnerability is the bigger challenge. To that end, I’ve provided a simple SCCM query to build a collection of systems based upon the 28 models called out in modzero’s research. I’m monitoring this vulnerability with multiple alert channels and will update the collection query if new data unfolds.

If you find this post helpful, please consider sharing so others may be able to help protect their organizations as well. Thank you!

{UPDATE} 12-May-2017 22:01
Updated WQL to reflect comments by G. Sweeney. Thank you!

{UPDATE} 11-May-2017 22:01

Due to a formatting error, the collection provided below has been updated for those purposes. No new models have been added. But, there is an option to download the MOF file now.

SCCM Collection Query for Specific (HP) Hardware Models:

Click here to download the MOF.

select
SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client 
from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on 
SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 820 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 840 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 828 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 848 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 850 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 640 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 650 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 645 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 655 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 450 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 430 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 440 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 446 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 470 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ProBook 455 G2%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 725 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 745 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 755 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook 1030 G1%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ZBook 15u G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%Elite x2 1012 G1 Tablet%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%Elite x2 1012 G1 with Travel Keyboard%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%Elite x2 1012 G1 Advanced Keyboard%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook Folio 1040 G3%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ZBook 17 G3 Mobile%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ZBook 15 G3 Mobile%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%ZBook Studio G3 Mobile%" or 
SMS_G_System_COMPUTER_SYSTEM.Model like "%EliteBook Folio G1%"
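As an added example (not code from the original post, from G. Sweeney's comments or from modzero's research), here is a PowerShell script that can serve as the script-based detection of an SCCM DCM compliance rule for this issue on the same 28 models. It assumes the DCM rule is configured to compare the script output to the string "Compliant", and it assumes MicTray64.exe lives somewhere under Program Files; both are assumptions, not facts from the post.

```powershell
# Added example, not part of the original post. SCCM DCM script-based detection
# for the HP audio driver keylogger (MicTray64.exe). Assumptions: the DCM rule
# compares this script's output to "Compliant", and the executable's on-disk
# location is under Program Files (the search roots below are an assumption).

# Model substrings, taken from the WQL collection query on this page.
$AffectedModels = @(
    'EliteBook 820 G3', 'EliteBook 840 G3', 'EliteBook 828 G3', 'EliteBook 848 G3',
    'EliteBook 850 G3', 'ProBook 640 G2', 'ProBook 650 G2', 'ProBook 645 G2',
    'ProBook 655 G2', 'ProBook 450 G2', 'ProBook 430 G2', 'ProBook 440 G2',
    'ProBook 446 G2', 'ProBook 470 G2', 'ProBook 455 G2', 'EliteBook 725 G3',
    'EliteBook 745 G3', 'EliteBook 755 G3', 'EliteBook 1030 G1', 'ZBook 15u G3',
    'Elite x2 1012 G1 Tablet', 'Elite x2 1012 G1 with Travel Keyboard',
    'Elite x2 1012 G1 Advanced Keyboard', 'EliteBook Folio 1040 G3',
    'ZBook 17 G3 Mobile', 'ZBook 15 G3 Mobile', 'ZBook Studio G3 Mobile',
    'EliteBook Folio G1'
)

# Same model string SCCM hardware inventory collects into SMS_G_System_COMPUTER_SYSTEM.
$System     = Get-CimInstance -ClassName Win32_ComputerSystem
$ModelMatch = $AffectedModels | Where-Object { $System.Model -like "*$_*" }

# Is the audio tray application running right now?
$Running = Get-Process -Name 'MicTray64' -ErrorAction SilentlyContinue

# Is the binary present on disk? (Search roots are an assumption; skip a missing x86 root.)
$Roots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$OnDisk = Get-ChildItem -Path $Roots -Filter 'MicTray64.exe' -Recurse -ErrorAction SilentlyContinue

$Findings = @()
if ($Running) { $Findings += 'MicTray64.exe is running' }
if ($OnDisk)  { $Findings += "MicTray64.exe found at $(@($OnDisk)[0].FullName)" }
if ($ModelMatch -and $Findings.Count -gt 0) {
    $Findings += "model '$($System.Model)' is on the affected list"
}

# Exposure is decided by the binary being present or running, not by the model
# alone: a listed model whose driver has been removed or replaced is compliant.
if ($Findings.Count -eq 0) {
    Write-Output 'Compliant'
}
else {
    # The DCM rule's string comparison fails here, marking the host non-compliant
    # so the baseline remediation (blacklist / software restriction policy) applies.
    Write-Output ('Non-Compliant: ' + ($Findings -join '; '))
}
```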

Everything You Need to Know About MSFT Anti-Malware Engine Updating

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti

Unless you’ve been completely off the grid for the past week, you’re likely aware of the huge vulnerability in the Microsoft anti-malware engine (mpengine.dll) found in many of the software giant’s security products. However, many are still confused by […]

BitKangaroo Ransomware Decryption Tool

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti

We have a new, albeit amateurish, ransomware variant on the loose. This one haphazardly begins deleting files every hour until the ransom is paid. Foolish, since it could take 2-3 days for the victims in question to get setup […]

SCCM DCM Script for vPro Vulnerability

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti

(Reposted with permission from Eric Holzhueter. Thank you!)

If someone needs an SCCM DCM script or another method to report on the vPro vulnerability, you can use this as a base for your solution. You’ll need to distribute and run the executable as you see fit.

# Path of the summary XML written by the Intel SA-00075 detection tool.
# The tool is run with "-p %WINDIR%", so the file lands in the Windows directory.
$TestResult = Join-Path $($env:windir) $($env:computername + '_System_Summary.xml')

if (Test-Path $TestResult) {
    # Parse the XML and report the tool's risk and exposure assessment for this host
    $Results = [Xml](Get-Content $TestResult)
    Write-Output "$($Results.System.System_Status.System_Risk) and $($Results.System.System_Status.System_Exposure)"
}
else {
    # The detection tool has not been run on this host (or wrote its output elsewhere)
    Write-Output 'File Not Found'
}

# Vuln description https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
# Detection guide https://downloadmirror.intel.com/26755/eng/INTEL-SA-00075%20Detection%20Guide%20rev1.2.pdf
# Detection Tool https://downloadcenter.intel.com/download/26755
# Command to run .\Intel-SA-00075-console.exe -c -f -p %WINDIR%

How Your Social Profiles Help Hackers

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti

As I sit here looking at my LinkedIn notifications, I’m disappointed to see one of my own co-workers showing up in the list of those celebrating a birthday today. You may be asking why the disappointment. Allow me to […]

VIDEO: The Other 85%: Patching 3rd Party Apps in SCCM
