
Microsoft warns companies about Raspberry Robin worm in networks – Computer – News

It is indeed visible in security.microsoft.com, where you can find it under Threat Analytics. The security/sysadmin can continue from there to check whether it exists in the network/devices and to configure detection rules.

Executive summary
In early May 2022, a new worm named Raspberry Robin was initially reported by Red Canary to have spread to Windows systems through infected USB devices. The USB device contains a disguised Windows shortcut (LNK) file. This worm relies on built-in Windows utilities such as msiexec.exe, fodhelper.exe, rundll32.exe, and odbcconf.exe to install itself on the connected device and connect to a command-and-control (C2) server before downloading and launching additional DLL files.

Microsoft has observed this worm in hundreds of organizations spanning multiple industries. As of now, Microsoft security researchers have not attributed this worm to a threat actor group nor observed evidence of further lateral movement and advanced attacker activity upon initial installation of the worm. However, the usage of fodhelper.exe to spawn rundll32.exe allows any downloaded malware to run with elevated administrative privileges without requiring a User Account Control prompt for consent or credentials, performing a UAC bypass. Due to the ability to achieve elevated permissions as well as the successful connection to an external domain, without proper protections in place an attacker could easily escalate their attack to move laterally and access sensitive systems and data.

There are several detections that are available to help customers understand if they are impacted by this threat. Detection details for Microsoft 365 Defender are in the Detection details section of this report. Microsoft 365 Defender customers should also apply the security configurations and other prescribed mitigations and use the provided advanced hunting queries to check their network for attacks related to this tool.


Mitigations
Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

Turn on Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of remote access trojans (RATs) and other unwanted applications.
Enable Tamper Protection for Defender Antivirus
Enable Cloud-based protection for Defender Antivirus

Reduce attack surface

Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent several of the infection vectors of this threat. Attack surface reduction rules, which can be configured by any Microsoft Defender Antivirus user, offer significant hardening against the worm. In observed attacks, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:

Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block untrusted and unsigned processes that run from USB

There is also an Advanced Hunting query (KQL) available with which you can search whether this occurs on your devices (Microsoft also does this automatically with Defender)

Advanced hunting

To locate possible exploitation activity, run the following queries.

Network connection launched from msiexec.exe

Upon execution of msiexec.exe, the malicious .LNK file will create a network connection over port 8080. Run the following query:

DeviceProcessEvents
| where FileName == "msiexec.exe" and ProcessCommandLine has_any ('http:', 'https:')
| where ProcessCommandLine has_any ('/q', '-q')
| where ProcessCommandLine has "8080"
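The query above only covers the msiexec.exe command line. As an added example (not part of Microsoft's report or of the comment above), the following KQL hunts for the two other relationships the executive summary describes: fodhelper.exe spawning rundll32.exe (the UAC bypass) and the network side of the msiexec.exe connection over port 8080. The table and column names are the Microsoft 365 Defender advanced hunting schema; the 30-day window, the indicator labels and the per-device summary are my own choices and are assumptions to tune to your environment.

```kql
// Added hunting example, not from Microsoft's report.
// Assumption: a 30-day look-back is enough for your retention; adjust as needed.
let window = 30d;
// Indicator 1: the UAC bypass chain described in the executive summary.
// fodhelper.exe has no legitimate reason to spawn rundll32.exe.
let uac_bypass = DeviceProcessEvents
    | where Timestamp > ago(window)
    | where InitiatingProcessFileName =~ "fodhelper.exe" and FileName =~ "rundll32.exe"
    | extend Indicator = "fodhelper.exe -> rundll32.exe (UAC bypass)"
    | project Timestamp, DeviceName, Indicator, Account = AccountName,
              Detail = strcat(InitiatingProcessCommandLine, " => ", ProcessCommandLine);
// Indicator 2: the network side of the msiexec.exe query above, seen from
// DeviceNetworkEvents rather than from the command line. If your own software
// deployment servers serve MSI packages over 8080, add an exclusion on RemoteIP.
let msiexec_8080 = DeviceNetworkEvents
    | where Timestamp > ago(window)
    | where InitiatingProcessFileName =~ "msiexec.exe" and RemotePort == 8080
    | extend Indicator = "msiexec.exe outbound on 8080"
    | project Timestamp, DeviceName, Indicator, Account = InitiatingProcessAccountName,
              Detail = strcat(InitiatingProcessCommandLine, " => ", RemoteUrl, " (", RemoteIP, ")");
// Roll both indicators up per device and account so that hosts showing the
// whole chain (download plus privilege escalation) sort to the top.
union uac_bypass, msiexec_8080
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Indicators = make_set(Indicator),
            Samples = make_set(Detail, 5)
  by DeviceName, Account
| order by array_length(Indicators) desc, Hits desc
```

A device that shows both indicators within the window matches the full behaviour the summary describes and should be isolated and triaged first; a single msiexec.exe hit on 8080 is more likely to be a legitimate package install and needs the command line and remote host checked before escalation.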

Detection details


Antivirus

Microsoft Defender Antivirus incorporates next-generation antivirus capabilities, including machine learning and behavioral detection. This can result in overlapping detections, particularly of first-seen components and polymorphic variants.

Trojan:Win32/VintageDynamo.A – This is a generic detection looking for suspicious execution of .LNK files. There could be results from this that are not associated explicitly with the Raspberry Robin worm.

Endpoint detection and response (EDR)

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

Suspicious process launched using cmd.exe
Suspicious behavior by msiexec.exe

USB scanning

You can configure preferences for Windows Defender scans and updates to include scanning of removable drives. The Set-MpPreference cmdlet configures preferences for Windows Defender scans and updates. The following command ensures that removable drives are scanned:

Set-MpPreference -DisableRemovableDriveScanning $False

The -DisableRemovableDriveScanning parameter indicates whether to scan for malicious and unwanted software in removable drives, such as flash drives, during a full scan. If you specify a value of $False or do not specify a value, Windows Defender scans removable drives during any type of scan. If you specify a value of $True, Windows Defender does not scan removable drives during a full scan. Windows Defender can still scan removable drives during quick scans or custom scans.

[Comment edited by HKLM_ on 4 July 2022 16:45]
