查看: 17884|回复: 68
收起左侧

[一般话题] 神器WDATP发威可防御STRONTIUM的那个新漏洞

[复制链接]
驭龙
发表于 2016-11-3 13:29:50 | 显示全部楼层 |阅读模式
本帖最后由 驭龙 于 2016-11-3 19:02 编辑

碰到咬文嚼字的兄弟,我也只好认输,我该一下标题吧,唉

MMPC发文,关于谷歌披露的新漏洞,Windows 10周年更新版本使用Edge用户,不需要担心这个攻击,另外该攻击已经完全被WDATP神器捕获行为,不需要担心,不过没有WDATP的咋办?又或者像我这样带不动WDATP的怎么办?看来只能依靠Edge撑到11月8日的补丁日了。

官方原文:
This guest blog post is by Terry Myerson / Executive Vice President, Windows and Devices Group
Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. And we take this responsibility very seriously.
Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.
We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.
To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack. Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.
-Terry
STRONTIUM: A brief historyMicrosoft aggregates the details of threat activity—malware, infrastructure, victim classes, and attacker techniques—into activity groups to improve our readers’ ability to understand the reasons behind cyber attacks. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. Once inside, STRONTIUM moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information.
The exploitsSTRONTIUM must accomplish three objectives in order for the attack to succeed:
  • Exploit Flash to gain control of the browser process
  • Elevate privileges in order to escape the browser sandbox
  • Install a backdoor to provide access to the victim’s computer
Microsoft has several threat prevention and exploit mitigation features available to counter these steps.
Adobe Flash exploitation: CVE-2016-7855Based on the analysis performed by the Windows Defender ATP Exploit research team and the Microsoft Security Response Center (MSRC), the vulnerability in Adobe Flash leveraged by STRONTIUM was found to be a use-after-free issue affecting ActionScript runtime code. Adobe has since released an update to fix this vulnerability. Microsoft is actively partnering with Adobe to implement additional mitigations against this class of exploit.
Elevation of privilegesThe Windows kernel vulnerability targeted by STRONTIUM’s EoP exploit is present in Windows Vista through Windows 10 Anniversary Update. However, prior to this attack, Microsoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component. These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.
Backdoor installationFollowing successful elevation of privilege, a backdoor is downloaded, written to the file system, and executed into the browser process. However, the backdoor DLL (along with any other untrusted software) can be blocked by implementing strict Code Integrity policies. Microsoft Edge natively implements Code Integrity to prevent this common post-exploitation step. Users of Internet Explorer and other browsers can also be protected through the use of Device Guard.
Detecting the attack with Windows Defender ATPMultiple behavioral and machine learning detection rules alert on various elements of the kill chain throughout STRONTIUM’s current attack. Windows Defender ATP can generically detect, without any signature, multiple stages of the attack such as the creation of uncommon DLL libraries on disk from the browser process, unexpected changes of process token and integrity levels (EoP), and the loading of recently created DLL libraries under abnormal process conditions (Figure 3).


Figure 3: Windows Defender ATP Detection of Kernel EOP used by STRONTIUM
Additionally, threat intelligence and IOCs specific to this attack unearthed by Microsoft Threat Intelligence have been added to Windows Defender ATP and Office 365 ATP. These alerts work alongside the existing threat summary and in-depth profiles on STRONTIUM available in the Windows Defender ATP customer portal.
For more information, check out the features and capabilities of the Windows Defender ATP service in Windows 10 and read more about why a post-breach detection approach is a key component of any enterprise security stack.

PS:我真的是纠结啊,今天刚换回WD+360卫士,可还是喜欢WDATP,但WDATP让风扇呼呼叫,明明我可以玩神器WDATP,可我却如此纠结,也是够了,说真的WDATP真的好强好强!

评分

参与人数 1人气 +1 收起 理由
ELOHIM + 1 世界最大阵列传感器 > 见48楼。

查看全部评分

ashno
发表于 2016-11-3 13:33:17 | 显示全部楼层
那我也跟大神学,加个360卫士了
ashno
发表于 2016-11-3 13:48:17 | 显示全部楼层
WD+360,360要开启人工智能和红伞本地吗@驭龙
驭龙
 楼主| 发表于 2016-11-3 13:50:22 | 显示全部楼层
ashno 发表于 2016-11-3 13:48
WD+360,360要开启人工智能和红伞本地吗@驭龙

我开了QVM,没有开红伞引擎,你可以自己决定开不开,但QVM还是推荐开启的
ashno
发表于 2016-11-3 13:51:26 | 显示全部楼层
谢谢,我也不开本地,反正听说本地更新慢
ashno
发表于 2016-11-3 13:53:08 | 显示全部楼层
驭龙 发表于 2016-11-3 13:50
我开了QVM,没有开红伞引擎,你可以自己决定开不开,但QVM还是推荐开启的

有个反勒索服务点了没反应
驭龙
 楼主| 发表于 2016-11-3 13:55:14 | 显示全部楼层
ashno 发表于 2016-11-3 13:53
有个反勒索服务点了没反应

不会啊,我这里是可以开启的

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
ELOHIM
发表于 2016-11-3 14:00:19 | 显示全部楼层

@谷歌安全团队 你们把自己家安卓好好研究一下,
把那些边边角角的安卓机的漏洞都升升级。
把自家浏览器的漏洞补补多好。

非要这样卖弄感觉爽?
好像你对待安全多重视。
反将无数用户安全“置身度外”。
啧啧,声嘶力竭的鄙视一次!

60天也是你,10天也是你。
这么任性,你谷歌仙人知道吗?
——————————————
如果使用 IE 的话,不知道禁用 flashplayer 加载项能否阻止 flashplayer 漏洞攻击。


本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
ashno
发表于 2016-11-3 14:01:26 | 显示全部楼层
驭龙 发表于 2016-11-3 13:55
不会啊,我这里是可以开启的

好了,刚检测了一遍,打开了
驭龙
 楼主| 发表于 2016-11-3 14:04:30 | 显示全部楼层
ELOHIM 发表于 2016-11-3 14:00
@谷歌安全团队 你们把自己家安卓好好研究一下,
把那些边边角角的安卓机的漏洞都升升级。
把自家 ...

不好说啊,毕竟是利用内核漏洞
Elevation of privilegesThe Windows kernel vulnerability targeted by STRONTIUM’s EoP exploit is present in Windows Vista through Windows 10 Anniversary Update. However, prior to this attack, Microsoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component. These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.
Backdoor installationFollowing successful elevation of privilege, a backdoor is downloaded, written to the file system, and executed into the browser process. However, the backdoor DLL (along with any other untrusted software) can be blocked by implementing strict Code Integrity policies. Microsoft Edge natively implements Code Integrity to prevent this common post-exploitation step. Users of Internet Explorer and other browsers can also be protected through the use of Device Guard.
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2024-11-24 01:35 , Processed in 0.129495 second(s), 18 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表