Death by Trust – The Dangers of Whitelisting


Introduction

Whitelisting is a cyber security strategy in which only a user granted administrative rights can take certain actions on their computer. Rather than attempting to keep one stride in front of threat actors by recognising and obstructing malicious code, the IT staff instead maintain a list of approved applications that a computer or a mobile phone can access. Generally, the user will only have access to a certain number of functionalities that the administrator considers safe.

You could think of whitelisting as a Covid-19 lockdown: if you implement it correctly, you can control cyber security threats. However, it can be inconvenient and frustrating for the end-user, so it requires cautious execution.

In this blog, you will discover some of the dangers that whitelisting can cause. But is it actually dangerous or not? Read on.

Why whitelisting came on my radar

In June, my newsfeed brought an interesting Twitter thread to my attention: Kevin Beaumont of the DoublePulsar news blog had retweeted another researcher's Tweet stating that Microsoft had allegedly signed rootkits. Furthermore, he provided some evidence of his own, including a VirusTotal listing suggesting that this was indeed the case.

On the 23rd of June, IBM X-Force Exchange released an advisory stating that Microsoft had signed a rootkit sample called “Netfilter”. This story is still in progress; however, the seriousness of it cannot be stressed enough. Microsoft has signed malware designed to maintain system-level access, and if this is weaponised effectively, it could facilitate cyber-attacks.

Thus, the idea for this article was born: I discuss the dangers of whitelisted applications and their impacts, and the best practices to consider when trusting applications on one’s infrastructure.

The dangers of whitelisting trust

Whitelisting refers to the act of explicitly allowing a point of origin or application access, privileges or modification rights to functionality or services. Put simply, it is the act of putting trust in an entity, so access controls do not hinder it. Usually, an application is whitelisted because it is critical to operations. For example, Office 365 is trusted because important utilities such as SharePoint and Outlook are part of the service.

Impacts:

Much like trust between humans, trust in applications can be abused. For example, with OneDrive, depending on the configuration settings, an attacker could use it for data exfiltration. However, the vast majority of the time this will not be flagged by an IDS/IPS or EDR, as it is a trusted service.

In the case of a malicious binary that Microsoft has signed, it can bypass application and network access controls because of the trust that AV and IDS/IPS products put in Microsoft-signed binaries. Netfilter, the rootkit, can propagate under the guise of a legitimate service – all the while unfettered by defences.

Furthermore, it is worth noting that whitelisting, although more effective than blacklisting and better practice too, can also hinder business operations if an overzealous approach is taken. Take email protections as an example: legitimate emails from outside an organisation might not get through purely because of their point of origin, with obvious impacts such as miscommunication.

Mitigations:

Concerning services like Office 365, configuration plays a large part in mitigating potential concerns. Configurations should align with industry best practice; for cloud environments, this would be the CIS benchmark.

In terms of applications and binaries, it depends on who signed the binary. If an organisation such as Microsoft has signed it, the best we can do is monitor and respond. The best-case scenario is that there is no indication of compromise, and Yara rules fed to IDS/IPS products can decrease the chances of a breach occurring.

However, if whitelisting is decided internally, it is important to assess which applications are critical to business operations and which are not, and to set this out in policy so that it defines what is needed and what is not. As little trust as possible should be put into applications and binaries, but not so little that it restricts your operations.
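The two mitigation points above, monitoring signed binaries you cannot control and defining an internal policy that grants the least trust possible, can be put into concrete terms with an allowlist evaluator. The following is an added example written for this page, not code from the original post or from Risk Crew; every publisher name, file path, file content and hash in it is constructed for illustration. It contrasts a policy that trusts any validly signed binary from an approved publisher with one that also pins the file hash and consults a denylist of known-bad hashes (the kind of data a Yara rule or threat-intelligence feed would supply), and shows that only the second policy stops a signed but malicious sample.

```python
"""Added example (not from the original post): comparing allowlist policies.

A publisher-only allowlist admits any binary that carries a valid signature
from a trusted publisher. A least-trust policy keeps the signature check but
also pins the file hash and consults a denylist fed by threat intelligence.
Every binary, publisher, path and hash below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Binary:
    path: str               # constructed path
    publisher: str          # subject of the signing certificate (constructed)
    signature_valid: bool   # result of verifying the signature chain
    content: bytes          # constructed file bytes; hashed below

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed publisher name standing in for any widely trusted vendor.
TRUSTED_PUBLISHERS: Set[str] = {"Example Vendor Co"}


def publisher_only_policy(b: Binary) -> bool:
    """Weak policy: a valid signature from a trusted publisher is sufficient."""
    return b.signature_valid and b.publisher in TRUSTED_PUBLISHERS


def pinned_policy(b: Binary, allowed: Set[str], denied: Set[str]) -> Tuple[bool, str]:
    """Least-trust policy: the signature is necessary but not sufficient."""
    if not b.signature_valid or b.publisher not in TRUSTED_PUBLISHERS:
        return False, "blocked: unsigned or untrusted publisher"
    if b.sha256 in denied:
        # Hash matches a known-bad sample even though the signature verifies.
        return False, "blocked: hash on denylist despite valid signature"
    if b.sha256 not in allowed:
        # Signed by a trusted publisher but never reviewed: hold for analysis.
        return False, "held: trusted publisher but hash not pinned"
    return True, "allowed: signature valid and hash pinned"


# Constructed samples (paths and contents are placeholders, not real files).
LEGITIMATE_TOOL = Binary("C:/Program Files/Example/tool.exe",
                         "Example Vendor Co", True, b"legitimate tool bytes (constructed)")
SIGNED_MALWARE = Binary("C:/Windows/Temp/driver.sys",
                        "Example Vendor Co", True, b"malicious driver bytes (constructed)")
UNSIGNED_TOOL = Binary("C:/Users/u/Downloads/util.exe",
                       "Example Vendor Co", False, b"unsigned copy (constructed)")
NEW_UPDATE = Binary("C:/Program Files/Example/tool-2.0.exe",
                    "Example Vendor Co", True, b"new release bytes (constructed)")

# Hashes reviewed and approved internally.
ALLOWED_HASHES: Set[str] = {LEGITIMATE_TOOL.sha256}
# Known-bad hashes, as a threat-intelligence feed or Yara match would supply.
DENIED_HASHES: Set[str] = {SIGNED_MALWARE.sha256}


def evaluate_all() -> Dict[str, Tuple[bool, bool]]:
    """Return {path: (publisher_only_verdict, pinned_verdict)} for each sample."""
    samples = [LEGITIMATE_TOOL, SIGNED_MALWARE, UNSIGNED_TOOL, NEW_UPDATE]
    return {
        s.path: (publisher_only_policy(s),
                 pinned_policy(s, ALLOWED_HASHES, DENIED_HASHES)[0])
        for s in samples
    }


if __name__ == "__main__":
    for path, (weak, strict) in evaluate_all().items():
        print(f"{path}: publisher-only={weak} pinned={strict}")
```

The publisher-only policy allows the constructed signed malware sample because it cannot distinguish it from any other binary the vendor signed; the pinned policy blocks it via the denylist and holds the unreviewed update for analysis rather than trusting it outright. The second behaviour is the practical form of putting the least trust possible into a binary while still letting approved software run.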

To wrap up, whitelisting is not something to be concerned about in general. Still, the possibility of trust being abused, especially by malware, cannot be ignored. Therefore, it is better to be prepared and utilise a defence-in-depth approach, because the day may come when Microsoft has trusted a ransomware sample.


Risk Crew