admin

Today Airlock Digital is releasing a free Microsoft Word document to test ‘Chained Trust’ in EDR and Application Whitelisting solutions. is where a product will trust a parent process (such as winword.exe) and automatically place trust in any spawned child processes.

Security products that are configured to use ‘Chained Trust’ may provide a reduced level of security.

This document contains Macro code, which attempts to drop either a .dll or .exe file in the documents working directory and execute it, allowing you to audit product configurations.

You can download the document here: https://www.airlockdigital.com/AirlockApps/Airlock_Application_Whitelisting_Macro_Security_Auditor_v1.0.doc
SHA256Sum: e39b1abff16db7a7f6d3b52e6d01d29dd423da0504358082acd1073e439c5723

Please let us know if you find this useful or have any feedback by contacting [email protected] or @airlockdigital.

The Petya ransomware outbreak represents an evolution in the sophistication of ransomware. Employing a number of different strategies for distribution and infection the Petya ransomware has impacted small and large organisations across the globe.

This outbreak is another reminder that signature based detection is not effective in todays threat landscape.

In this video you will see the execution of Petya on a victim endpoint and discover how application whitelisting with Airlock provides zero-day proactive protection against Peta and other ransomware variants.

 

Remember to click the Full Screen button on the video to get a better view of the product interface. 

Ransomware activity has been rising steadily over the past four years, providing a low cost and successful income stream for criminal organisations. Over the past weekend however, the game was changed with ‘WannaCry’.

Traditional ransomware typically ran on a single end user system, encrypting files that were accessible on local disks and sometimes mapped network shares. The reason WannaCry had such a significant impact is the ability to spread aggressively through network connected computers (be that locally or over the internet) using a recently discovered Microsoft Windows SMB vulnerability. This vulnerability was patched by Microsoft in March 2017.

Even though WannaCry represents a worrying evolution in Ransomware tactics, the software itself isn’t designed with stealth and security evasion in mind. Simply by creating / mutating a new piece of software, the ransomware initially went undetected by nearly all traditional security products. The likely strategy with WannaCry was to hit the world hard and fast, before traditional security technologies like Anti-Virus and Network Intrusion Prevention has time to catch up and write detection signatures. The reactive nature of traditional security technologies are highlighted by the sheer number of hosts infected during this incident.

The Australian Signals Directorate’s (ASD) Strategies to Mitigate Cyber Security Incidents places Application Whitelisting as the number one ‘essential’ strategy to prevent malware delivery and execution. During the execution of WannaCry, five executable files are dropped and executed on the victims system. With the installation process involving the downloading of ‘Tor’ software to facilitate payment. If these executable files were proactively prevented from running, the attack would simply fail.

Incidents such as WannaCry demonstrate the need for proactive security solutions that make it extremely difficult for attackers to run malicious code. Application Whitelisting represents the most effective and proactive strategy to detect and prevent these attacks.