Microsoft’s VSS Fix for SeriosSAM May Facilitate Ransomware Infiltration
Volume Shadow Copy Service (VSS) – SeriousSAM Exploitation Mechanism Primer
Microsoft Windows 11’s maiden voyage was cut short by a recently discovered privilege escalation vulnerability that has yet to receive a fix. Dubbed SeriosSam after the eponymous video game character, this bug extends to most Windows 10 versions, including the pre-production version of Windows 11, set to debut in October. In regards to the impact, Microsoft stated that attackers using the SAM (Security Account Manager) avenue can easily run malicious arbitrary code with SYSTEM-level privileges.
SeriousSAM and Volume Shadow Copy Service
Earmarked CVE-2021-36934, the vulnerability has a “functional” exploit code maturity, meaning that the bug itself can be exploited, regardless of context. Summarizing the vulnerability under the CVE-2021-36934 entry, Microsoft remarked that the defect is endemic to Windows 10 machines with “overly permissive ACLs on multiple file systems”.
If successfully exploited, the attacker can run custom code with SYSTEM-level privileges, install backdoors (i.e. vulnerable software components), and even enact local machine accounts with administrative privileges.
Because SeriousSAM exploits the SAM (Security Account Manager) service chain, Microsoft has advised Win10 users to delete existing Shadow Copies and system restore points, a workaround that could greatly impact backup and data restoration operations. In addition, deleting shadow copies and restoration points could make the affected machines even more vulnerable to ransomware attacks.
Volume Shadow Copy Service (VSS) – SeriousSAM Exploitation Mechanism Primer
Security Account Manager or SAM is a local database whose purpose is to store local groups and user accounts – a treasure trove coveted by anyone seeking to infiltrate a machine, even more so considering that SAM is located in Windows Registry. The Security Account Manager contains hashed credentials and network information that could be leveraged at a later time for lateral movement, persistence, action on object, and data exfiltration.
The ‘royal road’ to SAM and other sensitive databases (e.g., System and Security located in the same System32 folder) is the VSS (Volume Shadow Copy Service), Windows-native backup & restoration service that coordinates the interaction between backup applications, data that needs to be backed-up, and the software and hardware storage management that supports the entire process.
A shadow copy is different from a regular backup since it handles live processes and data in use – this is why they are also called point-in-time copies or snapshots. The best analogy would be the snapshotting system VMware employs to save virtual machine states (e.g. stable settings, infected vs. non-infected, etc.)
VSS snapshotting is a collaborative effort that entails the following components: writers, providers, service, and the requester. The service is the coordination mechanism, the requester is the one that creates the shadow copies, while the writer ensures data homogeneity. As for the provider, this component plays a vital role in shadow copy maintenance and, in some instances, in shadow copy creation, collaborating with the requester.
Despite their importance in system backup and restoration, shadow copies can be leveraged to ‘crack open’ the SAM database via LPE (local privilege escalation). SeriousSAM’s POC is valid if, and only if, shadow copies are enabled on the target machine. Even if the process is manually disabled on a machine, Windows Updates exceeding 100GB will require shadow copies to be enabled for successful .msi deployment.
Heimdal™ Ransomware Encryption Protection
- Blocks any unauthorized encryption attempts;
- Detects ransomware regardless of signature;
- Universal compatibility with any cybersecurity solution;
- Full audit trail with stunning graphics;
A Dire Dilemma for Anti-Ransomware Efforts
With the POC made public and Microsoft moving it to provide fixes for all affected builds, the available workarounds put Windows users in a difficult position – deleting existing shadow copies and shutting off the process will interfere with the backup and restoration, the two aforementioned processes would have to be carried out using alternative means.
Furthermore, many malicious actors would take advantage of the shadow copy service to facilitate infiltration and persistence – a tell-tale sign of ransomware infection is the removal of shadow copy volumes.
At the same time, creating and maintaining shadow copy volumes are vital to most ransomware detection & prevention methodologies and, in cybersecurity as a whole, standard practices. In other words, many anti-ransomware solutions providers have woven shadow copy monitoring into their ransomware detection & prevention practice.
Despite its time-honored effectiveness in predicting malicious data encryption on an infiltrated machine, a defect such as SeriousSAM may force cybersecurity providers into reexamining their detection, prevention, and mitigation strategies. With shadow copies no longer in place, the risk of successful ransomware infection increases at an exponential rate.
More than that, since shadow copies are used as backups in case of ransomware infections, Microsoft’s purging recommendations will make such solutions unusable in any backup and restoration process.
Heimdal™ had acknowledged the shortcomings of such anti-ransomware detection approaches and, in wanting to secure this critical breach, VSS was taken out of the detection equation. The result is a non-depended volume shadow copy solution – Ransomware Encryption Protection – that yields far better results in detecting malicious encryption activity.
However, at the moment, it’s the only available workaround, one that can potentially leave machines vulnerable if confronted with fileless malware.
In waiting for Microsoft to publish a functional fix that doesn’t involve disabling VSS, the most sensible approach is to use anti-ransomware engines that can detect system changes associated with ransomware payload infection (e.g. specific system callbacks, local encryption libraries, illicit communication with one or more command and control servers).
Heimdal™ Security supports Microsoft’s endeavor to fix SeriousSAM and encourages all users to apply the temporary fix as soon as possible. To remind our readers, the solution proposed by Microsoft is two-folded: preventing USERS ACL from reading files in SAM, System, and Security and deleting the existing VSS shadow copies.
To prevent USERS ACL to read files, please follow these steps:
- Open a CMD window with admin privileges.
- Type in the following commands:
icacls %windir%\system32\config\sam /remove “Users”
icacls %windir%\system32\config\security /remove “Users”
icacls %windir%\system32\config\system /remove “Users”
To delete the existing shadow copies, please follow the steps below:
- Open a CMD window with admin privileges
- Type in the following command:
vssadmin delete shadows /for=<Windows disk drive letter>: /Quiet (e.g. vssadmin delete shadows /for=c: /Quiet)
- Verify that shadow copies have been purged. Use the command: vssadmin list shadows.
Outlook and conclusions
CVE-2021-36934 aka SeriousSAM is a yet-to-be-fixed LPE vulnerability that could grant attackers SYSTEM-level privileges by leveraging the VSS mechanism. In addition to the fixes suggested by Microsoft, Heimdal™ encourages all users to create new restoration points after purging the old shadow copies as not to completely disable the backup process.
To counter issues such as shadow copy purging, Heimdal™ Security showcases a non-VSS dependent solution that secures all pathways to sensitive system area – Ransomware Encryption Protection, employs real-time process monitoring in order to determine if any malicious encryption attempt is under way. R.E.P doesn’t leverage shadow copy volumes to detect ransomware-type activity.
Instead, it relies on the Insight Engine, a process-monitoring service that searches for malicious cues associated with RCE or ransomware-specific process callbacks. In conjunction with Threat Prevention – Network and Next-Gen Antivirus, Ransomware Encryption Protection can sever an active C2 connection, delete locally-injected payloads, draft new firewall rules to block attack IPs, and disable RDP ports to prevent alternative infiltration and exfiltration vectors.