Microsoft Researchers Reveal Remote Encryption-Bypassing 'Evil Butler' Exploit

A security researcher demonstrated a way to bypass the full disk encryption in Windows BitLocker last November -- but that attack required physical access. Inserting the PC into a network with a counterfeit domain controller with incorrect time settings "allowed the attacker to poison the credentials cache and set a new password on the targeted device." An anonymous Slashdot reader writes: Microsoft fixed this vulnerability, and then fixed it again when two researchers pointed out in February 2016 that the fix was incomplete. At this year's Black Hat security conference, two Microsoft researchers have discovered a way to carry out the Evil Maid attack from a remote location, even over the Internet.

The two researchers say that an attacker can compromise a PC, configure it to work as a rogue domain controller, and then use Remote Desktop Protocol to access computers (that have open RDP connections) on the same network and carry out the attack from a distance. This particular attack, nicknamed a Remote Evil Butler, can be extremely attractive and valuable for cyber-espionage groups.
The article points out that Microsoft's February fix prevents this exploit, adding "The reason the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need to keep their systems up to date at all times."

Why is remote desktop on by default?

[ArtemaOne]

There are so many settings that I turn off on a new Windows installation. I really don't see why every back or front door has to be left open on a fresh install, upgrade, or update.

Re:Why is remote desktop on by default?

[akozakie]

That's one thing. The other one is:

"The reason the two Microsoft researchers disclosed this variation of the original attack is to make companies understand the need to keep their systems up to date at all times."

At least one company I know blocked all updates for two reasons entirely under MS control. 1: Win10 is not cleared for use yet for many reasons, updates pushed GWX. 2: High priority updates containing nothing but telemetry. Not enough resources to test & review everything. That's one company looking for other options. Probable outcome - Win cleared for VM use only, under a different host.

MS's feet are like a sieve from all the self-shooting. Future is not looking all that bright. Surprisingly, it's not due to buggy software - they're doing their best ever in that category. That's the price of allowing marketing&sales to touch the security feed.

Re: Why is remote desktop on by default?

[Billly+Gates]

Then that admin needs to be fired. I hope this company doesn't do any HIPPA or credit card processing.

Re: Why is remote desktop on by default?

[Billly+Gates]

Right because security is never important and ransomware is never an issue. Please do not say just shut the whole business down for half a day while you go get the tape backups.

Not acceptable! It amazes me at the incompetence I see in IT departments these days. If I get my identity stolen buying something because you didn't want to do your job I will sue.

Patches rarely cause issues and Windows XP and 7 from RTM have HUNDREDS of vulnerabilities! How can any IT professional say with a smile he never updates? It drives me crazy.

Re: Why is remote desktop on by default?

Relax honey, you'll get your identity stolen because you clicked on a link in an email from the Honorable Najoree McNamara Punjab, not from an unpatched machine. Patches don't need to be applied immediately, competent IT guys rarely do.

A few weeks/months to test for a screwup by Microsoft isn't the end of the world. And trust me they do indeed screw up often, I get paid the big bucks to be a dick about it.

Re: Why is remote desktop on by default?

[Billly+Gates]

The grandparent stated they do 0 patching and testing and defended it.

Very different than applying only crucial updates and waiting a month to 6 weeks for misc security patches to verify they are not problematic. A competent system administrator checks weekly for security bulletins, does testing and pushes things out within a few weeks or right away if a big scare hits the news like shellshock or code red. Testing of course too.

My credit card data was stolen 3 times due to incompetent IT at Wendy's, Home Depot, and TigerDirect. Probably from the same folks who bash updates here with a smile.

Re:Why is remote desktop on by default?

[antdude]

To make them easy for users to start using them. :(

Re: Why is remote desktop on by default?

[akozakie]

Hey, take back "defended it"! I wasn't defending anything, I was stating a fact and presenting the reasoning behind it. Sure, the more this happens, the more machines go unpatched with serious vulnerabilities due to incompetent or heavily understaffed IT. This was much less of a problem a year ago, when in the same situation such companies just applied all important patches. That trust is now gone and that is entirely MS fault.

Seriously, years of work to get to a situation where either IT has the knowledge and resources to control the patches (a good idea) or the machines autoupdate (worse, but still good)... all wasted in a few months, leading to a situation where IT unable to do the former may actually feel like turning off the latter is better than the alternative. Who cares if they're right or wrong, the point is it used to be very rare and now it really happens. Nightmare.

Which KB fixes this?

[Mister+Transistor]

I read the article and the researcher's PDF and neither really points out which "February Fix" MS released that addresses this particular bug. Anyone know which one, specifically?

I have all Windows Updates turned off normally, so they can't pull a drive-by WinX install on me, but I would sideload this one KB if it was really worthwhile.

Re:Which KB fixes this?

[Mister+Transistor]

Did a little more research; MS-16-014 addresses the fix, and the KB's resulting from it are KB3126587 and KB3126593.

However, oddly, they are not included in the "SP2" roll-up released on 5/12/2016. Weird. I tried to find out if those two KB's were replaced by something newer and I haven't been able to turn up anything.

I did find a couple of articles about the KB's causing some errors and failing to install on some systems, usually caused by a lack of an earlier update that they apparently are dependent upon.

Re:Which KB fixes this?

Actually, all of the files from 3126587 (MS16-004) are updated by 3125574 (the convenience rollup). You can look at the files list from the KB article for 3126587 and download the files list for 3125574, and see the newer versions (in fact, the binaries are also put on the LDR branch when you install 3125574, which you may or may not want).

Re:Which KB fixes this?

[Mister+Transistor]

Thanks! I didn't drill that far down into the KB descriptions. Thanks for taking the time to confirm they are in fact addressed by "SP2".

Re: Which KB fixes this?

It's your own damn fault for not applying updates

if your bitlocker drive is unlocked....

[shione]

If your bitlocker drive is unlocked, wouldn't anything be able to read the drive anyway?

If it can still read your bitlocker drive when you haven't unlocked it yet then can it still read pre-win8 bitlocker drives before microsoft dumbed it down? https://encrypted.google.com/s...