RPC Firewall Dubbed ‘Ransomware Kill Switch’ Released to Open Source
Today at Black Hat London, Zero Networks announced the release of its RPC firewall – also dubbed the ‘ransomware kill switch’ – into open source. The tool provides granular control over RPC, capable of blocking the use of lateral movement hacker tools and stopping almost all ransomware in its tracks.
Microsoft’s Remote Procedure Call (MS-RPCE) lies at the heart of Windows. It effectively manages the relationship between clients and servers – if a client requests from a server, it goes through RPC; This happens both locally and between remote devices.
RPC was introduced into Windows back in the days of Windows 2000 and has been ever-present since then. This has two effects. Firstly, RPC was built with little or no security. While there is a documented Event for a remote RPC call, it hasn’t been implemented. Further, the Event Tracing for Windows (ETW) option will likely result in millions of RPC client/server events every hour, but doesn’t tell you where the call came from, nor which user was concerned.
Secondly, RPC use has spread over time into every aspect of Windows computing. “There is almost nothing you can do without RPC — whether to get information or change information. Everything is done via RPC,” explains Benny Lakunishok, co-founder and CEO at Zero Networks, and another product of Israel’s IDF conveyor belt.
Normal attempts to block RPC ports could rapidly cause the network to fail. For example, the most sensitive servers such as Domain Controllers must have RPC services open to any asset in the network for the domain to function properly. “If you try to shut down RPC, you will be shutting down the functionality of Windows itself,” added Lakunishok.
It is there, it is used by the bad guys, and there is nothing you can do about it. Any Windows host which is accessible over the network, offers an attacker hundreds, if not thousands, of RPC functions to choose from for exploitation – either by using stolen credentials or a vulnerability.
Over the last year, a relatively small number of ransomware gangs have been responsible for the majority of big game hunting ransom attacks: Maze, Conti, REvil, Netwalker, DoppelPaymer, DarkSide and Avaddon. In every case–with the exception of Avaddon– RPC has been used for reconnaissance and lateral movement.
The common hacker tools used for lateral movement – such as BloodHound, mimikatz, CobaltStrike, PS-Empire, PsExec and WMIC – all use RPC. But you cannot simply block the use of RPC. And even if you are able to detect something, detection is often too late.
To solve this problem and provide auditing, visibility and control over RPC calls, Zero Networks developed an agent that scans the machine and finds the RPC processes. “The agent hooks into those it finds in a legitimate manner (nothing malicious) so that it sees everything.,” Lakunishok told SecurityWeek.
“We provide full auditing and visibility so we can see, these are calling these RPC functions. Finally, we can map who is calling which RPC function. We can also create a whitelist. Even though RPC supports thousands of functions, only a few are really needed. We allow those and block everything else. We provide granular control over what RPC is doing. We can block the rest. Down the drain goes most of the attack tactics, and tools.”
The RPC Firewall will not stop all attacks. APT attackers will be able to find and use routes other than RPC – something tackled by Zero Networks’ commercial products. But the common lateral movement tools can be blocked, and network takeover stopped for all but the more advanced attackers.
More importantly in today’s threat landscape, something like 86% of ransomware will be stopped in its tracks. “Ransomware is a bit simpler in the way it operates,” continued Lakunishok. “If you block just one of the things it uses, it simply doesn’t move anymore.”
Zero Networks has now open sourced this tool. It can be found on GitHub.