February 22, 2022

Windows Serious SAM Bug

Hubbard, April

On July 20th, 2021, Microsoft disclosed a security vulnerability known as Serious SAM, tracked in the Microsoft Security Update Guide as CVE-2021-36934. SAM stands for Security Accounts Manager, and the bug was treated as a Windows 10 zero-day vulnerability. This blog goes through the details of the Windows Serious SAM bug, discusses how to prevent attackers from accessing the data, and explains how the bug could let an attacker create new accounts on compromised systems. (Microsoft)

What Exactly Is Serious SAM?

Serious SAM stands for Security Accounts Manager, and it refers to how Windows controls who can access system files such as SAM, SECURITY and SYSTEM (The Record). The reason Serious SAM is such a serious bug (no pun intended) is that it deals with elevation of privilege. According to Microsoft, an elevation of privilege vulnerability exists because of an overly permissive access control list (ACL) on multiple system files, including the Security Accounts Manager (SAM) database.

Microsoft states that an attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges; the attacker could then install programs, view, change or delete data, or create new accounts with full user rights.

Who Discovered Serious SAM?

Serious SAM was discovered by security researcher Jonas Lykkegaard. Via Twitter, Jonas explained that the vulnerability resides in how Windows 10 grants access to some of the operating system (OS) configuration files. These files are important because they contain hashed passwords for all Windows user accounts, security-related settings, data about encryption keys, and other core operating system configuration (The Record).

How Was This Bug Found?

According to The Record, which published an article on this bug, it was found while testing the upcoming Windows 11 release. Lykkegaard stated that while testing Windows 11, he discovered that Windows was restricting low-privileged users from accessing these sensitive files, but that copies of them were being saved in backups made by the Volume Shadow Copy service. A volume shadow copy is a Windows feature that creates snapshots of files during various file system operations (Techopedia).
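A defender-side audit for the two conditions described above, the permissive ACL on the SAM, SECURITY and SYSTEM hive files and the shadow copies that retain old copies of them, as an added example that is not code from the original post or from Microsoft. It assumes a Windows 10 host with PowerShell 5.1 or later run from an elevated prompt; the optional -Remediate switch applies the inheritance reset and shadow-copy deletion that Microsoft's published workaround for CVE-2021-36934 describes.

```powershell
# Added example (not code from the original post): audit a Windows 10 host for
# the CVE-2021-36934 condition, i.e. non-admin read access to the SAM, SECURITY
# and SYSTEM hive files under %SystemRoot%\System32\config, and list shadow
# copies that may still hold older, readable copies of those files.
# Run from an elevated PowerShell prompt.
param([switch]$Remediate)

$hiveFiles = 'SAM', 'SECURITY', 'SYSTEM' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\config\$_" }

# Principals that should never be able to read the hive files.
$lowPrivPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

function Test-HiveExposure {
    param([string]$Path)
    # $true when a low-privileged principal holds an Allow ACE that includes ReadData.
    $acl = Get-Acl -Path $Path
    $exposed = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
    }
    return [bool]$exposed
}

$vulnerable = $false
foreach ($f in $hiveFiles) {
    $exposed = Test-HiveExposure -Path $f
    if ($exposed) { $vulnerable = $true }
    '{0,-45} {1}' -f $f, $(if ($exposed) { 'EXPOSED to non-admins' } else { 'ok' })
}

# Shadow copies keep historical copies of the hive files with their old ACLs,
# so fixing the live files is not enough while old snapshots remain.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
"Shadow copies present: $($shadows.Count)"

if ($vulnerable -and $Remediate) {
    # Microsoft's documented workaround: re-enable ACL inheritance on the
    # config directory contents, then remove the existing shadow copies.
    icacls "$env:SystemRoot\System32\config\*.*" /inheritance:e
    vssadmin delete shadows "/for=$($env:SystemDrive)" /Quiet
}
```

Deleting shadow copies also removes System Restore points, so create a fresh restore point afterwards if you rely on them.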

How Do We Protect Ourselves?

One of the most important ways to protect yourself from vulnerabilities like this is to make sure that all Windows updates have been applied to your computer. There are also steps that can be taken to prevent intrusion and maintain the integrity of your system. Some of these are as follows:

  • Use a Firewall: A firewall filters traffic and puts a barrier between the information on your system and the outside world. It also blocks unauthorized access to your system and can alert you to intrusion attempts. Windows and macOS have firewalls built in, but you can also purchase firewall appliances from companies like Cisco or Fortinet, depending on your router and network setup.
  • Use Antivirus Software: Antivirus software helps protect against viruses and malware. Some products also block unauthorized code or software that could threaten your operating system, and antivirus software plays a major role in protecting your system from real-time threats so that your data stays safe.
  • Use Anti-Spyware Software: Spyware is malicious software that monitors your activity and collects information. Some forms deliver unwanted advertisements or slow your system down; more serious forms track keystrokes and steal financial information and passwords.
  • Password Security: This is often overlooked. Using strong passwords and changing them regularly helps prevent intrusion. More secure usually means more complex: generally a combination of upper-case and lower-case letters, numbers and symbols.
  • Use Two-Factor Authentication: Two-factor authentication is a newer form of security in which a code is sent to a device or email address before a login is approved. This makes passwords and account access more secure.
  • Turn Off File Sharing and Remote Access/Remote Network Ports: This matters because in recent cybercrimes, such as the one that took down the Colonial Pipeline in May 2021, attackers gained access to systems remotely via file sharing or remote access programs, especially where the password had not been changed in a long time. That was the case with the attackers who took down the Colonial Pipeline: they gained access by logging in to a remote network/file sharing port with a user account that had not logged in or changed its password recently (NYTimes).
  • Back It Up, Shut It Down and Use Encryption When Necessary: Always back up your files, because you never know when you will need to restore from them. A safety method that I’ve put in place is to back data up to an external hard drive, back it up to a cloud, and then back it up again, just in case data is corrupted or something happens where you’re unable to gain access. Shutting it down just means that when you’re not at your computer, shut it down; you never know when someone is looking over your shoulder. Lastly, encryption. Encryption is important to secure certain files: cybercriminals who manage to break every other barrier will not be able to access encrypted files without the password. Windows provides BitLocker and macOS provides FileVault for this.

These are some easy steps you can take to ensure that you are not vulnerable to cybercriminals attempting to gain access to your system, but the most critical is to ensure that all pending Windows updates are installed. Oftentimes Microsoft releases these updates to close vulnerabilities in users' systems or to fix an issue that has been discovered. SO BE SURE TO UPDATE YOUR SYSTEM AND INSTALL THE MICROSOFT PATCHES TO STAY SAFE!

Summary

Security vulnerabilities happen on a regular basis, but what system users decide to do to prevent intrusion is ultimately up to the user. Microsoft Windows Serious SAM was a serious vulnerability found by a security researcher, and Microsoft was quick to release a patch; however, this does not always happen. The US Cybersecurity and Infrastructure Security Agency (CISA) reports security incidents regularly, and there is always a potential hacker out there wanting to take advantage of an insecure system, whether for fun or for more serious purposes such as cybercrime. Be sure that you are taking the appropriate actions to keep your system fully secure, so that hackers cannot take advantage of it the way they could have if the Serious SAM bug had not been found and had been exploited.

References

18 ways to secure your SMB’s devices and Network. Business News Daily. (n.d.). Retrieved February 18, 2022, from https://www.businessnewsdaily.com/11213-secure-computer-from-hackers.html

CERT/CC Vulnerability Note VU#506989 – Microsoft Windows 10 gives unprivileged user access to system32\config files. (n.d.). Retrieved February 18, 2022, from https://www.kb.cert.org/vuls/id/506989

Condon, C. (2021, August 11). Microsoft SAM file readability CVE-2021-36934: What you need to know: Rapid7 blog. Rapid7. Retrieved February 18, 2022, from https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/

Gatlan, S. (2022, February 10). Microsoft shares workaround for Windows 10 SeriousSAM vulnerability. BleepingComputer. Retrieved February 18, 2022, from https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-workaround-for-windows-10-serioussam-vulnerability/

Iddon, G. (2021, September 8). HiveNightmare aka SeriousSAM vulnerability: What to do. Sophos News. Retrieved February 18, 2022, from https://news.sophos.com/en-us/2021/07/22/hivenightmare-aka-serioussam-vulnerability-what-to-do/

Security Update Guide – Microsoft Security Response Center. (n.d.). Retrieved February 18, 2022, from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

SeriousSAM bug impacts all Windows 10 versions released in the past 2.5 years. The Record by Recorded Future. (2021, July 21). Retrieved February 18, 2022, from https://therecord.media/serioussam-bug-impacts-all-windows-10-versions-released-in-the-past-2-5-years/

Sorkin, A. R., Karaian, J., Kessler, S., Merced, M. J. D. L., Hirsch, L., & Livni, E. (2021, May 10). Cybercrime hits the pump. The New York Times. Retrieved February 18, 2022, from https://www.nytimes.com/2021/05/10/business/dealbook/ransomware-pipeline-colonial.html

Spring, T. (n.d.). Microsoft issues Windows 10 workaround fix for ‘SeriousSAM’ bug. Threatpost. Retrieved February 18, 2022, from https://threatpost.com/win-10-serioussam/168034/

Techopedia. (2012, March 30). What is Volume Shadow Copy Service (VSS)? – definition from Techopedia. Techopedia.com. Retrieved February 18, 2022, from https://www.techopedia.com/definition/27707/volume-shadow-copy-service-vss

Thompson, G. (2022, February 11). CISA urges organizations to patch actively exploited Windows SeriousSAM bug. Binary Defense. Retrieved February 18, 2022, from https://www.binarydefense.com/threat_watch/cisa-urges-organizations-to-patch-actively-exploited-windows-serioussam-bug/

Toulas, B. (2022, February 11). CISA urges orgs to patch actively exploited Windows SeriousSAM bug. BleepingComputer. Retrieved February 18, 2022, from https://www.bleepingcomputer.com/news/security/cisa-urges-orgs-to-patch-actively-exploited-windows-serioussam-bug/

Lykkegaard, J. [@jonasLyk]. (n.d.). Twitter. Retrieved February 18, 2022, from https://twitter.com/jonasLyk