Category Archives: microsoft

25 vulnerabilities exploited by Chinese state-sponsored hackers

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks. “Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and … More

The post 25 vulnerabilities exploited by Chinese state-sponsored hackers appeared first on Help Net Security.

Preventing cybersecurity’s perfect storm

Zerologon might have been cybersecurity’s perfect storm: that moment when multiple conditions collide to create a devastating disaster. Thanks to Secura and Microsoft’s rapid response, it wasn’t. Zerologon scored a perfect 10 CVSS score. Threats rating a perfect 10 are easy to execute and have deep-reaching impact. Fortunately, they aren’t frequent, especially in prominent software brands such as Windows. Still, organizations that perpetually lag when it comes to patching become prime targets for cybercriminals. Flaws … More

The post Preventing cybersecurity’s perfect storm appeared first on Help Net Security.

eSentire launches automated detection and response solution for Microsoft Security products

eSentire unveiled eSentire Cloud Automation Security Assistant (CASA), the company’s automated detection and response solution for Microsoft Security products. With CASA, eSentire brings its MDR leadership and expertise from over 10 years of threat hunting to Microsoft users. CASA offers customers a single place within Microsoft Teams to actively manage alerts, engage eSentire experts on demand, and launch automated threat configurations for Microsoft Cloud Application Security, Microsoft 365, Microsoft Defender for Endpoint, Microsoft Azure, and … More

The post eSentire launches automated detection and response solution for Microsoft Security products appeared first on Help Net Security.

Microsoft Exchange, Outlook Under Siege By APTs

A new threat report shows that APTs are switching up their tactics when exploiting Microsoft services like Exchange and OWA, in order to avoid detection.

Critical infrastructure and industrial orgs can test Azure Defender for IoT for free

Azure Defender for IoT – Microsoft’s new security solution for discovering unmanaged IoT/OT assets and IoT/OT vulnerabilities – is now in public preview and can be put to the test free of charge. The solution can alert administrators about unauthorized devices connected to the network and unauthorized connections to the internet, changes to firmware versions, potentially malicious commands, illegal DNP3 operations, known malware, unauthorized SMB logins, and more. About Azure Defender for IoT “As industrial … More

The post Critical infrastructure and industrial orgs can test Azure Defender for IoT for free appeared first on Help Net Security.

Microsoft released out-of-band Windows fixes for 2 RCE issues

Microsoft released two out-of-band security updates to address remote code execution (RCE) bugs in the Microsoft Windows Codecs Library and Visual Studio Code.

Microsoft has released two out-of-band security updates to address two remote code execution (RCE) vulnerabilities that affect the Microsoft Windows Codecs Library and Visual Studio Code.

The two vulnerabilities, tracked as CVE-2020-17022 and CVE-2020-17023, have been rated as important severity.

The CVE-2020-17022 is a remote code execution vulnerability that exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker can exploit the vulnerability to execute arbitrary code.

“Exploitation of the vulnerability requires that a program process a specially crafted image file.” reads the advisory. “The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.”

The CVE-2020-17022 vulnerability affects all devices running Windows 10, version 1709 or later, and a vulnerable library version.

Windows 10 devices are not affected in their default configuration and that “only customers who have installed the optional HEVC or ‘HEVC from Device Manufacturer’ media codecs from Microsoft Store may be vulnerable.”

The CVE-2020-17022 flaw was reported to Microsoft by Dhanesh Kizhakkinan from FireEye.

The CVE-2020-17023 vulnerability is a remote code execution vulnerability that exists in Visual Studio Code. An attacker can trigger the flaw by tricking a user into opening a malicious ‘package.json’ file, then he could run arbitrary code in the context of the current user.

“If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the advisory.

“To exploit this vulnerability, an attacker would need to convince a target to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute when the target opens the malicious ‘package.json’ file. The update address the vulnerability by modifying the way Visual Studio Code handles JSON files.”

The CVE-2020-17023 vulnerability was reported by Justin Steven.

The IT giant did not provide any mitigating measures or workarounds for the two vulnerabilities.

According to Microsoft, both vulnerabilities are not being exploited in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Windows)

The post Microsoft released out-of-band Windows fixes for 2 RCE issues appeared first on Security Affairs.

US Cyber Command and Microsoft Are Both Disrupting TrickBot

Earlier this month, we learned that someone is disrupting the TrickBot botnet network.

Over the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot, an enormous collection of more than two million malware-infected Windows PCs that are constantly being harvested for financial data and are often used as the entry point for deploying ransomware within compromised organizations.

On Sept. 22, someone pushed out a new configuration file to Windows computers currently infected with Trickbot. The crooks running the Trickbot botnet typically use these config files to pass new instructions to their fleet of infected PCs, such as the Internet address where hacked systems should download new updates to the malware.

But the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware control server had the address 127.0.0.1, which is a “localhost” address that is not reachable over the public Internet, according to an analysis by cyber intelligence firm Intel 471.

A few days ago, the Washington Post reported that it’s the work of US Cyber Command:

U.S. Cyber Command’s campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter’s sensitivity. But it is one way to distract them at least for a while as they seek to restore operations.

The network is controlled by “Russian speaking criminals,” and the fear is that it will be used to disrupt the US election next month.

The effort is part of what Gen. Paul Nakasone, the head of Cyber Command, calls “persistent engagement,” or the imposition of cumulative costs on an adversary by keeping them constantly engaged. And that is a key feature of CyberCom’s activities to help protect the election against foreign threats, officials said.

Here’s General Nakasone talking about persistent engagement.

Microsoft is also disrupting Trickbot:

We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.

[…]

We took today’s action after the United States District Court for the Eastern District of Virginia granted our request for a court order to halt Trickbot’s operations.

During the investigation that underpinned our case, we were able to identify operational details including the infrastructure Trickbot used to communicate with and control victim computers, the way infected computers talk with each other, and Trickbot’s mechanisms to evade detection and attempts to disrupt its operation. As we observed the infected computers connect to and receive instructions from command and control servers, we were able to identify the precise IP addresses of those servers. With this evidence, the court granted approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.

To execute this action, Microsoft formed an international group of industry and telecommunications providers. Our Digital Crimes Unit (DCU) led investigation efforts including detection, analysis, telemetry, and reverse engineering, with additional data and insights to strengthen our legal case from a global network of partners including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec, a division of Broadcom, in addition to our Microsoft Defender team. Further action to remediate victims will be supported by internet service providers (ISPs) and computer emergency readiness teams (CERTs) around the world.

This action also represents a new legal approach that our DCU is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.

Brian Krebs comments:

In legal filings, Microsoft argued that Trickbot irreparably harms the company “by damaging its reputation, brands, and customer goodwill. Defendants physically alter and corrupt Microsoft products such as the Microsoft Windows products. Once infected, altered and controlled by Trickbot, the Windows operating system ceases to operate normally and becomes tools for Defendants to conduct their theft.”

This is a novel use of trademark law.

Trickbot botnet disrupted by Microsoft and alliance of tech companies

Microsoft says it, and several tech companies, have at least temporarily taken down the Trickbot botnet, a Russian-based network of devices that has infected more than a million computers since 2016 and is behind scores of ransomware attacks.

“We disrupted Trickbot through a [U.S.] court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” Microsoft said in a statement Monday. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”

Other tech companies involved in the effort included ESETLumen’s Black Lotus LabsNTT and Symantec. Also involved was the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Microsoft says these moves represent a legal approach that its Digital Crimes Unit is using for the first time to get the court order: Copyright claims against Trickbot’s malicious use of its software code. “This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”

Criminals being well-funded and with the ability to find other systems to host their malware, it isn’t clear how long Trickbot will be out of commission. In fact, Microsoft took care to say it has “disrupted” the botnet. “We fully anticipate Trickbot’s operators will make efforts to revive their operations,” Microsoft acknowledged, adding, “we will work with our partners to monitor their activities and take additional legal and technical steps to stop them.”

Cyber criminals are tenacious. The re-birth of the Emotet botnet in 2019 is a recent example. It was down for four months after its command and control (C&C) servers had been shut down — either by law enforcement or a security researcher. But operators may have shut it down to rebuild the infrastructure.

UPDATE: ZDNet reports that the Trickbot operators have replaced the seized domains and command and control servers with new infrastructure.

In a statement, ESET said that over the years Trickbot compromises have been reported in a steady manner, making it one of the largest and longest-lived botnets. “Trickbot is one of the most prevalent banking malware families, and this malware strain represents a threat for internet users globally,” said Jean-Ian Boutin, the company’s head of threat research.

“Throughout its existence, this malware has been distributed in a number of ways. Recently, a chain we observed frequently is Trickbot being dropped on systems already compromised by Emotet, another large botnet. In the past, Trickbot malware was leveraged by its operators mostly as a banking trojan, stealing credentials from online bank accounts and trying to perform fraudulent transfers.”

What makes Trickbot so dangerous, says Microsoft, is its modular capabilities that constantly evolve, infecting victims through a “malware-as-a-service” model. “Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end-user computers, Trickbot has also infected a number of “Internet of Things” devices, such as routers, which has extended Trickbot’s reach into households and organizations.”

Trickbot’s operators can also quickly tailor its spam and spear-phishing campaigns. Recent messaging topics have included Black Lives Matter and COVID-19. Microsoft believes Trickbot has been the most prolific malware operation using COVID-19 themed lures.

Trickbot is also known to deliver the Ryuk crypto-ransomware.

The post Trickbot botnet disrupted by Microsoft and alliance of tech companies first appeared on IT World Canada.

IBM spin-off to handle managed infrastructure services starting end of 2021

IBM is saying goodbye to its legacy business by spinning off its managed infrastructure services into a new company and embracing a "$1 trillion hybrid cloud opportunity," according to chief executive officer Arvind Krishna.

The post IBM spin-off to handle managed infrastructure services starting end of 2021 first appeared on IT World Canada.

Cyber Security Roundup for October 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, October 2020.

COVID-19 wasn't the only virus seriously disrupting the start of the new UK academic year, with ransomware plaguing a number of University and Colleges in September.  Newcastle University was reportedly hit by the 'DoppelPaymer' crime group, a group known for deploying malware to attack their victims, and behind leaking online documents from Elon Musk's SpaceX and Tesla companies. The northeast university reported a personal data breach to the UK Information Commissioner's Office after its stolen files were posted online, along with a Twitter threat to release further confidential student and staff data if a ransom payment was not paid. In a statement, the university said "it will take several weeks" to address the issues, and that many IT services will not be operating during this period", that statement is the hallmark of recovery from a mass ransomware infection.

Doppelpaymer Ransom notice

On the back of the Newcastle University cyberattack, the UK National Cyber Security Centre (NCSC) issued a warning to all British universities and colleges about a spike in ransomware attacks targeting the British educational sector. NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.  The NCSC's guidance for organisations on defending against ransomware attacks is available here.

Across the pond, healthcare giant Universal Heather Services (UHS), which operates nearly 400 hospitals and clinics, was said to be severely disrupted by the Ryuk ransomware. According to Bleeping Computer, a UHS employee said encrypted files had the telltale .ryk extension, while another employee described a ransom note fitted the Ryuk ransomware demand note. A Reddit thread claimed “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center. Ambulances are being rerouted to other hospitals, the information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment. Four people died tonight alone due to the waiting on results from the lab to see what was going on”. In response, UHS released a statement which said, “We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods".

'Dark Overlord', the handle of a British hacker involved in the theft of information as part of "The Overlord" hacking group was jailed for five years in the United States and ordered to pay $1.5 million in restitution, after pleading guilty to conspiring to commit aggravated identity theft and computer fraud, in other words, orchestrating cyber exportation attacks against US firms.


ZeroLogon:  IT Support Staff must Patch Now!
A critical Microsoft Windows Server Domain Controller vulnerability (CVE-2020-1472) is now causing concern for IT staff, after the Microsoft, CISA, the UK NCSC, and other security bodies warned the vulnerability was being actively exploited in mid-September. Dubbed 'Zerologon', Microsoft issued a security fix for the bug, which scored a maximum criticality rate of 10.0, as part of their August 2020 'Patch Tuesday' release of monthly security updates. Since that public disclosure of the flaw, there have been multiple proofs-of-concept (PoC) exploits appearing on the internet, which threat actors are now adapting into their cyberattacks. There are no mitigation or workarounds for this vulnerability, so it is essential for the CVE-2020-1472 security update is installed on all Microsoft Windows Domain Controllers, and then ensure DC enforcement mode is enabled. 

Stay safe and secure.

BLOG

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

        Who’s Behind Monday’s 14-State 911 Outage?

        Emergency 911 systems were down for more than an hour on Monday in towns and cities across 14 U.S. states. The outages led many news outlets to speculate the problem was related to Microsoft‘s Azure web services platform, which also was struggling with a widespread outage at the time. However, multiple sources tell KrebsOnSecurity the 911 issues stemmed from some kind of technical snafu involving Intrado and Lumen, two companies that together handle 911 calls for a broad swath of the United States.

        Image: West.com

        On the afternoon of Monday, Sept. 28, several states including Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania and Washington reported 911 outages in various cities and localities.

        Multiple news reports suggested the outages might have been related to an ongoing service disruption at Microsoft. But a spokesperson for the software giant told KrebsOnSecurity, “we’ve seen no indication that the multi-state 911 outage was a result of yesterday’s Azure service disruption.”

        Inquiries made with emergency dispatch centers at several of the towns and cities hit by the 911 outage pointed to a different source: Omaha, Neb.-based Intrado — until last year known as West Safety Communications — a provider of 911 and emergency communications infrastructure, systems and services to telecommunications companies and public safety agencies throughout the country.

        Intrado did not respond to multiple requests for comment. But according to officials in Henderson County, NC, which experienced its own 911 failures yesterday, Intrado said the outage was the result of a problem with an unspecified service provider.

        “On September 28, 2020, at 4:30pm MT, our 911 Service Provider observed conditions internal to their network that resulted in impacts to 911 call delivery,” reads a statement Intrado provided to county officials. “The impact was mitigated, and service was restored and confirmed to be functional by 5:47PM MT.  Our service provider is currently working to determine root cause.”

        The service provider referenced in Intrado’s statement appears to be Lumen, a communications firm and 911 provider that until very recently was known as CenturyLink Inc. A look at the company’s status page indicates multiple Lumen systems experienced total or partial service disruptions on Monday, including its private and internal cloud networks and its control systems network.

        Lumen’s status page indicates the company’s private and internal cloud and control system networks had outages or service disruptions on Monday.

        In a statement provided to KrebsOnSecurity, Lumen blamed the issue on Intrado.

        “At approximately 4:30 p.m. MT, some Lumen customers were affected by a vendor partner event that impacted 911 services in AZ, CO, NC, ND, MN, SD, and UT,” the statement reads. “Service was restored in less than an hour and all 911 traffic is routing properly at this time. The vendor partner is in the process of investigating the event.”

        It may be no accident that both of these companies are now operating under new names, as this would hardly be the first time a problem between the two of them has disrupted 911 access for a large number of Americans.

        In 2019, Intrado/West and CenturyLink agreed to pay $575,000 to settle an investigation by the Federal Communications Commission (FCC) into an Aug. 2018 outage that lasted 65 minutes. The FCC found that incident was the result of a West Safety technician bungling a configuration change to the company’s 911 routing network.

        On April 6, 2014, some 11 million people across the United States were disconnected from 911 services for eight hours thanks to an “entirely preventable” software error tied to Intrado’s systems. The incident affected 81 call dispatch centers, rendering emergency services inoperable in all of Washington and parts of North Carolina, South Carolina, Pennsylvania, California, Minnesota and Florida.

        According to a 2014 Washington Post story about a subsequent investigation and report released by the FCC, that issue involved a problem with the way Intrado’s automated system assigns a unique identifying code to each incoming call before passing it on to the appropriate “public safety answering point,” or PSAP.

        “On April 9, the software responsible for assigning the codes maxed out at a pre-set limit,” The Post explained. “The counter literally stopped counting at 40 million calls. As a result, the routing system stopped accepting new calls, leading to a bottleneck and a series of cascading failures elsewhere in the 911 infrastructure.”

        Compounding the length of the 2014 outage, the FCC found, was that the Intrado server responsible for categorizing and keeping track of service interruptions classified them as “low level” incidents that were never flagged for manual review by human beings.

        The FCC ultimately fined Intrado and CenturyLink $17.4 million for the multi-state 2014 outage. An FCC spokesperson declined to comment on Monday’s outage, but said the agency was investigating the incident.

        Cyber Security Roundup for September 2020

        A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, August 2020.

        Taking security training courses and passing certification exams are common ingredients in the makeup of the vast majority of accomplished cybersecurity and information security professionals. As such, two security incidents last month raised more than just a surprising eyebrow or two within the UK security industry. 

        The first involved the renown and well respected United States security training company, The SANS Institue, announcing that a successful email phishing attack against one of its employees resulted in 28,000 personal records being stolenSANS classified this compromise as "consent phishing", namely where an employee is tricked into providing malicious Microsoft Office 365 OAuth applications access to their O365 accounts. In June 2020, Microsoft warned 'consent phishing' scams were targeting remote workers and their cloud services.

        The second incident involved British cybersecurity firm NCC Group, after The Register reported NCC marked CREST penetration testing certification exam 'cheat cheats' were posted on Github. El Reg stated the leaked NCC marked document "offered step-by-step guides and walkthroughs of information about the Crest exams.  With those who posted the documents claiming that the documents contained a clone of the Crest CRT exam app that helped users to pass the CRT exam in the first attempt. CREST, a globally recognised provider of penetration testing accreditations, conducted their own investigation into the Github post and then suspended their Certified Infrastructure Tester (CCF Inf) and Certified Web Application Tester (CCT App) exams.

        Reuters reported British trade minister Liam Fox email account was compromised by Russian hackers through a spear-phishing attack. This led to leaks of sensitive US-UK  trade documents in a disinformation campaign designed to influence the outcome of the UK general election in late 2019.

        UK foreign exchange firm Travelex is still revelling from the double 2020 whammy of major ransomware outbreak followed by the impact COVID-19, and has managed to stay in business thanks a bailout arranged by their business administrators PWC. 

        Uber's former Cheif Security Officer has been charged with obstruction of justice in the United States, accused of covering up a massive 57 million record data breach in 2016. Uber eventually admitted paying a hacking group $100,000 (£75,000) ransom to delete the data they had stolen.

        The British Dental Association advised its dentist members that their bank account details and correspondence with them were stolen by hackers.  A BDA spokeswoman told BBC News it was possible that information about patients was also exposed, but remained vague about the potential context. The cyber breach was likely caused by a hack of the BDA website given it was taken offline for a considerable amount of time after reporting the breach.

        Its seems that every month I report a huge cloud misconfiguration data beach, typically found by researchers looking for publicity, and caused by businesses not adequately securing their cloud services.  This month it was the turn of cosmetics giant Avon after researchers 'SafetyDetectives" found 19 million records were accessible online due to the misconfiguration of a cloud server.  Accurics separately reported misconfigured cloud services accounted for 93% of 200 breaches it has seen in the past two years, exposing more than 30 billion records. Also predicting cloud services data breaches are likely to increase in both velocity and scale, I am inclined to agree.
        Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global
        Finally, I was invited to review a pre-release of Geoff White’s new book, Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global”. I posted a book review upon its release in August, I thoroughly recommend it. The book is superbly researched and written, the author’s storytelling investigative journalist style not only lifts the lid on the murky underground world of cybercrime but shines a light on the ingenuity, persistence and ever-increasing global scale of sophisticated cybercriminal enterprises. While this book is an easily digestible read for non-cyber security experts, the book provides cybersecurity professionals working on the frontline in defending organisations and citizens against cyber-attacks, with valuable insights and lessons to be learnt about their cyber adversaries and their techniques, particularly in understanding the motivations behind today's common cyberattacks.

        Stay safe and secure.

        BLOG
        NEWS
        VULNERABILITIES AND SECURITY UPDATES
        AWARENESS, EDUCATION AND THREAT INTELLIGENCE

        Cyber Security Roundup for August 2020

        A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, July 2020.

        The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets. 
        Twitter confirms internal tools used in bitcoin-promoting attack ...
        Scam Tweet
        The high-profile Twitter accounts compromised included Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Around £80,000 of Bitcoin was sent to the scammer's Bitcoin account before Twitter swiftly took action by deleting the scam tweets and blocking every 'blue tick' verified Twitter user from tweeting, including me

        While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' as reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their Twitter privilege account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack, that scammer(s) orchestrated a near-simultaneous Bitcoin scam tweets to be posted from the high profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year British man from Bognor Regis.

        There was a very serious critical Windows vulnerability disclosed as part the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350 it was given the highest possible CVSS score of 10.0, which basically means the vulnerability is “easy to attack” and “likely to be exploited”, although Microsoft said they hadn't seen any evidence of its exploitation at the time of their patch release.

        Given SIGRed is a wormable vulnerability, it makes it particularly dangerous, as wormable malware could exploit the vulnerability to rapidly spread itself over flat networks without any user interaction, as per the WannaCry attack on the NHS and other large organisations. Secondly, it could be used to exploit privilege level accounts (i.e. admin accounts found on Servers).  The Microsoft CVE-2020-1350 vulnerability can be mitigated on effected systems by either applying the Microsoft Windows DNS Server Microsoft released patch (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350 or by applying a Registry Workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability)

        At least 10 universities in the UK had student data stolen after hackers attacked Blackbaud, an education-focused cloud service provider. UK universities impacted included York, Loughborough, Leeds, London, Reading, Exeter and Oxford. According to the BBC News website, Blackbaud said "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

        As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027, and banning their purchase of Huawei 5G network equipment after 31st December 2020.  Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, which Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said. 
        In some media quarters, it was suggested the UK u-turn on Huawei could lead to cyberattack repercussions after Reuter's said its sources confirmed China was behind cyberattacks on Australia's critical national infrastructure and government institutions following their trade dispute with China.

        Russian Hacking Group (APT 29) was jointly accused of targeting the theft of coronavirus vaccine research by the UK NCSC, the Canadian Communication Security Establishment (CSE), United States Department for Homeland Security (DHS), Cyber-security Infrastructure Security Agency (CISA) and the US National Security Agency (NSA). The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK has rejected allegations, "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. While Foreign Secretary Dominic Raab said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour". 

        UK sport said hackers tried to steal a £1 million club transfer fee and froze turnstiles at a football game. Cybercriminals hacked a Premier League club managing director's email account during a player transfer negotiation, the million-pound theft was only thwarted by a last-minute intervention by a bank.  Another English football club was targeted by a ransomware attack which stopped its turnstiles and CCTV systems from working, which nearly resulted in a football match being postponed. Common tactics used by hackers to attack football clubs include compromising emails, cyber-enabled fraud and ransomware to shutting down digital systems. For further information on this subject, see my extensive blog post on football club hacking, The Billion Pound Manchester City Hack.

        Smartwatch maker Garmin, had their website, mobile app and customer service call centres taken down by ransomware on 23rd July 2020. Reports suggest the fitness brand had been hit by the WastedLocker ransomware strain, which is said to have been developed by individuals linked to a Russia-based hacking group called 'Evil Corp'.  According to Bleeping Computer, Garmin paid $10 million to cybercriminals to receive decryption keys for the malware on 24th or 25th July 2020.

        Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers, one million files of Fitness Brand 'V Shred' was discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly V Shred defended the researcher findings by claiming it was necessary for user files to be publicly available and denied that any PII data had been exposed.

        BLOG

        NEWS
        VULNERABILITIES AND SECURITY UPDATES
        AWARENESS, EDUCATION AND THREAT INTELLIGENCE

        Cyber Security Roundup for July 2020

        A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, June 2020.

        Australian Prime Minister Scott Morrison announced a sophisticated nation-state actor is causing increasing havoc by attacking the country’s government, corporate institutions, and his country's critical infrastructure operators. He said, “We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used". While Morrison didn't actually name the specific country responsible in his statement, Reuters said its sources confirmed China was the culprit.  Political t
        ensions have ramped up between Australia and China in recent months after Australia called for an investigation into China’s handling of the COVID-19 pandemic. China then reacted by placing tariffs on Australian exports and banning shipments of beef from Australia.

        Why am I leading a UK cybersecurity blog with an Australian cyberattacks story? Well, it is because the UK might well be next in the cross-hairs of China's sophisticated cyber army, after the UK Governance stance on using Huawei in 5G infrastructure significantly soured last month. And also due to the increasing political pressure applied by the UK government on the Chinese government following their introduction of a controversial new security law in Hong Kong.

        Increased UK Huawei Tensions in June 2020
        While the Australian PM righty suggested their nation-state threat actor was sophisticated, the cyberattacks they described aren't so sophisticated. Their attackers engaged in spear-phishing campaigns designed to trick email recipients into clicking a link leading to a malicious files or credential harvesting page, opening malicious attachments or granting Office 365 OAuth tokens to the actors.  This is the same MO of cyber attacks orchestrated by the cybercriminals fraternity on a daily basis. The Australian government statement advises organisations to patch their internet-facing devices, including web and email servers and to use multifactor authentication. All good advise, in fact, all essential good practice for all organisations to adopt no matter their threat actor landscape.

        Away from the international cyber warfare scene, a coalition led by security companies is urging the UK government to revamp the much-dated Computer Misuse Act. The UK's 'anti-hacking' law is 30 years old, so written well before the internet took root in our digital society, so is not really suitable for prosecuting for modern cybercriminals, they tend to be prosecuted under financial crime and fraud laws. The coalition is calling for a change in the law includes the NCC Group, F-Secure, techUK, McAfee and Trend Micro. They argue section 1 of the Act prohibits the unauthorised access to any programme or data held in any computer and has not kept pace with advances in technology. In their letter to PM they said "With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims and criminals systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access."

        Since launching a 'Suspicious Email Reporting Service' in April 2020, the UK National Cyber Security Centre (NCSC) announced it has now received one million reports, receiving around 16,500 emails a day. NCSC Chief Executive Officer Ciaran Martin called the number of reports a “milestone” and “a testament to the vigilance of the British public". I think the email reporting service is another fantastic free service provided by NCSC (i.e. UK Gov) to UK citizens, so one thing the UK government is definitely getting right in the cybersecurity space at the moment.

        Zoom announced it will extend 'optional' end-to-end encryption (E2EE) to free users. It is not certain when exactly Zoom's free E2EE will commence or whether it will be defaulted as on, given the Zoom CEO said, “We plan to begin early beta of the E2EE feature in July 2020.” Still good to see the much security criticised Zoom is continuing to bolstering its security, and also by appointing a seasoned Chief Information Security Officer from Salesforce.

        Some men just want to watch the world burn...
        With the recent uptick in ransomware, phishing, unsecured cloud buckets and massive data breaches dominating the media headlines over the past couple of years, you could be forgiven for forgetting about the threat posed by Distributed-Denial-of-Service (DDoS) attacks. So then, a timely reminder that some threat actors have vast botnets as their disposal for orchestrating huge DDoS attacks after Amazon reported thwarting the biggest ever DDoS attack, and a European bank suffered the biggest ever PPS DDoS attack. The motives of these colossal DDoS attacks are unclear, I guess some men just want to watch the world burn.
        Quote from Batman butler Alfred (Michael Caine), The Dark Knight
        BLOG
        NEWS
        VULNERABILITIES AND SECURITY UPDATES
        AWARENESS, EDUCATION AND THREAT INTELLIGENCE

          Cyber Security Roundup for June 2020

          A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, May 2020.

          EasyJet's disclosure of a "highly sophisticated cyber-attack", which occurred in January 2020, impacting 9 million of their customers was the biggest cybersecurity story of May 2020 in the UK. Although no details about this 'cyber-attack' were disclosed, other than 2,208 customers had their credit card details accessed.  


          Using terms like "highly sophisticated" without providing any actual details of the cyberattack makes one think back to when TalkTalk CEO Dido Harding described a cyber-attack as "significant and sustained cyber-attack" in 2015. In TalkTalk's case, that cyber attack turned out to be a bunch of teenage kids taking advantage of a then 10-year-old SQL injection vulnerability.  City A.M. described Dido's responses as "naive", noting when asked if the affected customer data was encrypted or not, she replied: "The awful truth is that I don’t know". Today Dido is responsible for the UK governments Track, Test and Trace application, which no doubt will ring privacy alarms bells with some. 

          Back to the EasyJet breach, all we know is the ICO and the NCSC are supporting UK budget airline, EasyJet said "We take issues of security extremely seriously and continue to invest to further enhance our security environment. There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing. We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays." 

          It will be interesting to see the DPA enforcement line Information Commission's Office (ICO) adopts with EasyJet, especially considering the current COVID-19 impact on the UK aviation industry.  Some security commentators have called ICO a "Toothless Tiger" in regards to their supportive response, an ICO label I've not heard since long before the GDPR came into force. But the GDPR still has a sting its tail beyond ICO enforcement action in the UK, in that individuals impacted by personal data breaches can undertake a class-action lawsuit. So then, it can be no real surprise to law firm PGMBM announce it has issued a class-action claim in the High Court of London, with a potential liability of an eye-watering £18 billion!. If successful, each customer impacted by the breach could receive a payout of £2,000.

          The 2020 Verizon Data Breach Investigations Report (DBIR) was released, the most valuable annual report in the cybersecurity industry in my humble opinion. The 2020 DBIR used data compiled before COVID-19 pandemic.  The report analyses 32,002 security incidents and 3,950 confirmed breaches from 81 global contributors from 81 countries.
          • 86% of data breaches for financial gain - up from 71% in 2019 
          • 43% web application (cloud-based) - these attacks have doubled, reflecting the growth in the use of cloud-based services.
          • 67% of data breaches resulted from credential theft, human error or social attacks. 
          • Clearly identified cyber-breach pathways enable a “Defender Advantage” in the fight against cyber-crime 
          • On-going patching successful - fewer than 1 in 20 breaches exploit vulnerabilities
          The vast majority of breaches continue to be caused by external actors.
          • 70% with organised crime accounting for 55% of these. 
          • Credential theft and social attacks such as phishing and business email compromises cause the majority of breaches (over 67%), specifically:
            • 37% of credential theft breaches used stolen or weak credentials,
            • 25% involved phishing
            • Human error accounted for 22%
          The 2020 DBIR highlighted a two-fold increase in web application breaches, to 43%, and stolen credentials were used in over 80% of these cases. Ransomware had a slight increase, found in 27% of malware incidents compared to 24% in the 2019 DBIR with 18% of organisations reported blocking at least one piece of ransomware last year.

          REvil (aka Sodinokibi) hackers are said to have stolen celebrity data from a law firm 'Grubman Shire Meiselas & Sacks'. With 756 gigabytes of personal data, emails, and contract details were taken, including Lady Gaga, Madonna, Elton John, Barbara Streisand, Bruce Springsteen and Mariah Carey to name a few. 

          Pitney Bowes was hit with ransomware for the second time in 7 monthsPitney Bowes said attackers breached company systems and accessed “a limited set of corporate file shares” that “contained information used by our business teams and functional groups to conduct business-related activities.” News reports state the Maze ransomware group is behind the attack, threatening to post confidential if Pitney Bowes does not pay up.

          Amazon's UK website was defaced with racist abuse,  which appeared on multiple listings on its UK website. Amazon has not disclosed how long the racist language remained on the site, but it sparked outrage on Twitter, Amazon said: "We investigated, removed the images in question and took action against the bad actor".

          LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

          BLOG
          NEWS
          VULNERABILITIES AND SECURITY UPDATES
          AWARENESS, EDUCATION AND THREAT INTELLIGENCE

            Cyber Security Roundup for May 2020

            A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, April 2020.

            As well reported, UK foreign exchange firm Travelex business operations were brought to a standstill after its IT systems were severely hit by the Sodinokibi ransomware at the start of the year. It was reported that
             REvil group were behind the attack and had stolen 5Gbs of customer personal data, and then demanded $6 million (£4.6m) in ransom. The Wall Street Journal reported in April 2020 that Travelex had reached a deal, paying $2.3 million (£1.84m) in Bitcoin to the cybercriminals. This sort of response incentivises future ransomware activity against all other businesses and could lead to an inflation of future cyber-extortion demands in my opinion.

            Cognizant, a US large digital solutions provider and IT consultancy, was reportedly hit by the Maze ransomware.  Maze, previously known as the 'ChaCha' ransomware, like the Travelex attack, not only encrypts victim's files but steals sensitive data from the IT systems as well. Enabling the bad guys to threaten the publishing of the stolen data if the organisation cough up to their cyber-extortion demands, so the bad guys are very much rinsing and repeating lucrative attacks.

            Microsoft wrote an excellent blog covering the 'motley crew' of ransomware payloads  The blog covers ransomware payloads said to be straining security operations especially in health care, Microsoft warned, urging security teams to look for signs of credential theft and lateral movement activities that herald attacks.

            Researchers continue to be busy in exposing large sensitive datasets within misconfigured cloud services.  In April researchers reported 14 million Ring user details exposed in misconfigured AWS open database, fitness software Kinomap had 42 million user details exposed in another misconfigured database, and Maropost had 95 million users exposed, also in a misconfigured database.

            Nintendo confirmed 160,000 of its users' accounts had been accessed, exposing PII and Nintendo store accounts. The gaming giant Nintendo said from April, its user's accounts were accessed through the Nintendo Network ID (NNID), which is primarily used for Switch gaming. The company is unaware exactly how the intrusion had occurred, saying it “seems to have been made by impersonating login to “Nintendo Network ID. “If you use the same password for your NNID and Nintendo account, your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop. Please set different passwords for NNID and Nintendo account,” Nintendo said. In response to these issues the company has abolished user’s ability to log into their Nintendo account via NNID and passwords for both NNID and Nintendo accounts are being reset and the company is recommending multi-factor authentication be set up for each account.  The account breaches weren't the only cyber issue affecting Nintendo in April, it reported that a bot, dubbed 'Bird Bot' was used by a reseller to buy up Nintendo Switches before customers could make their Switch purchase from Nintendo. The bot using reseller benefits at the expense of consumers, in buying up all available Switches directly from Nintendo, they are able to sell them on for higher prices, so making a quick and easy tidy profit, due to the current high demand of Switches and lack of supply.

            April was a busy month for security updates, Microsoft released security patches fixing 113 vulnerabilities on Patch Tuesday and an out-of-band patch for Teams found by researchers at CyberArk. Patch Tuesday for a quiet one for Adobe, though they released fixes for 21 critical vulnerabilities in illustrator and Bridge at the end of the month.  Oracle released a huge 397 fixes for 450 CVEs in over 100 products, which I think is a new record for a patch release!  

            Sophos said it and its customers were attacked when a previously unknown SQL injection vulnerability in their physical and virtual XG Firewall units was exploited. “The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected,Sophos said.

            There were security critical patch releases for Mozilla Firefox, Chrome (twice), and for 8 Cisco products. A bunch of VMware patches for including a CVSS scored 10 (highest possible) in vCenter, a critical in vRealize Log Insight and a critical cross-site scripting vulnerability in ESXi 6.5 and 6.7. And finally, on the patch front, Intel decided to discontinue multiple products, as it was unable to keep ahead of patch their vulnerabilities.

            Stay safe, safe home and watch for the scams.

            BLOG
            NEWS

            AWARENESS, EDUCATION AND THREAT INTELLIGENCE

              Cyber Security Roundup for April 2020

              A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, March 2020.

              The UK went into lockdown in March due to the coronavirus pandemic, these are unprecedented and uncertain times. Unfortunately, cybercriminals are taking full advantage of this situation, both UK citizens and 
              businesses have been hit with a wave of COVID-19 themed phishing emails, and scam social media and text messages (smishing). Which prompted warnings by the UK National Cyber Security Centre and UK Banks, and a crackdown by the UK Government.
              Convincing COVID-19 Scam Text Message (Smishing)

              I have not had the opportunity to analyse a copy of the above scam text message (smishing), but it looks like the weblink displayed is not as it appears. My guess is the link is not part of the gov.uk domain, but the attacker has used an international domain name homograph attack, namely using foreign font characters to disguise the true address of a malicious website that is linked.

              I was privileged to be on The Telegraph Coronavirus Podcast on 31st March, where I was asked about the security of video messaging apps, a transcript of what I advised is here. Further coronavirus cybersecurity advice was posted on my blog, on working from home securely and to provide awareness of coronavirus themed message scams.  It was also great to see the UK payment card contactless limit increased from £30 to £45 to help prevent coronavirus spread.

              March threat intelligence reports shone a light to the scale of the cybercriminal shift towards exploiting COVID-19 crisis for financial gains. Check Point Global Threat Index reported a spike in the registration of coronavirus themed domains names, stating more than 50% of these new domains are likely to be malicious in nature. Proofpoint reports for more 80% of the threat landscape is using coronavirus themes in some way.  There has been a series of hacking attempts directly against the World Health Organisation (WHO), from DNS hijacking to spread a malicious COVID-19 app to a rather weird plot to spread malware through a dodgy anit-virus solution

              Away from the deluge of coronavirus cybersecurity news and threats, Virgin Media were found to have left a database open, which held thousands of customer records exposed, and T-Mobile's email vendor was hacked, resulting in the breach of their customers and employees personal data.  

              International hotel chain Marriot reported 5.2 million guest details were stolen after an unnamed app used by guests was hacked. According to Marriots online breach notification, stolen data included guest name, address, email address, phone number, loyalty account number and point balances, employer, gender, birthdays (day and month only), airline loyalty program information, and hotel preferences. It was only on 30th November 2018 Marriott disclosed a breach of 383 million guestsTony Pepper, CEO at Egress said “Marriott International admitted that it has suffered another data breach, affecting up to 5.2 million people. This follows the well-documented data breach highlighted in November 2018 where the records of approximately 339 million guests were exposed in a catastrophic cybersecurity incident. Having already received an intention to fine from the ICO to the tune of £99m for that, Marriott will be more than aware of its responsibility to ensure that the information it shares and stores is appropriately protected. Not only does this news raise further concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches. It will be interesting to see if further action is taken by the ICO”

              Five billion records were found to be exposed by UK security company Elasticsearch.  Researchers also found an Amazon Web Services open MongoDB database of eight million European Union citizen retail sales records was left exposed, which included personal and financial information.  And Let’s Encrypt revoked over 3 million TLS certificates due to a bug which certification rechecking

              March was another busy month for security updates, patch Tuesday saw Microsoft release fixes for 116 vulnerabilities and there was an out-of-band Microsoft fix for 'EternallDarkness' bug on 10th March, but a zero-day exploited vulnerability in Windows remained unpatched by the Seattle based software giants.  Adobe released a raft of security patches, as did Apple (over 30 patches), Google, Cisco, DrayTek, VMware, and Drupal.

              Stay safe, safe home and watch for the scams.

              BLOG
              NEWS
                VULNERABILITIES AND SECURITY UPDATES
                  AWARENESS, EDUCATION AND THREAT INTELLIGENCE

                  The ONE Question NO ONE knows the Answer to at RSA Conference 2020

                  Hello,

                  On Monday, the RSA Conference 2020 will begin, where almost a thousand cyber security companies will showcase their greatest cyber security solutions to thousands of attendees, and where supposedly "The World Talks Security!"

                  If that's the case, let's talk security -  I'd like to ask the entire RSA Conference just 1 simple cyber security question -

                  Question: Do the companies whose CISOs and cyber security personnel are attending the RSA Conference '20 have any idea exactly who has what privileged access in their foundational Active Directory deployments today?


                  If they don't, then perhaps instead of making the time to attend cyber security conferences, they should first focus on making this paramount determination, because without it, not ONE thing, let alone their entire organization, can be adequately secured.



                  Unequivocal Clarity

                  If this one simple question posed above isn't clear, here are 5 simple specific cyber security 101 questions to help gain clarity:

                      Does our organization know exactly -
                  • Q 1.  Who can run Mimikatz DCSync against our Active Directory to instantly compromise everyone's credentials?
                  • Q 2.  Who can change the Domain Admins group's membership to instantly gain privileged access company wide?
                  • Q 3.  Who can reset passwords of /disable use of Smartcards on all Domain Admin equivalent privileged accounts?
                  • Q 4.  Who can link a malicious GPO to an(y) OU in Active Directory to instantly unleash ransomware system-wide?
                  • Q 5.  Who can change or control who has what privileged access in our Active Directory?

                  If an organization does not have exact answers to these 5 simple questions today, it has absolutely no idea as to exactly who has what privileged access in its foundational Active Directory, and thus, it has absolutely no control over cyber security.




                  This is Paramount

                  If you don't think that having exact answers to these questions is paramount, then you don't know a thing about cyber security.


                  Just ask the world famous and globally trusted $10 Billion cyber security company CrowdStrike, and here's a quote from them - "A secure Active Directory environment can mitigate most attacks."




                  Zero out of 1000

                  There are almost 1000 cyber security companies exhibiting at the RSA Conference 2020, but guess how many of those 1000 companies could help you accurately determine the answers to 5 simple questions asked above? The answer is 0.


                  Not Microsoft, not EMC, not CrowdStrike, not FireEye, not Cisco, not IBM, not Symantec, not McAfee, not Palantir, not Tanium, not CyberArk, not Centrify, not Quest, not ZScaler, not BeyondTrust, not Thycotic, not Varonis, not Netwrix, not even HP, in fact no company exhibiting at RSA Conference 2020 has any solution that could help accurately answer these simple questions.

                  That's right - not a single cyber security company in the world (barring one), let alone the entirety of all cyber security companies exhibiting at or sponsoring the RSA Conference 2020 can help organizations accurately answer these simple questions.




                  The Key

                  The key to being able to answer the leading question above, as well as the five simple cyber security questions posed above lies in having just 1 simple, fundamental cyber security capability - Active Directory Effective Permissions.


                  There's only 1 company on planet Earth that possesses this key, and its not going to be at the RSA Conference 2020 - this one.



                  Thanks,
                  Sanjay.

                  Who Needs WMDs (Weapons of Mass Destruction) Today ?

                  Folks,

                  Today, yet again, I'd like to share with you a simple Trillion $ question, one that I had originally asked more that 10 years ago, and recently asked again just about two years ago. Today it continues to be exponentially more relevant to the whole world.

                  In fact, it is more relevant today than ever given the paramount role that cyber security plays in business and national security.


                  So without further adieu, here it is - Who needs WMDs (Weapons of Mass Destruction) Today?


                  Ans: Only those who don't know that we live in a digital world, one wherein virtually everything runs on (networked) computers.


                  Why would an entity bother trying to acquire or use a WMD (or for that matter even a conventional weapon) when (if you're smart) you could metaphorically stop the motor of entire organizations (or nations) with just a few lines of code designed to exploit arcane but highly potent misconfigured security settings (ACLs) in the underlying systems on which governments, militaries and thousands of business organizations of the world operate?

                  Today, all you need is two WDs in the same (pl)ACE and its Game Over.


                  Puzzled? Allow me to give you a HINT:.

                  Here’s a simple question: What does the following non-default string represent and why should it be a great cause of concern?
                  (A;;RP;;;WD)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(A;;RPLCLORC;;;AU)(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)(A;CI;RPWPCRLCLOCCRCWDWOSDSW;;;BA)(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)(A;CI;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;EA)(A;CI;LC;;;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (A;CI;RPWDLCLO;;;WD)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU) (OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(A;;RC;;;RU)(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)

                  Today, this one little question and the technicality I have shared above directly impacts the cyber security of the entire world.


                  If you read my words very carefully, as you always should, then you'll find that it shouldn't take an astute cyber security professional more than a minute to figure it out, given that I’ve actually already provided the answer above.


                  Today, the CISO of every organization in the world, whether it be a government, a military or a billion dollar company (of which there are dime a dozen, and in fact thousands worldwide) or a trillion dollar company MUST know the answer to this question.


                  They must know the answer because it directly impacts and threatens the foundational cyber security of their organizations.

                  If they don't, (in my opinion) they likely shouldn't be the organization's CISO because what I have shared above could possibly be the single biggest threat to 85% of organizations worldwide, and it could be used to completely compromise them within minutes (and any organization that would like a demo in their real-world environment may feel free to request one.)

                  Some of you will have figured it out. For the others, I'll finally shed light on the answer soon.

                  Best wishes,
                  Sanjay


                  PS: If you need to know right away, perhaps you should give your Microsoft contact a call and ask them. If they too need some help (they likely will ;-)), tell them it has to do with a certain security descriptor in Active Directory. (There, now that's a HINT the size of a domain, and it could get an intruder who's been able to breach an organization's network perimeter to root in seconds.)

                  PS2: If this intrigues you, and you wish to learn more, you may want to read this - Hello World :-)

                  What is Active Directory? (Cyber Security 101 for the Entire World)

                  Folks,

                  Today is January 06, 2020, and as promised, here I am getting back to sharing perspectives on cyber security.


                  Cyber Security 101

                  Perhaps a good topic to kick off the year is by seeking to ask and answer a simple yet vital question - What is Active Directory?

                  You see, while this question may seem simple to some (and it is,) its one of the most important questions to answer adequately, because in an adequate answer to this most simple question lies the key to organizational cyber security worldwide.

                  The simple reason for this is that if you were to ask most CISOs or IT professionals, they'll likely tell you that Active Directory is the "phone book" of an organization's IT infrastructure, and while its true that at its simplest, it is a directory of all organizational accounts and computers, it is this shallow view that leads organizations to greatly diminish the real value of Active Directory to the point of sheer irresponsible cyber negligence because  "Who really cares about just a phone book?"

                  In fact, for two decades now, this has been the predominant view held by most CISOs and IT personnel worldwide, and sadly it is the negligence resulting from such a simplistic view of Active Directory that are likely the reason that the Active Directory deployments of most organizations remain substantially insecure and vastly vulnerable to compromise today.

                  Again, after all, who cares about a phone book?!




                  Active Directory - The Very Foundation of Organizational Cyber Security Worldwide

                  If as they say, a "A Picture is Worth a Thousand Words", perhaps I should paint you a very simple Trillion $ picture -


                  An organization's Active Directory deployment is its single most valuable IT and corporate asset, worthy of the highest protection at all times, because it is the very foundation of an organization's cyber security.

                  The entirety of an organization's very building blocks of cyber security i.e. all the organizational user accounts and passwords used to authenticate their people, all the security groups used to aggregate and authorize access to all their IT resources, all their privileged user accounts, all the accounts of all their computers, including all laptops, desktops and servers are all stored, managed and secured in (i.e. inside) the organization's foundational Active Directory, and all actions on them audited in it.

                  In other words, should an organization's foundational Active Directory, or a single Active Directory privileged user account, be compromised, the entirety of the organization could be exposed to the  risk of complete, swift and colossal compromise.



                  Active Directory Security Must Be Organizational Cyber Security Priority #1

                  Today, ensuring the highest protection of an organization's foundational Active Directory deployment must undoubtedly be the #1 priority of every organization that cares about cyber security, protecting shareholder value and business continuity.


                  Here's why - A deeper, detailed look into What is Active Directory ?


                  For anyone to whom this may still not be clear, I'll spell it out - just about everything in organizational Cyber Security, whether it be Identity and Access Management, Privileged Access Management, Network Security, Endpoint Security, Data Security, Intrusion Detection, Cloud Security, Zero Trust etc. ultimately relies and depends on Active Directory (and its security.)



                  In essence, today every organization in the world is only as secure as is its foundational Active Directory deployment, and from the CEO to the CISO to an organization's shareholders, employees and customers, everyone should know this cardinal fact.

                  Best wishes,
                  Sanjay.

                  A Simple Trillion$ Cyber Security Question for the Entire RSA Conference

                  Folks,

                  This week, the famous RSA Conference 2019 is underway, where supposedly "The World Talks Security" -



                  If that's the case, let's talk -  I'd like to respectfully ask the entire RSA Conference just 1 simple cyber security question -

                  Question: What lies at the very foundation of cyber security and privileged access of not just the RSAs, EMCs, Dells, CyberArks, Gartners, Googles, Amazons, Facebooks and Microsofts of the world, but also at the foundation of virtually all cyber security and cloud companies and at the foundation of over 85% of organizations worldwide?

                  For those who may not know the answer to this ONE simple cyber security question, the answer's in line 1 here.



                  For those who may know the answer, and I sincerely hope that most of the world's CIOs, CISOs, Domain Admins, Cyber Security Analysts, Penetration Testers and Ethical Hackers know the answer, here are 4 simple follow-up questions -


                  • Q 1.  Should your organization's foundational Active Directory be compromised, what could be its impact?
                  • Q 2.  Would you agree that the (unintentional, intentional or coerced) compromise of a single Active Directory privileged user could result in the compromise of your organization's entire foundational Active Directory?
                  • Q 3.  If so, then do you know that there is only one correct way to accurately identify/audit privileged users in your organization's foundational Active Directory, and do you possess the capability to correctly be able to do so?
                  • Q 4.  If you don't, then how could you possibly know exactly how many privileged users there are in your organization's foundational Active Directory deployment today, and if you don't know so, ...OMG... ?!

                  You see, if even the world's top cyber security and cloud computing companies themselves don't know the answers to such simple, fundamental Kindergarten-level cyber security questions, how can we expect 85% of the world's organizations to know the answer, AND MORE IMPORTANTLY, what's the point of all this fancy peripheral cyber security talk at such conferences when organizations don't even know how many (hundreds if not thousands of) people have the Keys to their Kingdom(s) ?!


                  Today Active Directory is at the very heart of Cyber Security and Privileged Access at over 85% of organizations worldwide, and if you can find me even ONE company at the prestigious RSA Conference 2019 that can help organizations accurately identify privileged users/access in 1000s of foundational Active Directory deployments worldwide, you'll have impressed me.


                  Those who truly understand Windows Security know that organizations can neither adequately secure their foundational Active Directory deployments nor accomplish any of these recent buzzword initiatives like Privileged Access Management, Privileged Account Discovery, Zero-Trust etc. without first being able to accurately identify privileged users in Active Directory.

                  Best wishes,
                  Sanjay


                  PS: Pardon the delay. I've been busy and haven't much time to blog since my last post on Cyber Security 101 for the C-Suite.

                  PS2: Microsoft, when were you planning to start educating the world about what's actually paramount to their cyber security?

                  A Trillion $ Cyber Security Question for Microsoft and CISOs Worldwide

                  Folks,

                  Today, to give a hint for the answer to this 1 question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -


                  What's the World's Most Important Active Directory Security Capability?




                  Those who don't know why this is the world's most important cyber security question may want to connect one, two and three

                  I sincerely hope that someone (anyone) at Microsoft, or that some CISO (any ONE) out there, will answer this ONE question.

                  Best wishes,
                  Sanjay.

                  Mimikatz DCSync Mitigation

                  Folks,

                  A few days ago I asked a (seemingly) very simple question ; no I'm not referring to this one, I'm referring to this one here  -

                  Can Anyone (i.e. any Cyber Security Company or Expert) Help Thousands of Microsoft's Customers MITIGATE the Risk Posed by Mimikatz DCSync?

                  Here's why I did so - While there's a lot of info out there on the WWW about how to use Mimikatz DCSync, and/or how to detect its use, there isn't one other* single correct piece of guidance out there on how to mitigate the risk posed by Mimkatz DCSync.

                  So, as promised, today I am (literally) going to show you exactly how thousands of organizations worldwide can now easily and demonstrably actually mitigate the very serious cyber security risk posed to their foundational security by Mimikatz DCSync.


                  In light of what I've shared below, organizations worldwide can now easily mitigate the serious risk posed by Mimikatz DCSync.




                  First, A Quick Overview

                  For those who may not know, and there are millions who don't, there are three quick things to know about Mimikatz DCSync.


                  Mimikatz DCSync, a Windows security tool, is the creation of the brilliant technical expertise of Mr. Benjamin Delpy, whose work over the years has very likely (caused Microsoft a lot of pain ;-) but/and) helped substantially enhance Windows Security.

                  Mimikatz DCSync targets an organization's foundational Active Directory domains, and instantly gives any attacker who has sufficient privileges to be able to replicate sensitive content from Active Directory, access to literally everyone's credentials!

                  Thus far, the only guidance out there is on how to DETECT its use, but this is one of those situations wherein if you're having to rely on detection as a security measure, then its unfortunately already TOO late, because the damage has already been done.



                  Detection Is Hardly Sufficient

                  They say a picture's worth a thousand words, so perhaps I'll paint a picture for you. Relying on detection as a security measure against Mimikatz DCSync is akin to this -

                  Castle romeo2

                  Lets say a nuclear weapon just detonated in a city, and the moment it did, detection sensors alerted the city officials about the detonation. Well, within the few seconds in which they received the alert, the whole city would've already been obliterated i.e. by the time you get the alert, literally everyone's credentials (including of all privileged users) would've already been compromised!

                  Make not mistake about it - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory domain is tantamount to a complete forest-wide compromise, and should be considered a massive organizational cyber security breach, the only way to recover from which is to completely rebuild the entire Active Directory forest from the ground up!

                  This is why detection is grossly insufficient as a security measure, and what organizations need is the ability to prevent the use of Mimikatz DCSync's against their foundational Active Directory domains & thus the ability to mitigate this risk is paramount.



                  How to Mitigate Mimikatz DCSync

                  The key to mitigating this risk lies in identifying what it technically takes to be able to successfully use Mimikatz DCSync.

                  Specifically, if you know exactly what privileges an attacker needs to be able to successfully use Mimikatz DCSync against your Active Directory domain, then by ensuring that only highly-trustworthy, authorized individuals (and not a single other individual) actually currently possess those required privileges in your IT infrastructure, you can easily mitigate this risk.


                  Technically speaking, all that an attacker needs to successfully use Mimikatz DCSync is sufficient Get Replication Changes All effective permissions on the domain root object of an Active Directory domain, so all that organizations need to do is accurately identify exactly who has these effective permissions on the domain root object of each of their Active Directory domains.

                  While by default only the default administrative Active Directory security groups are granted this permission, since most Active Directory deployments have been around for years, and have likely gone through a substantial amount of access provisioning, in most Active Directory, a lot many more individuals than merely the members of the default AD admin groups may likely have this highly sensitive effective permission granted to them, either directly or via group membership, some of which may be direct, whilst others may be via nested group memberships, resulting in a potentially large and unknown attack surface today.

                  Now, it is paramount to understand ONE subtle but profound difference here - it is NOT who has what permissions on the domain root that matters, but who has what effective permissions on the domain root that matters, and this difference could be the difference between a $100 B organization being completely compromised or being completely protected from compromise.



                  The Key - Active Directory Effective Permissions

                  If you've followed what I've shared above, then you'll agree and understand that the key to being able to successfully mitigate the serious risk posed by Mimikatz DCSync lies in being able to accurately determine effective permissions in Active Directory.



                  In fact Effective Permissions are so important, essential and fundamental to Windows and Active Directory Security, that of the four tabs in all of Microsoft's Active Directory Management Tooling, one entire tab is dedicated to Effective Permissions.

                  Unfortunately, it turns out that not only is Microsoft's native Effective Permissions Tab not always accurate, it is substantially inadequate, and while I could elaborate on that, I'd rather let you come to the same conclusion yourself, and this ONE glaring inadequacy will be self-evident the moment you attempt to use it to try and find out exactly whom amongst the thousands of domain user account holders in your Active Directory domain(s), actually has the required effective permissions. In fact, the same is true of all tools/scripts that involve the use of Microsoft's APIs to do so, such as this dangerously inaccurate free tool.

                  Fortunately, in a world whose population is 7,000,000,000+ today, thanks to one (1) inconsequential individual, there's hope...



                  Finally, How to Easily and Reliably Mitigate the Risk Posed by Mimikatz DCSync

                  Here's a very short (and perhaps boring but insightful) video on how organizations worldwide can reliably mitigate this risk -


                  Note: This is NOT intended to demonstrate our unique tooling. It is solely intended to show what it takes to mitigate this serious risk. We have no particular interest in licensing our unique tooling to anyone. As such, over the years, we have NEVER, not once pitched our tooling to anyone; we've had almost 10,000 organizations worldwide knock at our doors completely unsolicited, so I hope that makes this point unequivocally.

                  Thus, as seen in the short video above, with the right guidance (knowledge) and capability (tooling), organizations worldwide can now easily and reliably mitigate the serious cyber security risk posed by Mimikatz DCSync to their foundational security.

                  Complete, illustrated, step-by-step details on how to easily and correctly mitigate Mimikatz DCSync can now be found here.


                  I'll say this one last time - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory is tantamount to a forest-wide compromise and constitutes a massive cyber security breach, which is why mitigation is paramount.

                  Best wishes,
                  Sanjay


                  PS: *Here are 4 posts I've previously penned on Mimikatz DCSync - a summary, technical details, a scenario and the question.

                  PS2: In days to come, I'll answer this question too.

                  WHAT is the ONE Essential Cyber Security Capability WITHOUT which NOT a single Active Directory object or domain can be adequately secured?


                  Folks,

                  Hello again. Today onwards, as I had promised, it is finally TIME for us to help SAFEGUARD Microsoft's Global Ecosystem.


                  Before I share how we uniquely do so, or answer this paramount question, or ask more such ones, I thought I'd ask likely the most important question that today DIRECTLY impacts the foundational cyber security of 1000s of organizations worldwide.



                  Here It Is -
                  What Is the 1 Essential Cyber Security Capability Without Which NOT a single Active Directory object, domain, forest or deployment can be adequately secured?



                  A Hint

                  I'll give you a hint. It controls exactly who is denied and who is granted access to literally everything within Active Directory.


                  In fact, it comes into play every time anyone accesses anything in any Active Directory domain in any organization worldwide.




                  Make No Mistake

                  Make no mistake about it - one simply CANNOT adequately protect anything in any Active Directory WITHOUT possessing this ONE capability, and thus one simply cannot protect the very foundation of an organization's cyber security without possessing this ONE paramount cyber security capability. It unequivocally is as remarkably simple, elemental and fundamental as this.



                  Only 2 Kinds of Organizations

                  Thus, today there are only two kinds of organizations worldwide - those that possess this paramount cyber security capability, and those that don't. Those that don't possess this essential capability do not have the means to, and thus cannot adequately protect, their foundational Active Directory deployments, and thus by logic are provably and demonstrably insecure.


                  If you know the answer, feel free to leave a comment below.
                  I'll answer this question right here, likely on July 04, 2018.

                  Best,
                  Sanjay

                  Alarming! : Windows Update Automatically Downloaded and Installed an Untrusted Self-Signed Kernel-mode Lenovo Driver on New Surface Device

                  Folks,

                  Given what it is I do, I don't squander a minute of precious time, unless something is very important, and this is very important.


                  Let me explain why this is so alarming, concerning and so important to cyber security, and why at many organizations (e.g. U.S. Govt., Paramount Defenses etc.), this could've either possibly resulted in, or in itself, be considered a cyber security breach.

                  Disclaimer: I'm not making any value judgment about Lenovo ; I'm merely basing this on what's already been said.


                  As you know, Microsoft's been brazenly leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to their latest operating system, Windows 10, which albeit is far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious affront to Privacy.

                  Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we too figured we'd refresh our workforce's PCs. Now, of the major choices available from amongst several reputable PC vendors out there, Microsoft's Surface was one of the top trustworthy contenders, considering that the entirety of the hardware and software was from the same vendor (, and one that was decently trustworthy (considering that most of the world is running their operating system,)) and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.

                  Side-note: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as System on Domain Controllers within the U.S. Government.

                  In particular, regardless of its respected heritage, for us, Lenovo wasn't  an option, since it is partly owned by the Chinese Govt.

                  So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -

                  Microsoft Surface



                  The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect it to the Internet over a secure channel, and perform a Windows Update.

                  I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind, attached to this new Microsoft surface device, whether via USB or Bluetooth.


                  Now, you're not going to believe what happened within minutes of having clicked the Check for Updates button!



                  Windows Update
                  Downloaded and Installed an Untrusted
                  Self-Signed Lenovo Device Driver on Microsoft Surface! -

                  Within minutes, Windows Update automatically downloaded and had installed, amongst other packages (notably Surface Firmware,) an untrusted self-signed Kernel-mode device-driver, purportedly Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID), on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!

                  Here's a snapshot of Windows Update indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)" -


                  We couldn't quite believe this.

                  How could this be possible? i.e. how could a Lenovo driver have been installed on a Microsoft  Surface device?

                  So we checked the Windows Update Log, and sure enough, as seen in the snapshot below, the Windows Update Log too confirmed that Windows Update had just downloaded and installed a Lenovo driver -


                  We wondered if there might have been any Lenovo hardware components installed on the Surface so we checked the Device Manager, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding i.e. no Lenovo hardware on it.)

                  Specifically, as you can see below, we again checked the Device Manager, this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two Mice and other pointing devices installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -



                  Next, we performed a keyword search of the Registry, and came across a suspicious Driver Package, as seen below -


                  It seemed suspicious to us because as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys i.e. Configurations, Descriptors and Strings, but this specific one only had one subkey titled Properties, and when we tried to open it, we received an Access Denied message!

                  As you can see above, it seemed to indicate that the provider was Lenovo and that the INF file name was phidmou.inf, and the OEM path was "C:\Windows\SoftwareDistribution\Download\Install", so we looked at the file system but this path didn't seem to exist on the file-system. So we performed a simple file-system search "dir /s phidmou.*" and as seen in the snapshot below, we found one instance of such a file, located in C:\Windows\System32\DriverStore\FileRepository\.

                  Here's that exact location on the file-system, and as evidenced by the Created date and time for that folder, one can see that this folder (and thus all of its contents), were created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo Driver -



                  When we opened that location, we found thirteen items, including six drivers -


                  Next, we checked the Digital Signature on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a WDKTestCert and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -


                  Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's documentation on Driver Testing "However, eventually it will become necessary to test-sign your driver during its development, and ultimately release-sign your driver before publishing it to users." -


                  Clearly, the certificate seen above is NOT one that is intended to be used for release signing, yet, here we have a Kernel-mode driver downloaded by Windows Update and installed on a brand new Microsoft surface, and all its signed by is a test certificate, and who knows who wrote this driver!

                  Again, per Microsoft's guidelines on driver signing, which can also be found here, "After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a cross cert issued by Microsoft.

                  If that is indeed the case, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.

                  It is thus hard to believe that a Windows Kernel-Mode Driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and further it seems that in this case, not only did it make it in, it was downloaded, and in fact successfully installed onto a system, which clearly seems highly suspicious, and is fact alarming and deeply-concerning!

                  How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?

                  Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.



                  Unacceptable and Deeply Concerning

                  To us, this is unacceptable, alarming and deeply concerning, and here's why.


                  We just had, on a device we consider trustworthy (, and could possibly have engaged in business on,) procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in Kernel-mode, installed on the device, by this device's vendor's (i.e. Microsoft's) own product (Windows operating system's) update program!

                  We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.

                  How much damage could that have caused? Well, suffice it to say that, for they who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows update. (I've elaborated a bit on this below.)

                  In the simplest scenario, if a company's Domain Admins had been using this device, it would've been Game Over right there!

                  This leads me to the next question - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?

                  This also leads me to another very important question - Just how much trust can we, the world, impose in Windows Update?

                  In our case, it just so happened to be, that we happened to be in front of this device during this Windows update process, and that's how we noticed this, and by the way, after it was done, it gave the familiar Your device is upto date message.

                  Speaking which, here's another equally important question - For all organizations that are using Windows Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), what is the guarantee that this won't happen again?

                  I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "Trusted for Unconstrained Delegation" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an Active Directory Privileged User, then, it would be tantamount to Game Over right then and there!

                  Think about it - this could have happened at any organization, from say the U.S. Government to the British Government, or from say a Goldman Sachs to a Palantir, or say from a stock-exchange to an airline, or say at a clandestine national security agency to say at a nuclear reactor, or even Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the System, and in 99% of situations, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!

                  Again, to be perfectly clear, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.

                  With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.

                  In our case, this was very important, because had we put that brand new Surface device that we procured from none other than the Microsoft Store, into operation (even it we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.



                  If I Were Microsoft, I'd Send a Plane

                  Dear Microsoft, we immediately quarantined that Microsoft Surface device, and we have it in our possession.


                  If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! (Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it, is in case you'd want to analyze it.)

                  Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -
                  1. I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog
                  2. I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver
                  3. I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver
                  4. I'd want to know exactly which SKUs of Microsoft Surface this may have happened on
                  5. I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package 

                  Further, and as such, considering that Microsoft Corp itself may easily have thousands of Surface devices being used within Microsoft itself, if I were still with Microsoft CorpSec, I'd certainly want to know how many of their own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.


                  In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44) and I quote "we spend over a billion dollars of R&D each year, in building security into our mainstream products", then you'll want to get to the bottom of this, because other than the Cloud, what else could be a more mainstream product for Microsoft today than, Microsoft Windows and Microsoft Surface ?! -



                  Also, speaking of Microsoft's ecosystem, it indeed is time to help safeguard Microsoft's global ecosystem. (But I digress,)



                  In Conclusion

                  Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.


                  Hopefully, as you'll agree, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10), should not be downloading and installing a piece of software that runs in Kernel-mode, when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. This is really as simple, as fundamental and as concerning, as that. 

                  All in all, the Microsoft Surface is an incredible device, and because, like Apple's computers, the entire hardware and software is in control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. Update) do not let the security of its mainstream products down, because per the Principle of Weakest Link, "a system is only as secure as is its weakest link."


                  By the way, I happen to be former Microsoft Program Manager for Active Directory Security, and I care deeply for Microsoft.

                  For those may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens,) suffice it to say that global security may depend on Active Directory Security, and thus may be a matter of paramount defenses.

                  Most respectfully,
                  Sanjay


                  PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, but/and I never heard back from anyone at Microsoft in this regard again.

                  PS2: Another small request to Microsoft - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of Active Directory Effective Permissions, which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured! Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. Can you imagine just how insecure and vulnerable an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this paramount capability, could be today?

                  2017 – The Year The World Realized the Value of Active Directory Security

                  Folks,

                  As we get ready to bid farewell to 2017, it may be fitting to recap notable happenings in Active Directory Security this year.

                  This appears to have been the year in which the mainstream Cyber Security community finally seems to have realized just how important and in fact paramount Active Directory Security is to cyber security worldwide, in that it appears that they may have finally realized that Active Directory is the very heart and foundation of privileged access at 85% of organizations worldwide!


                  I say so only because it appears to have been in this year that the following terms seem to have become mainstream cyber security buzzwords worldwide - Privileged User, Privileged Access, Domain Admins, Enterprise Admins, Mimikatz DCSync, AdminSDHolder, Active Directory ACLs, Active Directory Privilege Escalation, Sneaky Persistence in Active Directory, Stealthy Admins in Active Directory, Shadow Admins in Active Directory, Domain Controllers, Active Directory Botnets, etc. etc.



                  Active Directory Security Goes Mainstream Cyber Security

                  Here are the 10 notable events in Active Directory Security that helped it get mainstream cyber security attention this year -


                  1. Since the beginning on the year, i.e. January 01, 2017, Mimikatz DCSync, an incredibly and dangerously powerful tool built by Benjamin Delpy, that can be used to instantly compromise the credentials of all Active Directory domain user accounts in an organization, including those of all privileged user accounts, has been gaining immense popularity, and appears to have become a must-have tool in every hacker, perpetrator and cyber security penetration-tester's arsenal.

                  2. On May 15, 2017, the developers of BloodHound introduced version 1.3, with the objective of enhancing its ability to find privilege escalation paths in Active Directory that could help find out "Who can become Domain Admin?"  From that point on, Bloodhound, which is massively inaccurate, seems to have started becoming very popular in the hacking community.

                  3. On June 08, 2017, CyberArk a Billion+ $ cyber-security company, and the self-proclaimed leader in Privileged Account Security, introduced the concept of Shadow Admins in Active Directory, as well as released a (massively inaccurate) tool called ACLight to help organizations identify all such Shadow Admins in Active Directory deployments worldwide.

                  4. On June 14, 2017, Sean Metcalf, an Active Directory security enthusiast penned an entry-level post "Scanning for Active Directory Privileges and Privileged Accounts" citing that Active Directory Recon is the new hotness since attackers, Red Teamers and penetration testers have realized that control of Active Directory provides power over the organization!

                  5. On July 11, 2017, Preempt, a Cyber Security announced that they had found a vulnerability in Microsoft's implementation of LDAP-S that permits the enactment of an NTLM relay attack, and in effect could allow an individual to effectively impersonate a(n already) privileged user and enact certain LDAP operations to gain privileged access. 

                  6. On July 26, 2017, the developers of (massively inaccurate) BloodHound gave a presentation titled An ACE Up the Sleeve - Designing Active Directory DACL Backdoors at the famed Black Hat Conference USA 2017. This presentation at Black Hat likely played a big role in bringing Active Directory Security to the forefront of mainstream Cyber Security.

                  7. Also on July 26, 2017, a second presentation on Active Directory Security at the Black Hat Conference titled The Active Directory Botnet introduced the world to a new attack technique that exploits the default access granted to all Active Directory users, to setup command and control servers within organizations worldwide. This too made waves.

                  8. On September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team penned a detailed and insightful blog post titled Active Directory Access Control List - Attacks and Defense, citing that recently there has been a lot of attention regarding the use of Active Directory ACLs for privilege escalation in Active Directory environments. Unfortunately, in doing so Microsoft inadvertently ended up revealing just how little its ATA team seems to know about the subject.

                  9. On December 12, 2017, Preempt, a Cyber Security announced that they had found a flaw in Microsoft's Azure Active Directory Connect software that could allow Stealthy Admins to gain full domain control. They also suggested that organizations worldwide use their (massively inaccurate) tooling to find these Stealthy Admins in Active Directory.

                  10. From January 26, 2017 through December 27, 2017, Paramount Defenses' CEO conducted Active Directory Security School for Microsoft, so that in turn Microsoft could help not just every entity mentioned in points 1- 9 above, but the whole world realize that in fact the key and the only correct way to mitigate each one of the security risks and challenges identified in points 1 - 9  above, lies in Active Directory Effective Permissions and Active Directory Effective Access.





                  Helping Defend Microsoft's Global Customer Base
                  ( i.e. 85% of  Organizations Worldwide )

                  Folks, since January 01, 2017, both, as former Microsoft Program Manager for Active Directory Security and as the CEO of Paramount Defenses, I've penned 50+ insightful blog posts to help educate thousands of organizations worldwide about...


                  ...not just the paramount importance of Active Directory Security to their foundational security, but also about how to correctly secure and defend their foundational Active Directory from every cyber security risk/challenge covered in points 1- 9 above.

                  This year, I ( / we) ...

                  1. conducted 30-days of advanced Active Directory Security School for the $ 650+ Billion Microsoft Corporation

                  2. showed thousands of organizations worldwide How to Render Mimikatz DCSync Useless in their Active Directory

                  3. helped millions of pros (like Mr. Metcalf) worldwide learn How to Correctly Identify Privileged Users in Active Directory

                  4. helped the developers of BloodHound understand How to Easily Identify Sneaky Persistence in Active Directory

                  5. helped Microsoft's ATA Team learn advanced stuff About Active Directory ACLs - Actual Attack and Defense

                  6. showed CyberArk, trusted by 50% of Fortune 100 CISOs, How to Correctly Identify Shadow Admins in Active Directory

                  7. helped cyber security startup Preempt's experts learn How to Correctly Identify Stealthy Admins in Active Directory

                  8. helped the presenters of The Active Directory Botnet learn How to Easily Solve the Problem of Active Directory Botnets

                  9. helped millions of cyber security folks worldwide understand and illustrate Active Directory Privilege Escalation

                  10. Most importantly, I helped thousands of organizations worldwide, including Microsoft, understand the paramount importance of Active Directory Effective Permissions and Active Directory Effective Access to Active Directory Security


                  In fact, we're not just providing guidance, we're uniquely empowering organizations worldwide to easily solve these challenges.





                  Summary

                  All in all, its been quite an eventful year for Active Directory Security (, and one that I saw coming over ten years ago.)

                  In 2017, the mainstream cyber security community finally seem to have realized the importance of Active Directory Security.


                  Perhaps, in 2018, they'll realize that the key to Active Directory Security lies in being able to accurately determine this.

                  Best wishes,
                  Sanjay.

                  PS: Why I do, What I Do.

                  Why I Do, What I Do

                  Folks,

                  I trust you're well. Today, I just wanted to take a few minutes to answer a few questions that I've been asked so many times.


                  Here are the answers to the Top-5 questions I am frequently asked -

                  1. You're the CEO of a company (Paramount Defenses), so why do you blog so often, and how do you have time to do so?

                    Good question. This is a bit of a unique situation, in that whilst I am the CEO of a company, I am also a subject matter expert in Active Directory Security (simply by virtue of my background) and thus I feel that it is my civic duty to help organizations understand the paramount importance of securing their foundational Active Directory deployments.

                    In fact, over the last 7+ years, I've penned 150+ blog posts on Active Directory Security (here) and Cyber Security (here) on various topics such as Active Directory Privilege Escalation, the OPM Breach, Kerberos Token Bloat, Eff Perms, AdminSDHolder, Mimikatz DCSync, Sneaky Persistence, How to Correctly Identify Stealthy Admins in Active Directory, How to Correctly Identify Shadow Admins in Active Directory etc. and most recently on Active Directory Botnets.

                    As to how I have the time to do so, that's actually not that difficult. We have a world-class team at Paramount Defenses, and I've been able to delegate a substantial amount of my CEO-related work amongst our executive leadership team.




                  2. Speaking of which, how big is Paramount Defenses?

                    At Paramount Defenses, we believe that less is more, so our entire global team is less than a 100 people. For security reasons, 100% of our staff are U.S. Citizens, and to-date, the entirety of our R&D team are former Microsoft employees.

                    If by how big we are, you meant how many organizations we impact, today our unique high-value cyber security solutions and insights help adequately secure and defend thousands of prominent organizations across six continents worldwide.




                  3. Why is it just you (and why aren't your employees) on Social Media (e.g. LinkedIn, Facebook, Twitter etc.)?

                    The simple answer to this question - For Security Reasons.

                    At Paramount Defenses, we care deeply about cyber security, so we also strive to lead by example in every way.

                    As it pertains to cyber security, we have found that the presence of an organization's employees on social-media almost always results in excessive information disclosure that could be very valuable for hackers and various other entities who may have malicious intent, so our corporate policies do not permit a social media presence.

                    Also, we're not huge fans of Twitter, and we certainly don't care about being on Facebook. We do like and appreciate LinkedIn, and in fact, we lead the world's largest community of Active Directory Security Professionals on LinkedIn.




                  4. What do you intend to accomplish by blogging?

                    The intention is to help organizations worldwide understand just how profoundly important Active Directory Security is to organizational cyber security, and how paramount Active Directory Effective Permissions are to Active Directory Security.

                    That's because this impacts global security today, and here's why -




                    You see, the Crown Jewels of cyber security reside in Active Directory, and if they're compromised, its Game Over. By Crown Jewels, I'm referring to privileged access, or as commonly known, Domain Admin equivalent accounts.

                    It is a fact that 100% of all major recent cyber security breaches (except Equifax) involved the compromise of a single Active Directory privileged user account. Such accounts are Target #1 for hackers, which is why it is so very important that organizations be able to exactly identify and minimize the number of such privileged accounts in Active Directory.

                    Now, when it comes to identifying privileged user accounts in Active Directory, most organizations focus on enumerating the memberships of their default administrative groups in Active Directory, and that's it. Unfortunately, that's just the Tip of the Iceberg, and we have found that most of them do not even seem to know that in fact there are FAR many more accounts with varying levels of elevated admin/privileged access in Active Directory than they seem to know about.

                    This isn't a secret; its something you know if you've ever heard about Active Directory's most powerful and capable cyber security feature - Delegation of Administration. The truth is that at most organizations, a substantial amount of delegation has been done over the years, yet no one seems to have a clue as to who has what privileged access. Here's why.

                    In fact, Active Directory privileged access accounts have been getting a lot of attention lately, because so many cyber security experts and companies are starting to realize that there exists a treasure-trove of privileged access in Active Directory. Thus, recently many such cyber security expert and companies have started shedding light on them (for example, one, two, three etc.), and some have even started developing amateur tools to identify such accounts.

                    What these experts and companies may not know is that their amateur tools are substantially inaccurate since they rely on finding out "Who has what Permissions in Active Directory" WHEREAS the ONLY way to correctly identify privileged user accounts in Active Directory is by accurately finding out "Who has what Effective Permissions in Active Directory?"

                    On a lighter note, I find it rather amusing that for lack of knowing better, most cyber security experts and vendors that may be new to Active Directory Security have been referring to such accounts as Stealthy Admins, Shadow Admins etc.

                    To make matters worse, there are many prominent vendors in the Active Directory space that merely offer basic Active Directory Permissions Analysis/Audit Tooling, yet they mislead organizations by claiming to help them "Find out who has what privileged access in Active Directory," and since so many IT personnel don't seem to know better, they get misled.

                    Thus, there's an imperative need to help organizations learn how to correctly audit privileged users in Active Directory.

                    Consequently, the intention of my blogging is to HELP thousands of organizations and cyber security experts worldwide UNDERSTAND that the ONLY correct way to identify privileged users in Active Directory is by accurately determining effective permissions / effective access in Active Directory. There is only ONE correct way to accomplish this objective.




                  5. Why have you been a little hard on Microsoft lately?

                    Let me begin by saying that I deeply love and care for Microsoft. It may appear that I may have been a tad hard on them, but that is all well-intentioned and only meant to help them realize that they have an obligation to their global customer base to adequately educate them about various aspects of cyber security in Windows, particularly the most vital aspects.

                    In that regard, if you truly understand cyber security in Windows environments, you know that Active Directory Effective Permissions and Active Directory Effective Access play an absolutely paramount role in securing Windows deployments worldwide, and since Active Directory has been around for almost two decades by now, one would expect the world to unequivocally understand this by now. Unfortunately, we found that (as evidenced above) no one seems to have a clue.

                    You may be surprised if I were to share with you that at most organizations worldwide, hardly anyone seems to even know about what Active Directory Effective Permissions are, let alone why they're paramount to their security, and this a highly concerning fact, because this means that most organizations worldwide are operating in the proverbial dark today.

                    It is upon looking into the reason for this that we realized that in the last decade, it appears that (for whatever reason) Microsoft may not have educated its global customer based about Active Directory Effective Permissions at all - Proof.

                    Thus, it is in the best interest of organizations worldwide that we felt a need to substantially raise awareness.

                    As to how on earth Microsoft may have completely forgotten to educate the world about this, I can only guess that perhaps they must've gotten so involved in building their Cloud offering and dealing with the menace of local-machine credential-theft attack vectors that they completely seem to have missed this one paramount aspect of Windows security.

                    Fortunately for them and the world, we've had our eye on this problem for a decade know and we've been laser-focused. Besides, actions speak louder than words, so once you understand what it is we do at Paramount Defenses, you'll see that we've done more to help secure Microsoft's global customer base than possibly any other company on the planet.

                    Those who understand what we've built, know that we may be Microsoft's most strategic ally in the cyber security space.


                  Finally, the most important reason as to why I do, what I do is because I care deeply and passionately about cyber security.

                  Best wishes,

                  A Massive Cyber Breach at a Company Whilst it was Considering the ‘Cloud’

                  (A Must-Read for all CEOs, CFOs, CIOs, CISOs, Board Members & Shareholders Today)


                  Folks,

                  Today was supposed to be an exciting Friday morning at a Multi-Billion $ organization since the world's top Cloud Computing companies were going to make their final pitches to the company's C-Suite today, as it was considering moving to the "Cloud."

                  With Cloud Computing companies spending billions to market their latest Kool-Aid to organizations worldwide (even though much of this may actually not be ready for mission-critical stuff), how could this company too NOT be considering the Cloud?



                  The C-Suite Meeting

                  Today was a HUGE day for this multi-billion dollar company, for today after several months of researching and evaluating their choices and options, the company's leadership would finally be deciding as to which Cloud Computing provider to go with.


                  This meeting is being chaired by the Chairman of the Board and attended by the following organizational employees -

                  1. Chief Executive Officer (CEO)

                  2. Chief Financial Officer (CFO)
                  1. Chief Information Officer (CIO)

                  2. Chief Information Security Officer (CISO)

                   Also in attendance are about a dozen Vice Presidents, representing Sales, Marketing, Research and Development etc.




                  Meeting In-Progress

                  After breakfast, the presentations began at 9:00 am. The organization's CIO kicked off the meeting, rattling off the numerous benefits that the company could enjoy by moving to the Cloud, and minutes later the Vice President of Cloud Computing from the first Cloud Computing company vying for their business started his presentation. His presentation lasted two hours.

                  The C-Suite then took a break for lunch.

                  The next presentation began at 1:00 pm and was expected to last till about 4:00 pm. The Vice President of Cloud Computing from the second Cloud Computing company had started her presentation and was almost an hour into it, when all of a sudden this happened...

                  ... the CISO's assistant unexpectedly entered the room, went straight to the CISO and whispered something into his ear.

                  Everyone was surprised, and all eyes were on the CISO, who grimly asked his assistant - "Are you 100% sure?"  He said "Yes."





                  Houston, We Have a Problem

                  The CISO walked up to the CIO and whispered something into his ear. The CIO sat there in complete shock for a moment!


                  He then gathered himself and proceeded to request everyone except the C-Suite to immediately leave the conference room.

                  He told the Vice President of this Cloud Computing company - "Hopefully, we'll get back to you in a few weeks."

                  He then looked at the CEO and the Chairman of the Board, and he said - "Sir, we have a problem!"




                  Its Over

                  The CEO asked the CIO - "What's wrong? What happened?"

                  The CIO replied - "Sir, about 30 minutes ago, an intruder compromised the credentials of each one of our 20,000 employees!"


                  The CEO was almost in shock, and just couldn't believe what he had just heard, so he asked - "Everyone's credentials?!"

                  The CIO replied - "I'm afraid yes Sir, yours, mine, literally everyone's, including that of all our privileged users!"

                  The CEO could sense that there was more bad news, so he asked - "Is there something else I should know?"

                  The CIO replied - "Sir, 15 minutes ago, the intruder logged on as an Enterprise Admin, disabled the accounts of each one of our privileged users, and used Group Policy to deploy malicious software to each one of our 30,000 domain-joined computers! By now, he could have stolen, exfiltrated and destroyed the entirety of our digital assets! We may have lost literally everything!"

                  The CEO was shocked! They'd just been breached, and what a massive breach it was - "How could this have happened?"




                  Mimikatz DCSync 

                  The CIO turned to the CISO, who stepped in, and answered the question - "Sir, an intruder used a tool called Mimikatz DCSync to basically request and instantly obtain the credentials of every single user from our foundational Active Directory deployment."


                  The CEO asked - "What is Active Directory?"

                  The CISO replied - "Sir, simply put, it is the very foundation of our cyber security"

                  The CEO then asked - "Wait. Can just anyone request and extract credentials from Active Directory?"

                  The CISO replied - "Sir, not everyone can. Only those individuals whose have sufficient access to do so, and by that I mean, specifically only those who have Get-Replication-Changes-All effective-permissions on the domain root object, can do so."

                  The CEO then said - "This does not sound right to me. I'm no technical genius, but shouldn't we have known exactly who all have this, whatever you just said, er yes that Get-Replication-Changes-All effective permissions in our Active Directory?!"

                  The CISO replied - "Sir, it turns out that accurate determination of effective permissions in Active Directory is actually very difficult, and as a result it is almost impossible to figure out exactly who has this effective permissions on our domain root!"

                  The CEO figured it out - "So you're saying that the intruder had compromised the account of someone who was not on your radar and not supposed to have this access, but actually did, and the intruder used that access to steal everyone's credentials?"

                  The CISO replied - "That's right. It appears we did not know that this someone had sufficient access (i.e. effective permissions) to be able to replicate secrets from Active Directory, because it is very difficult to accurately figure this out in Active Directory."



                  The CEO was furious! - "You're kidding right?! Microsoft's spent billions on this new fad called the "Cloud", yet it doesn't even have a solution to help figure out something as vital as this in Active Directory? How long has Active Directory been around ?!

                  The CISO replied - "Seventeen years."

                  The CEO then said in disbelief - "Did you just 17 years, as in S-E-V-E-N-T-E-E-N years?!  Get Satya Nadella on the line now! Perhaps I should #REFRESH his memory that we're a customer, and that we may have just lost a few B-I-L-L-I-O-N dollars!"




                  This is for Real

                  Make NO mistake about it. As amusing as it might sound, the scenario shared above is very REAL, and in fact today, most business and government organizations worldwide that operate on Active Directory have no idea as to exactly who has sufficient effective permissions to be able to replicate secrets out of their Active Directory. None whatsoever!


                  We can demonstrate the enactment of this exact scenario, and its underlying cause, to any organizations that wishes to see it.




                  This Could've Been (and Can Be) Easily Prevented 

                  This situation could easily have been prevented, if this organization's IT personnel had only possessed the ability to adequately and accurately determine effective permissions in their foundational Active Directory deployments.


                  Sadly, since Microsoft apparently never educated its customers about the importance of Active Directory effective permissions, most of them have no clue, and in fact have no idea as to exactly who can do what across their Active Directory deployments!

                  Unfortunately, Mimikatz DCSync is just the Tip of the Iceberg. Today most organizations are likely operating in the dark and have no idea about the actual attack surface, and thus about exactly who can create, delete and manage the entirety of their domain user accounts, domain computer accounts, domain security groups, GPOs, service connection points (SCPs), OUs etc. even though every insider and intruder could try and figure this out and misuse this insight to compromise their security.

                  Technically speaking, with even just minimal education and the right tooling, here is how easy it is for organizations to figure this out and lock this down today, i.e. to lock this down before an intruder can exploit it to inflict colossal damage - RIGHT HERE.


                  Oh, and you don't need to call Microsoft for this, although you certainly can and should. If you do, they'll likely have no answer, yet they might use even this to pitch you their latest toy, Microsoft ATA, and of course, their Cloud offering, Microsoft Azure.

                  Wait, weren't these C*O discussing the Cloud (and likely Microsoft Azure) just a few hours (and a few billion dollars) ago?!




                  Fast-Forward Six Months

                  Unfortunately, given the massive scale of this breach, the company did not survive the attack, and had to declare bankruptcy. The C*Os of this company are still looking for suitable employment, and its shareholders ended up losing billions of dollars.


                  All of this could've been prevented, if they only knew about something as elemental as this, and had the ability to determine this.





                  Summary

                  The moral of the story is that while its fine to fall for the latest fad, i.e. consider moving to the "Cloud" and all, but as AND while you consider and plan to do so, you just cannot let you on-prem cyber defenses down even for a moment, because if you do so, you may not have a company left to move to the Cloud. A single excessive effective permission in Active Directory is all it takes.


                  I'll say this one more time and one last time - what I've shared above could easily happen at almost any organization today.

                  Best wishes,

                  CEO, Paramount Defenses



                  PS: If this sounds too simple and high-level i.e. hardly technical, that is by intent, as it is written for a non-technical audience. This isn't to showcase our technical depth; examples of our technical depth can be found here, here, here, here, here  etc.  etc.



                  PS2: Note for Microsoft - This may be the simplest example of "Active Directory Access Control Lists - Attack and Defense."

                  Here's why - Mimikatz DCSync, which embodies the technical brilliance of a certain Mr. Benjamin Delpy, may be the simplest example of how someone could attack Active Directory ACLs to instantly and completely compromise Active Directory. On the other hand, Gold Finger, which embodies the technical expertise of a certain former Microsoft employee, may be the simplest example of how one could defend Active Directory ACLs by being able to instantly identify/audit effective permissions/access in/across Active Directory, and thus lockdown any and all unauthorized access in Active Directory ACLs, making it impossible for an(y) unauthorized user to use Mimikatz DCSync against Active Directory.



                  PS3: They say to the wise, a hint is enough. I just painted the whole picture out for you. (You may also want to read this & this.)

                  PS4: If you liked this, you may also like - How To Easily Identify & Thwart Sneaky Persistence in Active Directory

                  Some Help & Good News for Microsoft regarding Active Directory Security


                  Folks,

                  You'll want to read this short blog post very carefully because it not only impacts Microsoft, it likely impacts you, as well as the foundational security of 85% of all business and government organizations worldwide, and it does so in a positive way.



                  A Quick and Short Background

                  From the White House to the Fortune 1000, Microsoft Active Directory is the very foundation of cyber security at over 85% of organizations worldwide. In fact, it is also the foundation of cyber security of almost every cyber security company worldwide.


                  Active Directory is the Foundation of Cyber Security Worldwide

                  The entirety of an organization's building blocks of cyber security, including the user accounts used by the entirety its workforce, as well as the user accounts of all its privileged users, the computer accounts of the entirety of its computers, and the security groups used to provision access to the entirety of its IT resources, are stored, managed and protected in Active Directory.

                  During the past few years, credential-theft attacks aimed at the compromise of an organization's privileged users (e.g. Domain Admins) have resulted in a substantial number of reported and unreported breaches at numerous organizations worldwide. In response, to help organizations combat the menace of these credential-theft attacks, Microsoft has had to make substantial enhancements to its Windows Operating Systems as well as acquire and introduce a technology called Microsoft ATA.

                  These enhancements have made it harder for perpetrators to find success with traditional credential-theft attacks, so they've started focusing their efforts on trying to find ways to attack the Active Directory itself, as evidenced by the fact that in the last year alone, we've seen the introduction of Mimikatz DCSync, BloodHound and recently the advent of Active Directory Botnets.

                  Make no mistake about it. There's no dearth of opportunity to find ways to exploit weaknesses in Active Directory deployments because there exists an ocean of access within Active Directory, and sadly due to an almost total lack of awareness, education, understanding and tooling, organizations have no idea as to exactly what lies within their Active Directory, particularly in regards to privileged access entitlements, and thus today there likely are 1000s of privilege escalation paths in most Active Directory deployments, waiting to be identified and exploited. All that perpetrators seem to lack today is the know-how and the tooling.

                  Unfortunately, since the cat's out of the bag, perpetrators seem to be learning fast, and building rapidly, so unless organizations act swiftly and decisively to adequately lock-down vast amount of access that currently exists in their foundational Active Directory deployments, sadly the next big wave of cyber breaches could involve compromise of Active Directory deployments.





                  Clearly, Microsoft Has No Answers

                  It gives me absolutely no pleasure to share with you that unfortunately, and sadly as always, Microsoft yet again seems to be playing catch-up, and in fact, it has no clue or any real answers, ideas or solutions to help organizations in this vital regard.


                  Here's Proof - Last week, on September 18, 2017, Microsoft's Advanced Threat Analytics (ATA) Team posted this -



                  If and when you read it, it will likely be unequivocally clear to you as to just how little Microsoft understands about not just the sheer depth and breadth of this monumental challenge, but about the sheer impact it could have on organizations worldwide!

                  You see, if you understand the subject of Active Directory Security well enough, then you know that Active Directory access control lists (ACLs) today don't just impact organizational security worldwide, they likely impact national and global security!

                  That said, in that post, the best Microsoft could do is concede that this could be a problem, wonder why organizations might ever need to change AdminSDHolder, falsely assume that it may not impact privileged users, praise a massively inaccurate tool for shedding light on this attack vector, and end by saying - "if you find a path with no obstacles, it probably leads somewhere."

                  Oh, and the very last thing they tell you that is their nascent ATA technology can detect AD multiple recon methods.


                  In contrast, here's what they should have said - "We care deeply about cyber security and we understand that left unaddressed, this could pose a serious cyber security risk to our customers. Be rest assured that Microsoft Active Directory is a highly robust and securable technology, and here's exactly how organizations can adequately and reliably identify and lock-down privileged access in their Active Directory deployments, leaving no room for perpetrators to identify and exploit any weaknesses."

                  The reason I say that should've been the response is because if you know enough about this problem, then you also know that it can actually be completely and sufficiently addressed, and that you don't need to rely on detection as a security measure.

                  BTW, to appreciate how little Microsoft seems to understand about this huge cyber security challenge, you'll want a yardstick to compare Microsoft's response with, so here it is (; you'll want to read the posts) - Active Directory Security School for Microsoft.



                  Er, I'm really sorry but you are Microsoft, a US$ 550 Billion corporation, not a kid in college. If the best you can do concerning such a profoundly important cyber security challenge is show how little you seem to know about and understand this problem, and only have detection to offer as a solution, frankly, that's not just disappointing, that's deeply concerning, to say the least.

                  Further, if this is how little you seem to understand about such a profoundly important cyber security challenge concerning your own technology, I cannot help but wonder how well your customers might actually be protected in your recent Cloud offering.





                  Fortunately There's Help and Good News For Microsoft

                  I may appear to be critical of Microsoft, and I do still believe that they ought to at least have educated their customers about this and this huge cyber security challenge, but I also love Microsoft, because I've been (at) Microsoft, so I'm going to help them.


                  To my former colleagues at Microsoft I say - "Each one of us at Microsoft are passionate, care deeply and always strive to do and be the best we can, and even though I may no longer be at Microsoft, (and I still can't believe how you missed this one), luckily and fortunately for you, we've got this covered, and we're going to help you out."

                  So, over the next few days, not only am I going to help reduce the almost total lack of awareness, education and understanding that exists at organizations today concerning Active Directory Security, I am also going to help organizations worldwide learn just how they can adequately and swiftly address this massive cyber security challenge before it becomes a huge problem.

                  Specifically, in days to come, as a part of our 30-Day Active Directory Security School, you can expect the following posts -


                  1. What Constitutes a Privileged User in Active Directory

                  2. How to Correctly Audit Privileged Users/Access in Active Directory

                  3. How to Render Mimikatz DCSync Useless in an Active Directory Environment

                  4. How to Easily Identify and Thwart Sneaky Persistence in Active Directory

                  5. How to Easily Solve The Difficult Problem of Active Directory Botnets

                  6. The World's Top Active Directory Permissions Analysis Tools (and Why They're Mostly Useless)

                  7. The Paramount Need to Lockdown Access Privileges in Active Directory

                  8. How to Attain and Maintain Least Privileged Access (LPA) in Active Directory

                  9. How to Securely Delegate and Correctly Audit Administrative Access in Active Directory

                  10. How to Easily Secure Active Directory and Operate a Bulletproof Active Directory Deployment

                  You see, each one of these Active Directory security focused objectives can be easily accomplished, but and in order to do so, what is required is the capability to accurately audit effective access in Active Directory. Sadly, let alone possessing this paramount cyber security capability, Microsoft doesn't even seem to have a clue about it.

                  Each one of these posts is absolutely essential for organizational cyber security worldwide, and if you know of even one other entity (e.g. individual, company etc.) on the planet that can help the world address each one of these today, do let me know.

                  So, over the next few days, I'll pen the above, and you'll be able to access them at the Active Directory Security Blog.

                  Until then, you may want to go through each one of the 20 days of posts that I've already shared there, as well as review this.



                  In fact, this cannot wait, so let us begin with the "actual" insight on Active Directory ACLs that all organizations worldwide must have today -


                  Together, we can help adequately secure and defend organizations worldwide and deny perpetrators the opportunities and avenues they seek to compromise our foundational Active Directory deployments, because we must and because we can.


                  Best wishes,
                  Sanjay

                  CEO, Paramount Defenses

                  Formerly Program Manager,
                  Active Directory Security,
                  Microsoft Corporation


                  PS: Microsoft, you're welcome. Also, I don't need anything from you, except a Thank you note.

                  Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

                  Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

                  On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

                  Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

                  FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

                  Attack Process

                  The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

                  1. Target receives and opens a Word document.
                  2. Macro in document is invoked to run PowerShell in hidden mode.
                  3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
                  4. On successful connection, the ransomware is written to the disk of the victim.
                  5. PowerShell executes the ransomware.
                  6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, startup.run and runonce registry entries.
                  7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
                  8. Files are encrypted and messages are presented to the user requesting payment.

                  Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

                  The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

                  PowerShell Abuse

                  When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

                  Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

                  It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

                  In this case we observed the macrocode calling PowerShell to bypass execution policies – and run in hidden as well as encrypted mode – with the intention that PowerShell would download the ransomware and execute it without the knowledge of the victim.

                  Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

                  Cerber in Action

                  Initial payload behavior

                  Upon execution, the Cerber malware will check to see where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\&#60GUID&#62), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen randomly and obtained from the %WINDIR%\system32 folder.

                  If the malware is launched from the specific aforementioned folder and after eliminating any blacklisted filenames from an internal list, then the malware creates a renamed copy of itself to “%APPDATA%\&#60GUID&#62” using a pseudo-randomly selected name from the “system32” directory. The malware executes the malware from the new location and then cleans up after itself.

                  Shadow deletion

                  As with many other ransomware families, Cerber will bypass UAC checks, delete any volume shadow copies and disable safe boot options. Cerber accomplished this by launching the following processes using respective arguments:

                  Vssadmin.exe "delete shadows /all /quiet"

                  WMIC.exe "shadowcopy delete"

                  Bcdedit.exe "/set {default} recoveryenabled no"

                  Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures

                  Coercion

                  People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

                  Figure 2. A message to the victim after encryption

                  The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.

                   

                   

                  Figure 3. Ransom offered to victim, which is discounted for five days

                  Multilingual Support

                  As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

                  Figure 4.   Interface provided to the victim to pay ransom supports 12 languages

                  Encryption

                  Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as. ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

                  Selective Targeting

                  Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

                  The attack also checked a system's keyboard layout to further ensure it avoided infecting machines in the attackers geography: 1049—Russian, ¨ 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri, (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

                  Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

                  Anti VM Checks

                  The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

                  Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.

                  Persistence

                  Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

                  • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
                  • The “CommandProcessor” Autorun keyvalue is changed to point to the Cerber payload so that the malware will be launched each time the Windows terminal, “cmd.exe”, is launched.
                  • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware and Windows will execute the file immediately after the infected user logs in.
                  • Common persistence methods such as run and runonce key are also used.
                  A Solid Defense

                  Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

                  Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

                  Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.

                  FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.

                  Conclusion

                  Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

                  Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

                  HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

                  Traditional defenses don’t have the granular view required to do this, nor can they connect the dots of discreet individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has, or is, transpiring. This can only be done if those professionals have the right tools and the visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real-time. Also, at FireEye, we go one step ahead and contact relevant authorities to bring down these types of campaigns.

                  Click here for more information about Exploit Guard technology.