Category Archives: microsoft

Cyber Security Week in Review (Feb. 15, 2019)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Email provider VFEmail says it suffered a “catastrophic” cyber attack. The company warned that about 18 years’ worth of customers’ emails may be permanently gone. “Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail representatives said in a statement. 
  • Russia is considering isolating itself from the global internet. The Kremlin is experimenting with a new practice of only routing the country’s web requests through the country and not internationally. The country will run a test later this year in an effort to test its cyber defenses.
  • Apple released fixes for multiple security flaws in iOS. Two of the vulnerabilities, which were discovered by Google’s threat research team, were being exploited in the wild. The bugs could allow an attacker to escalate their privileges and eventually completely take over a device. 

From Talos


  • Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player. 
  • Adobe released security updates for several of its products, including Flash and Acrobat Reader. Cisco Talos specifically discovered a critical remote code execution vulnerability in Adobe Acrobat Reader DC. An attacker could cause a heap overflow by tricking the user into opening a specially crafted PDF, which would allow the attacker to gain code execution privileges. 
  • A new tool from Talos can allow you to study the effect of cyber attacks on oil pump jacks. We released a 3-D printed, small-scale model of a pump jack that can be “hacked” from a smartphone, causing it to eventually overheat. We’ll also be taking this exhibit on the road over the course of the year. 

Malware roundup


  • A new variant of the Astaroth trojan is targeting Brazil via multiple spam campaigns. Once infected, the malware can steal users’ personal information and uses several deobfuscation techniques to make it more difficult to detect. The spam emails are also hitting users in parts of Europe.
  • Credit unions across the U.S. received phishing emails last week targeting anti-money laundering efforts. The phony emails claim to have information on unauthorized wire transfers and ask them to open a PDF that displays the alleged transaction and contains a link to a malicious web page. The attackers used information that’s believed to only be available to the National Credit Union Administration.
  • Google removed a cryptocurrency-stealing malware from its store. The malicious app disguised itself as the legitimate MetaMask service. Once downloaded, it would steal login credentials to steal users’ Ethereum funds. 

The rest of the news


  • Blockchain technology could be useful in detecting deepfake videos, specifically in police body cameras. A new tool called Amber Authenticate runs in the background of cameras to record the hashes of the video, which would appear different a second time if the user had edited the video. All of these results are recorded on the public blockchain.
  • India requested Facebook give its government a backdoor into the WhatsApp messaging app. This would require Facebook to give the government access to users’ encrypted messages that were originally secret.
  • Two U.S. senators are requesting an investigation into foreign VPN services. The senators say the companies could pose a national security risk.  


Bromium: Preview Pain: Malware Triggers in Outlook Preview Without User Opening Word Document

A recent malware sample forwarded to our Threat Intelligence service had some very interesting properties which we think are worth sharing. The sample itself is a Word document which is emailed as part of a phishing attack. If the user interacts with the document, it downloads a payload to run on the user’s machine. So far, nothing particularly unusual: this infection route is de rigueur, and the Bromium blog contains many recent examples, including my write-up on an Emotet campaign and Mathew Rowen’s excellent post.

There are three reasons why this specific sample is somewhat unusual. Firstly, the user does not have to open the document for the malware to trigger. Secondly, it still works if the file is marked with an ADS security Zone identifier of 3 (meaning the file is known to come from an untrustworthy location). And finally, it successfully avoids having the payload it downloads scanned by some AV APIs. In this blog I intend to cover the first two issues, and there will be a follow-up post in a few days to cover the final part of the attack.

For those that wish to dig a little deeper, the hash for the malicious document is:

  • 3FEA120D39B1F0B63DC6A73D0EE2D197169FC765DD5B1EAFC5658C6799D4B00F

How do you get infected without opening the document?

Short answer is—document preview! When you highlight a document in Windows Explorer or Outlook, there is a Preview pane on the right-hand side (or below, depending on your preferences) that gives you a small image of what the document looks like. This is a convenient usability feature, but it has issues from a security perspective—in order to create the image, the content of the document needs to be parsed. Microsoft has generally done a good job of securing this. For example, all the macros will be switched off, and we rarely see attacks that are triggered in the preview.

PowerShell is executing inside the Explorer Preview pane

This attack triggered when the document was highlighted and opened in the Windows Explorer Preview on my corporate laptop (yes, I run malware on my work laptop, but it’s safely isolated within a uVM). Since macro support in the preview is disabled, this leads us to conclude that the attack is not using a macro within Word itself, which is indeed unusual. From the above image, you can see that PowerShell is executing inside the Explorer Preview pane, which is not something we see often.

This same executable is used for the preview of attachments in Outlook, and it results in the same behaviour. If Outlook loads the attachment in the Office Preview, the attack will run. The user never needs to open the attachment directly.

How did the bad guys manage that?

(Image: Bromium-Preview-Pain-Word-Malware)

As expected, the document does not contain a macro. Instead, it makes use of a feature of the RTF document format that allows the embedding of Excel objects, using “\objupdate” to force an update of the object. It contains five embedded Excel workbooks in the footer, each holding some base64-encoded text in cell G135 (see image above). The embedded workbook itself does contain a macro that runs when Excel opens it; the macro reads the content of cell G135 and converts that text into a script to run in PowerShell. This results in a child Excel instance that isn’t running in the same security state as the preview process that launched it, which in turn gives the attacker the ability to launch PowerShell.

Without Bromium Secure Platform installed on my machine, my experience would have been a little different, since the various spawned processes of the malware would not be contained in the VM, allowing them to be seen more easily. The difference in user experience is that once the Office Preview loads the Word document, an Excel workbook would unexpectedly open on the machine in the foreground. This looks to be an oversight in the document preview code in Microsoft Office, as it is neither a good user experience, nor a desirable behaviour from a security point of view.

Mark of the web

When you use your web browser or your Outlook client to download a file, there is some clever code which looks at the location (such as the domain the file came from) to see if it originated inside the enterprise or from some unknown place. If it originated outside the enterprise, an ADS zone identifier is applied to the file, which allows other processes to recognize that there is an increased risk of using this file and behave differently. From this point forward, I will refer to this as “mark of the web”.

The standard use of “mark of the web” is to disable macros in Office documents that come from an untrusted location, a mode referred to as Office Protected View. This is a powerful security feature because it forces malware authors to include some social engineering in the document to get the user to take it out of Protected View so that the malware can run. Users who are familiar with security protocols are significantly less likely to fall for such social engineering, and thus are better protected, even if the document is opened. I was surprised to see that there was no attempt at social engineering in this document, even though in my experience most other documents take that route. Maybe no social engineering effort has been made because none is needed? We tested what happens if the file has the “mark of the web” applied to it.

The behaviour in the test was interesting: if I opened the document after the “mark of the web” was applied, the malware no longer executed, since the method used to launch Excel no longer worked. So far, it behaves as expected, and this outcome is desirable. However, even with the “mark of the web” applied to the file, the Office Preview-mode attack still worked, so it seems that the Office Preview process is not respecting this security feature. I speculate that since macros are disabled in the preview anyway, no one considered the need to check whether the “mark of the web” is set on the file. This would be reasonable if it weren’t for the issue where the preview allows Excel to be invoked from an RTF document.
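The two properties described above, an RTF that embeds Excel objects marked with “\objupdate” and a Zone.Identifier stream that marks the file as coming from an untrusted zone, can both be checked by a small triage script. The following is an added example, not code from Bromium or from the original post; the RTF sample, the Zone.Identifier body and all function names are constructed for illustration.

```python
r"""Triage helpers for the two properties discussed in the post:
 - RTF files that embed OLE objects with \objupdate (refreshed when rendered)
 - the Zone.Identifier alternate data stream ("mark of the web")
All sample inputs below are constructed for illustration, not real samples."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RtfObject:
    obj_class: str      # value of \objclass, e.g. "Excel.Sheet.12"
    embedded: bool      # \objemb present: object data is stored inside the RTF
    auto_update: bool   # \objupdate present: object is updated before display
    data_len: int       # size in bytes of the hex-encoded \objdata payload


def _extract_groups(rtf: bytes, marker: bytes) -> List[bytes]:
    """Return every brace-balanced RTF group that starts with `marker`.
    A backslash-prefixed character (control word start, escaped brace) is
    skipped so that escaped braces do not disturb the depth count."""
    groups = []
    start = rtf.find(marker)
    while start != -1:
        depth, i = 0, start
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"\\":
                i += 2          # skip the escaped/control character
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    groups.append(rtf[start:i + 1])
                    break
            i += 1
        start = rtf.find(marker, start + 1)
    return groups


def parse_rtf_objects(rtf: bytes) -> List[RtfObject]:
    r"""List the {\object ...} groups in an RTF document."""
    objs = []
    for grp in _extract_groups(rtf, b"{\\object"):
        cls = re.search(rb"\\objclass\s*([^\\}]+)", grp)
        data = re.search(rb"\\objdata\s*([0-9A-Fa-f\s]+)}", grp)
        hex_len = len(re.sub(rb"\s", b"", data.group(1))) if data else 0
        objs.append(RtfObject(
            obj_class=cls.group(1).strip().decode("ascii", "replace") if cls else "",
            embedded=b"\\objemb" in grp,
            auto_update=b"\\objupdate" in grp,
            data_len=hex_len // 2,
        ))
    return objs


def suspicious_objects(objs: List[RtfObject]) -> List[RtfObject]:
    """Objects matching the pattern in the post: an Excel object that is
    forced to update (and therefore to launch Excel) when the RTF is rendered."""
    return [o for o in objs if o.auto_update and "excel" in o.obj_class.lower()]


def parse_zone_id(ads_text: Optional[str]) -> Optional[int]:
    """Read ZoneId from the body of a Zone.Identifier stream
    ([ZoneTransfer] / ZoneId=3). Returns None when the stream is absent."""
    if not ads_text:
        return None
    m = re.search(r"^\s*ZoneId\s*=\s*(\d)", ads_text, re.MULTILINE | re.IGNORECASE)
    return int(m.group(1)) if m else None


def triage(rtf: bytes, zone_stream: Optional[str]) -> dict:
    """Combine both checks into one verdict for a file and its ADS body.
    On Windows/NTFS the body can be read with open(path + ':Zone.Identifier')."""
    objs = parse_rtf_objects(rtf)
    sus = suspicious_objects(objs)
    zone = parse_zone_id(zone_stream)
    return {
        "objects": len(objs),
        "auto_update_excel_objects": len(sus),
        "zone_id": zone,
        "mark_of_the_web": zone in (3, 4),   # 3 = Internet, 4 = Restricted sites
        "verdict": "suspicious" if sus else "no auto-update Excel objects",
    }


# Constructed sample: one auto-updating Excel object in the footer plus a
# benign Package object. The object data is dummy hex, not a real OLE stream.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\footer "
    b"{\\object\\objemb\\objupdate{\\*\\objclass Excel.Sheet.12}\\objw1000\\objh1000"
    b"{\\*\\objdata 0105000002000000}{\\result {\\pict\\wmetafile8 00}}}"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 01050000}}"
    b"}\\par Hello}"
)
# Constructed Zone.Identifier body of the kind written for files from the Internet zone.
SAMPLE_ZONE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=about:internet\r\n"

if __name__ == "__main__":
    print(triage(SAMPLE_RTF, SAMPLE_ZONE_STREAM))
```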

How dangerous is this?

The severity of the attack may vary depending on security stack and configuration. If you have Bromium Secure Platform installed, then the preview is running isolated within a virtual machine (we have done this for the last six years), so there is no risk.

Microsoft has also done good things to help – if the Office installation is in the default configuration, there is a prompt displayed to the user before any macro can run in Excel by way of a modal dialog indicating that the document might not be trustworthy. This feature could prevent this attack from getting as far as the payload without at least some user interaction. Unfortunately, this specific configuration is often switched off since it leads to usability issues, where legitimate Excel workbooks always display the prompt, annoying users. Even if the dialog does appear, there’s no guarantee that the user will not click on it by mistake. If a user works with a lot of Excel documents and has many of them open at any given time, they may not realise a particular Excel instance is unexpected. It is possible they may just allow the macro to run anyway since they might be used to having to clear a warning dialog when working with legitimate files.

Finally, although this attack required a macro in Excel to run, which could be prevented by paying attention to the prompt, Excel is a complex program, and it is entirely possible that a future sample will find a smarter way to infect the host.

Since the attack also works with the preview mode in Outlook, the risk of infection increases: the user does not need to save the file to disk for it to be run by the Explorer Preview. Just clicking on the attachment in Outlook with previews enabled would be enough for the attack to work.

Bromium considers this attack to have a significantly higher chance of success than other attack methods that we traditionally see in Office documents. With the reduction in social engineering required for the attack to be successful, even well-trained users will be at risk of infection.

Mitigation:

We recommend that machines without Bromium installed have the Office Preview feature disabled. Doing so will reduce the risk to a similar level to other Office malware varieties that we see in the wild.

If you want to know more about this malware, look out for a follow-up post in a few days.

The post Preview Pain: Malware Triggers in Outlook Preview Without User Opening Word Document appeared first on Bromium.


DigiCert and Utimaco work on securing the future of IoT through collaboration with Microsoft

DigiCert, the world’s leading provider of TLS/SSL, IoT and PKI solutions; Utimaco, one of the world’s top three Hardware Security Module providers; and Microsoft Research, a leader in quantum-safe cryptography, announced a successful test implementation of the “Picnic” algorithm, with digital certificates used to encrypt, authenticate and provide integrity for connected devices commonly referred to as the Internet of Things (IoT). This proof of concept provides a path toward a full solution, currently in development, … More

The post DigiCert and Utimaco work on securing the future of IoT through collaboration with Microsoft appeared first on Help Net Security.

Malicious Windows EXE Files Infect macOS Users With Infostealers and Adware

Security researchers discovered several Microsoft Windows EXE files using malicious payloads to infect macOS users with infostealers and adware.

Trend Micro found one adware-bearing sample hiding within an installer for the Windows and Mac firewall app Little Snitch, which is available for download from various torrent websites. The sample was able to bypass Mac’s Gatekeeper, since this built-in protection mechanism doesn’t conduct code signature checks for or otherwise verify EXE files on machines running macOS.

Contained within the ZIP file downloaded from the torrent websites is a DMG file that hosts the Little Snitch installer. This installer hides an EXE file that loads an infostealer. The malware then gathers basic system information, such as Memory, BootROMVersion and SMCVersion, and scans the /Application directory for installed apps, such as App Store, FaceTime and Mail. After completing these steps, the malware sends all its findings to its command-and-control (C&C) server.

Additionally, the executable is capable of downloading several files from the internet. These files, in turn, download adware and other potentially unwanted applications.

Bridging Windows and macOS With Malware

These files don’t constitute the only instance of a digital threat crossing between Windows and macOS. In May 2017, for instance, Fox-IT identified a Mac OS X version of Snake malware, which traditionally targets the Windows platform. Less than a year later, security researcher Patrick Wardle of Objective-See uncovered CrossRat, a versatile threat capable of targeting Windows, macOS and Linux machines.

In a few cases, researchers have even observed attack campaigns distributing separate threats that target Windows and Mac computers. Security researchers at Microsoft came across one such instance in 2011 containing both the Mac-based Olyx backdoor and other Windows malware.

How to Defend Against Malicious EXE Files

Security professionals can help protect against adware-laden EXE files by creating security policies that limit the types of websites from which employees can download applications. They can frame this policy within the context of a larger app approval framework through which security teams follow a logical sequence to upload/review apps and ensure vendor integration. At the same time, security professionals should apply user activity analytics to a long-term data repository to sufficiently protect corporate data against digital threats like infostealers.

The post Malicious Windows EXE Files Infect macOS Users With Infostealers and Adware appeared first on Security Intelligence.

Businesses: It’s time to implement an anti-phishing plan

Businesses: phishers aren’t just coming for you. They’re coming for your employees and your customers, too.

Phishing attacks are on the rise this year, thanks in part to massive Emotet and TrickBot campaigns, which make use of phishing emails to deliver their payloads. If you don’t already have one in place, then it’s time to implement an anti-phishing plan.

Where phishes are concerned, it doesn’t matter if the technique being used is revolutionary or old hat. Somebody, somewhere is going to fall for it. It’s up to you and your employees to ensure that your business is secure, and that your customers are performing safe email practices, too.

If your customers are logging into fake portals, eventually they’re going to tie up your support channels asking for help, refunds, reorders, and more. If your employees are being stung, they open the door to data theft, network infiltration, ransom demands, spying, and a massive dent in your company’s reputation to boot.

All of these are poor directions to head in. So let’s first take a look at some of the targets of phishing campaigns. Then, we’ll talk about what your employees and customers can do to identify a phish.

Targets for phishers

The 2018 Phishing Trends & Intelligence Report (PDF) from PhishLabs stated that Email/Online Services were the top targeted industry in the second half of 2017 by a margin of 26.1 percent, with a high concentration of phishing URLs mimicking Microsoft Office 365 login pages.

Office 365 is enormously popular for businesses, with Microsoft revealing in 2016 that it has:

  • 60 million active commercial customers
  • 50,000 small business customers added every month
  • 340 million downloads of its mobile app

As our 2019 State of Malware report shows, there’s no real sector of industry left alone by malware attackers. Trojans (which include Emotet and TrickBot) lured in targets in manufacturing, education, and retail in 2018 with phishing emails. And ransomware, which is also a popular payload of phishing attacks, crippled organizations in government, as well as in education, manufacturing, and retail.

Outside of those verticals, however, phishers know that every business is sitting on something juicy: personally identifiable information (PII). Just about any organization in any vertical is sitting on databases of customer names, emails, and their payment details.

That’s a huge number of potential targets at which to aim.

What should we do?

While it’s nearly impossible to predict every threat model, or what an attacker may want with your company’s data, you can better thwart phishing attacks by putting in place a clear anti-phishing plan. There’s never been a better time to start beefing up your cybersecurity policy for employees, as well as update your website with solid anti-phishing tips for your customers.

If you’re short of a few ideas on how to help your employees and customers identify phishing attempts, we have a handy introductory list below.

Anti-phishing tips for your employees

  1. Attachments aren’t always a guarantee of malware. Often, phishers will send perfectly clean files as an additional confidence trick. “Please fill this in and send it back,” they’ll say. Having said that, many phish campaigns will happily try to backdoor a network with a rogue file alongside a phish attempt. When in doubt, do not open the file. Instead, try to contact someone you know from the organization listed in the email to confirm.
  2. Mobile devices are particularly at risk from lengthy scam URLs, as the visible portion may be tailored to appear legitimate, but the rest of it—which would give the game away—is hidden offscreen. Employees checking email on their phones or browsing the Internet should always review the whole URL before clicking. If it looks suspicious, or uses numbers or peculiar letters in place of what you’d expect to be there, it’s best to leave immediately.
  3. Dubious apps are also a potential problem, so it’s best to review apps you plan to install on your work mobile device or desktop with a hawk eye. Are the logos the same? Does the user experience match what you’d expect?
  4. Promoted content on social media can lead to phishing, and it’s worth advising all employees and customers to be wary of this—especially as ads tend to be targeted to your interests (thanks, trackers). While you may not want to prohibit use of social media at work entirely (especially as it’s part of the job for many folks in marketing), recommending that users not engage on social media from work devices, or limiting their engagements to work-specific tasks, could help thwart phishing attempts.
  5. Bit of a niche one, but you may wish to advise employees not to waste spammers’/phishers’ time with any of these tactics during work hours. Using personal accounts is all fun and games, but replying with anything work-related could go terribly wrong. The bad guys now know your work mail exists, and they’ll either spam it hard, send you more junk, or go after your business even more than they were already.

Anti-phishing tips for your customers

  1. Look at some anti-phish pages from the biggest brands. You’ll notice that they all mention the most obvious forms of attack. If you’re eBay, you’re going to see customers sent fake auction missives, or “problem with your auction” attacks. If you’re Steam, it’ll be “problems with your marketplace item” or free game keys. A bank? It’ll be bogus re-authentication mails. For Apple, it’ll be issues with pending refunds for items they don’t remember purchasing. This is how you should lead the charge.
  2. Point out that the presence of a padlock isn’t a guarantee the site they’re on is real. Certificates for websites are easily obtained for free these days, and scammers are taking full advantage of it. It may have been useful to tell people “Avoid sites with no padlock because it isn’t real” years ago, but the game has changed and so must our messaging.
  3. Warn them about bad spelling, errors in formatting, and email addresses in the “From” field which look suspicious. Also mention that many phishers spoof mails in the “From” field so this isn’t a guarantee of safety either. Perhaps the formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. The possibilities are endless.
  4. Desperation is a surefire sign that something may be wrong. It’s panic buying, but not as we know it. Emails claiming a tight time limit to login and perform an action, alongside the threat of losing X or Y forever, is a good sign of bad things afoot.
  5. Warn them off emails asking for additional personal information (and if your organization sends such emails, try to wean yourself off this practice, too). Linking to sites that ask for logins is bad practice. Train your customers and employees out of this habit. If they won’t click links asking for information, the battle is halfway won.
  6. Check whether the URL shown in the email and the URL that displays when you hover over the link are different from one another. An oldie, but a goodie.

My business uses Office365, what else can I do?

Microsoft has a handy list of security suggestions for you to deploy on your network. Suggestions include:

And finally

Google has come up with a short, fun, and difficult anti-phishing test. It’s a fantastic way to experience some common phishing techniques safely. There aren’t many ways to experience real phishing examples in a safe environment, so it’s well worth having a go. You’ll likely find that there are a few tactics in there you haven’t seen before, and it’s always a good idea to test your employees on some left-field phishing techniques. However you choose to go about putting together an anti-phishing plan for your organization, we wish you many years of safe emailing ahead.

The post Businesses: It’s time to implement an anti-phishing plan appeared first on Malwarebytes Labs.

February 2019 Patch Tuesday: PrivExchange hole plugged

For the February 2019 Patch Tuesday, Microsoft has released fixes for over 70 CVE-numbered vulnerabilities, 20 of which are rated Critical. Also rated Critical are the Adobe Flash security update (ADV190003, which carries a fix for CVE-2019-7090, an information disclosure flaw in Adobe Flash Player), and the latest servicing stack updates (ADV990001).

Previously disclosed and exploited vulnerabilities

“Two vulnerabilities were publicly disclosed previous to today’s releases,” notes Greg Wiseman, senior security researcher for Rapid7. “CVE-2019-0686, … More

The post February 2019 Patch Tuesday: PrivExchange hole plugged appeared first on Help Net Security.

Microsoft Patch Tuesday updates for February 2019 fixes IE Zero-Day

Microsoft released Patch Tuesday updates for February 2019 that address 77 flaws, including an Internet Explorer issue that has been exploited in attacks.

Microsoft released Patch Tuesday updates for February 2019 that address 77 flaws: 20 critical vulnerabilities, 54 important and 3 moderate in severity. One of the issues fixed by the tech giant is a zero-day vulnerability in Internet Explorer discovered by Google that has been exploited in attacks.

This zero-day, tracked as CVE-2019-0676, is an information disclosure flaw tied to the way Internet Explorer handles objects in memory.

An attacker can exploit the flaw by tricking the victims into visiting a malicious website using a vulnerable version of Internet Explorer. The flaw could be exploited by attackers to test for the presence of files on the targeted device’s disk.

“An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.” reads the security advisory.

“An attacker who successfully exploited this vulnerability could test for the presence of files on disk. For an attack to be successful, an attacker must persuade a user to open a malicious website. The security update addresses the vulnerability by changing the way Internet Explorer handles objects in memory.”

The vulnerability affects Internet Explorer 11; it was reported by Clement Lecigne from Google’s Threat Analysis Group.

Microsoft Patch Tuesday

Microsoft’s Patch Tuesday updates for February 2019 also addressed several flaws whose details were publicly disclosed before a patch was made available.
The tech giant fixed flaws in Adobe Flash Player, Internet Explorer, Edge, Windows, MS Office, and Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Visual Studio, Azure IoT SDK, Dynamics, Team Foundation Server, and Visual Studio Code.

The list of patched issues includes two critical remote code execution vulnerabilities in SharePoint (CVE-2019-0594 and CVE-2019-0604) and a flaw in Windows DHCP Servers (CVE-2019-0626). The exploitation of these flaws could allow attackers to run arbitrary code and take control of the server.

Pierluigi Paganini

(SecurityAffairs – Kunbus, hacking)

The post Microsoft Patch Tuesday updates for February 2019 fixes IE Zero-Day appeared first on Security Affairs.

Microsoft Patch Tuesday — February 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra Scripting Engine and the Internet Explorer and Exchange web browsers. For coverage of these vulnerabilities, read the SNORTⓇ blog post here.

Critical vulnerabilities

Microsoft disclosed 20 critical vulnerabilities this month, 12 of which we will highlight below.

CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652 and CVE-2019-0655 are all memory corruption vulnerabilities in the Microsoft scripting engine. The bugs all lie in the way the engine processes objects in memory in the Microsoft Edge web browser. An attacker could exploit these vulnerabilities to corrupt the machine’s memory, eventually allowing them to execute code remotely in the context of the current user. A user could trigger these bugs by either visiting a malicious web page while using Edge, or by accessing specially crafted content created by the attacker.

CVE-2019-0606 is a memory corruption vulnerability in Microsoft Internet Explorer. The problem lies in the way the web browser accesses objects in memory. An attacker could exploit this vulnerability by tricking a user into visiting a specially crafted website or user-created content in Internet Explorer. Once triggered, the attacker could gain the ability to execute code remotely in the context of the current user.

CVE-2019-0645 and CVE-2019-0650 are memory corruption vulnerabilities that exist in Microsoft Edge when the web browser fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking a user into visiting a maliciously crafted website in Edge, or clicking on specially crafted content. An attacker could use this bug to gain the ability to execute arbitrary code in the context of the current user.

These are the other critical vulnerabilities:


Important vulnerabilities

This release also contains 46 important vulnerabilities:

Moderate

There were also three moderate vulnerabilities in this release: CVE-2019-0641, CVE-2019-0643 and CVE-2019-0670.

Coverage 

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 49128 - 49170

Microsoft Patch Tuesday — February 2019 Update Fixes 77 Flaws

Microsoft has issued its second Patch Tuesday for this year to address a total of 77 CVE-listed security vulnerabilities in its Windows operating systems and other products, 20 of which are rated critical, 54 important and 3 moderate in severity. February security update addresses flaws in Adobe Flash Player, Internet Explorer, Edge, Windows, MS Office, and Office Services and Web Apps,

An info stealer .exe malware is targeting Mac users around the globe

By Waqas

Cybercriminals have identified a unique method of attacking Mac devices, which involves exploiting executable or .EXE files. Those files that can be executed both on Mac and Windows devices have the potential of infecting Mac computers as these unload a .exe malware. Discovered by Trend Micro researchers, the new malware can bypass the macOS security […]

This is a post from HackRead.com Read the original post: An info stealer .exe malware is targeting Mac users around the globe

Microsoft Teases HoloLens 2

"Microsoft is expected to announce the next generation HoloLens headset at an already announced event on February 24, and the company's doing a bit more to stoke the flames," reports TechCrunch. One of the key people behind the original HoloLens, Alex Kipman, tweeted a video showing "vague forms of chips and cables [that] take shape out of melted ice, rocks and air," reports TechCrunch. From the report: The original headset was ahead of the mixed reality wave, but now that AR is starting to catch on all over the industry, the timing could be right for a big second-generation launch. Reports have suggested a Qualcomm 850 chip and new Project Kinect Sensors. The headset is also said to be cheaper and smaller than its developer-focused predecessor, which could put Microsoft in prime position to push augmented reality forward.

Read more of this story at Slashdot.

E Hacking News – Latest Hacker News and IT Security News: Amazon, Microsoft calls for Regulation on Face Recognition

Amazon is batting in favor of regulating and legislating the use of facial recognition technology and has written a long, detailed blog post setting out its stand on the issue.

In the blog post, written by Michael Punke, Vice-President of Global Public Policy at Amazon Web Services (AWS), the company revealed its "proposed guidelines" for the use of the technology by companies, so that it cannot be used to discriminate.

Punke wrote that the company “supports the creation of a national legislative framework covering facial recognition through video and photographic monitoring on public or commercial premises.”

Amazon has faced criticism after tests by civil rights groups and the ACLU found that Amazon's Rekognition facial analysis is less accurate for Black people. In January, two researchers reported that an Amazon Web Services feature that determines the gender of people in photos is also less accurate for Black women.

However, Amazon disputed the studies' findings, saying that Rekognition was “not used properly” by the researchers.

Amazon wants legislation “that protects individual civil rights and ensures that governments are transparent in their use of facial recognition technology,” Punke wrote.

The blog post is seen as a move to counter the facial recognition backlash.



Microsoft Advises Its Users to Stop Using Its Legacy Internet Explorer Web Browser

Microsoft cyber security expert Chris Jackson is advising users to stop using the 'legacy' Internet Explorer browser, which Microsoft formally discontinued in 2015, and to move to a 'modern browser' that keeps up with current web standards.

In a blog post titled 'The perils of using Internet Explorer as your default browser', Jackson laid out several reasons why users should switch.

“Internet Explorer is a compatibility solution, we're not supporting new web standards for it and, while many sites work fine, developers by and large just aren't testing for Internet Explorer these days. They're testing on modern browsers.”

'...As new apps are coming out with greater frequency, what we want to help you do is avoid having to miss out on a progressively larger portion of the web,' he adds later.

He adds that it is generally fine for users to keep Internet Explorer for enterprise applications that require it, but that they would be better protected if they switched to a newer browser for everything else.


Microsoft wants you to stop using Internet Explorer

Microsoft is urging its users to stop using Internet Explorer

In a blog post, Microsoft has urged its users not to use Internet Explorer (IE) as their primary web browser, as it is a ‘compatibility solution’ for enterprise customers dealing with legacy websites.

“We’re not supporting new web standards for it and, while many sites work fine, developers by and large just aren’t testing for Internet Explorer these days. They’re testing on modern browsers,” said Chris Jackson, worldwide head of cyber-security at Microsoft’s Windows division, in the blog post.

Jackson said that developers now no longer test on the legacy Web browser, but instead use “modern browsers”.

While many of the users these days either use Google Chrome or Mozilla Firefox, some firms still depend on Internet Explorer for web apps that have been built using the old infrastructure.

The security expert also explained why companies need to be aware of their “technical debt”, as they are paying for extended support of older software.

Responding to the user comments section of his blog post, Jackson clarified that he’s not influencing people to never use Internet Explorer.

“My concern is that to accommodate apps that do need IE, we use it for everything. We want you to use IE for the sites that need it — what I’m trying to say here is that I hope you don’t use it for everything else,” he said.

“The candle is burning from the other side with that approach — now your new sites break while keeping your old sites fixed. I’d like to craft a solution where both your old sites and your new sites work.”

Launched in 1995 with Windows, Internet Explorer was one of the most widely used web browsers and held around 95 percent of the market in 2003.

In 2015, Microsoft announced that Microsoft Edge would replace Internet Explorer as the default browser on Windows 10 devices. However, Edge has struggled to make a mark against stiff competitors like Chrome, Firefox, and Safari. Microsoft recently announced that it will end support for Internet Explorer 10 on January 31, 2020.
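As an added example (not code from the TechWorm post or from Microsoft's blog), the following PowerShell check reports whether Internet Explorer is still a user's default handler for http and https URLs, which is the "IE for everything" configuration Jackson argues against. It assumes Windows 10's per-user UserChoice registry keys and Internet Explorer's IE.HTTP / IE.HTTPS ProgIds; the optional UserSid parameter, for reading another loaded user hive under HKEY_USERS, is an assumption added for fleet use.

```powershell
# Added example, not code from the TechWorm post or from Microsoft: check whether
# Internet Explorer is the user's default handler for http/https URLs.
# Assumptions: Windows 10, per-user defaults stored under the UserChoice keys
# below, and Internet Explorer registering the ProgIds IE.HTTP / IE.HTTPS.

function Get-DefaultUrlHandler {
    param(
        [Parameter(Mandatory)][ValidateSet('http', 'https')][string]$Scheme,
        [string]$UserSid   # optional (assumed): read another user's loaded hive via HKEY_USERS\<SID>
    )
    $root = if ($UserSid) { "Registry::HKEY_USERS\$UserSid" } else { 'HKCU:' }
    $key  = "$root\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$Scheme\UserChoice"
    $item = Get-ItemProperty -Path $key -Name ProgId -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # no explicit per-user choice recorded
    return $item.ProgId
}

function Test-InternetExplorerIsDefault {
    param([string]$UserSid)
    foreach ($scheme in 'http', 'https') {
        $progId = Get-DefaultUrlHandler -Scheme $scheme -UserSid $UserSid
        $label  = if ($progId) { $progId } else { '(none recorded)' }
        [pscustomobject]@{
            Scheme = $scheme
            ProgId = $label
            IsIE   = [bool]($progId -like 'IE.*')   # matches IE.HTTP / IE.HTTPS
        }
    }
}

$report = Test-InternetExplorerIsDefault
$report | Format-Table -AutoSize

$ieSchemes = ($report | Where-Object IsIE).Scheme
if ($ieSchemes) {
    Write-Warning "Internet Explorer is the default browser for $($ieSchemes -join ', '); set a modern default and keep IE only for the sites that need it."
} else {
    Write-Host 'Internet Explorer is not the default http/https handler for this user.'
}
```

Run it in the console session of the user being audited. The default browser is a per-user setting, so running this through Invoke-Command against a fleet reads the hive of the connecting account rather than the logged-on user; pass the logged-on user's SID (as loaded under HKEY_USERS) through the UserSid parameter to check the right profile.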

 

The post Microsoft wants you to stop using Internet Explorer appeared first on TechWorm.

Please Stop Using Internet Explorer, Microsoft Says

Microsoft cybersecurity expert Chris Jackson recently published a post on the official Windows IT Pro blog, titled "The perils of using Internet Explorer as your default browser." Jackson tells users it's time to stop using the old web browser, a product Microsoft officially discontinued in 2015. From a report: In his post, Jackson explains how Microsoft customers still ask him Internet Explorer-related questions for their business. The fact of the matter is that while most average internet users have moved on to Google Chrome, Firefox, or Microsoft's Edge, some businesses are still working with older web apps or sites that were designed for Internet Explorer. Instead of updating their tech, many companies have chosen to just keep using the various enterprise compatibility modes of Microsoft's old web browser. But, Jackson says "enough is enough." It's time to even stop calling Internet Explorer a web browser.

Read more of this story at Slashdot.

Mild to medium volume expected for February 2019 Patch Tuesday

If you look at the recent Patch Tuesday lineups, we have seen the usual updates for the Microsoft Windows OS, browsers, and Office. In the last two months we have seen updates for .Net Framework and in the last four months we have seen updates for Exchange Server. For non-Microsoft updates we have a pre-notification from Adobe, but Oracle released their CPU in January and both Chrome and Firefox just released at the end of … More

The post Mild to medium volume expected for February 2019 Patch Tuesday appeared first on Help Net Security.

New Accenture Microsoft Business Group will empower enterprises to thrive in the era of digital disruption

Accenture and Microsoft, in conjunction with their joint venture Avanade, today announced the launch of the Accenture Microsoft Business Group. The new group elevates a longstanding strategic alliance, expanding combined service capabilities, global scale and joint solution development to help clients overcome disruption and lead transformation in their industries. Majority owned by Accenture, Avanade was founded in 2000 by Accenture LLP and Microsoft Corporation. Clients around the globe are looking to Accenture, Microsoft and Avanade … More

The post New Accenture Microsoft Business Group will empower enterprises to thrive in the era of digital disruption appeared first on Help Net Security.

Flaws in RDP protocols leaving machines prone to remote code execution

By Waqas

Check Point researchers have found that three remote desktop protocol (RDP) clients, probably the most popular ones for Windows, macOS, and Linux, are affected by not one or two but twenty-five CVE-listed security flaws. Several allow remote code execution and “reverse RDP” attacks, in which a malicious RDP server attacks the client that connects to it. […]

This is a post from HackRead.com Read the original post: Flaws in RDP protocols leaving machines prone to remote code execution

ExileRAT Malware Targets Tibetan Exile Government

Researchers have discovered a new cyber-espionage campaign targeting the organization representing the exiled Tibetan government.

The post ExileRAT Malware Targets Tibetan Exile Government appeared first on The Security Ledger.

Cyber Security Roundup for January 2019

The first month of 2019 was a relatively slow month for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018.  On Saturday 26th January, car services and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disrupted its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the outbreak was likely caused by a general lack of security patching and anti-virus protection rather than anything sophisticated.

B&Q said it had taken action after a security researcher found and disclosed that details of suspected B&Q store thieves had been exposed online. According to Ctrlbox Information Security, the exposed records included 70,000 offender and incident logs, containing:

  • the first and last names of individuals caught or suspected of stealing goods from stores
  • descriptions of the people involved, their vehicles and other incident-related information
  • the product codes of the goods involved
  • the value of the associated loss

Hundreds of German politicians, including Chancellor Angela Merkel, had personal details stolen and published online at the start of January.  A 20-year-old suspect was later arrested in connection with the disclosure. Investigators said the suspect had acted alone, had taught himself the skills he needed using online resources, and had no training in computer science. Yet another example of the low barrier to entry for individuals becoming successful and dangerous hackers.

Hackers took control of 65,000 Smart TVs around the world, in yet another stunt to support YouTuber PewDiePie. A video message was displayed on the vulnerable TVs which read "Your Chromecast/Smart TV is exposed to the public internet and is exposing sensitive information about you!" It then encourages victims to visit a web address before finishing up with, "you should also subscribe to PewDiePie"
Hacked Smart TVs: The Dangers of Exposing Smart TVs to the Net

The PewDiePie hackers said they had discovered a further 100,000 vulnerable devices, while Google said its products were not to blame, but were said to have fixed them anyway. In the previous month two hackers carried out a similar stunt by forcing thousands of printers to print similar messages. There was an interesting video of the negative impact of that stunt on the hackers on the BBC News website - The PewDiePie Hackers: Could hacking printers ruin your life?

Security company ForeScout said it had found thousands of vulnerable devices using the search engines Shodan and Censys, many of them located in hospitals and schools. Heating, ventilation, and air conditioning (HVAC) systems were among those the team could have taken control of after developing its own proof-of-concept malware.

Reddit users found they were locked out of their accounts after an apparent credential stuffing attack forced Reddit to invalidate passwords en masse. A Reddit admin said a "large group of accounts were locked down" due to anomalous activity suggesting unauthorised access.

Kaspersky reported that 30 million cyber attacks were carried out in the last quarter of 2018, with attacks via web browsers the most common method for spreading malware.

Action Fraud issued a new warning about a convincing TV Licensing phishing email that made the rounds. The emails use subject lines like "correct your licensing information" and "your TV licence expires today" to get people to open them. TV Licensing warned it never asks for this sort of information over email.

January saw further political pressure and media coverage about the threat posed to the UK national security by Chinese telecoms giant Huawei, I'll cover all that in a separate blog post.



Microsoft’s Moving Xbox Ad Was the Best Thing About the Super Bowl

Mark Serrels, writing for CNET: Super Bowl 53 has come and gone and, for me at least, there was one clear highlight. This Microsoft commercial. [...] Essentially a commercial for Microsoft's Xbox Adaptive Controller, this ad follows up on an earlier ad from the Christmas period, which highlights young kids with limited mobility playing video games. It's incredible. It tells the story of kids with limited mobility and their love for video games. All kids love video games and if you're a person with limited mobility, video games can often provide a pathway to experiences that are often difficult in the real world. But in some cases, particular types of limited mobility can make even the games themselves difficult to play -- which is where the Xbox Adaptive Controller comes in.

Read more of this story at Slashdot.

Microsoft releases Windows Template Studio 3.0 – here’s what’s new

Microsoft’s Windows Template Studio 3.0 released!

Microsoft yesterday released version 3.0 of Windows Template Studio, its first major update since version 2.0 was released in April last year.

For those unaware, Windows Template Studio, launched in 2017, is a replacement of sorts for Windows App Studio, and the company has been improving it continuously since launch. Template Studio, an open-source project, makes it easier for developers to scaffold full-fledged UWP (Universal Windows Platform) apps without writing a line of code.

Yesterday's update includes the following enhancements:

  • Code now generates as a multi-project solution. This will enable better reuse and separation of code logic. This now will output a UWP project and .NET Core project.
  • Support adding new projects on right click
  • Horizontal Navigation View has replaced the Pivot navigation pattern.
  • Update MVVMLight to use .NET Standard library
  • Bug fixes

Dev platform updates:

  • AdaptiveCards to v1.1.2
  • Analytics to v 1.12.0
  • Crashes to v 1.12.0
  • Store.Engagement to v10.1810.16002
  • Xaml to v2.0.181018003.1
  • Json to v12.0.1
  • UniversalWindowsPlatform to v1.0.1.3

There are also known issues with Windows Template Studio 3.0 to be aware of. Using it with Visual Studio 2019 can cause problems, as the preview's multi-project support shows a NuGet reference failure for the Core project. Feedback Hub has also been removed for now, until a bug in its SDK has been fixed.

Microsoft is also working on a few things it plans to include in future builds, such as a Menubar navigation pattern template (ETA v3.1), Identity Login (ETA v3.1), improved Visual Studio 2019 support, Azure features (v3.1 and beyond), and Unit Test projects.

The post Microsoft releases Windows Template Studio 3.0 – here’s what’s new appeared first on TechWorm.

Email Attacks Increasingly Using Compromised Accounts

Hackers are realising that it’s easier to defraud someone if you’re using a legitimate email address, rather than creating one yourself. With that in mind, they’re increasingly using compromised emails

The post Email Attacks Increasingly Using Compromised Accounts appeared first on The Cyber Security Place.

Cradlepoint and Microsoft create integrated solution to simplify and accelerate enterprise IoT projects

Cradlepoint introduced a platform integration with Microsoft Azure that will make it faster and easier for enterprises to “Build Your Own IoT” solutions (BYOIoT). The solution includes Cradlepoint’s new NetCloud Edge Connector for Azure IoT Central to help simplify and accelerate the process of building and deploying IoT applications and devices. According to a recent study by Cisco, 74 percent of IoT initiatives fell short of achieving success with 54 percent citing the lack of … More

The post Cradlepoint and Microsoft create integrated solution to simplify and accelerate enterprise IoT projects appeared first on Help Net Security.

Windows Setup Error Messages Will Soon Actually Help Fix Problems

An anonymous reader quotes a report from Ars Technica: The next major Windows release, the Windows 10 April 2019 Update (codenamed 19H1), is going to offer some significant improvements [to error messages]. Microsoft described them on its Windows Insider webcast, and they were spotted initially by WinFuture. Currently, the best case during installation is something like this screen. The message says that an incompatible application is detected, and a Knowledge Base article is referenced. It turns out that most Windows users don't know what "KBxxxxxxx" actually means, and the article isn't hyperlinked to make accessing it any easier. Issues detected through the other setup experience aren't much better. Windows will offer to uninstall problem applications, but often the better solution is to upgrade the application in question. The new setup process aims to be both more informative and more useful. The general approach is to allow decisions to be made within the setup program where possible and to put meaningful descriptions in the error messages, rather than leaving people with just a KB number to go on. Further, the "learn more" links will take you directly to the relevant Knowledge Base article, rather than hoping that end users know what "KBxxxxxxxx" means. Third-party developers will also be able to provide information about upgrades and updates when applicable to resolving compatibility issues.

Read more of this story at Slashdot.

Stocks Extend Best Month Since 2015; S&P 500 Clinches Best January Since 1987

U.S. stocks finished higher on Thursday, as the S&P 500 rounded out its best January in 32 years on the back of strong corporate earnings. Cryptocurrencies turned defensive in afternoon trading as XRP failed to sustain a double-digit rally that began midweek. Stocks Close January in Positive Territory The S&P 500 Index rose 0.9% to […]

The post Stocks Extend Best Month Since 2015; S&P 500 Clinches Best January Since 1987 appeared first on Hacked: Hacking Finance.

The State of Security: Tripwire Patch Priority Index for January 2019

Tripwire’s January 2019 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, and Oracle. First, on the patch priority list this month are patches for Microsoft’s Browser and Scripting Engine. These patches resolve 6 vulnerabilities, including fixes for Memory Corruption, Elevation of Privilege, and Remote Code Execution vulnerabilities. Next on the list […]… Read More

The post Tripwire Patch Priority Index for January 2019 appeared first on The State of Security.



Microsoft rolls out new tools for enterprise security and compliance teams

Microsoft has announced a number of new capabilities and improvements for tools used by enterprise administrators. New Microsoft 365 security and compliance centers The new Microsoft 365 security center allows security administrators and other risk management professionals to manage and take full advantage of Microsoft 365 intelligent security solutions for identity and access management, threat protection, information protection, and security management. The new Microsoft 365 compliance center allows compliance, privacy, and risk management professionals to … More

The post Microsoft rolls out new tools for enterprise security and compliance teams appeared first on Help Net Security.

Xbox One Consoles Are Down

If you are having trouble getting your Xbox One online, you are not alone. Xbox One consoles around the world have stopped working. From a report: Xbox One owners are reporting major problems with their consoles online with displays being stuck on black screens at startup, games not loading, and errors when trying to login to Xbox Live. Microsoft is aware of the situation and has promised to give more information when they have it. Within a couple of hours, the official Xbox Support Twitter account updated everyone, saying that they have identified the problem and are working on fixing it. There is no estimate on how long it will take to fix. Bad week for Microsoft services continues. Update: The issue with Xbox Live appears to have been resolved.

Read more of this story at Slashdot.

Microsoft issues warning about Windows 10 update

Future Windows 10 updates to eat up more storage space on your computer

Microsoft announced in a blog post that future Windows 10 updates will use more of your computer's storage, in addition to the space the OS already occupies. The company is taking the step to ensure that Windows 10 computers will always be able to update automatically.

The feature, dubbed ‘Reserved Storage’, will arrive with Windows 10 version 1903 (the April 2019 update). It sets aside a sizeable chunk of the user's drive which “cannot be removed from the OS.”

Microsoft program manager Jesse Rajwan said in the blog post that the space reserved for OS updates will be around 7GB, on top of the 20GB or so that the OS itself typically occupies.

“Through reserved storage, some disk space will be set aside to be used by updates, apps, temporary files, and system caches. Our goal is to improve the day-to-day function of your PC by ensuring critical OS functions always have access to disk space,” says Rajwan.

“When it’s time for an update, the temporary unneeded OS files in the reserved storage will be deleted and update will use the full reserve area. This will enable most PCs to download and install an update without having to free up any of your disk space, even when you have minimal free disk space,” Rajwan added.

“If for some reason Windows update needs more space than is reserved, it will automatically use other available free space. If that’s not enough, Windows will guide you through steps to temporarily extend your hard disk with external storage, such as with a USB stick, or how to free up disk space.”

In addition, the reserved storage feature will be “introduced automatically on devices that come with version 1903 pre-installed or those where 1903 was clean installed.” However, the reserved storage will not apply to those updating to 19H1 from a previous version.

In the blog post, Microsoft also suggests two methods that users can use to reduce the amount of reserve storage on Windows 10 PCs and laptops once the feature is rolled out. First, users can opt to uninstall optional features by going to Settings > Apps > Apps & features > Manage optional features. Second, users can opt to uninstall language that they don’t need by going to Settings > Time & Language > Language.

The announcement is certainly not good news for users, coming as it does after the troubled October 2018 Update (version 1809). Back in October 2018, Microsoft had to pause the rollout of version 1809 after users started complaining of data loss. Further, in November 2018, Windows 10 Pro users reported being downgraded to Windows 10 Home after downloading an update.

What do you think about the Reserved Storage feature? Do let us know your thoughts in the comments section below.

The post Microsoft issues warning about Windows 10 update appeared first on TechWorm.

Windows Media Player Set To Lose a Feature on Windows 7

With Windows 7 reaching its end of life in less than a year, developers are likely to begin retiring features for the operating system. Kicking off the process of retiring features is Microsoft, which is retiring a feature in Windows Media Player, according to updated support documentation on its website. From a report: New metadata for music, TV shows and movies, will not be added to Windows Media Player. This means that additional information such as cover art, directors, actors, and more, will not display on Windows Media Player. This change also affects Windows Media Center on Windows 7, Windows 8, and Windows 8.1.

Read more of this story at Slashdot.

Windows Media Player feature getting retired from Windows 7

With Windows 7 extended support ending in January 2020, Microsoft has started retiring services for Windows 7 in particular.

Specifically, a Windows Media Player feature is being removed from Windows 7, and from Windows Media Center on Windows 7, 8, and 8.1.

Microsoft quietly updated a support document on January 26 stating that new metadata will no longer be updated on media players in Windows 7, which applies to both Windows Media Player and Windows Media Center.

Microsoft said that the decision has been made based on “customer’s feedback and data usage”, stating:

Going forward, you may be unable to view information (metadata) such as the title, genre, and artist for songs, and the director, actors, cover art, and TV guide for movies in Windows Media Center and Windows Media Player. After looking at customer feedback and usage data, Microsoft decided to discontinue this service. This means that new metadata won’t be updated on media players that are installed on your Windows device. However, any information that’s already been downloaded will still be available.

It's important to note that discontinuing this feature does not affect Windows Media Player on Windows 10; you can keep using it as before.

Furthermore, it also does not affect major functionalities such as playback, navigation, and streaming.

Stay tuned for more such Stories.

The post Windows Media Player feature getting retired from Windows 7 appeared first on TechWorm.

Microsoft Office 365 Is Now Available On Apple’s Mac App Store

Microsoft Office 365 is one of the most feature-rich office suites and is used by millions of people. It consists of tools such as Word, Outlook, Excel, PowerPoint, and OneNote. The Office 365 suite is now finally available on the Mac App Store.

So here’s everything you need to know about the availability of Microsoft Office 365 on Apple’s Mac App Store.

Microsoft Office 365 Is Now Available On Apple’s Mac Store

Last year at WWDC, Apple promised that Microsoft Office 365 would come to the Mac App Store, and on Thursday it announced that Office 365 is now available there. Users can download the signature Microsoft apps such as Outlook, Word, PowerPoint, OneNote, and Excel directly onto their macOS computers.

Previously, Mac users had to download the Office apps from Microsoft's website. Office 365 for macOS also supports macOS-only features such as Dark Mode and Continuity Camera.

Phil Schiller, Apple’s senior vice president of worldwide marketing stated that “Apple and Microsoft have worked together to bring great Office productivity to Mac users from the very beginning. Now, with Office 365 on the Mac App Store, it’s easier than ever to get the latest and best version of Office 365 for Mac, iPad, and iPhone.”


Microsoft Office 365 Subscription Plans

You can try the Microsoft Office 365 suite free for a month. After that, the Personal edition costs $70 per year, and for $100 a year you can upgrade to the Home edition, which can be used by up to six people.

In addition to Microsoft Apps, the Home version also offers 1TB of Onedrive storage and 60 minutes of monthly Skype calls.

The post Microsoft Office 365 Is Now Available On Apple’s Mac App Store appeared first on TechWorm.

Hackers abusing Google App Engine to spread PDF malware

By Waqas

The Cobalt Strike advanced persistent threat (APT) group is using Google App Engine to spread PDF malware against financial firms. IT security researchers at Netskope have discovered a sophisticated malware campaign in which cybercriminals are abusing Google App Engine, a web framework and cloud computing platform that is part of Google Cloud Platform (GCP), to deliver malware via PDF decoys. According to the researchers, the malware campaign is currently […]

This is a post from HackRead.com Read the original post: Hackers abusing Google App Engine to spread PDF malware

How to Avoid Windows 7 Security Issues After Support Ends

Windows 7 is coming to the end of its support cycle. Microsoft announced that it is ending support for the

How to Avoid Windows 7 Security Issues After Support Ends on Latest Hacking News.

Microsoft’s Fact Checker NewsGuard Brands The Mail Online as Untrustworthy

Update – Brian Gluckman has made the following update: Microsoft is partnering with NewsGuard to offer the NewsGuard browser extension

Microsoft’s Fact Checker NewsGuard Brands The Mail Online as Untrustworthy on Latest Hacking News.

Microsoft Says Bing is Restored in China

Roughly a day after users in China began complaining that they were unable to access Bing, stoking fear that perhaps Microsoft's search engine is joining the long list of services that will not be permitted by the local government, Microsoft says it has fixed the situation. From a report: Bing is accessible in China again. In a statement, a Microsoft spokesperson said, "We can confirm that Bing was inaccessible in China, but service is now restored." Microsoft did not offer an explanation for Bing's outage, but in a televised interview with Fox News at the World Economic Forum, company president Brad Smith addressed the matter. He noted that this is not the first time Bing has faced an outage in China. "It happens periodically." He added, "You know, we operate in China pursuant to some global principles that's called the Global Network Initiative in terms of how we manage censorship demands and the like. There are times when there are disagreements, there are times when there are difficult negotiations with the Chinese government, and we're still waiting to find out what this situation is about."

Read more of this story at Slashdot.

Microsoft Office Lands on the Mac App Store

The next time you open up a new Apple computer, go to the App Store to start downloading apps, and type in "Microsoft Office," you'll actually get something. From a report: Until now, anyone who wanted to use Microsoft Office and its popular Word, Excel, PowerPoint and OneNote apps had to do so by going to Microsoft's website and downloading it all from there. Now, they are available on the Mac App Store as well, making it even easier for people to download and use.

Read more of this story at Slashdot.

China Blocks Microsoft’s Bing Search Engine, Despite Offering Censored Results

Update: Microsoft's search engine Bing has been restored in China after being inaccessible in the country for almost two days. According to sources familiar with the matter, Bing was blocked due to an accidental technical error and not due to an attempt at censorship. China has blocked Microsoft-owned search engine Bing, the company confirmed after receiving complaints from users throughout

Microsoft remains the most impersonated brand, Netflix phishing spikes

Although Microsoft remains the top target for phishers, Netflix saw an incredible surge in December, making it the second most impersonated brand in Q4 2018, according to Vade Secure. Microsoft remains the #1 impersonated brand, receiving more than 2.3 times the number of phishing URLs as Netflix. One credential can provide hackers with a single entry point to all of the apps under the Office 365 platform—as well as the files, data, contacts, etc. stored … More

The post Microsoft remains the most impersonated brand, Netflix phishing spikes appeared first on Help Net Security.

Most out of date applications exposed: Shockwave, VLC and Skype top the list

More than half (55%) of PC applications installed worldwide are out-of-date, making PC users and their personal data vulnerable to security risks. Avast’s PC Trends Report 2019 found that users are making themselves vulnerable by not implementing security patches and keeping outdated versions of popular applications on their PCs. The applications where updates are most frequently neglected include Adobe Shockwave (96%), VLC Media Player (94%) and Skype (94%). The report, which uses anonymized and aggregated … More

The post Most out of date applications exposed: Shockwave, VLC and Skype top the list appeared first on Help Net Security.

Security Affairs: 0patch releases unofficial security patches for 3 Windows flaws yet to be fixed

Researchers from 0patch, a community of experts that aims at addressing software flaws, released unofficial patches for three Windows vulnerabilities that Microsoft has yet to fix.

The list of vulnerabilities addressed by 0patch includes a denial-of-service (DoS) bug, a file read issue, and a code execution flaw.

“While we’re busy ironing out the wrinkles before 0patch finally exits its adolescence (i.e., Beta) and becomes a fully responsible adult able to pay for its own rent, we did find some time to produce… not one, … not two, … but three 0day micropatches in the past few days.” reads the blog post published by 0patch.

“That’s right, at this very moment you can get three 0days on your Windows computer micropatched for free!”

One of the patches addresses a flaw publicly disclosed last month by the researcher known as SandboxEscaper; the vulnerability could be exploited by an attacker with low privileges to elevate them on the vulnerable system. The expert shared PoC exploit code (deletebug.exe) that deletes critical system files, an operation that requires admin-level privileges.

Security experts noticed that the flaw only affects Windows 10 and recent versions of Windows Server editions because older versions of the Microsoft operating systems don’t implement the Microsoft Data Sharing service.

This vulnerability could be exploited to overwrite important system files and cause a DoS condition.

0patch also released a patch for another flaw disclosed last month by SandboxEscaper: an arbitrary file read vulnerability that could be exploited by a low-privileged user or a malicious program to read the content of any file on a Windows system.

The Windows zero-day flaw affects the “MsiAdvertiseProduct” function, which generates an advertise script or advertises a product to the computer. The MsiAdvertiseProduct function enables the installer to write to a script the registry and shortcut information used to assign or publish a product. The script can be written to be consistent with a specified platform by using MsiAdvertiseProductEx.

According to SandboxEscaper, the lack of proper validation could allow an attacker to force the installer service into making a copy of any file with SYSTEM privileges and read its content.

The third flaw addressed by 0patch was disclosed by the expert John Page via ZDI.

The security expert discovered a zero-day vulnerability in the processing of VCard files that could be exploited by a remote attacker, under certain conditions, to compromise a Windows PC.

An attacker can create a specially crafted VCard file whose contact website URL field points to a local executable file. This second file can be sent within a zipped file as an email attachment or delivered via drive-by-download attacks.

When the victim clicks that website URL, the Windows operating system would execute the malicious file without displaying any warning. John Page also published proof-of-concept exploit code for the vulnerability.

Further details on the patches released by 0patch experts, including their code, are available here:

https://blog.0patch.com/2019/01/one-two-three-micropatches-for-three.html

Pierluigi Paganini

(SecurityAffairs – security patches, Microsoft)

The post 0patch releases unofficial security patches for 3 Windows flaws yet to be fixed appeared first on Security Affairs.


Microsoft Debuts New Low-Cost Laptops and ‘Classroom Pen’ For Schools

Microsoft is doubling down on the education market, a competitive arena for the world's largest tech giants, with a series of new low-cost laptops and tools to help students and teachers work together. From a report: At the BETT education conference in London Tuesday, Microsoft unveiled seven new laptops and two-in-one tablets made by partners like Lenovo, Dell and Acer and a new Microsoft Classroom Pen designed for the smaller hands of kids. Starting at $189, the low-cost devices are designed to stand up to the tough treatment of being dragged around in a backpack every day. The seven new devices showcased today are: Lenovo 100e -- priced from $189, Lenovo 300e (2-in-1) -- priced from $289, Lenovo 14w -- priced from $299, Acer TravelMate B1(B118-M) -- priced from $215, Acer TravelMate Spin B1 (B118-R/RN) -- priced from $299, Acer TravelMate B1-114 -- priced from $319, and Dell Latitude 3300 for Education -- priced from $299. The pen is priced at $40.

Read more of this story at Slashdot.

LinkedIn Says Glitch, Not FSB, to Blame for Russian Job Postings

LinkedIn Wednesday blamed an issue with its job ingestion tool–not Russian hackers or an online scam–as the reason the business social network was erroneously posting jobs located in Russia for a number of U.S.-based companies. The custom software tool that pulls in jobs from third-party websites onto LinkedIn’s site failed to...


Microsoft announces end of support for Windows 10 Mobile devices

Microsoft to officially stop supporting Windows 10 Mobile platform from December 2019

Microsoft recently published a support page where it announced that the company will be ending support for Windows Phone 10 mobile devices on December 10, 2019.

“Windows 10 Mobile, version 1709 (released October 2017) is the last release of Windows 10 Mobile and Microsoft will end support on December 10, 2019,” reads the Microsoft support note.

Further, smartphones running Windows 10 Mobile version 1703, such as the Lumia 640 and 640 XL, will only be supported until June 11th, 2019. Moreover, in the support note, the Redmond giant also recommends that Windows 10 Mobile users shift to iOS or Android devices.

“As of December 10, 2019, Windows 10 Mobile users are no longer eligible to receive new security updates, non-security hotfixes, free assisted support options or online technical content updates from Microsoft for free,” explains an FAQ on Windows 10 Mobile end of life.

“With the Windows 10 Mobile OS end of support, we recommend that customers move to a supported Android or iOS device. Microsoft’s mission statement to empower every person and every organization on the planet to achieve more compels us to support our Mobile apps on those platforms and devices.”

It should be noted that Microsoft had stopped developing new features or hardware for Windows 10 Mobile in 2017. Although the company continued to provide security and software updates to Windows 10 Mobile devices, this too will now cease from December 10th, 2019, and devices will no longer be supported after this date. However, the company might continue to support the platform through third parties or paid support programs at a later date.

Once the device reaches the end of support, some of the features will slowly stop working. Microsoft notes, “After the end of support, automatic or manual creation of new device backups for settings and some applications will continue for 3 months, ending March 10, 2020.  Some services including photo uploads and restoring a device from an existing device backup may continue to work for up to another 12 months from the end of support.”

Microsoft also stated that it will also be phasing out its built-in backup tool after the support ends. Hence, the company is encouraging its users to manually create a backup before December 10, 2019. To do so, the users can go to the Settings -> Update & security -> Backup -> More Options and then tap Back up now before that date.

The post Microsoft announces end of support for Windows 10 Mobile devices appeared first on TechWorm.

Microsoft India to set up 10 AI labs, train 5 lakh youths in the country

Microsoft to set up 10 AI labs, train 5 lakh youths and upskill 10,000 Indian developers

Microsoft India on Wednesday announced its plans to set up Artificial Intelligence (AI) labs in 10 universities in the country in the next three years. The company also plans to upskill over 10,000 developers to bridge the skills gap and enhance employability, and to train 5 lakh youths across the country in disruptive technologies.

Microsoft has 715 partners who are working with the company in India to help customers design and implement a comprehensive AI strategy.

“The next wave of innovation for India is being driven by the tech intensity of companies – how you combine rapid adoption of cutting edge tech with your company’s own distinctive tech and business capabilities,” Anant Maheshwari, President of Microsoft India, said at the ‘Media and Analyst Days 2019’ held in Bengaluru.

“We believe AI will enable Indian businesses and more for India’s progress, especially in education, skilling, healthcare, and agriculture. Microsoft also believes that it is imperative to build higher awareness and capabilities on security, privacy, trust, and accountability. The power of AI is just beginning to be realized and can be a game-changer for India.”

According to Microsoft, the company’s AI and cloud technologies have to date digitally transformed more than 700 customers, of which 60 percent are large manufacturing and financial services enterprises.

The Redmond giant has partnered with Indian government’s policy think tank, NITI Aayog, to “combine the cloud, AI, research and its vertical expertise for new initiatives and solutions across several core areas including agriculture and healthcare and the environment,” said Microsoft India in an official press release.

“We are also an active participant along with CII in looking at building solution frameworks for application in AI across areas such as Education, skills, health, and agriculture,” the company added.

In December last year, Microsoft had announced a three-year “Intelligent Cloud Hub” collaborative programme in India, which will “equip research and higher education institutions with AI infrastructure, build curriculum and help both faculty and students to build their skills and expertise in cloud computing, data sciences, AI and IoT.”

Source: Microsoft

The post Microsoft India to set up 10 AI labs, train 5 lakh youths in the country appeared first on TechWorm.

Microsoft Suggests Windows 10 Mobile Users Switch To iOS or Android As Support Winds Down

Windows 10 Mobile devices will be officially unsupported starting on December 10, 2019. As a result, Microsoft is recommending users move to an Android or iOS device instead. Mac Rumors reports: Microsoft made the recommendation in a Windows 10 Mobile support document (via Thurrott) explaining its plans to stop offering security updates and patches for Windows 10 Mobile: "With the Windows 10 Mobile OS end of support, we recommend that customers move to a supported Android or iOS device. Microsoft's mission statement to empower every person and every organization on the planet to achieve more, compels us to support our Mobile apps on those platforms and devices." All customers who have a Windows 10 Mobile device will be able to keep using it after December 10, 2019, but no further updates will be available.

Read more of this story at Slashdot.

Microsoft Announces Azure DevOps Bug Bounty Program

The Microsoft Security Response Center (MSRC) has announced the creation of a bug bounty program for Azure DevOps services. On 17 January, MSRC said it would begin awarding bounties of up to $20,000 for reports on eligible vulnerabilities affecting Azure DevOps, a cloud service which helps developers collaborate on code across the entire development lifecycle. […]… Read More

The post Microsoft Announces Azure DevOps Bug Bounty Program appeared first on The State of Security.

Reminder: Microsoft to end support for Windows 7 in 1-year from today

A new reminder for those who are still holding on to the Windows 7 operating system—you have one year left until Microsoft ends support for its 9-year-old operating system. So it's time for you to upgrade your OS and say goodbye to Windows 7, as its five years of extended support will end on January 14, 2020—that's precisely one year from today. After that date, the tech giant will no longer

Microsoft Windows 7 & Windows 2008 End of Life

Microsoft Windows 7 and Windows Server 2008 End of Life is fast approaching. 'End of Life' is the point where the operating system will be no longer supported with security patches, unless you (as a business) take out a rather expensive extended warranty agreement with Microsoft.



As a home user, you should upgrade from Windows 7 without delay, as there are significant performance improvements to be gained with Windows 10. I always recommend installing Windows 10 from scratch onto a blank hard disk drive, rather than using the upgrade option. Ideally install onto a new Solid State Drive (SSD), which improves an operating system's performance massively. SSDs have come down in price in recent months, making a decent-capacity SSD an affordable option. Always ensure all your important documents and data are backed up at all times, and double check before attempting an operating system installation or upgrade.

Where, as a business, you have Windows 7 and Windows Server 2008 present, it is imperative not to leave your upgrade plan until the last minute, as mass operating system upgrades within a business can be fraught with delays due to technical issues to overcome and unforeseen business circumstances. Also, Microsoft Windows Server 2016 has a significant virtualisation performance kick over the 2008 and 2012 versions. And given the high security risk, or the cost of purchasing a Microsoft Extended Warranty, there really can be no solid business reason for delaying an upgrade project.

Microsoft Product     End of Life Date
Windows 7                      14/01/2020
Windows Server 2008    14/01/2020
Office 2010                     13/10/2020
Windows Server 2012    10/01/2023
Windows 8/8.1                10/01/2023
Office 2013                     11/04/2023
Windows 10                    14/10/2025
Office 2016                     14/10/2025

For further Microsoft EOL details see https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

Hackers Using Zero-Width Spaces to Bypass MS Office 365 Protection

Security researchers have been warning about a simple technique that cybercriminals and email scammers are already using in the wild to bypass security features of Microsoft Office 365, including Safe Links, which are originally designed to protect users from malware and phishing attacks. Safe Links has been included by Microsoft in Office 365 as part of its ATP (Advanced Threat Protection

Microsoft Patch Tuesday — January 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, seven of which are rated “critical,” 40 that are considered “important” and one that is “moderate.” This release also includes a critical security advisory for multiple bugs in Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Jet Database Engine, Office SharePoint and the Chakra Scripting Engine. For coverage of these vulnerabilities, read the SNORTⓇ blog post here.

Critical vulnerabilities


Microsoft disclosed seven critical vulnerabilities this month, which we will highlight below.

CVE-2019-0550 and CVE-2019-0551 are remote code execution vulnerabilities in Windows Hyper-V, a native hypervisor that can create virtual machines. These bugs exist due to the way a host server fails to properly validate input from an authenticated user on a guest operating system. An attacker could exploit these vulnerabilities by running a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

CVE-2019-0539, CVE-2019-0567 and CVE-2019-0568 are memory corruption vulnerabilities in the way the Chakra Scripting Engine handles objects in memory on the Microsoft Edge web browser. An attacker could corrupt memory in a way that would allow them to execute code in the context of the current user. In order to trigger this vulnerability, a user would have to visit a specially crafted, malicious web page in Edge.

CVE-2019-0547 is a memory corruption vulnerability in the Windows DHCP client that exists when an attacker sends specially crafted DHCP responses to a client. An attacker could gain the ability to run arbitrary code on the client machine if they successfully exploit this vulnerability.

CVE-2019-0565 is a memory corruption vulnerability in Microsoft Edge that occurs when the web browser improperly handles objects in memory. An attacker could corrupt memory in a way that would allow them to execute arbitrary code in the context of the current user. A user would trigger this vulnerability if they visited a specially crafted, malicious web page in Edge.

Important vulnerabilities

This release also contains 40 important vulnerabilities, four of which we will highlight below.

CVE-2019-0555 is an escalation of privilege vulnerability in the Microsoft XmlDocument class that could allow an attacker to escape the AppContainer sandbox. An attacker could exploit this flaw to gain elevated privileges and break out of the Microsoft Edge AppContainer sandbox. While this vulnerability does not allow arbitrary code to run explicitly, it could be combined with other vulnerabilities to take advantage of the elevated privileges while running.

CVE-2019-0572, CVE-2019-0573 and CVE-2019-0574 are elevation of privilege vulnerabilities in Windows Data Sharing that lie in the way the service improperly handles file operations. An attacker could exploit this vulnerability by running a specially crafted application to gain the ability to run processes in an elevated context.


Moderate

The only moderate vulnerability in this release is CVE-2019-0546, a remote code execution vulnerability in Microsoft Visual Studio.

Coverage 

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 48768 - 48770, 48773 - 48780, 48783, 48787 - 48790, 48793 - 48795, 48798, 48807 - 48810, 48876

Cyber Security Roundup for December 2018

The final Cyber Security Roundup of 2018 covers reports of major data breaches, serious software vulnerabilities and evolving cyber threats, so pretty much like the previous 11 months of the year.

5.3 million users of the "make your own avatar" app Boomoji had their accounts compromised, after the company reportedly didn't secure its internet-connected databases properly. "Question and Answer" website Quora also announced the compromise of 100 million of its user accounts following a hack.


A large data breach reported in Brazil is of interest: a massive 120 million Brazilian citizens' personal records were compromised due to a poorly secured Amazon S3 bucket. This is not the first mass data breach caused by an insecure S3 bucket we've seen in 2018. The lesson to be learnt in the UK is to never assume or take cloud security for granted; it's essential practice to test and audit cloud services regularly.

Amongst the amazing and intriguing space exploration successes reported by NASA in December, the space agency announced its employees' personal data may have been compromised. Let's hope poor security doesn't jeopardise the great and highly expensive work NASA are undertaking.
NASA InSight Lander arrives on Mars 

It wouldn't be normal for Facebook not to be in the headlines for poor privacy; this time Facebook announced a Photo API bug which exposed 6.8 million user images.

Away from the political circus that is Brexit, the European Parliament put into law a new Cybersecurity Act. Because of Brexit making all the headlines, this new law may have gone under the radar, but it is certainly worth keeping an eye on, even after the UK leaves the EU. The EU Parliament has agreed to increase the budget for the ENISA (Network & InfoSec) agency, which will be rebranded as the "EU Agency for Cybersecurity". The Cybersecurity Act will establish an EU-wide framework for cyber-security certifications for online services and customer devices to be used within the European Economic Area, and will include IoT devices and critical infrastructure technology. Knowing the EU's love of regulations, I suspect this new best-practice framework and its associated accreditations will be turned into regulations further down the line, which would impact any tech business operating in the European Union.

The UK Parliament enacted the "The Health and Social Care (National Data Guardian) Act", which also went under the radar due to all the Brexit political noise. The act requires the appointment of a data guardian within England and Wales. The data guardian will publish guidance on the processing of health and adult social care data for use by public bodies providing health or social care services, and produce an annual report.

Chinese telecoms giant Huawei had plenty of negative media coverage throughout December, with the UK government pressuring BT into not using Huawei kit within BT's new 5G network, due to a perceived threat to the UK's future critical national infrastructure posed by the Chinese state-backed tech giant. The UK Defence Secretary Gavin Williamson said he had "very deep concerns" about Huawei being involved in the new UK mobile network.

Security company Insinia caused controversy after it took over the Twitter accounts of Eamonn Holmes, Louis Theroux and several other celebrities. Insinia said it had managed the account takeover by analysing the way Twitter handles messages posted by phone, injecting messages onto the targeted accounts by analysing the way the social network interacted with smartphones when messages are sent. However, Insinia was accused in some quarters of being unethical and breaking the UK Computer Misuse Act.

Unsecured internet-connected printers are being hacked again; this time they were used to print out messages of support for Swedish YouTube star PewDiePie. A hacker named TheHackerGiraffe was said to have targeted up to 50,000 printers after using Shodan to search for open printer ports online; the scan was said to have found 800,000 vulnerable printers.

A Financial Conduct Authority (FCA) report warned UK banks about their over-reliance on third-party security providers. The FCA said companies "generally lacked board members with strong familiarity or specific technical cyber-expertise. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber-risks in a timely way." The report also warned about supply-chain security, especially the role that firms play in other organisations’ supply chains.


126 Arrests: The Emergence of India’s Cyber Crime Detectives Fighting Call Center Scams

The Times of India reports that police have raided a call center in Noida Sector 63 where hundreds of fraud calls were placed every day to Americans and Canadians resulting in the theft of $50,000 per day.

The scammers had rented four floors of a building being operated by two scammers from Gurgaon, Narendra Pahuja and Jimmy Ashija. Their boss, who was not named by the police, allegedly operates at least five call centers. In the raid this week, 126 employees were arrested and police seized 312 workstations, as well as Rs 20 lakh in cash (about $28,500 USD).



Noida police have been cooperating very well with international authorities, as well as Microsoft, leading to more than 200 people arrested in Noida and "scores" of fake call centers shut down, including four in Sector 63. (In a case just last month, another call center was said to have stolen from 300 victims, after using online job sites Shine.com and VintechJobs.com to recruit young money seekers by having them work conducting the scams.)

In the current scam, callers already had possession of the victim's Social Security Number and full name.  This information was used to add authority to their request, which got really shady really fast.  The victim was instructed to purchase Apple iTunes Gift Cards, or Google Play Gift Cards, scratch the numbers, and read them to the call center employee.  The money was laundered through a variety of businesses in China and India before cashing out to bank accounts belonging to Pahuja and Ashija.

Noida police are advancing in their Cyber Crime skills!

As more and more cyber crime enterprises spring up in India, the assistance of their new Centers for Cyber Crime Investigation is becoming more critical to stopping fraud against Americans:

We applaud the Center for Cyber Crime Investigation in Noida


The US Embassy was quick to acknowledge the support of the newest cyber crime partners of the United States after their action at the end of November:

US Embassy to India thanks the Noida and Gurgaon Police for their help!
Another recent Times of India story from November 30, 2018, "Bogus Call Centres and Pop-up Virus Alerts - a Global Cyber Con Spun up in NCR" [NCR = National Capital Region] had more details of this trend, including this graphic:


That's at least 50 call centers shut down just in these two regions, with this week's 126 arrests being the culmination of an ongoing investigation that received data from both the FBI and Microsoft.

Local news of India reported the names of some of the gang members held in the November 29-30th action in their story नोएडा: बड़ी कंपनियों में नौकरी दिलाने के नाम पर करते थे धोखाधड़ी, 8 गिरफ्तार (Noida: Fraud, 8 arrested for giving fake jobs in the name of big companies).

Sontosh Gupta, who was the ring leader, was previously employed by an online job site, but then created his own site,  vintechjobs (dot) com, which he used to attract call center employees, many of whom were duped into serving as his scammer army without ever being compensated for their work!

Others arrested then included Mohan Kumar, Paritosh Kumar, Jitendra Kumar, Victor, Himanshu, Ashish Jawla, and Jaswinder.

During that same two-day raid, police swept through at least sixteen other call centers, according to this New York Times story, "That Virus Alert on Your Computer? Scammers in India May Be Behind It".
Ajay Pal Sharma, the senior superintendent of police, told the NYT that 50 of his officers swept through eight different call centers in Gautam Budh Nagar as part of the case.  Microsoft's Digital Crimes Unit told the Times that with 1.2 million people generating $28 Billion in India working for call centers, it isn't hard to disguise the shady callers among the legitimate businesses.

The problem is not unique to Delhi and the National Capital Region suburbs that are the current focus.  Back in July, Mumbai was in the headlines, as a massive IRS-imitating Call Center ring was broken up with the help of more great cyber crime investigators from India:

Madan Ballal, Thane Crime Branch, outside Mumbai
Police Inspector Madan Ballal had his story told as the focus of an article in Narratively, "This Indian Cop Took Down a Massive IRS Call-Center Scam".

Much more investigating and arresting needs to be done, but it is a great sign that the problem is now receiving help from an emerging new generation of Indian Cybercrime Detectives!



Microsoft Patches Out-of-Band Internet Explorer Scripting Engine Vulnerability After Exploitation Detected in the Wild

Overview

Microsoft released an out-of-band (OOB) patch on Wednesday related to a vulnerability in the scripting engine of Internet Explorer. This particular vulnerability is believed to be actively exploited in the wild and should be patched immediately.

This remote code execution bug lies in the way that Internet Explorer's scripting engine handles objects in memory. Triggering this vulnerability can corrupt memory in such a way to allow arbitrary code execution using the current user's rights. This vulnerability can be triggered in a variety of ways, including via a specially crafted web page that a user visits. The full details of the vulnerability can be found here.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them as well as coverage via AMP. Please note that additional SNORTⓇ rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 48699 - 48702.

AMP coverage




It's the most wonderful time of the year – Patching

does that say patching plaster or patch faster? 😉

Remember back when Summer and Christmas break was a high time of concern.  The kids were out of college and ready to try out their skills.  Christmas was worse because so many people were out of the office; no one would notice, or if they did, the response would be limited.   Now that's what we call Tuesday afternoon.  Nowadays, the sysadmins have to deal not just with college code projects, but with insider threats, money-motivated attackers, and nation states.

This week, Microsoft's "out-of-band" security update reminded me of the old times.    An out-of-band update is simply an unscheduled one.  It's released outside the regular schedule because the vulnerability is currently being exploited.  This lends a sense of urgency.    Some companies may have already bypassed December updates because of staffing or scheduling.  Anyone in retail certainly has a change freeze in effect.  Now on top of that there is a special update for Internet Explorer.

Information about the update for Internet Explorer is available here : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653 

The post It's the most wonderful time of the year – Patching appeared first on Roger's Information Security Blog.

Microsoft Patch Tuesday — December 2018: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 38 vulnerabilities, nine of which are rated “critical” and 29 that are considered “important.” There are no “moderate” or “low” vulnerabilities in this release.

The advisories cover bugs in the Chakra scripting engine, several Microsoft Office products and the Microsoft Internet Explorer web browser.

For coverage of these vulnerabilities, check out our Snort blog post on this week's rule update.

Critical vulnerabilities


Microsoft disclosed nine critical vulnerabilities this month, which we will highlight below.

CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624 and CVE-2018-8629 are all memory corruption vulnerabilities in the Chakra scripting engine that could allow an attacker to execute code on the victim machine remotely. All of the bugs lie in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. An attacker could exploit these vulnerabilities by tricking a user into visiting a web page using Microsoft Edge, or by tricking them into clicking on specially crafted content on other sites that accept user-created content.

CVE-2018-8540 is a remote code injection vulnerability in the Microsoft .NET framework. An attacker can exploit this flaw by passing a specific input to an application utilizing vulnerable .NET methods. If successful, the attacker could take control of an affected system.

CVE-2018-8626 is a remote code execution vulnerability that exists in Windows DNS servers when they fail to properly handle requests. An attacker could run arbitrary code on an affected system if they exploit the vulnerability by sending malicious requests to a Windows DNS server. Windows servers that are configured as DNS servers are susceptible to this vulnerability.

CVE-2018-8631 is a remote code execution vulnerability in Internet Explorer. The bug lies in the way the web browser accesses objects in memory. An attacker could exploit this bug by tricking a user into visiting a specially crafted, malicious web page in Internet Explorer. If successful, the attacker could execute arbitrary code in the context of the current user.

CVE-2018-8634 is a memory corruption vulnerability in the Microsoft Edge that exists when the web browser improperly handles objects in memory. An attacker who successfully exploits this flaw by tricking a user into visiting a malicious, specially crafted web page could gain the ability to execute arbitrary code on the machine in the context of the current user.

Important vulnerabilities

This release also contains 29 important vulnerabilities, eight of which we will highlight below.

CVE-2018-8597 and CVE-2018-8636 are remote code execution vulnerabilities in Microsoft Excel that exist when the software fails to properly handle objects in memory. An attacker can exploit these bugs by tricking the user into opening a specially crafted Excel file, either via the web or as an email attachment. If successful, the attacker could gain the ability to execute arbitrary code on the system in the context of the current user.

CVE-2018-8587 is a remote code execution vulnerability in Microsoft Outlook that exists when the software fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted email attachment while using the Outlook client. If successful, the attacker could use a specially crafted file to perform actions in the security context of the current user. For example, the file could act on behalf of the logged-on user with the same permissions as the current user.

CVE-2018-8590 is a remote code execution vulnerability in Microsoft Word that exists when the software fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a malicious, specially crafted Word document, either via email, the web, or another vector.

CVE-2018-8619 is a remote code execution vulnerability that exists when the Internet Explorer VBScript execution policy improperly restricts VBScript in certain scenarios. An attacker could use this vulnerability to run arbitrary code with the permissions of the current user. A user could trigger this vulnerability if they visited a specially crafted web page using Internet Explorer.

CVE-2018-8625 is a remote code execution vulnerability in the VBScript engine. The vulnerability could corrupt memory in such a way that an attacker could execute code in the context of the current user. An attacker could trigger this flaw by tricking the user into visiting a specially crafted website on Internet Explorer. Additionally, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

CVE-2018-8628 is a remote code execution vulnerability in Microsoft PowerPoint that lies in the way the software processes objects in memory. An attacker could exploit this bug by tricking the user into opening a specially crafted, malicious PowerPoint file, which would eventually grant them the ability to execute code remotely in the context of the current user. The Preview Pane is not an attack vector for this vulnerability; the user must open the file in PowerPoint.

CVE-2018-8643 is a remote code execution vulnerability that exists in the way the scripting engine handles objects in memory in Internet Explorer. An attacker could exploit this bug by tricking a user into visiting a specially crafted web page on Internet Explorer. Additionally, they could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. If successful, the attacker could then corrupt memory in such a way that they could execute arbitrary code in the context of the current user.

The other important vulnerabilities in this release are:

Coverage

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 45142, 45143, 48509, 48510, 48513 - 48520, 48531 - 48534, 48559, 48562
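Both Talos advisories above (the out-of-band Internet Explorer post and this Patch Tuesday post) list coverage as Snort SID lists with inclusive ranges such as "48513 - 48520". The following is an added example, not Talos or Snort project code, of how a defender can audit a local rules file against such a list: it expands the coverage text into SIDs, parses `sid:` values out of rule lines, treats a leading `#` as a disabled rule, and reports what is missing or disabled. The rule lines in `SAMPLE_RULES` are constructed placeholders (the real rule bodies are not on this page); `expand_sids`, `parse_rules` and `audit` are names chosen for this example.

```python
import re
from typing import Dict, Set

# Coverage lists exactly as they appear in the two Talos advisories above.
OOB_IE_COVERAGE = "48699 - 48702"
DEC_2018_COVERAGE = "45142, 45143, 48509, 48510, 48513 - 48520, 48531 - 48534, 48559, 48562"

# Constructed sample of a local Snort rules file. The rule bodies are
# placeholders for this example, not the real Talos rule text.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"placeholder rule A"; flow:to_client,established; sid:48699; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"placeholder rule B"; flow:to_client,established; sid:48700; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"placeholder rule C"; flow:to_client,established; sid:48701; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"placeholder rule D"; flow:to_client,established; sid:48513; rev:2;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def expand_sids(coverage: str) -> Set[int]:
    """Turn 'a, b, c - d' coverage text into a set of SIDs; ranges are inclusive."""
    sids: Set[int] = set()
    for part in coverage.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x.strip()) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad SID range: {part!r}")
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sids


def parse_rules(text: str) -> Dict[int, bool]:
    """Map sid -> enabled for every rule line. A line whose first non-blank
    character is '#' is a disabled (commented-out) rule; comment lines without
    a sid option are ignored. If a sid appears twice, an enabled copy wins."""
    state: Dict[int, bool] = {}
    for line in text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if not m:
            continue
        sid = int(m.group(1))
        enabled = not stripped.startswith("#")
        state[sid] = state.get(sid, False) or enabled
    return state


def audit(coverage: str, rules_text: str) -> Dict[str, list]:
    """Compare an advisory's coverage list against a rules file."""
    required = expand_sids(coverage)
    rules = parse_rules(rules_text)
    return {
        "active": sorted(s for s in required if rules.get(s, False)),
        "disabled": sorted(s for s in required if s in rules and not rules[s]),
        "missing": sorted(s for s in required if s not in rules),
    }


if __name__ == "__main__":
    for name, coverage in (("OOB IE", OOB_IE_COVERAGE), ("Dec 2018", DEC_2018_COVERAGE)):
        report = audit(coverage, SAMPLE_RULES)
        print(f"{name}: active={report['active']} disabled={report['disabled']} missing={report['missing']}")
```

Point the `audit` call at the contents of a deployed rules file instead of `SAMPLE_RULES`; anything listed under `missing` or `disabled` means the advisory's coverage is not actually in effect on that sensor.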

Cyber Security Roundup for October 2018

Aside from Brexit, cyber threats and cyber attack accusations against Russia are very much on the centre stage of the UK government's international political agenda at the moment. The government publicly accused Russia's military 'GRU' intelligence service of being behind four high-profile cyber-attacks, and named 12 cyber groups it said were associated with the GRU. Foreign Secretary Jeremy Hunt said, "the GRU had waged a campaign of indiscriminate and reckless cyber strikes that served no legitimate national security interest".

UK Police firmly believe the two men who carried out the Salisbury poisoning in March 2018 worked for the GRU.

The UK National Cyber Security Centre said it had assessed "with high confidence" that the GRU was "almost certainly responsible" for the cyber-attacks, and also warned UK businesses to be on the alert for indicators of compromise by the Russian APT28 hacking group.  The NCSC said GRU hackers operated under a dozen different names, including Fancy Bear (APT28), and had targeted:
  • The systems database of the Montreal-based World Anti-Doping Agency (WADA), using phishing to gain passwords. Athletes' data was later published
  • The Democratic National Committee in 2016, when emails and chats were obtained and subsequently published online. The US authorities have already linked this to Russia.
  • Ukraine's Kyiv metro and Odessa airport, Russia's central bank, and two privately-owned Russian media outlets - Fontanka.ru and news agency Interfax - in October 2017. They used ransomware to encrypt the contents of a computer and demand payment
  • An unnamed small UK-based TV station between July and August 2015, when multiple email accounts were accessed and content stolen

Facebook was fined the maximum amount of £500,000 under pre-GDPR data protection laws by the UK Information Commissioner's Office (ICO) over the Cambridge Analytica scandal. Facebook could face a new ICO fine after revealing hackers had accessed the contact details of 30 million users due to a flaw with Facebook profiles. The ICO also revealed a 400% increase in reported cyber security incidents, and another report, by legal firm RPC, said the average ICO fine had doubled and to expect higher fines in the future. Heathrow Airport was fined £120,000 by the ICO in October after a staff member lost a USB stick last October containing "sensitive personal data", which was later found by a member of the public.

Notable Significant ICO Security Related Fines

Last month's British Airways website hack was worse than originally reported, as the airline disclosed a second attack, which occurred on 5th September 2018, when the payment page had 22 lines of malicious JavaScript code injected in an attack widely attributed to Magecart.  Another airline, Cathay Pacific, also disclosed it had suffered a major data breach that impacted 9.4 million customers' personal data and some credit card data.

Morrisons has lost a challenge to a High Court ruling which made it liable for a data breach, after an employee, since jailed for 8 years, stole and posted thousands of its employees' details online in 2014.  Morrisons said it would now appeal to the Supreme Court; if that appeal fails, those affected will be able to claim compensation for "upset and distress".

Interesting article on Bloomberg on "How China Used a Tiny Chip to Infiltrate U.S. Companies". However, there was a counter-narrative to the Bloomberg article on Sky News. That didn't stop Ex-Security Minister Admiral Lord West calling out the Chinese, saying Chinese IT kit 'is putting all of us at risk' if used in 5G.  He raises a valid point, given the US Commerce Department said it would restrict the export of software and technology goods from American firms to Chinese chipmaker Fujian Jinhua. BT, which uses Huawei to supply parts for its network, told Sky News that it would "apply the same stringent security measures and controls to 5G when we start to roll it out, in line with continued guidance from government". Recently there have been warnings issued by the MoD and NCSC stating a Chinese espionage group known as APT10 is attacking IT suppliers to target military and intelligence information.

NCSC is seeking feedback on the latest drafts 'knowledge areas' on CyBOK, a Cyber Security body of knowledge which it is supporting along with academics and the general security industry.

Google are finally pulling the plug on Google+, after user personal data was left exposed. Google and the other three major web browser providers in the world said, in what seems like coordinated announcements, that businesses must accept TLS Version 1.0 and 1.1 will no longer be supported after Q1 2018.

So it's time to move over to the more secure TLS V1.2 or the more secure & efficient TLS V1.3.

NEWS

Cyber Security Roundup for September 2018

September 2018 started with a data breach bang, with British Airways disclosing a significant hack and data loss. 380,000 of the airline's website and mobile app customers had their debit and credit card details lifted via a maliciously injected script.  The breach even caused BA's owner, IAG, to drop in value 4%. And to compound matters, there were several claims made that the BA website wasn't PCI DSS compliant, implying that if they had been PCI DSS compliant, their customers' personal and payment card information would still be safe.  For further details about this breach see my blog posts: British Airways Customer Data Stolen in Website and Mobile App Hack and British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected.

Facebook continues to make all the wrong kind of privacy headlines after a massive user data breach was confirmed by the social media giant at the end of the month. Facebook said at least 50 million users' data was at risk after hackers exploited a vulnerability in the Facebook code. Facebook CEO Mark Zuckerberg said he doesn't know who is behind the cyber attack; however, the FBI are investigating.

There was a good measure of embarrassment at the Tory Conference after a flaw in the conference app revealed the personal data of senior UK government cabinet ministers, with Boris Johnson, Michael Gove and Gavin Williamson among those whose personal information and phone numbers were made available.

There were a number of large data breach fines handed out in September. Tesco Bank was hit by a whopping £16.4 million fine by the Financial Conduct Authority (FCA); the fine would have been doubled if it weren't for Tesco's good co-operation with the FCA investigation. The FCA said Tesco had security deficiencies which left their bank account holders vulnerable to a cyber attack in November 2016. The attack netted the bad guys, via 34 transactions, a cool £2.26 million. The FCA report said the cyber criminals had exploited weaknesses in the bank's design of its debit card, its financial crime controls and its financial crime operations team, to carry out the attack over a 48-hour period.

Equifax was fined the maximum pre-GDPR law amount of £500K by the Information Commissioner's Office (ICO) after the US-based credit reference agency failed to protect the personal data of 15 million UK citizens. The ICO ruled Equifax's UK branch had "failed to take appropriate steps" to protect UK citizens' data. It added that "multiple failures" meant personal information had been kept longer than necessary and left vulnerable.

The ICO also fined Bupa £175K, for not having good enough security to prevent the theft of 547,000 customer records by an employee.  Uber has paid £133m to settle legal claims by customers and drivers, as a result of trying to cover up from their regulators a huge breach which occurred in 2016. The ride-hailing company admitted to paying off hackers to the tune of $100,000 to delete the data they robbed from Uber's cloud servers. The personal data stolen was from 57 million Uber accounts, and also included information about 600,000 driving licence numbers.

Looks like the MoD and GCHQ are looking to beef up Britain's cyber offence capabilities, announcing a plan to recruit a 2,000-strong 'cyber force' to take on the Russian threat. Meanwhile across the pond, the Mirai creators have done a deal to keep themselves out of jail in return for helping the FBI catch cybercrooks, which has echoes of the approach the FBI took with con artist and cheque fraud expert Frank Abagnale, the subject of the book and movie "Catch Me if You Can".

Bristol Airport was impacted by a ransomware attack, which took down their arrival and departure screens for a couple of days, and a Scottish brewery was also hit by a ransomware attack through an infected CV it had received through an online job advertisement.

Europol warned of 15 ways you could become a cyber crime victim, and there was an excellent article in the New York Times on the Bangladesh Central Bank cyber theft.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Cyber Security Roundup for August 2018

The largest data breach disclosed this month was by T-Mobile; the telecoms giant said there had been "unauthorised access" to potentially 2 million of their 77 million customer accounts. According to the media, a hacker took advantage of a vulnerability in a T-Mobile API (application programming interface). A vulnerable API used by the Air Canada mobile app was also exploited, resulting in the compromise of 20,000 Air Canada customer accounts. Air Canada promptly forced a password change to all of its 77 million customer accounts as a result; however, the airline faced criticism from security experts for advising a weak password strength, namely a password length of 8, made up of just characters and digits. Both of these hacks underline the importance of regularly penetration testing apps and their supporting infrastructure, including their APIs.

Hackers stole up to 34,000 Butlin's guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in a hack last year from 1.2 million to 10 million, which includes 5.9 million payment cards. There was no explanation offered by Dixons as to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.

Huawei continues to face scrutiny over the security of their products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16 year old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.

On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups, by taking down six domains which hosted mimicked websites that were likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese hotel group's 140GB customer database was found for sale on the dark web. The PGA golf championship was hit by ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, which is said to be responsible for stealing millions of credit card and customer details from businesses across the world.

On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigator (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month; the highlight was a demonstration of a vulnerability found by Secarma researchers, namely a PHP flaw which places CMS sites at risk of remote code execution.

There were plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe; the latter firm released several out-of-band patches during August. A critical update was released for Apache Struts (a popular web application framework), and there was a reminder that fax machines and all-in-one network devices could be used as a way into corporate networks by hackers.

Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month: Cyber-Attack! Would your firm handle it better than this? and Unpicking the Cyber-Crime Economy.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Cyber Security Roundup for July 2018

The importance of assuring the security and testing quality of third-party provided applications is more than evident when you consider an NHS-reported data breach of 150,000 patient records this month. The NHS said the breach was caused by a coding error in a GP application called SystmOne, developed by UK-based 'The Phoenix Partnership' (TPP). The same assurances also apply to internally developed applications; a case in point was a publicly announced flaw in Thomas Cook's booking system discovered by a Norwegian security researcher. The researcher used the app flaw to access the names and flight details of Thomas Cook passengers and released the details on his blog. Thomas Cook said the issue has since been fixed.

Third-party services also need to be security assured, as seen with the Typeform compromise. Typeform is a data collection company; on 27th June, hackers gained unauthorised access to one of its servers and accessed customer data. According to their official notification, Typeform said the hackers may have accessed the data held on a partial backup, and that they had fixed a security vulnerability to prevent reoccurrence. Typeform has not provided any details of the number of records compromised, but one of their customers, Monzo, said on its official blog that it was in the region of 20,000. Interestingly, Monzo also declared it would end its relationship with Typeform unless it wins their trust back. Travelodge is one UK company known to be impacted by the Typeform breach and has warned its impacted customers. Typeform is used to manage Travelodge's customer surveys and competitions.

Other companies known to be impacted by the Typeform breach include:

The Information Commissioner's Office (ICO) fined Facebook £500,000, the maximum possible, over the Cambridge Analytica data breach scandal, which impacted some 87 million Facebook users. Fortunately for Facebook, the breach occurred before the General Data Protection Regulation came into force in May, as the new GDPR empowers the ICO with much tougher financial penalties designed to bring tech giants to book; let's be honest, £500k is petty cash for the social media giant.
Facebook-Cambridge Analytica data scandal
Facebook reveals its data-sharing VIPs
Cambridge Analytica boss spars with MPs

A UK government report criticised the security of Huawei products, concluding the government had "only limited assurance" that Huawei kit posed no threat to UK national security. I remember being concerned many years ago when I heard BT had ditched US Cisco routers for Huawei routers to save money; not much was said about the national security aspect at the time. The UK gov report was written by the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 in response to concerns about BT's and other UK companies' reliance on the Chinese manufacturer's devices; by the way, that body is overseen by GCHQ.

Banking hacking group "MoneyTaker" has struck again, this time stealing a reported £700,000 from a Russian bank according to Group-IB. The group is thought to be behind several other hacking raids against UK, US, and Russian companies. The gang compromised a router which gave them access to the bank's internal network; from that entry point, they were able to find the specific system used to authorise cash transfers and then set up the bogus transfers to cash out £700K.


NEWS

Cyber Security Roundup for June 2018

Dixons Carphone said hackers attempted to compromise 5.9 million payment cards and accessed 1.2 million personal data records. The company, which was heavily criticised for poor security and fined £400,000 by the ICO in January after being hacked in 2015, said in a statement the hackers had attempted to gain access to one of the processing systems of Currys PC World and Dixons Travel stores. The statement confirmed 1.2 million personal records had been accessed by the attackers. No details were disclosed explaining how hackers were able to access such large quantities of personal data, just a typical cover statement of "the investigation is still ongoing".  It is likely this incident occurred before the GDPR law kicked in at the end of May, so the company could be spared the new, more significant financial penalties and sanctions the GDPR gives the ICO, but it is certainly worth watching the ICO response to a repeat offender which had already received a record ICO fine this year. The ICO (statement) and the NCSC (statement) have both released statements about this breach.

Ticketmaster reported the data theft of up to 40,000 UK customers, which was caused by a security weakness in a customer support app hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. Ticketmaster informed affected customers to reset their passwords and has offered impacted customers a free 12-month identity monitoring service with a leading provider. No details were released on how the hackers exploited the app to steal the data; it is likely to have been a malware-based attack. However, there are questions on whether Ticketmaster disclosed and responded to the data breach quickly enough, after digital banking company Monzo claimed the Ticketmaster website showed up as a CPP (Common Point of Purchase) in an above-average number of recent fraud reports. The company noticed 70% of fraudulent transactions with stolen payment cards had used the Ticketmaster site between December 2017 and April 2018. The UK's National Cyber Security Centre said it was monitoring the situation.

TSB customers were targeted by fraudsters after major issues with their online banking systems were reported. The TSB technical issues were caused by a botched system upgrade rather than hackers. TSB bosses admitted 1,300 UK customers had lost money to cyber crooks during its IT meltdown; all were said to be fully reimbursed by the bank.

The Information Commissioner's Office (ICO) issued Yahoo a £250,000 fine after an investigation into the company's 2014 breach, which is a pre-GDPR fine. Hackers were able to exfiltrate 191 server backup files from the internal Yahoo network. These backups held the personal details of 8.2 million Yahoo users, including names, email addresses, telephone numbers, dates of birth, hashed passwords and other security data. The breach only came to light as the company was being acquired by Verizon.

Facebook woes continue; this time a bug changed the default sharing setting of 14 million Facebook users to "public" between 18th and 22nd May.  Users who may have been affected were said to have been notified on the site's newsfeed.

Chinese Hackers were reported as stealing secret US Navy missile plans. It was reported that Chinese Ministry of State Security hackers broke into the systems of a contractor working at the US Naval Undersea Warfare Center, lifting a massive 614GB of secret information, which included the plans for a supersonic anti-ship missile launched from a submarine. The hacks occurred in January and February this year according to a report in the Washington Post.

Elon Musk (Tesla CEO) claimed an insider sabotaged code and stole confidential company information.  According to CNBC, in an email to staff, Elon wrote "I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties". Tesla has filed a lawsuit accusing a disgruntled former employee of hacking into the systems and passing confidential data to third parties. In the lawsuit, it said the stolen information included photographs and video of the firm's manufacturing systems, and the business had suffered "significant and continuing damages" as a result of the misconduct.

Elsewhere in the world, FastBooking had 124,000 customer accounts stolen after hackers took advantage of a web application vulnerability to install malware and exfiltrate data. Atlanta Police dashcam footage was hit by ransomware.  And US company HealthEquity had 23,000 customers' data stolen after a staff member fell for a phishing email.

IoT Security
The Wi-Fi Alliance announced WPA3, the next generation of wireless security, which is more IoT device friendly, more user-friendly, and more secure than WPA2, which recently had a security weakness reported (see the KRACK vulnerability). BSI announced they are developing a new standard for IoT devices and apps called ISO 23485. A Swann home security camera system sent a private video to the wrong user; this was said to have been caused by a factory error.  For guidance on IoT security see my guidance, Combating IoT Cyber Threats.

As always, it was a busy month for security patching: Microsoft released 50 patches, 11 of which were rated critical. Adobe released its monthly Flash Player fix and a critical patch for a zero-day bug being actively exploited. Cisco released patches addressing 34 vulnerabilities, five of them critical, plus a critical patch for its Access Control System. Mozilla issued a critical patch for the Firefox web browser.


Cyber Security Roundup for April 2018

The fallout from the Facebook privacy scandal rumbled on throughout April and culminated with the closure of the company at the centre of the scandal, Cambridge Analytica.
Ikea was forced to shut down its freelance labour marketplace app and website 'TaskRabbit' following a 'security incident'. Ikea advised users of TaskRabbit to change their credentials if they had used them on other sites, suggesting a significant database compromise.

TSB bosses came under fire after a botched upgrade to their online banking system, which meant the Spanish-owned bank had to shut down its online banking facility, locking out over 5 million TSB customers. Cybercriminals were quick to take advantage of TSB's woes.

Great Western Railway reset the passwords of more than a million customer accounts following a breach by hackers; US bank SunTrust reported that an ex-employee stole 1.5 million client records; an NHS website was defaced by hackers; and US retailers Saks and Lord & Taylor had 5 million payment cards stolen after a staff member was successfully phished by a hacker.

The UK National Cyber Security Centre (NCSC) blacklisted China's state-owned firm ZTE, warning UK telecoms providers that use of ZTE equipment could pose a national security risk. Interestingly, BT formed a research and development partnership with ZTE in 2011 and has distributed ZTE modems. The NCSC, along with the United States government, released statements accusing Russia of large-scale cyber campaigns aimed at compromising vast numbers of Western network devices.

IBM released its 2018 X-Force Report, a comprehensive report which found, for the second year in a row, that the financial services sector was the most targeted by cybercriminals, typically with sophisticated banking malware such as Zeus, TrickBot and Gootkit. NTT Security released its 2018 Global Threat Intelligence Report, which unsurprisingly confirmed that ransomware attacks had increased by 350% last year.

A concerning report by the EEF said UK manufacturers' IT systems are often outdated and highly vulnerable to cyber threats, with nearly half of all UK manufacturers having already been victims of cybercrime. An Electropages blog questioned whether the boom in public cloud service adoption opens the door to cybercriminals.

Finally, it was yet another frantic month of security updates, with critical patches released by Microsoft, Adobe, Apple, Intel, Juniper, Cisco, and Drupal.


Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

Introduction

FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.

Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. If configured to do so, the malware communicates with its command and control (C2) server over the Tor network. It can download several plugins, including ones for cryptocurrency mining and for recovering passwords from browsers and email software. Zyklon also gives its operator a mechanism to monitor the spread and impact of a campaign.

Infection Vector

We have observed this recent wave of Zyklon malware being delivered primarily through spam emails. The email typically arrives with an attached ZIP file containing a malicious DOC file (Figure 1 shows a sample lure).

The following industries have been the primary targets in this campaign:

  • Telecommunications
  • Insurance
  • Financial Services


Figure 1: Sample lure documents

Attack Flow

  1. A spam email arrives in the victim's mailbox with a ZIP attachment containing a malicious DOC file.
  2. The document exploits at least three known Microsoft Office weaknesses (two vulnerabilities and the DDE feature), discussed in the Infection Techniques section. Upon execution in a vulnerable environment, a PowerShell-based payload takes over.
  3. The PowerShell script downloads the final payload from the C2 server and executes it.

A visual representation of the attack flow and execution chain can be seen in Figure 2.


Figure 2: Zyklon attack flow

Infection Techniques

CVE-2017-8759

This vulnerability was discovered by FireEye in September 2017, and we have observed it being exploited in the wild.

The DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3).


Figure 3: Embedded URL in OLE object

CVE-2017-11882

Similarly, we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office. Upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object (seen in Figure 4).


Figure 4: Embedded URL in OLE object


Figure 5: HTTP GET request to download the next level payload

The downloaded file, doc.doc, is XML-based and contains a PowerShell command (shown in Figure 6) that subsequently downloads Pause.ps1, itself a PowerShell script.


Figure 6: PowerShell command to download the Pause.ps1 payload

Dynamic Data Exchange (DDE)

Dynamic Data Exchange (DDE) is a legacy Windows interprocess communication mechanism that Office documents can invoke through a field; here it is abused to run a command rather than to exploit a memory-corruption bug. With the help of a PowerShell script (shown in Figure 7), the next payload (Pause.ps1) is downloaded.


Figure 7: DDE technique used to download the Pause.ps1 payload

One notable technique is the use of dot-less IP addresses in the download URL (example: hxxp://258476380): the 32-bit address is written as a single decimal integer, which Windows URL parsers accept but naive IP matching and URL filters may not recognize.
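
As an added example (not code from the FireEye report), the following Python normalizes such numeric hosts to dotted-quad form before matching them against an indicator list such as the one at the end of this post. It goes slightly beyond the decimal form quoted above and also handles the hexadecimal, octal and short two- or three-part IPv4 spellings that the same parsers accept; the sample URLs are constructed for the example, and the quoted host 258476380 decodes to 15.104.9.92.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs (not taken from the report). The first mirrors the
# dot-less decimal form quoted above; the others are alternative numeric
# spellings of the same host that Windows URL parsers also accept.
SAMPLE_URLS = [
    "hxxp://258476380",                    # decimal, as in the report (defanged)
    "http://0x0F68095C/Pause.ps1",         # hexadecimal
    "http://017.0150.011.0134/Pause.ps1",  # dotted octal
    "http://15.104.9.92:8080/Pause.ps1",   # plain dotted quad with port
    "http://warnono.punkdns.top/x",        # hostname: left untouched
]


def _parse_part(token: str) -> int:
    """Parse one component of a numeric IPv4 literal (hex, octal or decimal)."""
    if token.lower().startswith("0x"):
        return int(token[2:], 16)
    if len(token) > 1 and token.startswith("0"):
        return int(token, 8)
    return int(token, 10)


def normalize_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of a numeric IPv4 host (1 to 4 parts),
    or None if the host is not a numeric IPv4 literal."""
    try:
        values = [_parse_part(p) for p in host.split(".")]
    except ValueError:
        return None
    if not 1 <= len(values) <= 4:
        return None
    head, last = values[:-1], values[-1]
    # Leading parts are single octets; the last part fills the remaining bytes
    # (so "a.b" means a<<24 | b, and a bare integer is the whole address).
    if any(v < 0 or v > 255 for v in head) or not 0 <= last < (1 << (8 * (5 - len(values)))):
        return None
    n = last
    for i, v in enumerate(head):
        n |= v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(n))


def normalize_url(url: str) -> str:
    """Rewrite a numeric IPv4 host inside a URL (including defanged hxxp://
    forms) to dotted-quad notation so it can be matched against IOC lists.
    URLs whose host is a name, or not parseable, are returned unchanged.
    IPv6 literals in brackets are not handled."""
    parts = urlsplit(url)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    dotted = normalize_host(host)
    if dotted is None:
        return url
    netloc = (userinfo + "@" if userinfo else "") + dotted + (":" + port if port else "")
    return urlunsplit(parts._replace(netloc=netloc))


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:40} -> {normalize_url(u)}")
```

Run the normalization on URLs extracted from proxy logs or from the downloader document itself before comparing them with blocklists; the same function also catches the `a.b` and `a.b.c` short forms that `ipaddress` alone rejects.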

Figure 8 shows the network communication of the Pause.ps1 download.


Figure 8: Network communication to download the Pause.ps1 payload

Zyklon Delivery

In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded (as seen in Figure 8).

The Pause.ps1 script is responsible for resolving the APIs required for code injection, and it also contains the injectable shellcode. The resolved APIs include VirtualAlloc(), memset() and CreateThread(): the standard sequence for allocating executable memory, copying the shellcode into it, and running it on a new thread. Figure 9 shows the decoded Base64 code.


Figure 9: Base64 decoded Pause.ps1

The injected code is responsible for downloading the final payload from the server (see Figure 10). The final-stage payload is a PE executable compiled with the .NET Framework.


Figure 10: Network traffic to download final payload (words.exe)

Once executed, the file performs the following activities:

  1. Drops a copy of itself as %AppData%\svchost.exe\svchost.exe (the legitimate svchost.exe lives in %SystemRoot%\System32, so this path is itself an indicator) and drops an XML file containing a Task Scheduler configuration (as shown in Figure 11).
  2. Unpacks the code in memory via process hollowing. The MSIL file contains the packed core payload in its .NET resource section.
  3. The unpacked code is Zyklon.


Figure 11: XML configuration file to schedule the task
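
The scheduled-task XML is where this persistence is declared, so here is an added Python check (not from the report) that parses a Task Scheduler definition and flags the properties that make this one suspicious: an action under a user-writable path, a system-binary name outside System32, a hidden task, and a logon trigger. Both task definitions below are constructed to match the description above; the real XML dropped by the sample is not reproduced on this page.

```python
import xml.etree.ElementTree as ET
from typing import List

# Task Scheduler XML namespace (fixed for Task 1.x documents)
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed task definition modelled on the behaviour described above
# (not the XML from the actual sample): a hidden, logon-triggered task whose
# action is an svchost.exe lookalike under %AppData%.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>%AppData%\svchost.exe\svchost.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: the real svchost.exe, visible, on a schedule.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2018-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec>
  </Actions>
</Task>"""

USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%",
                 "%public%", "%programdata%", "c:\\users\\", "c:\\programdata\\")
SYSTEM_DIRS = ("%systemroot%\\system32", "%windir%\\system32", "c:\\windows\\system32",
               "%systemroot%\\syswow64", "%windir%\\syswow64", "c:\\windows\\syswow64")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "wininit.exe", "explorer.exe", "dllhost.exe", "conhost.exe"}


def triage_task_xml(xml_text) -> List[str]:
    """Return human-readable findings for a Task Scheduler XML definition.
    Exported .xml files are UTF-16 with a BOM: pass the raw bytes (ET accepts
    bytes), and use defusedxml instead of ET for untrusted input."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    for exec_node in root.iter(NS + "Exec"):
        cmd = (exec_node.findtext(NS + "Command") or "").strip().strip('"')
        low = cmd.lower().replace("/", "\\")
        base = low.rsplit("\\", 1)[-1]
        if low.startswith(USER_WRITABLE):
            findings.append(f"action runs from a user-writable path: {cmd}")
        if base in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
            findings.append(f"system binary name outside System32: {cmd}")
    if (root.findtext(f"{NS}Settings/{NS}Hidden") or "").strip().lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    triggers = root.find(NS + "Triggers")
    for trig in (triggers if triggers is not None else []):
        tag = trig.tag.replace(NS, "")
        if tag in ("LogonTrigger", "BootTrigger", "RegistrationTrigger"):
            findings.append(f"persistence-style trigger: {tag}")
    return findings
```

On a live host the same check can be run over every file under %SystemRoot%\System32\Tasks (those are the registered definitions, stored without an extension); none of the individual findings is conclusive on its own, but the combination seen here is.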

The Zyklon malware first retrieves the external IP address of the infected machine using the following:

  • api.ipify[.]org
  • ip.anysrc[.]net
  • myexternalip[.]com
  • whatsmyip[.]com

The Zyklon executable contains another encrypted file in its .NET resource section named tor. This file is decrypted and injected into an instance of InstallUtil.exe, and functions as a Tor anonymizer.

Command & Control Communication

The C2 communication of Zyklon is proxied through the Tor network. The malware sends a POST request to the C2 URL, formed by appending gate.php to the server address stored in the binary, with the parameter getkey=y. In response, the C2 server returns a Base64-encoded RSA public key (seen in Figure 12).


Figure 12: Zyklon public RSA key

After the connection is established with the C2 server, the malware can communicate with its control server using the commands shown in Table 1.

Command    Action
sign       Requests system information
settings   Requests settings from C2 server
logs       Uploads harvested passwords
wallet     Uploads harvested cryptocurrency wallet data
proxy      Indicates SOCKS proxy port opened
miner      Cryptocurrency miner commands
error      Reports errors to C2 server
ddos       DDoS attack commands

Table 1: Zyklon accepted commands

The following figures show the initial request and subsequent server response for the “settings” (Figure 13), “sign” (Figure 14), and “ddos” (Figure 15) commands.


Figure 13: Zyklon issuing “settings” command and subsequent server response


Figure 14: Zyklon issuing “sign” command and subsequent server response


Figure 15: Zyklon issuing “ddos” command and subsequent server response

Plugin Manager

Zyklon downloads a number of plugins from its C2 server. The plugin URL is stored in the binary in the following format:

  • /plugin/index.php?plugin=<Plugin_Name>

The following plugins are found in the memory of the Zyklon malware:

  • /plugin/index.php?plugin=cuda
  • /plugin/index.php?plugin=minerd
  • /plugin/index.php?plugin=sgminer
  • /plugin/index.php?plugin=socks
  • /plugin/index.php?plugin=tor
  • /plugin/index.php?plugin=games
  • /plugin/index.php?plugin=software
  • /plugin/index.php?plugin=ftp
  • /plugin/index.php?plugin=email
  • /plugin/index.php?plugin=browser

The downloaded plugins are injected into Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, a signed Microsoft utility, so the plugin code runs under a trusted process name.

Additional Features

The Zyklon malware offers the following additional capabilities (via plugins):

Browser Password Recovery

Zyklon HTTP can recover passwords from popular web browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera Browser
  • Chrome Canary/SXS
  • CoolNovo Browser
  • Apple Safari
  • Flock Browser
  • SeaMonkey Browser
  • SRWare Iron Browser
  • Comodo Dragon Browser

FTP Password Recovery

Zyklon currently supports FTP password recovery from the following FTP applications:

  • FileZilla
  • SmartFTP
  • FlashFXP
  • FTPCommander
  • Dreamweaver
  • WS_FTP

Gaming Software Key Recovery

Zyklon can recover PC Gaming software keys from the following games:

  • Battlefield
  • Call of Duty
  • FIFA
  • NFS
  • Age of Empires
  • Quake
  • The Sims
  • Half-Life
  • IGI
  • Star Wars

Email Password Recovery

Zyklon may also collect email passwords from following applications:

  • Microsoft Outlook Express
  • Microsoft Outlook 2002/XP/2003/2007/2010/2013
  • Mozilla Thunderbird
  • Windows Live Mail 2012
  • IncrediMail
  • Foxmail v6.x - v7.x
  • Windows Live Messenger
  • MSN Messenger
  • Google Talk
  • GMail Notifier
  • PaltalkScene IM
  • Pidgin (Formerly Gaim) Messenger
  • Miranda Messenger
  • Windows Credential Manager

License Key Recovery

The malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero.

Socks5 Proxy

Zyklon features the ability to establish a reverse Socks5 proxy server on infected host machines.

Hijack Clipboard Bitcoin Address

Zyklon has the ability to hijack the clipboard, and replaces the user’s copied bitcoin address with an address served up by the actor’s control server.

Zyklon Pricing

Researchers identified different versions of Zyklon HTTP being advertised in a popular underground marketplace for the following prices:

  • Normal build: $75 (USD)
  • Tor-enabled build: $125 (USD)
  • Rebuild/Updates: $15 (USD)
  • Payment Method: Bitcoin (BTC)

Conclusion

Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increases the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.

At the time of writing, the FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat. Table 2 lists the current detection and blocking capabilities by product.

Detection Name                              Product     Action
POWERSHELL DOWNLOADER D (METHODOLOGY)       HX          Detect
SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)   HX          Detect
POWERSHELL DOWNLOADER (METHODOLOGY)         HX          Detect
SUSPICIOUS EQNEDT USAGE (METHODOLOGY)       HX          Detect
TOR (TUNNELER)                              HX          Detect
SUSPICIOUS SVCHOST.EXE (METHODOLOGY)        HX          Detect
Malware.Binary.rtf                          EX/ETP/NX   Block
Malware.Binary                              EX/ETP/NX   Block
FE_Exploit_RTF_CVE_2017_8759                EX/ETP/NX   Block
FE_Exploit_RTF_CVE201711882_1               EX/ETP/NX   Block

Table 2: Current detection capabilities by FireEye products

Indicators of Compromise

The contained analysis is based on the representative sample lures shown in Table 3.

MD5                               Name
76011037410d031aa41e5d381909f9ce  accounts.doc
4bae7fb819761a7ac8326baf8d8eb6ab  Courrier.doc
eb5fa454ab42c8aec443ba8b8c97339b  doc.doc
886a4da306e019aa0ad3a03524b02a1c  Pause.ps1
04077ecbdc412d6d87fc21e4b3a4d088  words.exe

Table 3: Sample Zyklon lures

Network Indicators
  • 154.16.93.182
  • 85.214.136.179
  • 178.254.21.218
  • 159.203.42.107
  • 217.12.223.216
  • 138.201.143.186
  • 216.244.85.211
  • 51.15.78.0
  • 213.251.226.175
  • 93.95.100.202
  • warnono.punkdns.top

Uh Oh 365

In an earlier post, I talked about how some vendors tend to push enterprises into a weaker security posture. In this post, I continue with information relating to Office 365. Microsoft’s cloud implementation of the Office suite is mind boggling in its complexity and sheer want of native connectivity. If you are using a proxy, […]

Acknowledgement of Attacks Leveraging Microsoft Zero-Day

FireEye recently detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.

FireEye shared the details of the vulnerability with Microsoft and has been coordinating for several weeks public disclosure timed with the release of a patch by Microsoft to address the vulnerability. After recent public disclosure by another company, this blog serves to acknowledge FireEye’s awareness and coverage of these attacks.

FireEye email and network solutions detect the malicious documents as: Malware.Binary.Rtf.

Attack Scenario

The attack involves a threat actor emailing a Microsoft Word document with an embedded OLE2link object to a targeted user. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious .hta file disguised as an RTF file. The Microsoft HTML Application host (mshta.exe) loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.

The exploit bypasses most mitigations; however, as noted above, FireEye email and network products detect the malicious documents. Microsoft Office users are recommended to apply the patch as soon as it is available.

Acknowledgements

FLARE Team, FireEye Labs Team, FireEye iSIGHT Intelligence, and Microsoft Security Response Center (MSRC).

Second Circuit Holds Microsoft Cannot Be Compelled to Turn Over Emails Stored Abroad

This post has been updated. 

On July 14, 2016, the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation (“Microsoft”) cannot be compelled to turn over customer emails stored abroad to U.S. law enforcement authorities.

As we previously reported, in April 2014 a judge in the U.S. District Court for the Southern District of New York ruled that Microsoft must release user data to U.S. law enforcement when issued a search warrant under the Stored Communications Act (“SCA”), even if the data is stored outside of the U.S. The case stems from a search warrant seeking the contents of all emails, records and other information regarding one of Microsoft’s email users. Microsoft complied with the warrant by producing “non-content” information related to the account (which is stored on U.S. servers), but refused to turn over the contents of the emails that are stored on a server in Ireland. The company argued that U.S. courts are not authorized to issue warrants for extraterritorial search and seizure of emails. The district court judge found that a search warrant for online data is unlike a conventional warrant, stating that if it were treated like a conventional warrant, the burden on the government would be substantial and law enforcement efforts would be impeded.

In reaching its decision to overturn the lower court’s ruling, the Second Circuit held that “Congress did not intend the [SCA’s] warrant provisions to apply extraterritorially…[and] the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.”

UPDATE: On January 25, 2017, the U.S. Court of Appeals for the Second Circuit denied the U.S. Department of Justice’s (“DOJ’s”) request for a rehearing of the case. The DOJ might seek to appeal the decision to the U.S. Supreme Court.

Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

Attack Process

The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

  1. Target receives and opens a Word document.
  2. Macro in document is invoked to run PowerShell in hidden mode.
  3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
  4. On successful connection, the ransomware is written to the disk of the victim.
  5. PowerShell executes the ransomware.
  6. The malware configures multiple concurrent persistence mechanisms: Command Processor AutoRun, screensaver, Startup folder, Run and RunOnce entries.
  7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
  8. Files are encrypted and messages are presented to the user requesting payment.

Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

PowerShell Abuse

When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

In this case we observed the macro code invoking PowerShell with an execution-policy bypass, a hidden window and a Base64-encoded command, so that PowerShell would download the ransomware and execute it without the victim's knowledge.

Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

Cerber in Action

Initial payload behavior

Upon execution, Cerber checks where it is being launched from. Unless it is running from a specific location (%APPDATA%\<GUID>), it creates a copy of itself in the victim's %APPDATA% folder under a filename picked pseudo-randomly from the names in the %WINDIR%\system32 folder.

If the malware is not yet running from that folder, then after eliminating any blacklisted filenames from an internal list it creates a renamed copy of itself under "%APPDATA%\<GUID>" using a pseudo-randomly selected name from the "system32" directory, executes the copy from the new location, and then cleans up after itself.

Shadow deletion

As with many other ransomware families, Cerber bypasses UAC checks, deletes any volume shadow copies and disables the automatic Windows recovery options so the victim cannot roll back. It does this by launching the following processes with the respective arguments:

vssadmin.exe delete shadows /all /quiet

wmic.exe shadowcopy delete

bcdedit.exe /set {default} recoveryenabled no

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Coercion

People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

Figure 2. A message to the victim after encryption

The ransomware authors attempt to incentivize the victim into paying quickly by offering a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.

Figure 3. Ransom offered to victim, which is discounted for five days

Multilingual Support

As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

Figure 4. Interface provided to the victim to pay the ransom supports 12 languages

Encryption

Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as .ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

Selective Targeting

Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

The attack also checked the system's keyboard layout (Windows input locale identifiers) to further ensure it avoided infecting machines in the attackers' region: 1049—Russian, 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

Anti VM Checks

The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.

Persistence

Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

  • A registry value (SCRNSAVE.EXE under HKCU\Control Panel\Desktop) is set to launch the malware instead of the screensaver when the system becomes idle.
  • The Command Processor AutoRun value (HKCU\Software\Microsoft\Command Processor\AutoRun) is changed to point to the Cerber payload, so the malware is launched each time the Windows command interpreter, cmd.exe, starts.
  • A shortcut (.lnk) file is added to the Startup folder. It references the ransomware, and Windows executes it immediately after the infected user logs in.
  • Common persistence methods such as the Run and RunOnce keys are also used.
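
The attack process listed earlier, the vssadmin/wmic/bcdedit commands under Shadow deletion, the PowerShell launch flags under PowerShell Abuse and the persistence entries just listed are all visible to endpoint telemetry, so as an added example (not FireEye's detection logic) here is a small rule set run over a constructed Sysmon-style event stream. The events, rule names, file names and paths are assumptions made for the example; Cerber's actual random file name and GUID folder are represented by stand-ins.

```python
import re
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]

# Constructed event stream (not from the original report), in the shape a
# Sysmon-style sensor emits: process creations with parent/image/cmdline,
# registry value writes, and file creations. It replays the chain described
# above and ends with two benign events to show the rules stay quiet on them.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Ep Bypass -Enc SQBFAFgAIAAuAC4ALgA="},
    {"type": "process", "parent": "powershell.exe", "image": r"C:\Users\victim\AppData\Roaming\profilest.exe",
     "cmdline": "profilest.exe"},
    {"type": "process", "parent": "profilest.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "parent": "profilest.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "WMIC.exe shadowcopy delete"},
    {"type": "process", "parent": "profilest.exe", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"type": "process", "parent": "profilest.exe", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "registry", "key": r"HKCU\Control Panel\Desktop", "value": "SCRNSAVE.EXE",
     "data": r"C:\Users\victim\AppData\Roaming\{GUID}\profilest.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Command Processor", "value": "AutoRun",
     "data": r"C:\Users\victim\AppData\Roaming\{GUID}\profilest.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "profilest",
     "data": r"C:\Users\victim\AppData\Roaming\{GUID}\profilest.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "value": "profilest",
     "data": r"C:\Users\victim\AppData\Roaming\{GUID}\profilest.exe"},
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\profilest.lnk"},
    # benign noise
    {"type": "process", "parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry", "key": r"HKCU\Control Panel\Desktop", "value": "Wallpaper", "data": r"C:\Users\victim\Pictures\bg.jpg"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

PROCESS_RULES = [
    ("shadow_copy_deletion",
     re.compile(r'\b(vssadmin(\.exe)?\s+"?delete\s+shadows|wmic(\.exe)?\s+"?shadowcopy\s+delete)\b', re.I)),
    ("boot_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    # hidden window plus either an encoded command or an execution-policy bypass
    ("hidden_encoded_powershell",
     re.compile(r"\bpowershell(\.exe)?\b(?=.*\s-w(indowstyle)?\s+hidden\b)"
                r"(?=.*\s-(e|ec|enc|encodedcommand|ep\s+bypass|executionpolicy\s+bypass)\b)", re.I)),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _registry_rules(key: str, value: str) -> List[str]:
    """Persistence locations named in the text, matched on key path and value name."""
    k, v = key.lower(), value.lower()
    names = []
    if re.search(r"\\windows\\currentversion\\(run|runonce)$", k):
        names.append("run_key_persistence")
    if k.endswith("\\control panel\\desktop") and v == "scrnsave.exe":
        names.append("screensaver_hijack")
    if k.endswith("\\command processor") and v == "autorun":
        names.append("command_processor_autorun")
    return names


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Run every rule over the events; return (rule_name, event_index) pairs."""
    hits: List[Tuple[str, int]] = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            if _basename(ev.get("parent", "")) in OFFICE_APPS and _basename(ev["image"]) in SCRIPT_HOSTS:
                hits.append(("office_spawns_script_host", i))
            for name, rx in PROCESS_RULES:
                if rx.search(ev["cmdline"]):
                    hits.append((name, i))
        elif ev["type"] == "registry":
            for name in _registry_rules(ev["key"], ev["value"]):
                hits.append((name, i))
        elif ev["type"] == "file":
            p = ev["path"].lower().replace("/", "\\")
            if "\\start menu\\programs\\startup\\" in p and p.endswith(".lnk"):
                hits.append(("startup_folder_lnk", i))
    return hits


def rules_hit(events: List[Event]) -> Set[str]:
    return {name for name, _ in detect(events)}


def looks_like_ransomware_chain(events: List[Event]) -> bool:
    """Backup destruction plus persistence in one stream is the combination
    worth paging on, whichever binary produced it."""
    hit = rules_hit(events)
    backup_destruction = {"shadow_copy_deletion", "boot_recovery_disabled"}
    persistence = {"run_key_persistence", "screensaver_hijack", "command_processor_autorun", "startup_folder_lnk"}
    return bool(hit & backup_destruction) and bool(hit & persistence)
```

The rules key on behaviour (what was launched, which keys were written) rather than on the payload's hash, which is why the per-download recompilation noted under PowerShell Abuse does not help the attacker here; the shadow-copy and bcdedit rules fire on the second step of the chain, well before files are encrypted.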

A Solid Defense

Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.

FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.

Conclusion

Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

Traditional defenses don't have the granular view required to do this, nor can they connect the dots between discrete individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has transpired, or is transpiring. This can only be done if those professionals have the right tools and the visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real time. Also, at FireEye, we go one step further and contact relevant authorities to bring down these types of campaigns.

Click here for more information about Exploit Guard technology.

NTIA Announces Cybersecurity Stakeholder Meeting

On July 9, 2015, the National Telecommunications and Information Administration (“NTIA”) announced the launch of its first cybersecurity multistakeholder process, in which representatives from across the security and technology industries will meet in September to discuss vulnerability research disclosure.

This process is the first effort of the multistakeholder initiative, which was announced by the Department of Commerce in March. The initiative aims to address the major cybersecurity threats and issues facing the digital ecosystem as a whole, shoring up such threats with an eye toward fostering a healthy economy in the digital space.

The NTIA will act as a neutral facilitator for discussions among security researchers, software vendors, and “those interested in a more secure digital ecosystem,” as those parties work toward developing best practices and common principles for operating safely in the digital arena. Although there is no set agenda or proposed result, the NTIA suggested in a fact sheet released by the White House that “potential outcomes could include a set of high level principles that could guide future private sector policies, or a more focused and applied set of best practices for a particular set of circumstances.”

The topic of vulnerability disclosure was selected after a comment period, which drew responses from the American Civil Liberties Union and Microsoft, as well as a number of cybersecurity organizations and other industry groups. Many of these groups expressed concern about the current climate of vulnerability disclosure, in which large corporations have frequently threatened legal action against “security researchers” who discover weaknesses in their systems and propose to announce such weaknesses publicly. Among the solutions presented by the comments are “bug bounty” programs, which actually incentivize such detection, as well as industry-wide agreements not to sue or report to law enforcement individuals who detect vulnerabilities.

The meeting has not been given an exact date or location, but it is expected to be held in the San Francisco Bay Area and will be webcast live.

Irish Government Files Amicus Brief in Microsoft Case

In December 2014, we reported that various technology companies, academics and trade associations filed amicus briefs in support of Microsoft’s attempts to resist a U.S. government search warrant seeking to compel it to disclose the contents of customer emails that are stored on servers in Ireland. On December 23, 2014, the Irish government also filed an amicus brief in the 2nd Circuit Court of Appeals.

The amicus brief filed by the Irish government notes the servers are located in Ireland and stresses the importance of Irish sovereignty. The Irish government argues that the appropriate mechanism for obtaining data held on servers in Ireland is through international cooperation and the use of existing international treaties that were entered into for the specific purpose of enabling a government to request information that is subject to the laws of a foreign country.

The Irish government also noted a previous case where the Supreme Court of Ireland held that an Irish court can compel the disclosure of information stored by an Irish entity outside of Ireland if the information is for a criminal or similar investigation and there are no alternative means of obtaining the information. It is unclear, however, to what extent the U.S. court will consider a decision issued by a foreign court, such as the Supreme Court of Ireland.

Echoing its previous appeal to the U.S. government to “find a better way forward,” Microsoft welcomed the Irish government’s brief and reiterated its view that an international dialogue is the best way to resolve the issue of cross-border disclosure requests.

Industry, Privacy Advocates Join Microsoft to Protect Customer Emails in Foreign Servers

On December 15, 2014, Microsoft reported the filing of 10 amicus briefs in the 2nd Circuit Court of Appeals signed by 28 leading technology and media companies, 35 leading computer scientists, and 23 trade associations and advocacy organizations, in support of Microsoft’s litigation to resist a U.S. Government search warrant purporting to compel the production of Microsoft customer emails that are stored in Ireland. In opposing the Government’s assertion of extraterritorial jurisdiction in this case, Microsoft and its supporters have argued that their stance seeks to promote privacy and trust in cross-border commerce and advance a “broad policy issue” that is “fundamental to the future of global technology.”

The Government issued a domestic search warrant to Microsoft under the Stored Communications Act, demanding that Microsoft hand over emails that it maintains and controls in a Microsoft data center in Dublin. Microsoft challenged the warrant but the U.S. District Court confirmed the Government’s right to obtain these emails. Microsoft then appealed to the Second Circuit on December 8, 2014.

According to Microsoft, the company stores private communications in data centers close to their customers for legitimate business reasons, in this case in its Irish datacenter so that European customers can retrieve their information more quickly and securely. Microsoft’s position in this litigation, now officially supported by leading stakeholders and experts, is that “the U.S. Government’s unilateral use of a search warrant to reach email in another country puts both fundamental privacy rights and cordial international relations at risk.”

Specifically, Microsoft and the amici are making the following key points:

  • The U.S. Government should more appropriately use treaties to obtain the information it needs from other countries, which will help ensure the application of the relevant legal protections available in those countries.
  • Allowing the U.S. Government to access emails in foreign jurisdictions would have a negative impact on foreign customers’ trust in American companies and undermine the customers’ privacy rights.
  • The U.S. Government’s policy on extraterritorial jurisdiction also would have a negative impact on U.S. customers if foreign countries adopted the same approach towards emails held in U.S. datacenters.
  • The policy would undermine the efficiencies of cloud computing.
  • The policy would undermine legal protections for reporters’ emails that are housed in foreign jurisdictions.

Microsoft also called on the Obama Administration and the U.S. Congress to “engage in a holistic debate on the solutions to these issues and find a better way forward.”

U.S. Court Rules Microsoft Must Release User Data Stored Overseas

On April 25, 2014, a judge in the U.S. District Court for the Southern District of New York ruled that Microsoft must release user data to U.S. law enforcement when issued a search warrant, even if the data is stored outside of the U.S.

The case stems from a search warrant seeking the contents of all emails, records and other information regarding one of Microsoft’s email users. Microsoft complied with the warrant by producing “non-content” information related to the account (which is stored on U.S. servers), but refused to turn over the contents of the emails that are stored on a server in Ireland. The company argued that U.S. courts are not authorized to issue warrants for extraterritorial search and seizure of emails. The judge found that a search warrant for online data is unlike a conventional warrant, stating that if it were treated like a conventional warrant, the burden on the government would be substantial and law enforcement efforts would be impeded.

In a blog post, Microsoft Deputy General Counsel David Howard indicated that Microsoft views the ruling as “the first step toward getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States.”

Active Directory Unification and Attribute Cleanup

I recently posted about Active Directory Unification. The main points were (1) that there is value in AD consolidation and (2) that there's a right way to do it to meet the intended goals.

Sander Berkouwer posted earlier this month on Active Directory attribute integrity. He makes the point that with all the tools Microsoft provides to enable tighter management of identities and access (Forefront Identity Manager, AD FS, AD RMS and Dynamic Access Control), Active Directory cleanup is more important than ever, because every one of those tools reads its decisions out of directory attributes. Berkouwer writes:
"When these attributes are inconsistent, access to files, apps, partners and cloud functionality becomes inconsistent. If you think it won’t happen to you, think twice. During the first internal Microsoft deployment of Dynamic Access Control, attribute inconsistency was the first encountered problem."
Absolutely.

Most people that I speak with jump straight to the benefits that cleanup will have on the AD Unification process itself. The reality is that the real value of cleanup is enabling the right functionality and access controls after the unification process is complete: a claims-based policy is only as consistent as the attribute values it keys on. (Of course, as I wrote, it's never really complete - it's not a one-time event.)

It's worth making the distinction.
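As a concrete check for the attribute-inconsistency problem Berkouwer describes, here is an added example (my own PowerShell, not code from Berkouwer's post or from Microsoft) that audits the user attributes a Dynamic Access Control claim typically keys on and reports blanks and near-duplicate spellings before a policy comes to depend on them. It assumes the ActiveDirectory RSAT module is installed and readable, and the search base, attribute list and canonical department values are placeholders for your own environment.

```powershell
# Added example: audit AD user attributes for the inconsistencies that break
# claims-based access (DAC, AD FS claims) after a consolidation.
# Assumptions (adjust for your forest): RSAT ActiveDirectory module is present,
# $SearchBase and $CanonicalDepartments are placeholders, not real values.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'                      # assumption
$Attributes = 'department', 'title', 'company', 'c', 'manager', 'employeeID'
$CanonicalDepartments = @('Finance', 'Engineering', 'Legal', 'Sales')  # assumption

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $Attributes

$findings = foreach ($u in $users) {
    # Any blank attribute means the user silently falls out of every claim rule
    # that references it; flag each one rather than only the first.
    foreach ($attr in $Attributes) {
        if ([string]::IsNullOrWhiteSpace($u.$attr)) {
            [pscustomobject]@{ User = $u.SamAccountName; Attribute = $attr; Value = $null; Issue = 'missing' }
        }
    }

    # Case and whitespace variants are the classic DAC trap: to a claim,
    # "finance", "Finance " and "Finance" are three different values.
    $dept = $u.department
    if ($dept -and ($CanonicalDepartments -cnotcontains $dept)) {
        $looksLike = $CanonicalDepartments | Where-Object { $_ -ieq $dept.Trim() }
        $issue = if ($looksLike) { 'non-canonical spelling/whitespace' } else { 'unknown value' }
        [pscustomobject]@{ User = $u.SamAccountName; Attribute = 'department'; Value = $dept; Issue = $issue }
    }
}

# Summary first (which attribute/issue pairs dominate), then the detail for remediation.
$findings | Group-Object Attribute, Issue | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\ad-attribute-findings.csv

# Safe remediation for the mechanical cases only: normalise whitespace/case
# variants to the canonical spelling. -WhatIf keeps this a dry run; remove it
# deliberately after reviewing the CSV. 'unknown value' rows need a human.
$findings | Where-Object Issue -eq 'non-canonical spelling/whitespace' | ForEach-Object {
    $f = $_
    $canon = $CanonicalDepartments | Where-Object { $_ -ieq $f.Value.Trim() }
    Set-ADUser -Identity $f.User -Replace @{ department = $canon } -WhatIf
}
```

Run it against the consolidated directory, not just the source forests: the interesting findings are the values that were each consistent within one forest and only collide once the forests are merged.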