Category Archives: microsoft

Microsoft’s Next-Gen Xbox Consoles Are Codenamed ‘Anaconda’ and ‘Lockhart’

According to Windows Central, there are two upcoming next-generation Xbox consoles in the works -- a cheaper "S"-style console to succeed the Xbox One S, and a more beastly "X"-style console to succeed the Xbox One X. "The codename for the 'S 2' seems to be 'Lockhart,' and the codename for the 'X 2' seems to be 'Anaconda,' which may also be serving as a dev kit," reports Windows Central. From the report: The next-gen Lockhart console will be the affordable SKU, providing the next-gen Xbox experience in a package potentially around as powerful as the current Xbox One X hardware wise, with refinements under the hood. The Anaconda console will be more powerful and more expensive, providing a cutting-edge console gaming experience. We've also heard Microsoft is exploring technology to dramatically reduce loading times, potentially including SSD storage in the package. We've heard from multiple places that the next-gen Xbox consoles will be fully compatible with everything on your current Xbox One consoles, including your OG Xbox and Xbox 360 library via backward compatibility. We've also heard that Microsoft is working on a new platform for games dubbed "GameCore," as part of Windows Core OS, which the Scarlett family will support when it's ready. It extends the work Redmond has been doing on UWP. GameCore should make it easier for developers to build games that function not only on Xbox "Scarlett" consoles but also Windows 10 PCs, further reducing the amount of work studios need to do to get games running across both platforms. The report doesn't mention if the cheaper next-generation Xbox console will be streaming-only, or if it will still support traditional discs and downloads. With a disc-free version of the Xbox One reportedly coming next spring, this seems like a possibility.

Read more of this story at Slashdot.

How Microsoft Embraced Python

Steve Dower, a Python developer at Microsoft, describes how the language become popular internally: In 2010, our few Pythonistas were flying under the radar, in case somebody noticed that they could reassign a few developers to their own project. The team was small, leftover from a previous job, but was chipping away at a company culture that suffered from "not invented here" syndrome: Python was a language that belonged to other people, and so Microsoft was not interested. Over the last eight years, the change has been dramatic. Many Microsoft products now include Python support, and some of the newest only support Python. Some of our critical tools are written in Python, and we are actively investing in the language and community.... In 2018, we are out and proud about Python, supporting it in our developer tools such as Visual Studio and Visual Studio Code, hosting it in Azure Notebooks, and using it to build end-user experiences like the Azure CLI. We employ five core CPython developers and many other contributors, are strong supporters of open-source data science through NumFOCUS and PyData, and regularly sponsor, host, and attend Python events around the world. "We often felt like a small startup within a very large company" Downer writes, in a post for the Medium community "Microsoft Open Source Stories."

Read more of this story at Slashdot.

Microsoft December Patch Tuesday Addresses Nine Critical Vulnerabilities Including A Zero-Day

This week, Microsoft has rolled out the last scheduled updates for this year. Nonetheless, it again has released a fix

Microsoft December Patch Tuesday Addresses Nine Critical Vulnerabilities Including A Zero-Day on Latest Hacking News.

Microsoft Is Readying a Consumer Microsoft 365 Subscription Bundle

Microsoft is working on a new "Microsoft 365 Consumer" bundle that "will be the consumer-focused complement to Microsoft's existing Microsoft 365 subscription bundle for business users," reports ZDNet. From the report: A couple of recent Microsoft job postings mention the consumer subscription bundle, which Microsoft has yet to announce publicly. One job posting for a Product Manager for the "M365 Consumer Subscription" notes: "The Subscription Product Marketing team is a new team being created to build and scale the Microsoft 365 Consumer Subscription." The job description says the product manager for this service will help "identify, build, position and market a great new Microsoft 365 Consumer Subscription." The job post notes that the team behind Microsoft 365 Consumer oversees the Windows platform, the Microsoft Surface device portfolio, Office 365 consumer plans, Skype, Cortana, Bing search, as well as the Microsoft Education team. If I were betting on what Microsoft 365 Consumer might include, I'd think some variant of Windows 10, Office 365 Home, Skype, Cortana, Bing, Outlook Mobile, Microsoft To-Do and maybe MSN apps and services could figure into the picture. Maybe this subscription will be tied to Surface devices only? Maybe a monthly leasing fee for Surfaces will be part of the bundle itself?

Read more of this story at Slashdot.

Windows Server 2019 Officially Supports OpenSSH For the First Time

Microsoft said in 2015 that it would build OpenSSH, a set of utilities that allow clients and servers to connect securely, into Windows, while also making contributions to its development. Neowin: Since then, the company has delivered on that promise in recent releases of Windows 10, being introduced as a feature-on-demand in version 1803. However, Windows Server hadn't received the feature until now, at least not in an officially supported way -- Windows Server version 1709 included it as a pre-release feature. But that's finally changed, as Microsoft this week revealed that Windows Server 2019, which was made available (again) in November, includes OpenSSH as a supported feature.

Read more of this story at Slashdot.

Update now! Microsoft and Adobe’s December 2018 Patch Tuesday is here

If you find patching security flaws strangely satisfying, you’re in luck - Microsoft’s and Adobe’s December Patch Tuesdays have arrived with plenty for the dedicated updater to get stuck into.

Microsoft urges for Legal Framework to govern Facial recognition

Microsoft has reportedly sought for a reasonable legal framework for the deployment and use of facial recognition technology. While this

Microsoft urges for Legal Framework to govern Facial recognition on Latest Hacking News.

An critical bug in Microsoft left 400M accounts exposed

By Waqas

A bug bounty hunter from India, Sahad Nk who works forSafetyDetective, a cybersecurity firm, has received a reward from Microsoft for uncovering and reporting a series of critical vulnerabilities in Microsoft accounts. These vulnerabilities were present on users’ Microsoft accounts from MS Office files to Outlook emails. This means, all kinds of accounts (over 400 […]

This is a post from HackRead.com Read the original post: An critical bug in Microsoft left 400M accounts exposed

December 2018 Patch Tuesday: Microsoft patches Windows zero-day exploited in the wild

It’s Patch Tuesday again and, as per usual, both Microsoft and Adobe have pushed out patches for widely-used software packages. The Microsoft patches Microsoft’s December 2018 Patch Tuesday release is pretty lightweight: the company has plugged 38 CVE-numbered security holes, nine of which are considered to be Critical. Among the most notable bugs in this batch are CVE-2018-8611, an elevation of privilege vulnerability that arises when the Windows kernel fails to properly handle objects in … More

The post December 2018 Patch Tuesday: Microsoft patches Windows zero-day exploited in the wild appeared first on Help Net Security.

TrendLabs Security Intelligence Blog: December Patch Tuesday: Year-End Batch Addresses Win32k Elevation of Privilege and Windows DNS Server Vulnerabilities

The just-released Patch Tuesday for December includes a fix for the actively exploited Win32k Elevation of Privilege Vulnerability (CVE-2018-8611). The flaw allows an attacker to exploit a bug in the Windows Kernel and run arbitrary code to install programs; view, change, or delete data; or create new accounts with full user rights. It is also pointed out as likely being used with other bugs in targeted attacks.

The patch release fixes another vulnerability that’s currently under active attack: CVE-2018-8626, a Windows DNS Server Heap Overflow remote code execution (RCE) vulnerability that exists when DNS servers fail to properly handle requests. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the Local System Account. Taking advantage of the vulnerability can be done by sending a specially crafted request to an affected DNS server.

Other noteworthy patches in the batch include a Critical-rated remote code injection vulnerability in the .NET Framework and a text-to-speech RCE bug.

Microsoft closes out the year with 39 security patches and one advisory that cover issues in Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, and the .NET Framework. Of the 39 CVEs, nine are listed as Critical and 30 as Important in severity. Five were disclosed through the Zero Day Initiative (ZDI) program.

On the Adobe front, a total of 87 CVEs were covered by their release, with 39 of these handled by the ZDI. All of the bugs are listed as Important, save for one Moderate CVE. As early as December 5, Adobe also shipped an early patch for Flash Player that addresses two CVEs, with one designated as CVE-2018-15982 and listed as under active attack. The use-after-free (UAF) exploit allows an attacker to execute code at the level of a logged on user. The embedded Flash SWF in a Microsoft Office document is being spread through spear phishing campaigns.

Trend Micro™ Deep Security and Vulnerability Protection protect user systems from any threats that may target the vulnerabilities addressed in this month’s round of updates via the following DPI rules:

  • 1009409-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8583)
  • 1009410-Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2018-8619)
  • 1009411-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8617)
  • 1009412-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8618)
  • 1009413-Microsoft Text-To-Speech Remote Code Execution Vulnerability (CVE-2018-8634)
  • 1009414-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2018-8631)
  • 1009415-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8629)
  • 1009416-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8624)
  • 1009427-Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2018-8628)
  • 1009428-Microsoft Outlook Remote Code Execution Vulnerability (CVE-2018-8587)
  • 1009429-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-8643)
  • 1009430-Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2018-8625)
  • 1009431-Microsoft Windows Multiple Security Vulnerabilities (Dec-2018)

Trend Micro™ TippingPoint™ customers are protected from threats that may exploit this month’s list of vulnerabilities via these MainlineDV filters:

  • 33685: HTTP: Microsoft Edge Chakra JIT Type Confusion Vulnerability
  • 33686: HTTP: Microsoft Edge Chakra InlineArrayPush Type Confusion Vulnerability
  • 33687: HTTP: Microsoft Edge Chakra defineSetter Type Confusion Vulnerability
  • 33688: HTTP: Microsoft Edge Memory Corruption Vulnerability
  • 33689: HTTP: Microsoft Edge ArrayBuffer Out-of-Bounds Write Vulnerability
  • 33690: HTTP: Microsoft Internet Explorer Array Prototype Out-of-Bounds Write Vulnerability
  • 33691: HTTP: Microsoft Edge SpeechSynthesis Buffer Overflow Vulnerability
  • 33708: HTTP: Microsoft XML XSL VBScript Usage
  • 33711: HTTP: Adobe Flash Player SWF Parsing Use-After-Free Vulnerability
  • 33818: HTTP: Microsoft PowerPoint Use-After-Free Vulnerability
  • 33819: HTTP: Microsoft Internet Explorer Use-After-Free Vulnerability
  • 33820: HTTP: Microsoft Windows Kernel Use-After-Free Vulnerability
  • 33822: HTTP: Microsoft Windows win32kfull.sys Integer Overflow Vulnerability

The post December Patch Tuesday: Year-End Batch Addresses Win32k Elevation of Privilege and Windows DNS Server Vulnerabilities appeared first on .



TrendLabs Security Intelligence Blog

Microsoft Patch Tuesday — December 2018: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 38 vulnerabilities, nine of which are rated “critical” and 29 that are considered “important.” There are no “moderate” or “low” vulnerabilities in this release.

The advisories cover bugs in the Chakra scripting engine, several Microsoft Office products and the Microsoft Internet Explorer web browser.

For coverage of these vulnerabilities, check out our Snort blog post on this week's rule update.

Critical vulnerabilities


Microsoft disclosed nine critical vulnerabilities this month, which we will highlight below.

CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624 and CVE-2018-8629 are all memory corruption vulnerabilities in the Chakra scripting engine that could allow an attacker to execute code on the victim machine remotely. All of the bugs lie in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. An attacker could exploit these vulnerabilities by tricking a user into visiting a web page using Microsoft Edge, or by tricking them into clicking on specially crafted content on other sites that accept user-created content.

CVE-2018-8540 is a remote code injection vulnerability in the Microsoft .NET framework. An attacker can exploit this flaw by passing a specific input to an application utilizing vulnerable .NET methods. If successful, the attacker could take control of an affected system.

CVE-2018-8626 is a remote code execution vulnerability that exists in Windows DNS servers when they fail to properly handle requests. An attacker could run arbitrary code on an affected system if they exploit the vulnerability by sending malicious requests to a Windows DNS server. Windows servers that are configured as DNS servers are susceptible to this vulnerability.

CVE-2018-8631 is a remote code execution vulnerability in Internet Explorer. The bug lies in the way the web browser accesses objects in memory. An attacker could exploit this bug by tricking a user into visiting a specially crafted, malicious web page in Internet Explorer. If successful, the attacker could execute arbitrary code in the context of the current user.

CVE-2018-8634 is a memory corruption vulnerability in the Microsoft Edge that exists when the web browser improperly handles objects in memory. An attacker who successfully exploits this flaw by tricking a user into visiting a malicious, specially crafted web page could gain the ability to execute arbitrary code on the machine in the context of the current user.

Important vulnerabilities

This release also contains 29 important vulnerabilities, eight of which we will highlight below.

CVE-2018-8597 and CVE-2018-8636 are remote code execution vulnerabilities in Microsoft Excel that exist when the software fails to properly handle objects in memory. An attacker can exploit these bugs by tricking the user into opening a specially crafted Excel file, either via the web or as an email attachment. If successful, the attacker could gain the ability to execute arbitrary code on the system in the context of the current user.

CVE-2018-8587 is a remote code execution vulnerability in Microsoft Outlook that exists when the software fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted email attachment while using the Outlook client. If successful, the attacker could use a specially crafted file to perform actions in the security context of the current user. For example, the file could act on behalf of the logged-on user with the same permissions as the current users.

CVE-2018-8590 is a remote code execution vulnerability in Microsoft Word that exists when the software fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a malicious, specially crafted Word document, either via email, the web, or another vector.

CVE-2018-8619 is a remote code execution vulnerability that exists when the Internet Explorer VBScript execution policy improperly restricts VBScript in certain scenarios. An attacker could use this vulnerability to run arbitrary code with the permissions of the current user. A user could trigger this vulnerability if they visited a specially crafted web page using Internet Explorer.

CVE-2018-8625 is a remote code execution vulnerability in the VBScript engine. The vulnerability could corrupt memory in such a way that an attacker could execute code in the context of the current user. An attacker could trigger this flaw by tricking the user into visiting a specially crafted website on Internet Explorer. Additionally, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

CVE-2018-8628 is a remote code execution vulnerability in Microsoft PowerPoint that lies in the way the software processes objects in memory. An attacker could exploit this bug by tricking the user into opening a specially crafted, malicious PowerPoint file, which would eventually grant them the ability to execute code remotely in the context of the current user. The Preview Pane is not an attack vector this vulnerability — the user must open the file in PowerPoint.

CVE-2018-8643 is a remote code execution vulnerability that exists in the scripting engine handles objects in memory in Internet Explorer. An attacker could exploit this bug by tricking a user into visiting a specially crafted web page on Internet Explorer. Additionally, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. If successful, the attacker could then corrupt memory in such a way that they could execute arbitrary code in the context of the current users.

The other important vulnerabilities in this release are:

Coverage 

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 45142, 45143, 48509, 48510, 48513 - 48520, 48531 - 48534, 48559, 48562

Driveway Encounter With Microsoft’s President Led To $25 Million For Code.org

Long time reader theodp writes: At Monday's kickoff event with Melinda Gates for Computer Science Education Week 2018, Microsoft President Brad Smith revealed how a 2013 driveway encounter led to Microsoft's decision to commit $25 million to Code.org, whose CEO Hadi Partovi happens to live next door to Smith. "At the top of the hill, we share a common driveway," Smith said. "I can't even drive into the garage at night if he is standing in the way. Well, actually I can, but running him over is not the right path." Five years ago, Smith recalled, Partovi was in his driveway (King of the Hill-inspired artist's impression), "and he said, 'I have an idea [for then-nascent Code.org]. There is an important problem that we can help solve, because for too many people they look at these opportunities in computer science, and they don't appreciate that in truth anybody can aspire to be the next Melinda Gates or the next Bill Gates or the next Jeff Bezos or the next Sheryl Sandberg or Mark Zuckerberg. What they need, what they deserve, is the opportunity to learn this fundamental field.'" Earlier this year, Code.org celebrated its 5th anniversary and thanked Microsoft and other tech donors for making it possible for the nonprofit to change U.S. K-12 public education. Smith also announced Monday that Microsoft would invest an additional $10 million in Code.org to help expand the tech-bankrolled nonprofit's work. "The renewed partnership," Microsoft explained, "will focus on ensuring that by 2020 every state will have passed policies to expand access to computer science and every school in the U.S. will have access to Code.org professional development."

Read more of this story at Slashdot.

December Patch Tuesday forecast: Let it snow, let it snow, let it snow

Grab your shovels, dust off the snow blower, and bundle up. The way patches are accumulating this month is making me think of winter in Minnesota. I’m talking about the kind where the snow flurries start and stop so many times over the course of a few weeks, you suddenly realize there is a lot of snow out there! So the question is, do you shovel in small amounts when there are breaks in the … More

The post December Patch Tuesday forecast: Let it snow, let it snow, let it snow appeared first on Help Net Security.

Mastercard and Microsoft join forces to advance digital identity innovations

Currently, verifying your identity online is still dependent on physical or digital proof managed by a central party, whether it’s your passport number, your proof of address, driver’s license, user credentials or other means. This dependence places a burden on individuals, who have to remember hundreds of passwords for various identities and are being subjected to complexity in proving their identity and managing their data. Working together, Mastercard and Microsoft aim to give people a … More

The post Mastercard and Microsoft join forces to advance digital identity innovations appeared first on Help Net Security.

Microsoft’s Designers Are Now Working Together on the Future of Windows, Office and Surface

Microsoft has changed the way it approaches design. The new Office icons unveiled this week are the first glimpse at a far bigger design overhaul that's going on inside the company. Windows is also getting its own icon changes, but the bigger change is a collaborative effort going on between the Windows, Office, and Surface teams. From a report: "This is definitely a cross company effort," explains Jon Friedman, Microsoft's head of Office design, in an interview with The Verge. The company's design leaders -- Friedman with Office, Albert Shum on the Windows side, and Ralf Groene for Surface -- all work together now. "We operate like an internal open source team," Friedman says. "So we're all openly sharing our design work, critiquing the work, working on it together. What we've found is that the best way to develop our Fluent Design system is to truly open source it internally. What's happened is that we're getting the best of everyone's work that way."

Read more of this story at Slashdot.

Microsoft is reportedly building a Chromium-based browser to replace EdgeHTML

Microsoft is looking to replace EdgeHTML with a Chromium-based browser

Microsoft had launched its built-in web browser ‘Edge’ to replace the much-maligned ‘Internet Explorer’ as the default browser on Windows 10.

However, Microsoft Edge has not able to see success or gain popularity since its debut in 2015.

As a result, Microsoft is rumored to be reportedly working to replace EdgeHTML, the rendering engine that Edge is built on, with a new Chromium-based web browser for Windows 10, according to a new report from Windows Central.

The new web browser will be built using Chromium, a rendering engine, which as popularized by its rival, Google Chrome.

The project rumored to be codenamed as Anaheim is likely to appear in the 19H1 development cycle, and will finally completely replace Edge early next year.

If the rumors are true, Microsoft’s new web browser would provide the same experience to users that they would get while using Google Chrome. Ironically, in terms of experience, Microsoft Edge is lagging far behind in comparison to its rival, Chrome, Safari, and Firefox.

Currently, Microsoft is shipping Windows 10 with two browsers, Internet Explorer and Edge. Will Microsoft replace Edge with a new browser or add a third browser to the OS remains to be seen. Keep watching this space as it is a developing story.

The post Microsoft is reportedly building a Chromium-based browser to replace EdgeHTML appeared first on TechWorm.

Windows 10 version 1809 is incompatible with Morphisec anti-malware

By Carolina

Another day, another reason for Windows 10 to make headlines for all the wrong reasons. It is a fact that Windows 10 is currently used by over 400 million users globally but lately, its updates have been causing users a great deal of trouble and especially with Microsoft’s October 2018 update for Windows 10 version […]

This is a post from HackRead.com Read the original post: Windows 10 version 1809 is incompatible with Morphisec anti-malware

Microsoft Launches Visual Studio 2019 Preview 1 For Windows and Mac; Open-Sources WPF, Forms and WinUI

An anonymous reader writes: At its Microsoft Connect(); 2018 virtual event today, Microsoft announced the initial public preview of Visual Studio 2019 -- you can download it now for Windows and Mac. Separately, .NET Core 2.2 has hit general availability and .NET Core 3.0 Preview 1 is also available today. At the event today, Microsoft also made some open-source announcements, as is now common at the company's developer shindigs. Microsoft open-sourced three popular Windows UX frameworks on GitHub: Windows Presentation Foundation (WPF), Windows Forms, and Windows UI XAML Library (WinUI). Additionally, Microsoft announced the expansion of the .NET Foundation's membership model.

Read more of this story at Slashdot.

Microsoft is Working On a New Iteration of Windows To Take On ChromeOS, Report Says

Petri's Brad Sams writes: For more than a year, we have been hearing about Windows Core OS and how it is a modern version of Windows. As Microsoft continues to build out the platform, it's time to take a look at what the secret project actually includes and how the company is positioning the platform. In Microsoft's feverish attempts to shove out insider builds at an impressive rate, the company doesn't always do a great job at scrubbing the finer details from the builds. Because of this, and some help from a couple insiders, I have been able to piece together what Lite is and where it's headed. Microsoft is working on a new version of Windows that may not actually be Windows. It's currently called Lite, based on documentation found in the latest build, and I can confirm that this version of the OS is targeting Chromebooks. In fact, there are markings all over the latest release of the insider builds and SDK that help us understand where this OS is headed. If you have heard this before, it should sound a lot like Windows 10 S and RT; Windows 10 Lite only runs PWAs and UWP apps and strips out everything else. This is finally a truly a lightweight version of Windows that isn't only in the name. This is not a version of the OS that will run in the enterprise or even small business environments and I don't think you will be able to 'buy' the OS either; OEM only may be the way forward.

Read more of this story at Slashdot.

Microsoft building Chrome-based browser to replace Edge on Windows 10

It is no secret how miserably Microsoft's 3-year-old Edge web browser has failed to compete against Google Chrome despite substantial investment and continuous improvements. According to the latest round of tech rumors, Microsoft has given up on Edge and reportedly building a new Chromium-based web browser, dubbed project codename "Anaheim" internally, that will replace Edge on Windows 10

Microsoft Adds Real-Time Captions and Subtitles To Skype — PowerPoint To Follow

Skype is getting real-time captions and subtitles, and PowerPoint will have these features, too, next year. From a report: Ostensibly an accessibility feature (and launched on United Nations International Day of Persons with Disabilities), the new option means that Skype will be able to use voice recognition to show you the text of what is being said in a voice or video call. Microsoft will also bring the same feature to PowerPoint next year. Microsoft promises that live captions and subtitles are "optimized to be fast, continuous, and contextually updated as people speak", and in the current incarnation they will automatically scroll during a call. In a future update, however, it will be possible to manually scroll through subtitles and take advantage of additional viewing options.

Read more of this story at Slashdot.

Indian police & Microsoft busts tech support scam centers

By Uzair Amir

You may have watched YouTube videos about tech support scam tricking unsuspecting users into believing that their devices have been compromised with some nasty malware and the only way to get rid of it is to pay the technician for their “services” over the phone or Skype call. This type of tech support scam has […]

This is a post from HackRead.com Read the original post: Indian police & Microsoft busts tech support scam centers

Microsoft Wins $480 Million Military Contract To Bring HoloLens To Battlefield

An anonymous reader quotes a report from Ars Technica: Microsoft has won a $480 million contract to develop an augmented reality system for use in combat and military training for the U.S. Army. Called Integrated Visual Augmentation System (IVAS), formerly Heads Up Display (HUD) 3.0, the goal of the project is to develop a headset that gives soldiers -- both in training and in combat -- an increase in "Lethality, Mobility, and Situational Awareness." The ambitions for the project are high. Authorities want to develop a system with a goggle or visor form factor -- nothing mounted on a helmet -- with an integrated 3D display, digital cameras, ballistic laser, and hearing protection. The system should provide remote viewing of weapon sights to enable low risk, rapid target acquisition, perform automated or assisted target acquisition, integrate both thermal and night vision cameras, track soldier vitals such as heart and breathing rates, and detect concussions. Over the course of IVAS's development, the military will order an initial run of 2,550 prototypes, with follow-on production possibly in excess of 100,000 devices.

Read more of this story at Slashdot.

Microsoft’s Surface Roadmap Reportedly Includes Ambient Computing and a Modular All-in-One PC

Journalist Brad Sams is releasing a book chronicling the company's Surface brand: Beneath a Surface. VentureBeat writes: While you'll want to read all 26 chapters to get the juicy details, the last one includes Microsoft's hardware roadmap for 2019, and even a part of 2020 -- spanning various Surface products and even a little Xbox. Here's a quick rundown of Microsoft's current Surface lineup plans: Spring 2019: A new type of Surface-branded ambient computing device designed to address "some of the common frustrations of using a smartphone," but that isn't itself a smartphone. Q4 2019: Surface Pro refresh with USB-C (finally), smaller bezels, rounded corners, and new color options. Q4 2019: AMD-based Surface Laptop -- Microsoft is exploring using the Picasso architecture. Late 2019: Microsoft's foldable tablet Andromeda could be larger than earlier small form factor prototypes for a pocketable device with dual screens and LTE connectivity. Q1 2020: Surface Book update that might include new hinge designs (high-end performance parts may delay availability). 2020: A Surface monitor, and the modular design debuted for Surface Hub 2 could make its way to Surface Studio. The idea is to bring simple upgrades to all-in-one PCs, rather than having to replace the whole computer. GeekWire adds: A pair of new lower-cost devices Xbox One S devices could come next year. Sams reports that one of the models may be all digital, without a disc drive.

Read more of this story at Slashdot.

YouTuber makes Microsoft’s Xbox Adaptive Controller work on the Nintendo Switch

Microsoft’s Xbox Adaptive Controller Can Be Used On The Nintendo Switch

There is good news for disabled gamers! A YouTuber has come up with a workaround to get Microsoft’s Xbox Adaptive Controller work on the Nintendo’s Switch console.

For those unaware, Microsoft’s Xbox Adaptive Controller (XAC) is a video game controller designed for Windows PCs and the Xbox One video game console.

The controller launched earlier this year was designed for people with disabilities to help make user input for video games more accessible. It has 19 ports that can be connected to all different kinds of controllers and inputs, including those used by people with disabilities or limited capabilities.

While Microsoft has not set up official support for other consoles, which also includes Nintendo Switch, a YouTube channel, My Mate VINCE, that specializes in ‘How to’ guides, has released a guide on how to use the Xbox Adaptive Controller on a Nintendo Switch console.

Currently, Nintendo players need to use the standard controllers or buttons supplied with each device.

The video shows the YouTuber got the device working on the Nintendo Switch with the help of a Mayflash Magic-NS wireless controller adapter costing $20 on Amazon and a bit of software troubleshooting to remap the buttons.

Check out the detailed guide below on how to get your Xbox set up and working on the Nintendo Switch.

Please note that since Nintendo Switch does not officially support the adapter, the risk that this support might be disabled, intentionally or not, in a future Switch update is likely possible.

As we can see from the video, it takes My Mate Vince nearly 20 minutes to complete the whole process.

While one can certainly make the Adaptive Controller work on the Nintendo Switch, it would be best if Nintendo in the future makes their hardware compatible with XAC to avoid such workarounds.

The post YouTuber makes Microsoft’s Xbox Adaptive Controller work on the Nintendo Switch appeared first on TechWorm.

Microsoft Fixed Outlook 2010 Crashes Triggered By November Patch Tuesday

While an update bundle supposedly addresses flaws, Microsoft November Patch Tuesday didn’t seem so good for users. After the update,

Microsoft Fixed Outlook 2010 Crashes Triggered By November Patch Tuesday on Latest Hacking News.

That Time The Windows Kernel Fought Gamma Rays Corrupting Its Processor Cache

Long-time Microsoft programmer Raymond Chen recently shared a memory about an unusual single-line instruction that was once added into the Windows kernel code -- accompanied by an "incredulous" comment from the Microsoft programmer who added it: ; ; Invalidate the processor cache so that any stray gamma ; rays (I'm serious) that may have flipped cache bits ; while in S1 will be ignored. ; ; Honestly. The processor manufacturer asked for this. ; I'm serious. invd "Less than three weeks later, the INVD instruction was commented out," writes Chen. "But the comment block remains. "In case we decide to resume trying to deal with gamma rays corrupting the the processor cache, I guess."

Read more of this story at Slashdot.

Microsoft Briefly Overtakes Apple as Most Valuable US Company

Microsoft briefly overtook Apple as the world's most valuable listed company, fulfilling what it almost did eight years ago and adding a feather on the cap on CEO Satya Nadella. From a report: Redmond, Washington-headquartered Microsoft had a market cap of $753.34 billion, beating out the iPhone maker's $746.82 billion in intra-day trade on Friday at the Nasdaq in New York. Apple, however, regained control at the close. According to the Nasdaq website, Apple's market cap rose back up to $817.58 billion. Right behind it is Microsoft, which also increased to $791.19 billion. Tech companies have undergone some rough times recently. In particular, the so-called FAANG group -- Facebook, Amazon, Apple, Netflix and Google (Alphabet) -- had, as at November 20, combined market cap losses of over $1.02 trillion from their recent highs.

Read more of this story at Slashdot.

Microsoft’s Sticky Notes To Add Support For Images

Microsoft teases new Sticky Notes feature that supports images

Microsoft’s Sticky Notes, which is the handiest feature for writing down tasks and notes, has been getting a lot of attention since the major overhaul of the app with version 3.0.

Now, Microsoft’s Jen Gentleman has teased a new feature that will allow users to add support for images in Sticky Notes. This feature will be made available to Windows Insiders first most likely in the upcoming update.

For those unaware, Microsoft had recently rolled out the new syncing feature on iOS and Android via the OneNote app. It also rolled out the new full-on Dark Mode that now use a dark grey background color for Sticky Notes.

The post Microsoft’s Sticky Notes To Add Support For Images appeared first on TechWorm.

Microsoft Now Lets You Log Into Outlook, Skype, Xbox Live With No Password

You and 800 million other people now can use hardware authentication keys -- and no password at all -- to log on to Microsoft accounts used for Outlook, Office 365, OneDrive, Skype and Xbox Live. From a report: Microsoft is using a technology called FIDO2, which employs hardware keys for the no-password logon, the company said Tuesday. New versions of Microsoft's Windows 10 operating system and Edge web browser support the technology. The hardware authentication keys plug into laptop USB ports or, for phones, use Bluetooth or NFC wireless communications to help prove who you are. Initially, they worked in combination with a password for dual-factor authentication, but FIDO2 and a related browser technology called WebAuthn expands beyond that to let the company ditch the password altogether. Microsoft's no-password logon offers three options: the hardware key combined with Windows Hello face recognition technology or fingerprint ID; the hardware key combined with a PIN code; or a phone running the Microsoft Authenticator app. It works with Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing and the MSN portal site.

Read more of this story at Slashdot.

Microsoft Pulls Some Non-Security Updates For Microsoft Office 2010, 2013 and 2016 That It Released Earlier This Month

Mark Wilson, writing for BetaNews: Having released a series of updates for Office 2010, 2013 and 2016 as part of this month's Patch Tuesday, Microsoft has now pulled two of them and advised sysadmins to uninstall the updates if they have already been installed. In both instances -- KB4461522 and KB2863821 -- Microsoft says that the problematic updates can lead to application crashes. While this is not as serious a problem as, say, data loss, it does little to quieten the fears that have been voiced about the quality control Microsoft has over its updates.

Read more of this story at Slashdot.

Office 365 Users in Europe, Asia, and Americas Who Have Enabled Multi-Factor Authentication (MFA) Are Impacted by an Outage

New submitter neo00 writes: Office 365 users in Europe, Asia, and Americas are impacted by a wide-spread outage causing users who have Multi-Factor Authentication (MFA) enabled by default policy to be unable to login to Office 365 and other services reliant on Azure Active Directory. According to The Register: "Microsoft confirmed that there were problems from 04:39 UTC with a subset of customers in Europe and Asia-Pacific experiencing 'difficulties signing into Azure resources' such as the, er, little used Azure Active Directory, when Multi-Factor Authentication (MFA) is enabled. Six hours later, and the problems are continuing." The Office 365 health status page has reported that: "Affected users may be unable to sign in using MFA" and Azure's own status page confirmed that there are "issues connecting to Azure resources" thanks to the borked MFA." Official Azure status updates are published here.

Read more of this story at Slashdot.

Dutch Government Report Says Microsoft Office Telemetry Collection Breaks EU GDPR Laws

"The Register reports that Microsoft has been accused of breaking EU's GDPR law by harvesting information through Office 365 and sending it to U.S. servers," writes Slashdot reader Hymer. "The discovery was made by the Dutch government." From the report: The dossier's authors found that the Windows goliath was collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States. Those actions break Europe's new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines. The Dutch authorities are working with the corporation to fix the situation, and are using the threat of a fine as a stick to make it happen. The investigation was jumpstarted by the fact that Microsoft doesn't publicly reveal what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues. Much of what Microsoft collects is diagnostics, the researchers found, and it has seemingly tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it also collected other data that contained private information and some of that data still ended up on U.S. servers.

Read more of this story at Slashdot.

Windows 10 October Update Brings Back Old Mapped Drives Bug

After a lot of chaos and problems, Microsoft has resumed the Windows 10 1809 rollout. While the recent October update

Windows 10 October Update Brings Back Old Mapped Drives Bug on Latest Hacking News.

Microsoft is Testing Ads in Mail App For Windows 10 in Select Markets

Mark Wilson writes: Ads in your inbox. Sounds like something you'd expect from the likes of Google or Yahoo, but Microsoft appears to be about to get in on the act as well. And we're not talking about online ads in your Outlook.com account -- we're talking about ads in the Mail app that's included with Windows 10. A new report says that Microsoft is currently testing ads with Windows Insiders, so it could be just a matter of time before they spread wider. In a support page, spotted first by news outlet Thurrott, Microsoft says, "Consistent with consumer email apps and services like Outlook.com, Gmail, and Yahoo Mail, advertising allows us to provide, support, and improve some of our products. We're always experimenting with new features and experiences. Currently, we have a pilot running in Brazil, Canada, Australia, and India to get user feedback on ads in Mail."

Read more of this story at Slashdot.

Windows 10 October 2018 Update Rolls Out Again, Still Full Of Flaws

Windows 10 October Update Still Incompatible With Some AMD GPUs

After a delay of over a month, Microsoft finally re-released its latest Windows 10 October 2018 Update (version 1809) on November 14. When one thought that Windows 10 October 2018’s share of problems were far from over, it doesn’t seem so.

Microsoft has updated its Windows 10 Update history page for version 1809 that provides details of issues affecting Windows 10 client as well as Server.

“Mapped drives may fail to reconnect after starting and logging onto a Windows device,” Microsoft says, noting that symptoms include a red X on the mapped network drives in File Explorer.

Given below is the current status of Windows, version 1809, Windows Server 2019, and Windows Server, version 1809 that are affected as of November 14:

Date Current Status Affected Platforms Details
November 14, 2018, 6:00 PM PT Known Issue
  • Windows 10, version 1809
  • Windows Server 2019
  • Windows Server, version 1809
Mapped drives may fail to reconnect after starting and logging onto a Windows device.

Symptoms include:

  • In File Explorer, a red “X” appears on the mapped network drives.
  • Mapped network drives show as “Unavailable when you run the net use command from a command prompt.
  • In the notification area, a notification displays, “Could not reconnect all network drives.”

Workaround: See KB4471218 for workaround scripts to automatically reconnect a mapped network drive when you log on to the device.

Next Steps: Microsoft is working on a resolution and will provide updates in the 2019 timeframe.

November 14, 2018, 6:00 PM PT Upgrade block in place
  • Windows 10, version 1809
  • Windows Server 2019
  • Windows Server, version 1809

 

Microsoft and Trend Micro have identified a compatibility issue with Trend Micro’s OfficeScan and Worry-Free Business Security software when attempting to update to Windows 10, version 1809.

To ensure a seamless update experience, we are blocking devices running the affected business endpoint security products from being offered Windows 10, version 1809, until a specific Trend Micro Critical Patch (CP) is applied.

Next Steps: For information on when critical patches will be available for these products, please refer to Trend Micro’s Business Support Portal.

 

November 14, 2018, 6:00 PM PT Upgrade block in place
  • Windows 10, version 1809
  • Windows Server 2019
  • Windows Server, version 1809
Note: AMD no longer supports Radeon HD2000 and HD4000 series graphic processor units (GPUs).

After updating to Window 10, version 1809, Microsoft Edge tabs may stop working when a device is configured with AMD Radeon HD2000 or HD4000 series video cards.

Customers may get the following error code:  “INVALID_POINTER_READ_c0000005_atidxx64.dll”.

Some users may also experience performance issues with the lock screen or the ShellExperienceHost. (The lock screen hosts widgets, and the ShellExperienceHost is responsible for assorted shell functionality).

Workaround: To ensure a seamless update experience, we are blocking devices with AMD Radeon HD2000 and HD4000 series graphics processors from being offered Window 10, version 1809.

Next Steps: Microsoft is investigating this issue.

 

As you can see from above, Microsoft is having a compatibility issue between the 1809 update and Trend Micro’s OfficeScan and Worry-Free Business Security software.

“If a customer tries to retrieve and apply the Windows 10 October 2018 Update via Windows Update before applying the required Trend Micro Critical Patch (CP) – validated by certain driver versions – it will not be able to obtain the update for a period of 60 days from the official release of the Windows 10 October 2018 Update. Please note there will be no warning message,” Trend said.

“If a customer tries to apply the Windows 10 October 2018 Update via an installation package before applying the required Trend Micro Critical Patch (CP) – again validated by certain driver versions – a warning message will appear notifying the customer to first upgrade the Trend Micro product.”

A support page about the issue together with its patches has been posted by Trend Micro. Patches are only available for OfficeScan. Additionally, on the request of Trend Micro, Microsoft has blocked the 1809 update for devices running these security products until a patch from Trend Micro has been installed. Patches are only available for OfficeScan.

Also, machines with AMD Radeon HD 2000 or HD 4000 series video cards are facing problems. If you’re using either of these cards, the new Windows build is showing up an “INVALID_POINTER_READ_c0000005_atidxx64.dll” error code and locking the screen.

Meanwhile, Microsoft says it is working on a resolution but warns admins not to expect a solution until “the 2019 timeframe”.

Considering the share of problems still surrounding the latest Windows 10 October 2018 Update, it will be advisable for users to wait a bit before installing a fresh new OS update.

Source: Microsoft, ZDNet

The post Windows 10 October 2018 Update Rolls Out Again, Still Full Of Flaws appeared first on TechWorm.

Microsoft Releases The New Light Theme In Windows 10 19H1 Insider Build 18282

Microsoft rolls out Windows 10 19H1 build 18282 to Insiders with a new light theme

Microsoft released Windows 10 Insider Preview Build 18282 (19H1) to Windows Insiders in the Fast Ring on November 14. While the next Windows 10 iteration 19H1 includes several improvements and bug fixes, it also introduces a true Light theme for the Taskbar, Start menu, Action Center, touch keyboard, and more.

Also Read-

Previously, if elements like the Taskbar, Start menu, Action Center, touch keyboard, etc., would be left out if one selected the Light theme. However, this changes with the new build.

“Ever since we introduced the ability to choose between light and dark in Windows 10, we’ve heard feedback asking for a truer separation between the two options,” Microsoft said in a blog post.

To enable light theme in Windows 10, you need to go to Settings > Personalization > Colors. Then, click the drop-down under ‘Choose your color’ and select Light. The new theme changes many elements of the OS UI, including the taskbar, Start menu, Action Center, touch keyboard and more. If you select the Light mode in the Settings app, all system UI elements will look lighter.

“When you update to this build, your system color won’t automatically change to the new light system color. This is because we want everything to be exactly as you left it before you did the update. We’re leaving the choice up to you,” Microsoft added.

As part of this new Light theme, Microsoft is also adding a new default wallpaper highlighting Windows Light. Go to Settings > Personalization > Themes and select Windows Light to apply it. This will change your PC to be light themed.

The UI change to Light theme is not ready yet. Microsoft is likely to introduce the new Light theme in the upcoming Windows 10 19H1 feature update due in Spring 2019.

The other notable changes in Windows 10 19H1 update are improved Action Center, dark themed OneDrive and more. Furthermore, there is also a new window snip option for Snip & Sketch, improvements to the printing experience, and more. Check out the general changes, improvements, and fixes for build 18282 here.

The post Microsoft Releases The New Light Theme In Windows 10 19H1 Insider Build 18282 appeared first on TechWorm.

Microsoft finally re-releases Windows 10 October 2018 Update

Microsoft resumes rollout of Windows 10 October 2018 (version 1809)update

Microsoft has finally re-released its latest Windows 10 October 2018 Update (version 1809) that was delayed by more than a month after users started complaining of data loss that forced the company to pull the update offline.

“Based on (telemetry) data, today we are beginning the re-release of the October Update by making it available via media and to advanced users who seek to manually check for updates,” John Cable, Director of Program Management, Windows Servicing and Delivery, said in an announcement in a new blog post.

According to Microsoft, the so-called October 2018 Update that was delayed due to “data destroying” bug has been thoroughly investigated and all related issues have been resolved. The decision to re-release the update was reached after the careful study of diagnostic data from millions of Windows Insiders showed no further evidence of data loss.

Unlike the April Update which had the fastest Windows 10 update rollout rate, the company is taking a more measured approach with the Windows 10 October Update. The update is available to download for advanced users straight away via media and manual updates. However, those who receive the update automatically through Windows Update will see a slower rollout.

The update will be offered to users via Windows Update when data shows their device is ready. However, the update might not get installed in a user’s system if an issue is detected.

“We will offer the October Update to users via Windows Update when data shows your device is ready and you will have a great experience,” Cable continued.

“If we detect that your device may have an issue, such as an application incompatibility, we will not install the update until that issue is resolved, even if you ‘Check for updates’, so you avoid encountering any known problems.”

Microsoft has promised a renewed focus in the way it approaches quality issues, including better communication with customers.

Michael Fortin, Windows corporate Vice President said: “While we do see positive trends, we also hear clearly the voices of our users who are facing frustrating issues, and we pledge to do more.”

The post Microsoft finally re-releases Windows 10 October 2018 Update appeared first on TechWorm.

Unpatched Microsoft Word Video Feature Vulnerability is Being Exploited In The Wild

Last month, researchers from a cybersecurity firm shared their findings on a bug in Microsoft Word online’s video feature that

Unpatched Microsoft Word Video Feature Vulnerability is Being Exploited In The Wild on Latest Hacking News.

63 New Flaws (Including 0-Days) Windows Users Need to Patch Now

It's Patch Tuesday once again…time for another round of security updates for the Windows operating system and other Microsoft products. This month Windows users and system administrators need to immediately take care of a total of 63 security vulnerabilities, of which 12 are rated critical, 49 important and one moderate and one low in severity. <!-- adsense --> Two of the vulnerabilities

VERT Threat Alert: November 2018 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s November 2018 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-805 on Wednesday, November 14th. In-The-Wild & Disclosed CVEs CVE-2018-8589 This vulnerability was reported to Microsoft by Kaspersky Labs, who discovered it being exploited by multiple threat actors. The target, at this point, […]… Read More

The post VERT Threat Alert: November 2018 Patch Tuesday Analysis appeared first on The State of Security.

Microsoft Patch Tuesday — November 2018: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 53 vulnerabilities, 11 of which are rated "critical," 40 that are rated "important” and one “moderate” and “low” vulnerability, each.

The advisories cover bugs in the Chakra scripting engine, Microsoft Outlook and DirectX.

This update also includes three advisories. One covers vulnerabilities in Adobe Flash Player, and another covers important bugs in the Microsoft Surface tablet. Additionally, there is guidance for how users should configure BitLocker in order to properly enforce software encryption.

For more on our coverage for these vulnerabilities, check out the SNORTⓇ blog post here.

Critical vulnerabilities

Microsoft disclosed 11 critical vulnerabilities this month, which we will highlight below. There is also a critical advisory covering Adobe Flash Player.

CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557 and CVE-2018-8588 are all memory corruption vulnerabilities in the Chakra scripting engine. They all lie in the way that the scripting engine handles objects in memory in the Microsoft Edge internet browser. These vulnerabilities could corrupt memory in a way that an attacker could execute code in the context of the current user. An attacker needs to convince a user to open a specially crafted, malicious website on Microsoft Edge in order to exploit these bugs.

CVE-2018-8476 is a remote code execution vulnerability in the Windows Deployment Services TFTP server. The bug lies in the way the TFTP server handles objects in memory. An attacker could exploit this vulnerability by supplying the user with a specially crafted request.

CVE-2018-8553 is a remote code execution vulnerability in Microsoft Graphics Components that lies in the way Graphics Components handles objects in memory. An attacker can exploit this vulnerability by providing the user with a specially crafted file.

CVE-2018-8544 is a remote code execution vulnerability that exists in the way that the VBScript engine handles objects in memory. An attacker needs to trick a user into visiting a specially crafted website on Internet Explorer in order to exploit this vulnerability. Alternatively, the attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts Internet Explorer’s rendering engine.

ADV180025 addresses several vulnerabilities in Adobe Flash Player, which are outlined by Adobe in a separate release. Microsoft recommends updating to the latest version of Flash Player, as well as disabling Flash on its web browsers.

Important vulnerabilities

There are also 40 important vulnerabilities in this release. We would like to specifically highlight seven of them.

CVE-2018-8256 is a remote code execution vulnerability in PowerShell when it improperly handles specially crafted files. An attacker could execute malicious code on a vulnerable system. This update fixes the vulnerability by ensuring that PowerShell properly handles files.

CVE-2018-8574 and CVE-2018-8577 are remote code execution vulnerabilities in Microsoft Excel that occurs when the software fails to properly handle objects in memory. An attacker could exploit this bug by tricking the user into opening a specially crafted Excel file, either as an email attachment or another method.

CVE-2018-8582 is a remote code execution vulnerability in Microsoft Outlook when the software fails to properly parse specially modified rule export files. Users who have their settings configured to allow fewer user rights are less impacted by this vulnerability than those who operate with administrative user rights. Workstations and terminal servers that use Microsoft Outlook are also at risk. An attacker needs to convince a user to open a specially crafted rule export file in an email in order to trigger this bug.

CVE-2018-8450 is a remote code execution vulnerability that exists when Windows Search handles objects in memory. An attacker could trigger this vulnerability by sending a specially crafted function to the Windows Search service, or via an SMB connection.

CVE-2018-8550 is an elevation of privilege in Windows COM Aggregate Marshaler. An attacker who successfully exploits the vulnerability could run arbitrary code with elevated privileges. The vulnerability does not directly allow the user to execute arbitrary code, but it could be used in conjunction with other bugs to execute code with elevated privileges.

CVE-2018-8570 is a remote code execution vulnerability in Internet Explorer that exists when the web browser improperly accesses objects in memory. An attacker could exploit this bug by hosting a malicious website on Internet Explorer and then convincing the user to visit the link.

The other important vulnerabilities are:

Moderate vulnerabilities

The one moderate vulnerability is CVE-2018-8546, a denial-of-service vulnerability in the Skype video messaging service.

Low vulnerability

There is also one low-rated vulnerability, CVE-2018-8416, which is a tampering vulnerability in the .NET Core.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.


Snort rules: 32637, 45142, 45143, 48399 - 48404, 48374 - 48388, 48393 - 48395, 48360 - 48373, 48408 - 48410

Cyber Security Roundup for October 2018

Aside from Brexit, Cyber Threats and Cyber Attack accusations against Russia are very much on the centre stage of UK government's international political agenda at the moment. The government publically accused Russia's military 'GRU' intelligence service of being behind four high-profile cyber-attacks, and named 12 cyber groups it said were associated with the GRU. Foreign Secretary Jeremy Hunt said, "the GRU had waged a campaign of indiscriminate and reckless cyber strikes that served no legitimate national security interest".

UK Police firmly believe the two men who carried out the Salisbury poisoning in March 2018 worked for the GRU.

The UK National Cyber Security Centre said it had assessed "with high confidence" that the GRU was "almost certainly responsible" for the cyber-attacks, and also warned UK businesses to be on the alert for indicators of compromise by the Russian APT28 hacking group.  The NCSC said GRU hackers operated under a dozen different names, including Fancy Bear (APT28), had targetted:
  • The systems database of the Montreal-based World Anti-Doping Agency (Wada), using phishing to gain passwords. Athletes' data was later published 
  • The Democratic National Committee in 2016, when emails and chats were obtained and subsequently published online. The US authorities have already linked this to Russia.
  • Ukraine's Kyiv metro and Odessa airport, Russia's central bank, and two privately-owned Russian media outlets - Fontanka.ru and news agency Interfax - in October 2017. They used ransomware to encrypt the contents of a computer and demand payment 
  • An unnamed small UK-based TV station between July and August 2015, when multiple email accounts were accessed and content stolen

Facebook was fined the maximum amount of £500,000 under pre-GDPR data protection laws by the UK Information Commissioner's Office (ICO) over the Cambridge Analytica Scandal. Facebook could face a new ICO fine after revealing hackers had accessed the contact details of 30 Million users due to a flaw with Facebook profiles. The ICO also revealed a 400% increase in reported Cyber Security Incidents and another report by a legal firm RPC said the average ICO fines had doubled, and to expect higher fines in the future. Heathrow Airport was fined £120,000 by the ICO in October after a staff member lost a USB stick last October containing "sensitive personal data", which was later found by a member of the public.

Notable Significant ICO Security Related Fines

Last month's British Airways website hack was worse than originally reported, as they disclosed a second attack which occurred on 5th September 2018, when the payment page had 22 lines of malicious Javascript code injected in an attack widely attributed to Magecart.  Another airline Cathay Pacific also disclosed it had suffered a major data breach that impacted 9.4 million customer's personal data and some credit card data.

Morrisons has lost a challenge to a High Court ruling which made it liable for a data breach, after an employee, since jailed for 8 years, stole and posted thousands of its employees' details online in 2014.  Morrisons said it would now appeal to the Supreme Court., if that appeal fails, those affected will be able to claim compensation for "upset and distress". 

Interesting article on Bloomberg on "How China Used a Tiny Chip to Infiltrate U.S. Companies". However, there was a counter-narrative to the Bloomberg article on Sky News. But didn't stop Ex-Security Minister Admiral Lord West calling the Chinese when he said Chinese IT Kit 'is putting all of us at risk' if used in 5G.  He raises a valid point, given the US Commerce Department said it would restrict the export of software and technology goods from American firms to Chinese chipmaker Fujian Jinhua BT, which uses Huawei to supply parts for its network, told Sky News that it would "apply the same stringent security measures and controls to 5G when we start to roll it out, in line with continued guidance from government". Recently there have been warnings issued by the MoD and NCSC stating a Chinese espionage group known as APT10 are attacking IT suppliers to target military and intelligence information.

NCSC is seeking feedback on the latest drafts 'knowledge areas' on CyBOK, a Cyber Security body of knowledge which it is supporting along with academics and the general security industry.

Google are finally pulling the plug on Google+, after user personal data was left exposed. Google and the other three major web browser providers in the world said, in what seems like coordinated announcements, businesses must accept TLS Version 1.0 and 1.1 will no longer support after Q1 2018.

So its time to move over to the more secure TLS V1.2 or the more secure & efficient TLS V1.3.

NEWS

Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer

Cybersecurity researchers have revealed an unpatched logical flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code inside a document file, tricking users into running malware onto their computers. Discovered by researchers at Cymulate, the bug abuses the 'Online Video' option in Word documents, a feature that allows users to embedded an online

Windows Built-in Antivirus Gets Secure Sandbox Mode – Turn It ON

Microsoft Windows built-in anti-malware tool, Windows Defender, has become the very first antivirus software to have the ability to run inside a sandbox environment. Sandboxing is a process that runs an application in a safe environment isolated from the rest of the operating system and applications on a computer. So that if a sandboxed application gets compromised, the technique prevents its

Microsoft WindowsCodecs.dll SniffAndConvertToWideString Information Leak Vulnerability

These vulnerabilities were discovered by Marcin Noga of Cisco Talos.

Today, Cisco Talos is disclosing a vulnerability in the WindowsCodecs.dll component of the Windows operating system.

WindowsCodecs.dll is a component library that exists in the implementation of Windows Imaging Component (WIC), which provides a framework for working with images and their data. WIC makes it possible for independent software vendors (ISVs) and independent hardware vendors (IHVs) to develop their own image codecs and get the same platform support as standard image formats (ex. TIFF, JPEG, PNG, GIF, BMP and HDPhoto).

Vulnerability Details

TALOS-2018-0644 - Microsoft WindowsCodecs.dll SniffAndConvertToWideString Information Leak Vulnerability

TALOS-2018-0644 (CVE-2018-8506) is an exploitable memory leak vulnerability that exists in the SniffAndConvertToWideString function of WindowsCodecs.dll, version 10.0.17134.1. A specially crafted JPEG file can cause the library to return uninitialized memory, resulting in a memory leak. An attacker can send or share a malformed JPEG file to trigger this vulnerability.

This vulnerability is present in the WindowsCodecs DLL library — an implementation of Windows Imaging Component (WIC) —that provides an extensible framework for working with images and image metadata.

An attacker can leak heap memory due to the improper sting null termination after calling `IWICImagingFactory::CreateDecoderFromFilename` on a JPEG file with properly malformed metadata.

Additional details can be found here.

Affected versions

The vulnerability is confirmed in the WindowsCodecs.dll, version 10.0.17134.1, but it may also be present in the earlier versions of the product. Users are advised to apply the latest Windows update.

Discussion

WIC enables developers to perform image processing operations on any image format through a single, consistent set of common interfaces, without requiring prior knowledge of specific image formats and it provides an extensive architecture for image codecs, pixel formats, and metadata with automatic run-time discovery of new formats.

It's recommended that developers use operating system components, such as Windows Imaging Component, that are updated frequently so they do not have to apply any specific updates to their own products.

Memory leak vulnerabilities are dangerous and could cause the instability in the system, as the program does not properly free the allocated memory and the memory blocks remain marked as being in use. Vulnerable applications continue to waste memory over time, eventually consuming all RAM resources, which can lead to abnormal system behavior. Developers should be aware of these vulnerabilities' potentially damaging consequences.

Coverage

The following SNORTⓇ rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47430 - 47433

Cyber Security Roundup for September 2018

September 2018 started with a data breach bang, with British Airways disclosing a significant hack and data loss. 380,000 of the airlines' website and mobile app customers had their debit and credit card details lifted via a maliciously injected script.  The breach even caused BA owners, IAG, to drop in value 4%. And to compound matters, there were several claims made that the BA website wasn't PCI DSS compliant, implying if they were PCI DSS compliant, their customer's personal and payment card information would still be safe.  For further details about this breach see my blog posts; British Airways Customer Data Stolen in Website and Mobile App Hack and British Airways Hack Update: Caused by Injected Script & PCI DSS Non-Compliance is Suspected.

Facebook continues to make all the wrong kind of privacy headlines after a massive user data breach was confirmed by the social media giant at the end of the month. Facebook said at least 50 million users’ data was at risk after hackers exploited a vulnerability the Facebook code. Facebook CEO Mark Zuckerberg said he doesn’t know who is behind the cyber attack, however, the FBI are investigating. 

There was a good measure of embarrassment at the Tory Conference after a flaw in the conference App revealed the personal data of senior UK government cabinet ministers, with Boris Johnson, Michael Gove, Gavin Williamson among those whose their personal information and phones numbers made available.

There was a number of large data breach fines handed out in September, Tesco Bank was hit by a whopping £16.4 by the Financial Conduct Authority (FCA), the fine would have been doubled if it weren't for Tesco's good co-operation with the FCA investigation. The FCA said Tesco had security deficiencies which left their bank account holders vulnerable to a cyber attack in November 2016. The attack netted the bad guys, via 34 transactions, a cool £2.26 million. The FCA report said the cyber criminals had exploited weaknesses in the bank's design of its debit card, its financial crime controls and in its financial crime operations team, to carry out the attack over a 48-hour period. 

Equifax was fined the maximum pre-GDPR law amount of £500K by the Information Commissioner's Office (ICO) after the US-based credit reference agency failed to protect the personal data of 15 million UK citizens. The ICO ruled Equifax's UK branch had "failed to take appropriate steps" to protect UK citizens' data. It added that "multiple failures" meant personal information had been kept longer than necessary and left vulnerable.

The ICO also fined Bupa £175K, for not having good enough security to prevent the theft of 547,000 customer records by an employee.  Uber has paid £133m to settle legal claims to customers and drivers, as a result of trying to cover up a huge breach which occurred in 2016 from their regulators. The ride-hailing company admitted to paying off hackers to the tune of $100,000 to delete the data they robbed from Uber's cloud servers. The personal data stolen was from 57 million Uber accounts, also included information about 600,000 driving license numbers. 

Looks like the MoD and GCHQ are looking to beef up Britan's Cyber Offense capabilities, announcing a plan to recruit a 2,000 strong 'cyber force' to take on the Russian threat. Meanwhile across the pond, the Mirai creators have done a deal to keep themselves out of jail in return for helping the FBI catch cybercrooks, which has echoes of the approach the FBI took with con artist and cheque fraud expert Frank Abagnale, the subject of book and movie "Catch me if you Can".

Bristol Airport was impacted by a ransomware attack, which took down their arrival and departure screens for a couple of days, and a Scottish Brewery was also hit by ransomware attack through infected CV it had received through an online job advertisement

Europol warned of 15 ways you could become a Cyber Crime Victim, and there was an excellent article in the New York Times on the Bangladesh’s Central Bank Cyber Theft

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Cyber Security Roundup for August 2018

The largest data breach disclosed this month was by T-Mobile, the telecoms giant said there had been "unauthorised access" to potentially 2 million of their 77 million customer accounts. According to the media, a hacker took advantage of a vulnerability in a T-Mobile API (application programming interface). It was a vulnerable API used by Air Canada mobile App which was also exploited, resulting in the compromise of 20,000 Air Canada customer accounts. Air Canada promptly forced a password change to all of its 77 million customer accounts as a result, however, the airline faced criticism from security experts for advising a weak password strength. Namely, a password length of 8, made up of just characters and digits. Both of these hacks underline the importance of regularly penetration testing Apps and their supporting infrastructure, including their APIs.

Hackers stole up to 34,000 Butlin guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in a hack last year from 1.2 million to 10 million, which includes 5.9 million payment cards. There was no explanation offered by Dixons to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.

Huawei continues to face scrutiny over the security of their products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16 year old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.

On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups, by taking down six domains which hosted mimicked websites, which were likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese Hotel Group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by a ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, the group is said to be responsible for stealing millions of credit card and customer details from businesses across the world.

On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigation (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month, the highlight was a demonstration of a vulnerability found by Secarma researches, namely a PHP flaw which places CMS sites at risk of remote code execution

There was plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe, the latter firm released several out-of-band patches during August. A critical update was released for Apache Struts (popular web server) and a reminder that Fax machines and all-in-one devices network devices could be used as a way into corporate networks by hackers.

Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month,  Cyber-Attack! Would your firm handle it better than this? and Unpicking the Cyber-Crime Economy

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Cyber Security Roundup for July 2018

The importance of assuring the security and testing quality of third-party provided applications is more than evident when you consider an NHS reported data breach of 150,000 patient records this month. The NHS said the breach was caused by a coding error in a GP application called SystmOne, developed by UK based 'The Phoenix Partnership' (TTP). The same assurances also applies to internally developed applications, case-in-point was a publically announced flaw with Thomas Cook's booking system discovered by a Norwegian security researcher. The research used to app flaw to access the names and flights details of Thomas Cook passengers and release details on his blog. Thomas Cook said the issue has since been fixed.

Third-Third party services also need to be security assured, as seen with the Typeform compromise. Typeform is a data collection company, on 27th June, hackers gained unauthorised access to one of its servers and accessed customer data. According to their official notification, Typeform said the hackers may have accessed the data held on a partial backup, and that they had fixed a security vulnerability to prevent reoccurrence. Typeform has not provided any details of the number of records compromised, but one of their customers, Monzo, said on its official blog that is was in the region of 20,000. Interestingly Monzo also declared ending their relationship with Typeform unless it wins their trust back. Travelodge one UK company known to be impacted by the Typeform breach and has warned its impacted customers. Typeform is used to manage Travelodge’s customer surveys and competitions.

Other companies known to be impacted by the Typeform breach include:

The Information Commissioner's Office (ICO) fined Facebook £500,000, the maximum possible, over the Cambridge Analytica data breach scandal, which impacted some 87 million Facebook users. Fortunately for Facebook, the breach occurred before the General Data Protection Regulation came into force in May, as the new GDPR empowers the ICO with much tougher financial penalties design to bring tech giants to book, let's be honest, £500k is petty cash for the social media giant.
Facebook-Cambridge Analytica data scandal
Facebook reveals its data-sharing VIPs
Cambridge Analytica boss spars with MPs

A UK government report criticised the security of Huawei products, concluded the government had "only limited assurance" Huawei kit posed no threat toUK national security. I remember being concerned many years ago when I heard BT had ditched US Cisco routers for Huawei routers to save money, not much was said about the national security aspect at the time. The UK gov report was written by the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 in response to concerns that BT and other UK companies reliance on the Chinese manufacturer's devices, by the way, that body is overseen by GCHQ.

Banking hacking group "MoneyTaker" has struck again, this time stealing a reported £700,000 from a Russia bank according to Group-IB. The group is thought to be behind several other hacking raids against UK, US, and Russian companies. The gang compromise a router which gave them access to the bank's internal network, from that entry point, they were able to find the specific system used to authorise cash transfers and then set up the bogus transfers to cash out £700K.


NEWS

Cyber Security Roundup for June 2018

Dixons Carphone said hackers attempted to compromise 5.9 million payment cards and accessed 1.2 million personal data records. The company, which was heavily criticised for poor security and fined £400,000 by the ICO in January after been hacked in 2015, said in a statement the hackers had attempted to gain access to one of the processing systems of Currys PC World and Dixons Travel stores. The statement confirmed 1.2 million personal records had been accessed by the attackers. No details were disclosed explaining how hackers were able to access such large quantities of personal data, just a typical cover statement of "the investigation is still ongoing".  It is likely this incident occurred before the GDPR law kicked in at the end of May, so the company could be spared the new more significant financial penalties and sanctions the GDPR gives the ICO, but it is certainly worth watching the ICO response to a repeat offender which had already received a record ICO fine this year. The ICO (statement) and the NCSC (statement) both have released statements about this breach.

Ticketmaster reported the data theft of up to 40,000 UK customers, which was caused by security weakness in a customer support app, hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. Ticketmaster informed affected customers to reset their passwords and has offered (to impacted customers) a free 12-month identity monitoring service with a leading provider. No details were released on how the hackers exploited the app to steal the data, likely to be a malware-based attack. However, there are questions on whether Ticketmaster disclosed and responded to the data breach quick enough, after digital banking company Monzo, claimed the Ticketmaster website showed up as a CPP (Common Point of Purchase) in an above-average number of recent fraud reports. The company noticed 70% of fraudulent transactions with stolen payment cards had used the Ticketmaster site between December 2017 and April 2018. The UK's National Cyber Security Centre said it was monitoring the situation.

TSB customers were targetted by fraudsters after major issues with their online banking systems was reported. The TSB technical issues were caused by a botched system upgrade rather than hackers. TSB bosses admitted 1,300 UK customers had lost money to cyber crooks during its IT meltdown, all were said to be fully reimbursed by the bank.
The Information Commissioner's Office (ICO) issued Yahoo a £250,000 fine after an investigation into the company's 2014 breach, which is a pre-GDPR fine. Hackers were able to exfiltrate 191 server backup files from the internal Yahoo network. These backups held the personal details of 8.2 million Yahoo users, including names, email addresses, telephone numbers, dates of birth, hashed password and other security data. The breach only came to light as the company was being acquired by Verizon.

Facebook woes continue, this time a bug changed the default sharing setting of 14 million Facebook users to "public" between 18th and 22nd May.  Users who may have been affected were said to have been notified on the site’s newsfeed.

Chinese Hackers were reported as stealing secret US Navy missile plans. It was reported that Chinese Ministry of State Security hackers broke into the systems of a contractor working at the US Naval Undersea Warfare Center, lifting a massive 614GB of secret information, which included the plans for a supersonic anti-ship missile launched from a submarine. The hacks occurred in January and February this year according to a report in the Washington Post.

Elon Musk (Telsa CEO) claimed an insider sabotaged code and stole confidential company information.  According to CNBC, in an email to staff, Elon wrote I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties". Telsa has filed a lawsuit accusing a disgruntled former employee of hacking into the systems and passing confidential data to third parties. In the lawsuit, it said the stolen information included photographs and video of the firm's manufacturing systems, and the business had suffered "significant and continuing damages" as a result of the misconduct.

Elsewhere in the world, FastBooking had 124,000 customer account stolen after hackers took advantage of a web application vulnerability to install malware and exfiltrate data. Atlanta Police Dashcam footage was hit by Ransomware.  And US company HealthEquity had 23,000 customer data stolen after a staff member fell for a phishing email.

IoT Security
The Wi-Fi Alliance announced WPA3, the next generation of wireless security, which is more IoT device friendly, user-friendly, and more secure than WPA2, which recently had a security weakness reported (see Krack vulnerability). BSI announced they are developing a new standard for IoT devices and Apps called ISO 23485. A Swann Home Security camera system sent a private video to the wrong user, this was said to have been caused by a factory error.  For Guidance on IoT Security see my guidance, Combating IoT Cyber Threats.

As always, a busy month for security patching, Microsoft released 50 patches, 11 of which were rated as Critical. Adobe released their monthly fix for Flash Player and a critical patch for a zero-day bug being actively exploited. Cisco released patches to address 34 vulnerabilities, 5 critical, and a critical patch for their Access Control System. Mozilla issued a critical patch for the Firefox web browser.

NEWS

Cyber Security Roundup for April 2018

The fallout from the Facebook privacy scandal rumbled on throughout April and culminated with the closure of the company at the centre of the scandal, Cambridge Analytica.
Ikea was forced to shut down its freelance labour marketplace app and website 'TaskRabbit' following a 'security incident'. Ikea advised users of TaskRabbit to change their credentials if they had used them on other sites, suggesting a significant database compromise.

TSB bosses came under fire after a botch upgraded to their online banking system, which meant the Spanished owned bank had to shut down their online banking facility, preventing usage by over 5 million TSB customers. Cybercriminals were quick to take advantage of TSB's woes.

Great Western Railway reset the passwords of more than million customer accounts following a breach by hackers, US Sun Trust reported an ex-employee stole 1.5 million bank client records, an NHS website was defaced by hackers, and US Saks, Lord & Taylor had 5 million payment cards stolen after a staff member was successfully phished by a hacker.

The UK National Cyber Security Centre (NCSC) blacklist China's state-owned firm ZTE, warning UK telecom providers usage of ZTE's equipment could pose a national security risk. Interestingly BT formed a research and development partnership with ZTE in 2011 and had distributed ZTE modems. The NCSC, along with the United States government, released statements accusing Russian of large-scale cyber-campaigns, aimed at compromising vast numbers of the Western-based network devices.

IBM released the 2018 X-Force Report, a comprehensive report which stated for the second year in a row that the financial services sector was the most targeted by cybercriminals, typically by sophisticated malware i.e. Zeus, TrickBot, Gootkit. NTT Security released their 2018 Global Threat Intelligence Report, which unsurprisingly confirmed that ransomware attacks had increased 350% last year.  

A concerning report by the EEF said UK manufacturer IT systems are often outdated and highly vulnerable to cyber threats, with nearly half of all UK manufacturers already had been the victim of cybercrime. An Electropages blog questioned whether the boom in public cloud service adoption opens to the door cybercriminals.

Finally, it was yet another frantic month of security updates, with critical patches released by Microsoft, Adobe, Apple, Intel, Juniper, Cisco, and Drupal.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Cyber Security Roundup for February 2018

February saw over 5,000 websites infected by cryptocurrency mining malware after a popular accessibility plugin called ‘BrowseAloud’ was compromised by hackers. This led to several UK Government and Councils websites going offline, including the Information Commissioner's Office, the Student Loans Company, and Manchester City, Camden and Croydon Council website. Symantec Researchers also announced that 'Crytojacking' attacks had increased 1,200% in the UK. Cryptojacking once involved the installation of cryptocurrency mining malware on users computers, but now it is more frequently used in-browser, by hacking a website and execute a malicious mining JavaScript as the user visits the compromised website, as with the case with the 'BrowseAloud' incident.

More than 25% of UK Councils are said to have suffered a breach in the last five years according to the privacy group Big Brother Watch, who said UK Councils are unprepared for Cyber Attacks.

There was a  fascinating report released about Artificial Intelligence (AI) Threat, written by 26 leading AI experts, the report forecasts the various malicious usages for AI, including with cybercrime, and manipulation of social media and national news media agendas.

GDPR preparation or panic, depending on your position, is gaining momentum with less than 100 days before the privacy regulation comes into force in late May. Here are some of the latest GDPR articles of note.

Digital Guardian released an interactive article where you can attempt to guess the value of various types of stolen data to cybercriminals -.Digital Guardian: Do you know your data's worth?

Bestvpns released a comprehensive infographic covering the 77 Facts About Cyber Crime we should all know about in 2018.

February was yet another frantic month for security updates, which saw Microsoft release over 50 patches, and there were new critical security updates by Adobe, Apple, Cisco, Dell, and Drupal.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google Security Researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre’, when exploited by a hacker or malware, these vulnerabilities disclose confidential data. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors, kudos to them.

The UK Information Commission's Office (ICO) heavily criticised the Carphone Warehouse for security inadequacies and fined the company £400K following their 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers, was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack", where have we heard that excuse before? Certainly the ICO wasn't buying that after it investigated, reporting a large number Carphone Warehouse's security failures, which included the use of software that was six years out of day,  lack of “rigorous controls” over who had login details to systems; no antivirus protection running on the servers holding data, the same root password being used on every individual server, which was known to “some 30-40 members of staff”; and the needless storage of full credit card details. The Carphone Warephone should thank their lucky stars the breach didn't occur after the General Data Protection Regulation comes into force, as with such a damning list of security failures, the company may well have been fined considerably more by ICO, when it is granted vastly greater financial sanctions and powers when the GDPR kicks in May.

The National Cyber Security Centre warned the UK national infrastructure faces serious nation-state attacks, stating it is a matter of a "when" not an "if". There also claims that the cyberattacks against the Ukraine in recent years was down to Russia testing and tuning it's nation-state cyberattacking capabilities. 

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPeyta ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hacker's wallet, the hacker then moved currency into a different wallet platform.

In the United States, 
the Federal Trade Commission (FTC) fined toy firm VTech US$ 650,000 (£482,000) for violating a US children's privacy laws. The FTC alleged the toy company violated (COPPA) Children's Online Privacy Protection Rule by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21 and lapses in encryption was responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a high valued target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January,  the Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents have doubled in 2017 and 93% were preventable. Carbon Black's 2017 Threat Report stated non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both the professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and the number of attacks skyrocketed during the course of the year, no surprise there.  

Malwarebytes 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allows them to identify ideal attack points to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.

NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

Introduction

FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.

Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software. Zyklon also provides a very efficient mechanism to monitor the spread and impact.

Infection Vector

We have observed this recent wave of Zyklon malware being delivered primarily through spam emails. The email typically arrives with an attached ZIP file containing a malicious DOC file (Figure 1 shows a sample lure).

The following industries have been the primary targets in this campaign:

  • Telecommunications
  • Insurance
  • Financial Services


Figure 1: Sample lure documents

Attack Flow

  1. Spam email arrives in the victim’s mailbox as a ZIP attachment, which contains a malicious DOC file.
  2. The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell based payload takes over.
  3. The PowerShell script is responsible for downloading the final payload from C2 server to execute it.

A visual representation of the attack flow and execution chain can be seen in Figure 2.


Figure 2: Zyklon attack flow

Infection Techniques

CVE-2017-8759

This vulnerability was discovered by FireEye in September 2017, and it is a vulnerability we have observed being exploited in the wild.

The DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3).


Figure 3: Embedded URL in OLE object

CVE-2017-11882

Similarly, we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office. Upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object (seen in Figure 4).


Figure 4: Embedded URL in OLE object


Figure 5: HTTP GET request to download the next level payload

The downloaded file, doc.doc, is XML-based and contains a PowerShell command (shown in Figure 6) that subsequently downloads the binary Pause.ps1.


Figure 6: PowerShell command to download the Pause.ps1 payload

Dynamic Data Exchange (DDE)

Dynamic Data Exchange (DDE) is the interprocess communication mechanism that is exploited to perform remote code execution. With the help of a PowerShell script (shown in Figure 7), the next payload (Pause.ps1) is downloaded.


Figure 7: DDE technique used to download the Pause.ps1 payload

One of the unique approaches we have observed is the use of dot-less IP addresses (example: hxxp://258476380).

Figure 8 shows the network communication of the Pause.ps1 download.


Figure 8: Network communication to download the Pause.ps1 payload

Zyklon Delivery

In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded (as seen in Figure 8).

The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode. The APIs contain VirtualAlloc(), memset(), and CreateThread(). Figure 9 shows the decoded Base64 code.


Figure 9: Base64 decoded Pause.ps1

The injected code is responsible for downloading the final payload from the server (see Figure 10). The final stage payload is a PE executable compiled with .Net framework.


Figure 10: Network traffic to download final payload (words.exe)

Once executed, the file performs the following activities:

  1. Drops a copy of itself in %AppData%\svchost.exe\svchost.exe and drops an XML file, which contains configuration information for Task Scheduler (as shown in Figure 11).
  2. Unpacks the code in memory via process hollowing. The MSIL file contains the packed core payload in its .Net resource section.
  3. The unpacked code is Zyklon.


Figure 11: XML configuration file to schedule the task

The Zyklon malware first retrieves the external IP address of the infected machine using the following:

  • api.ipify[.]org
  • ip.anysrc[.]net
  • myexternalip[.]com
  • whatsmyip[.]com

The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtiil.exe, and functions as a Tor anonymizer.

Command & Control Communication

The C2 communication of Zyklon is proxied through the Tor network. The malware sends a POST request to the C2 server. The C2 server is appended by the gate.php, which is stored in file memory. The parameter passed to this request is getkey=y. In response to this request, the C2 server responds with a Base64-encoded RSA public key (seen in Figure 12).


Figure 12: Zyklon public RSA key

After the connection is established with the C2 server, the malware can communicate with its control server using the commands shown in Table 1.

Command

Action

sign

Requests system information

settings

Requests settings from C2 server

logs

Uploads harvested passwords

wallet

Uploads harvested cryptocurrency wallet data

proxy

Indicates SOCKS proxy port opened

miner

Cryptocurrency miner commands

error

Reports errors to C2 server

ddos

DDoS attack commands

Table 1: Zyklon accepted commands

The following figures show the initial request and subsequent server response for the “settings” (Figure 13), “sign” (Figure 14), and “ddos” (Figure 15) commands.


Figure 13: Zyklon issuing “settings” command and subsequent server response


Figure 14: Zyklon issuing “sign” command and subsequent server response


Figure 15: Zyklon issuing “ddos” command and subsequent server response

Plugin Manager

Zyklon downloads number of plugins from its C2 server. The plugin URL is stored in file in following format:

  • /plugin/index.php?plugin=<Plugin_Name>

The following plugins are found in the memory of the Zyklon malware:

  • /plugin/index.php?plugin=cuda
  • /plugin/index.php?plugin=minerd
  • /plugin/index.php?plugin=sgminer
  • /plugin/index.php?plugin=socks
  • /plugin/index.php?plugin=tor
  • /plugin/index.php?plugin=games
  • /plugin/index.php?plugin=software
  • /plugin/index.php?plugin=ftp
  • /plugin/index.php?plugin=email
  • /plugin/index.php?plugin=browser

The downloaded plugins are injected into: Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.

Additional Features

The Zyklon malware offers the following additional capabilities (via plugins):

Browser Password Recovery

Zyklon HTTP can recover passwords from popular web browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera Browser
  • Chrome Canary/SXS
  • CoolNovo Browser
  • Apple Safari
  • Flock Browser
  • SeaMonkey Browser
  • SRWare Iron Browser
  • Comodo Dragon Browser
FTP Password Recovery

Zyklon currently supports FTP password recovery from the following FTP applications:

  • FileZilla
  • SmartFTP
  • FlashFXP
  • FTPCommander
  • Dreamweaver
  • WS_FTP
Gaming Software Key Recovery

Zyklon can recover PC Gaming software keys from the following games:

  • Battlefield
  • Call of Duty
  • FIFA
  • NFS
  • Age of Empires
  • Quake
  • The Sims
  • Half-Life
  • IGI
  • Star Wars
Email Password Recovery

Zyklon may also collect email passwords from following applications:

  • Microsoft Outlook Express
  • Microsoft Outlook 2002/XP/2003/2007/2010/2013
  • Mozilla Thunderbird
  • Windows Live Mail 2012
  • IncrediMail, Foxmail v6.x - v7.x
  • Windows Live Messenger
  • MSN Messenger
  • Google Talk
  • GMail Notifier
  • PaltalkScene IM
  • Pidgin (Formerly Gaim) Messenger
  • Miranda Messenger
  • Windows Credential Manager
License Key Recovery

The malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero.

Socks5 Proxy

Zyklon features the ability to establish a reverse Socks5 proxy server on infected host machines.

Hijack Clipboard Bitcoin Address

Zyklon has the ability to hijack the clipboard, and replaces the user’s copied bitcoin address with an address served up by the actor’s control server.

Zyklon Pricing

Researchers identified different versions of Zyklon HTTP being advertised in a popular underground marketplace for the following prices:

  • Normal build: $75 (USD)
  • Tor-enabled build: $125 (USD)
  • Rebuild/Updates: $15 (USD)
  • Payment Method: Bitcoin (BTC)

Conclusion

Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increases the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.

At this time of writing, FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat. Table 2 lists the current detection and blocking capabilities by product.

Detection Name

Product

Action

POWERSHELL DOWNLOADER D (METHODOLOGY)

HX

Detect

SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)

HX

Detect

POWERSHELL DOWNLOADER (METHODOLOGY)

HX

Detect

SUSPICIOUS EQNEDT USAGE (METHODOLOGY)

HX

Detect

TOR (TUNNELER)

HX

Detect

SUSPICIOUS SVCHOST.EXE (METHODOLOGY)

HX

Detect

Malware.Binary.rtf

EX/ETP/NX

Block

Malware.Binary

EX/ETP/NX

Block

FE_Exploit_RTF_CVE_2017_8759

EX/ETP/NX

Block

FE_Exploit_RTF_CVE201711882_1

EX/ETP/NX

Block

Table 2: Current detection capabilities by FireEye products

Indicators of Compromise

The contained analysis is based on the representative sample lures shown in Table 3.

MD5

Name

76011037410d031aa41e5d381909f9ce

accounts.doc

4bae7fb819761a7ac8326baf8d8eb6ab

Courrier.doc

eb5fa454ab42c8aec443ba8b8c97339b

doc.doc

886a4da306e019aa0ad3a03524b02a1c

Pause.ps1

04077ecbdc412d6d87fc21e4b3a4d088

words.exe

Table 3: Sample Zyklon lures

Network Indicators
  • 154.16.93.182
  • 85.214.136.179
  • 178.254.21.218
  • 159.203.42.107
  • 217.12.223.216
  • 138.201.143.186
  • 216.244.85.211
  • 51.15.78.0
  • 213.251.226.175
  • 93.95.100.202
  • warnono.punkdns.top

Uh Oh 365

In an earlier post, I talked about how some vendors tend to push enterprises into a weaker security posture. In this post, I continue with information relating to Office 365. Microsoft’s cloud implementation of the Office suite is mind boggling in its complexity and sheer want of native connectivity. If you are using a proxy, […]

Cyber Security Roundup for December 2017

UK supermarket giant Morrisons, lost a landmark data breach court case in December after a disgruntled Morrisons employee had stolen and posted the personal records of 100,000 co-workers online, the supermarket chain was held liable for the data breach by the UK High Court. The High Court ruling now allows those affected to claim compensation for the "upset and distress" caused. Morrisons said it believed it should not have been held responsible and would be appealing against the decision. If the appeal is lost it could open up the possibility of further class action lawsuits cases by individuals. Pending the GDPR becoming law in May 2018, such a court ruling sets a legal precedent for individuals to claim damages after personal data losses by companies through the courts as well. After May 2018, the GDPR grants individuals the right sue companies for damages following personal data breaches. So we can expect 'ambulance chasers' lawyers to pick up on this aspect of the GDPR, with class action lawsuits following data breaches, it well could become the new "P.P.I. industry"

Any businesses or individuals using Kaspersky should be aware the UK National Cyber Security Centre has warned government agencies against using the Russian supplier’s products and services, which follows a ban by US government departments in November. Barclays responded to the warning by stopping their free offering of Kaspersky anti-virus products to its customers. 2017 saw Cyber Security become a political football, so it is no real surprise that the UK and US once again blamed North Korea for the devasting WannaCry attacks earlier in the year, personally, I blame poor patch management and hackers, not the North Korea cyber army!

Nadine Dorries MP got herself in hot water after trying to defend now former political colleague Damian Green, following claims of Mr.Green accessed porn on his Parliment computer. This was activity was reported by a retired Police officer, which was said to be a breach of the data protection act. Nadine tweeted "my staff log onto my computer on my desk with my login everyday" to suggest anyone could have used Damian Green's PC to access the illicit websites. This led to widespread condemnation and a warning by ICO to MPs on password sharing. 

The fact illicit websites were not blocked by Parliament systems is one concerning lack security issue, but the flagrant disregard for basic cybersecurity by government MPs is gobsmacking, especially when you consider they are supposed to be understanding the risk and setting laws to protect UK citizens from cyber attacks and data breaches. Its another "slap palm on head" after the last UK Prime Minister announced he wanted to ban encryption.

2017 has seen huge rises in cryptocurrencies values, which has placed cryptocurrency brokers and user crypto coin wallets in the sights of cybercriminals. This month mining platform NiceHash was breached by hackers, who stole £51 million worth of Bitcoin and Bitcoin exchange Youbit, which lets people buy and sell Bitcoins and other virtual currencies, shut down and filed for bankruptcy after losing 17% of its assets in the cyber-attacks. I think we can expect further cryptocurrencies attacks in 2018 given the cryptocurrency bubble is yet to burst.

Faked LinkedIn profiles are nothing new, however, the German Intelligence Agency (BfV) said it had spotted China were using faked LinkedIn profiles to connect with and gather information on German officials and politicians, which is an interesting development.

Finally, Hackers were reported as taking advantage of poorly secured systems at UK private schools, and it was claimed hackers could turn off heating systems at UK schools and military bases.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were British riders and drivers. As a UK Uber rider, this could mean me, I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond, the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patches releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So just keep patching everything IT to ensure you and your business stays ahead of enterprising cybercriminals, the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw Open Web Application Security Project (OWASP) finally released an updated version to its Top Ten application vulnerabilities list, which is a ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for an updated OWASP Top Ten IBM DeveloperWorks Guidance from me in December to reflect the updated list.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Acknowledgement of Attacks Leveraging Microsoft Zero-Day

FireEye recently detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office documents exploiting the vulnerability that download and execute malware payloads from different well-known malware families.

FireEye shared the details of the vulnerability with Microsoft and has been coordinating for several weeks public disclosure timed with the release of a patch by Microsoft to address the vulnerability. After recent public disclosure by another company, this blog serves to acknowledge FireEye’s awareness and coverage of these attacks.

FireEye email and network solutions detect the malicious documents as: Malware.Binary.Rtf.

Attack Scenario

The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.

The vulnerability is bypassing most mitigations; however, as noted above, FireEye email and network products detect the malicious documents. Microsoft Office users are recommended to apply the patch as soon as it is available. 

Acknowledgements

FLARE Team, FireEye Labs Team, FireEye iSIGHT Intelligence, and Microsoft Security Response Center (MSRC).

Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

Attack Process

The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

  1. Target receives and opens a Word document.
  2. Macro in document is invoked to run PowerShell in hidden mode.
  3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
  4. On successful connection, the ransomware is written to the disk of the victim.
  5. PowerShell executes the ransomware.
  6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, startup.run and runonce registry entries.
  7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
  8. Files are encrypted and messages are presented to the user requesting payment.

Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

PowerShell Abuse

When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

In this case we observed the macrocode calling PowerShell to bypass execution policies – and run in hidden as well as encrypted mode – with the intention that PowerShell would download the ransomware and execute it without the knowledge of the victim.

Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

Cerber in Action

Initial payload behavior

Upon execution, the Cerber malware will check to see where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\&#60GUID&#62), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen randomly and obtained from the %WINDIR%\system32 folder.

If the malware is launched from the specific aforementioned folder and after eliminating any blacklisted filenames from an internal list, then the malware creates a renamed copy of itself to “%APPDATA%\&#60GUID&#62” using a pseudo-randomly selected name from the “system32” directory. The malware executes the malware from the new location and then cleans up after itself.

Shadow deletion

As with many other ransomware families, Cerber will bypass UAC checks, delete any volume shadow copies and disable safe boot options. Cerber accomplished this by launching the following processes using respective arguments:

Vssadmin.exe "delete shadows /all /quiet"

WMIC.exe "shadowcopy delete"

Bcdedit.exe "/set {default} recoveryenabled no"

Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures

Coercion

People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

Figure 2. A message to the victim after encryption

The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.

 

 

Figure 3. Ransom offered to victim, which is discounted for five days

Multilingual Support

As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

Figure 4.   Interface provided to the victim to pay ransom supports 12 languages

Encryption

Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as. ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

Selective Targeting

Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

The attack also checked a system's keyboard layout to further ensure it avoided infecting machines in the attackers geography: 1049—Russian, ¨ 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri, (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

Anti VM Checks

The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.

Persistence

Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

  • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
  • The “CommandProcessor” Autorun keyvalue is changed to point to the Cerber payload so that the malware will be launched each time the Windows terminal, “cmd.exe”, is launched.
  • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware and Windows will execute the file immediately after the infected user logs in.
  • Common persistence methods such as run and runonce key are also used.
A Solid Defense

Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.

FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.

Conclusion

Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

Traditional defenses don’t have the granular view required to do this, nor can they connect the dots of discreet individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has, or is, transpiring. This can only be done if those professionals have the right tools and the visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real-time. Also, at FireEye, we go one step ahead and contact relevant authorities to bring down these types of campaigns.

Click here for more information about Exploit Guard technology.

Active Directory Unification and Attribute Cleanup

I recently posted about Active Directory Unification. The main points were (1) that there is value in AD consolidation and (2) that there's a right way to do it to meet the intended goals.

Sander Berkouwer posted earlier this month on Active Directory attribute integrity. He makes the point that with all the tools Microsoft provides to enable tighter management of identities and access (FIM, ADFS, ADRMS, DAC), Active Directory Cleanup is more important than ever. Berkouwer writes:
"When these attributes are inconsistent, access to files, apps, partners and cloud functionality becomes inconsistent. If you think it won’t happen to you, think twice. During the first internal Microsoft deployment of Dynamic Access Control, attribute inconsistency was the first encountered problem."
Absolutely.

Most people that I speak with jump into the benefits that cleanup will have on the AD Unification process. The reality is that the real value of cleanup is enabling the right functionality and access controls after the unification process is complete. (Of course, as I wrote, it's never really complete - it's not a onetime event.)

It's worth making the distinction.