Category Archives: Microsoft

Security News for the Week Ending April 15, 2022

Cyber Command Says Chip Shortage is a National Security Issue

The head of U.S. Cyber Command, General Paul Nakasone, told Congress that China’s continued progress towards domestic chip production is a problem. If China achieves chip independence, that puts them in a position to do what they want and not worry about sanctions. For example, they could cut off our access to precious metals that we need to produce chips ourselves. Credit: Cyber Scoop

Russian Crooks Worried Sanctions Will Delete Their Ill-Gotten Gains

Russian crooks are nothing if not capitalists. They are worried that sanctions could impact their net worth and they are chattering about that on the underground web. They are worried about funds in Russian banks and how much their Rubles might not be worth in six months. I am so sad for them. Not. Of course, that might mean the Russian mob might do some kinetic adjustments themselves. Credit: Cyber News

CISA Advises D-Link Users to Take Vulnerable Routers Offline

CISA is really rocking when it comes to telling folks about bad stuff. The newest vulnerabilities are a remote code execution on a whole family of D-Link routers. Unfortunately, they have reached their end of support, so D-Link not going to fix them. Users all the time ask why they have to replace working hardware that has reached end of life. The answer is because you want to keep the bad guys out. If you don’t care, keep using them. You can rest easy that the hackers are scanning the Internet looking for these routers – that will never be patched. Credit: Malware Bytes

New Bug in MS RPC Runtime – Zero-Click Remote Code Execution

CVE 2022-26809 has emerged just a couple of days after patch Tuesday. It is a remotely exploitable, unauthenticated, zero-click (no user interaction) remote code execution bug. It doesn’t get much worse than that. The bug is in the Microsoft Remote Procedure Call runtime and affects multiple Windows versions. If you block port 445 at your firewall (both in and out, which you should), that will stop direct external attacks, but it won’t stop attacks from a compromised workstation. Credit: Helpnet Security

Reminder: 3G Cell Networks Shutting Down. Old Devices Will Stop Working

Wireless spectrum is scarce. Buying it from someone else is very expensive. What are the carriers doing? Reusing old spectrum. The carriers have already shut down their 2G networks. Next comes their 3G networks. That means that old cars that talk to the Internet will stop talking. Alarm systems will stop sending alarms if they can only talk 3G (there may be a box that your alarm company can add to your system to fix this). Medical devices may stop talking to your doctor. Depending on the carrier, the shutdown has already begun. AT&T turned theirs off in February. Verizon is at the end of the year. If you have anything that uses the cell network, now is the time to check. Credit: ZDNet

New Attack Exploits Microsoft Software Signing Verification

Software released by Microsoft and other vendors is digitally signed so that users can validate that it really came from the vendor in question and that it has not been modified since the vendor created it.

However, hackers have figured out how to bypass the security provided by Microsoft’s digital signature verification process, allowing them to add malware while leaving the signature intact.

According to security firm Check Point, here is how the malware that they have detected works. The problem is, however, much bigger than this. Now that the technique is public, this could be used to modify any already signed software leaving the signature intact.

This particular attack begins by installing Atera software on a victim’s machine. Atera is a legitimate remote maintenance product (like Kasaya, which was compromised last year) used by Managed Service Providers (MSPs). In this case, the victim did not know that they were installing Atera; they thought they were installing a Java update.

Check Point is still trying to figure out exactly how the Atera software was deployed in this case, but in earlier cases, the hacker played a short click of adult content and then told the victim that they needed to install this Java update, which was really malware.

Once the Atera software is on the victim’s computer, the hacker tells Atera to download and run two batch files. One changes Window’s Defender’s preferences to not check certain folders and filetypes and the other installs the malware.

Next the attacker runs MSHTA with a particular DLL as the parameter. The catch is that the DLL had malicious scripts added to it. Due to an oversight by Microsoft, adding the script does not invalidate the signature.

Microsoft FIXED this bug in 2013 – that’s right, 9 years ago, but they changed it in 2014 after discovering that it broke some customer software. Microsoft, in its always effort to be customer friendly, decided to totally compromise their customers’ security rather than telling their customers to re-sign their software.

Now that decision is coming back to bite them in the ….. (fill in the blank).

It looks like the way their disabled it was to change the install of the fix (for CVE-2020-1599, CVE-2013-3900 and CVE-2012-0151) from mandatory to optional. As a result most users do not have it installed.

The fix is to install the update, understanding that it is possible that it might break some stuff: Microsoft Security Advisory 2915720 | Microsoft Docs .

Credit: MSN and Dark reading

Security News for the Week Ending October 15, 2021

Microsoft Investigating Multiple Windows 11 Issues

While some of the issues are not fatal, others like a memory leak in File Manager that can only be recovered from by rebooting are more of a problem. I recommend waiting for a month or two in order for other users to detect more bugs. Credit: Bleeping Computer

Feds Arrest Nuke Navy Engineer for Selling Nuke Secrets to Foreign Power

A Navy nuclear engineer stole restricted data for a Virginia class nuclear submarine and tried to sell it to a foreign power. For whatever reason, the person that he contacted in the unnamed country shared his letter with the FBI. They strung him along for a while as he made several dead drops of data and they paid him cryptocurrency until they arrested him last week. He was able to smuggle the documents out past security, which just shows how hard it is to actually secure against a determined adversary. Credit: The Register

An unintended Consequence of Covid Vaccine Passports

The UK is one place where vaccine passports are required. The app that runs on people’s phones is managed by the National Health Service or NHS. The app has a barcode that security at the airport can use to check a passenger’s vaccine status. No proof of vaccine or negative Covid test and you can’t get on that plane. Which is great until the app’s backend database crashes like it did today. For about 4 hours. Heathrow came to a standstill. One journalist reported that she was offered a later flight for a 250 Pound fee. Oh, yeah, and she would need to take and pay for a rapid Covid test for another 119 Pounds. She opted not to fly. Another passenger tried using his paper vaccine card, but security would not accept it. The app has an offline mode or you could screenshot the barcode, but those only work if the app is running. Unintended consequences. Credit: BBC

Treasury Links $5 Billion in Bitcoin to Ransomware

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has done some trolling on the Bitcoin blockchain. Anyone who thinks that bitcoin is anonymous does not understand how that works. They identified Bitcoin wallet addresses after analyzing suspicious activity reports (SARs) that banks send in. This has nothing to do with actually recovering any money. If they put those wallets on the banned list then the hackers will create new wallets (which they should be doing anyway to make things harder to track). It is probably a good thing for them to do because a lot of crooks are stupid and those are the ones that they might catch out of this. Credit: Bleeping Computer

Fallout From the Epik Hack

Epik, as I reported earlier, is a domain registrar that is kind of a last resort for people who can’t get another registrar to manage their domain – along with many vanilla domains. Epik supports a number of conspiracy theory and alt-right domains because they say that they are neutral in the battle. As a result of being hacked, a lot of data which people would like to remain private became public. As a result of that, people are being fired and businesses are losing customers. One person, who’s information was disclosed, continued the conspiracy theory tactic and said that the data was easily falsiable (who did this – Epik or the hackers – and why?), that he was the possible victim of extortion and the newspaper that reported the information was “fake news”. Possible, but that is likely not going to help some people who get outed. Credit: The Washington Post

Remember When Microsoft Said Windows 10 Was the Last Version? Just Kidding!

Microsoft did learn something from Windows 10 – don’t mess with their cash cow. They will continue to work on Windows 10 for the enterprise with a new release in the fall and cumulative updates for years.

But for consumers eager for the next new shiny object – Windows 11, here we come. For early adopters, it will be available on the ‘dev’ channel next week with a release in the fall.

I am not sure if Microsoft has run out of things to do with Windows, but they are touting Win 11 features like rounded corners, colorful icons, new animations and UI controls. With new features like that, you can see why enterprises are likely to stick with Windows 10.

Of course, improving stability, memory management and task scheduling are not sexy – but very important to the enterprise. Getting rid of that 25 year old code that is still in Windows – nah!

I don’t know; maybe I will become a believer after I see it, but so far, I am not impressed.

It seems like they are tweaking at the margins. Some new features include:

In addition to the user interface refresh, Windows 11 also introduces many new features, including a redesigned floating and centered Start Menu, a revamped windows snapping feature called Snap Groups, a new and improved Windows Clipboard, modern disk management, redesigned settings screen, and much more.

Finally, they ARE killing off some of that 25 year old code. Companies that still run apps that require Internet Explorer will NOT be able to run Windows 11 except with Edge compatibility mode. Given that IE is a hacker’s delight, removing that is good.

Credit: Bleeping Computer

Windows 11’s file explorer boasts rounded corners and new icons, but will it crash less? They aren’t saying.

They are finally adding a way to manage your webcam without having to install third party apps. That is nice.

They are also adding support for DNS over HTTPS, a nice security feature.

Credit: Bleeping Computer

Now here is an interesting feature. Apparently, Windows 11 will have an Android emulator* so that you can run any Android app (no, not iPhone apps, Apple probably would get upset if they did that). That means all sorts of games and productivity apps that people run on their phones will run on your PC too.

* The emulator is really not an emulator but a post compiler that allows apps to run natively . If this is true, that means that app performance should be good.

Credit: Bleeping Computer

Some things will be going away in Windows 11, although you may be able to load them from the app store if you insist, including:

IE, Timeline, Tablet mode, Wallet, 3d viewer Paint 3D, One Note, Skype, Cortana, Windows 10 S mode and others.

Not going to miss any of these.

Credit: Bleeping Computer

Why The Microsoft Exchange Email Hack is So Bad

The media continues to report on the Microsoft Exchange hack, likely perpetrated by China. Reports are that at least 30,000 Exchange servers in the United States are impacted and some people say that number is likely way underestimated. On top of that, the number of servers worldwide is maybe ten times that number.

Given all the media attention, you would think that everyone would, at least, install the patches. It appears that AT LEAST 46,000 servers are not patched, according to The Record.

So why is this a big deal? First, the attackers could read any email on those servers. Whatever that might contain. One organization affected was the European Banking Authority. They say that no data was accessed. Sure, we believe them.

Second, the attackers, in many cases, left behind a present called a web shell. It is a way for the attackers to get back in to the server later. Many of our IT partners decided the only way to make sure that the hackers are really out is by rebuilding the servers from bare metal, not a simple task, especially if you have to do that to tens of thousands of servers.

So lets look at the timeline involved. We are getting more details every day and this timeline is interesting. This timeline comes from Brian Krebs, who Chris Krebs, former head of DHS CISA called his brother from another brother (i.e. they are not related).

Security testing firm Devcore says they alerted Microsoft on January 5 – two months ago.

On January 6th, Veloxity spots attacks that use unknown Exchange bugs

On January 8th, Devcore told Microsoft that they had been able to reproduce the bug.

On January 27th Dubex tells microsoft about new attacks on Exchange servers.

On January 29th, Trend Micro reports in their blog about these web shells infecting Exchange servers, but incorrectly says this was allowed by a bug patched last year.

In February, Microsoft tells the folks who reported the bug that they had escalated the problem and that they had a target release date of March’s patch Tuesday, March 9th.

By the end of February, the cat is out of the bag (it is hard to keep good news secret) and security folks are seeing global mass scans of Exchange servers looking for vulnerable systems.

This forces Microsoft’s hand and they released the patches a week before they planned to, now on March 2.

By March 3rd, tens of thousands of Exchange servers have been compromised. Once the patch is out, especially knowing that it is an emergency patch, hackers worldwide reverse engineer the patch, likely within hours of it being released.

By this time it is a national security emergency and everyone from CISA (who told government agencies that they had 48 hours to patch their servers or shut them down) to the White House to the National Security Advisors are sounding the alarm bell.

On March 5th, Chris Krebs, former head of DHS CISA says that the real number of compromised servers dwarfs the numbers being reported.

Needless to say, this is a big problem.

A couple of interesting footnotes.

Microsoft says that Office 365 was not compromised. Why? Don’t know. Possibly their server configuration is different. Possibly, since they knew about the bugs in early January, they were able to tweak their security before the word got out. I vote for number 2. Apparently at this point, now that we know how the attacks work, it is easy to block new attacks.

Second, Microsoft released patches for every supported version of Exchange. That means that the bug goes back, at least, to 2013.

But wait. Microsoft even patched an unsupported version of Exchange – Exchange 2010. That means that the bugs go back at least a decade. Possibly more.

Now here is the answer that we don’t have.

Were these bugs being quietly exploited for years? Remember if you do it quietly, you probably won’t get noticed.

If so, by whom?

China?

Russia?

Private hackers?

The NSA, CIA, Others?

Foreign intelligence agencies – friendly or not?

And if so, what have they stolen?

Likely we will never know the full extent of the attack, but between the SolarWinds hack and the Microsoft Exchange attack, one thing should be clear. We came to a gun fight with a spoon. And if we do not improve on our security efforts, we are going to continue to lose.

Security News for the Week Ending Jan 1, 2021

Happy New Year. May 2021 be more sane than 2020.

Microsoft Says Goal of Solar Winds Attack Was Your Cloud Data

Microsoft says that the objective of the Solar Winds Hackers was to get into a number of organizations and then pick and choose which ones to attack, leaving the back door in place at the others for future operations. One way to do that was to generate SAML login tokens from inside the network and then use those tokens to gain access to cloud resources, including, but not limited to email. The article also provides more information on how to detect if the hackers did compromise your cloud resources. Credit: Bleeping Computer

“Swatting” Moves to the Next Level

Swatting, the practice of calling in a fake 911 call so that SWAT teams are deployed to the victim’s location based on, say, a fake kidnapping, are moving to the next level. As if having the police show up unexpected with lots of guns and breaking down your door isn’t bad enough, now the perpetrators are taking advantage of the fact that people choose crappy passwords and are watching and listening to the police assault on the victim’s own smart devices. On occasion, the situation becomes deadly when the police, not really knowing what to believe, shoot the victim. On rare occasions, the swatters, as they are called, are caught and prosecuted. Credit: Bleeping Computer

I Think The Wasabi Got a Little Too Hot

Wasabi, the cloud storage competitor to Amazon S3 that claims that it is significantly cheaper than Amazon and 99.999999999% reliable just got a little less reliable. Their domain registrar notified them of some malware hosted on one of their domains. Only they sent the email to the wrong email address. The registrar, following normal procedures, suspended their domain for not responding to an email they never got, knocking many of their customers offline.

After Wasabi discovered they had been DDoSed by their domain registrar, they suspended the offending customer and asked to get their domain back. That process took over 13 hours. Are you ready for this kind of attack from your suppliers?

That attack probably knocked several of those 9’s off their reliability, depending on how the mess with the data.

Credit: Bleeping Computer

Solar Winds Troubles Are Not Over

A second piece of malware called SUPERNOVA and a zero-day vulnerability that it exploited makes it look like there may have been a second attack against Solar Winds. This appears to be a separate attack from the Russian attack. The attack vector is different too – this is not an attack against Solar Winds code base. This spells additional trouble for Solar Winds. Credit: Security Week