Microsoft & NSA Confirm Killer Windows 10 Security Flaw, Patch Released

Posted by on Jan 16, 2020 in Tech Talk | Comments Off on Microsoft & NSA Confirm Killer Windows 10 Security Flaw, Patch Released

Article Courtesy of CNET

Instead of keeping a potential hacking resource to itself, the US National Security Agency alerted Microsoft to a serious security flaw in the Windows 10 operating system that could open computers to major breaches or surveillance. The NSA said the flaw is severe and that hackers will understand very quickly how to exploit it.

“The consequences of not patching the vulnerability are severe and widespread,” the NSA said in an advisory Tuesday.

Translation: Update your Microsoft systems immediately to avoid hacking.

Microsoft issued a patch Tuesday for the flaw, which was first reported by The Washington Post. The flaw affects devices running the Windows 10 operating system, as well as the Windows Server 2016 and 2019 operating systems. Using the flaw, attackers could create an exploit that creates fake security certificates, giving them a free pass to run malicious software on Windows devices while looking legitimate to the system.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said in its description of the vulnerability.

In other words, if your computer’s security systems are like a bouncer in front of a nightclub, a spoofed security certificate is like a fake ID for sneaky malware, said Tenable cybersecurity researcher Satnam Narang. With the spoofed certificate, he said, malware “can enter the club, so to speak.”

Cybersecurity researchers also expressed concern Tuesday that the flaw could let attackers compromise communications secured with encryption as they travel from sender to recipient, something that relies on a protocol known as TLS. “If you are a developer of an app that’s using TLS, I would also be thinking hard right now about the impact of this issue on your threat model,” said Dmitri Alperovitch, CTO of cybersecurity firm Crowdstrike, on Twitter.

The company released this month’s updates and technical information as part of its regular Update Tuesday. It’s the first time Microsoft has credited the NSA for reporting a security flaw, according to security expert Brian Krebs.

The cooperation between the NSA and Microsoft is a promising development, said Michael Kaiser, former executive director of the National Cyber Security Alliance. As part of his work, Kaiser helped small- and medium-sized businesses address cybersecurity, and he says the level of trust and sharing between businesses and government was very low 10 years ago. This could be a sign that things are improving.

“You can’t make the world more secure unless you share these kinds of things,” Kaiser said.

Microsoft said in its description of the vulnerability that it hasn’t seen active exploitation of the flaw. The NSA has previously developed hacking tools using flaws in Microsoft systems, including an exploit called Eternal Blue. The NSA’s exploit was stolen by hackers and used by criminals in a series of ransomware attacks that hit cities in the US and beyond.

News of Tuesday’s security flaw comes the same day that Microsoft is ending support for Windows 7. The company has encouraged people to upgrade to Windows 10 to keep their PCs and laptops secure.


To install the latest Windows 10 Security Patch, follow the steps below or contact our Team for assistance.


How Microsoft’s Windows 10 Privacy Update Could Impact You

Posted by on Apr 27, 2018 in Tech Talk | Comments Off on How Microsoft’s Windows 10 Privacy Update Could Impact You


Windows Insider Program participants will now be able to view and manage their Microsoft accounts via a newly released, diagnostics-based privacy dashboard.

Dubbed “The Windows Diagnostic Data Viewer,” the new dashboard (which is still in beta) gives Microsoft Windows 10 users the ability to see, search, and make changes to diagnostic data associated with their accounts.

For example, users will be able to monitor the different operating systems associated with the account, including which version of the OS is installed, on which devices the OS is installed, and how the devices are performing—both from a network management and a physical hardware perspective.

This dashboard gives families and small businesses the ability to monitor their Microsoft account for deviations from normal performance. Say, for example, that your account is being accessed by a device in a foreign country to which you’ve never traveled. The dashboard lets you proactively disable the account or contact Microsoft to further investigate; the same can be said for unknown Wi-Fi and Bluetooth connections.

The Windows Diagnostic Data Viewer also provides some oversight into which applications, services, settings, and preferences have been installed on the device. Users will see a list of the characteristics and can take appropriate action if something appears to be amiss. All features and data listed in the dashboard can be searched and filtered to provide users with a more streamlined approach to investigating.

“We believe in the timeless value of privacy. We are on a journey with our customers and fully committed to putting them in control of their data, and providing the information they need to make informed decisions about their privacy,” said Marisa Rogers, Windows & Devices Group (WDG) Privacy Officer at Microsoft.

“The Diagnostic Data Viewer is the next step in helping customers and customer advocates verify the commitments in our online documentation,” Rogers continued. “The Activity History in the dashboard provides a new aggregated view of the data associated with a customer’s Microsoft account. We will continue to listen to input from our customers and customer advocates to refine privacy experiences for our customers.”


Microsoft Privacy Dashboard

The company also added new features to its pre-existing Microsoft Privacy Dashboard. Users can now view and manage data consumption on the same page as product and service activity. This gives users an easier way to compare and contrast normal usage versus anomalies within the system (as opposed to tabbing back and forth between pages).

Also, any data within the dashboard can be exported from the account for offline viewing. Users can even delete specific items from the dashboard should their media consumption cause a bit of embarrassment with family members or co-workers.

Microsoft’s Data Collection

Microsoft has traditionally collected diagnostic data to ensure OSes are functioning properly, both from a performance and security perspective. In addition to the data referenced above, Microsoft also collects browsing history, inking, typing, and speech utterance data. With this week’s releases, Microsoft wants you to be able to see and proactively monitor this data on your end as well, according to a company statement.

Earlier this month, Microsoft announced it would add additional privacy settings to the Microsoft Windows 10 Creators Update setup experience (scheduled for this spring). With the changes, users will be presented with a full-page screen that will give them the option to turn off location- and speech-based services, diagnostics reporting, and personalized advertising. Late last year, Microsoft updated the Windows Defender Security Center built in to Windows 10 to provide diagnostic abilities, endpoint protection, parental controls, SmartScreen Filter, and Windows Firewall.

Of course, most of the privacy controls Microsoft currently enables come as the result of loud and consistent protests by users, government agencies, and consumer rights groups about data collection and user privacy. In years past, the Electronic Frontier Foundation (EFF) has argued that Microsoft was aggressive in pushing Microsoft Windows 10 on users in order to collect more data than the company had with previous OSes.

“Microsoft should come clean with its user community. The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single, unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward and not try to bypass user choice and privacy expectations,” Amul Kalia, Analyst and Intake Coordinator at the EFF, wrote in an August 2016 blog post.


Story Provided by PC Review

ESET wins two Cyber Defense Magazine InfoSec Awards at RSA 2018

Posted by on Apr 16, 2018 in Tech Talk | Comments Off on ESET wins two Cyber Defense Magazine InfoSec Awards at RSA 2018

April 16, 2018

As RSA 2018 kicks off in San Francisco, Cyber Defense Magazine announced today that IT security leader ESET is taking home two of their annual InfoSec Awards.

ESET was the sole winner in the InfoSec Research category, and one of the winners in the Best Endpoint Security category.

In its 30 years of business, ESET has excelled in both technology innovation and malware research, and now protects over 110 million users across the globe.  

ESET’s global research team has long been revered for the work it has done tracking, analyzing and communicating cyber threats. From cyber-espionage groups, to nation-state attackers, ESET has been behind some of the most important and influential research including Industroyer and Petya/NotPetya.

In June 2017, ESET released its findings on Industroyer (discovered by ESET), which was the first piece of malware that demonstrated the ability to control electrical substations. Industroyer caused a blackout in Kiev, Ukraine. ESET’s discovery was critically important in the realm of industrial control cybersecurity (ICS) as it exemplified how malware can negatively impact physical ICS controls.

ESET Endpoint Security is used by some of the most iconic brands in the world, and has steadily incorporated layered technology and machine learning. Gartner recently awarded ESET with the Gartner Peer Insights Customer Choice Award for Endpoint Protection Platforms. ESET Endpoint Security was also one of the few security products that actually stopped the spread of the outbreak of WannaCry due to its innovative AI-based Network Attack Protection module, a layer of security that ESET introduced in 2015.

“With cybercrime continuing to gain momentum, surpassing global drug crime last year and reaching over $600 billion in theft and damages, we are proud to see this company as an award-winning innovator, offering a new approach to defeat these criminals,” said Pierlugi Paganini, editor in chief, Cyber Defense Magazine.



Researchers Uncover Polymorphic AutoRun Worm

Posted by on Feb 21, 2013 in Tech Talk | 0 comments

W32/Autorun.worm.aaeb-h is an evolved, virtual machine-aware AutoRun worm that makes use of obfuscation and polymorphic techniques in order to evade detection and infect removable media and mounted network shares, according to McAfee.

Researchers have seen an increase in samples for the year-old malware family, which is compiled in Visual Basic 6. This family of malware generally compromises machines through drive-by downloads or spam and ends up looking like any other thumb-drive-infecting AutoRun worm. W32/Autorun.worm.aaeb-h is the most complicated virus among known members of this family. Its authors have upped their game with this latest version by encrypting all the important strings with one, or in some cases two, rounds of the RC4 cipher using a randomly generated encryption key. McAfee’s Sanchit Karve notes that earlier variants stored much of their code in plain text.

The initial infection requires that users either willingly execute the malicious file directly or navigate to a folder storing the files. Once a machine is compromised, the malware writes an “autorun.inf” file so that it can automatically execute itself on any machines with AutoRun enabled as the worm spreads. Researchers have also observed the malware copying itself to Zip and RAR archive files and downloading new software from its command and control server.

The worm also marks relevant directories on affected drives as hidden. It then copies itself under the name of that hidden directory, and also as “secret.exe,” “sexy.exe,” “porn.exe,” and “passwords.exe,” among other apparently alluring names, in what McAfee says is an attempt to trick new users into running the malicious executables.

Whoever is responsible for this worm is packaging it with VB6 projects in order to make it seem like legitimate software. Most of the payload files themselves are originating from the Zbot and BackDoor malware families.

Joomla Sites Hit by IFrame Injection Attacks

Posted by on Dec 14, 2012 in Tech Talk | 0 comments

Users of the popular Joomla content management system are being urged by security experts to upgrade to the latest version after reports of exploits being used to compromise websites built on the platform.

The SANS Internet Storm Center received numerous reports that Joomla sites, as well as WordPress sites, had been compromised and iFrames had been injected that were pointing visitors to malicious sites.

“The interesting thing to note is that it doesn’t seem to be a scanner exploiting one vulnerability, but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits,” said ISC handler John Bambenek.

Joomla sites built with extensions were, in particular, being exploited, Bambenek said.

The ISC report identified a pair of IP addresses, and, as the biggest offenders. The exploits, Bambenek said, were loading scareware on victims’ computers.

German security and tech site The H reports that the German Computer Emergency Response Team (CERT-Bund) also confirmed attacks emanating from Joomla sites. CERT-Bund said the iFrame points visitors to a Sutra Traffic Distribution System that eventually lands them on a site hosting an exploit kit.

In September, Joomla warned of a series of automated attacks against the Joomla Content Editor versions 2.0.11 and earlier that were infecting websites with malicious content. The attacks were dropping malicious GIF images; attackers were able to attack the front end without authentication, Joomla said at the time in an advisory.

The GIF is a PHP shell which gives the attacker a launchpad for further Java exploits such as redirecting visitors to a malicious site, spam or phishing attacks, or unauthorized database access.

The H added that traffic distribution systems are channels used by attackers to buy and sell Web traffic. Visitors clicking on a particular link would be redirected by the TDS to the vendor, which in this case would sell the traffic to the attacker.

New Linux Rootkit Emerges

Posted by on Nov 20, 2012 in Tech Talk | 0 comments

A new Linux rootkit has emerged, and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or to be meant for use in targeted attacks.

The new Linux rootkit is loaded into memory and once there, it pulls out some memory addresses and then stores them for use later. It also then hooks into several kernel functions as a way to hide some of its files on the machine.

“To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to,” Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.
“The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes uninitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored.”
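The encoding quirk in the quoted analysis, as an added illustration that is not part of the CrowdStrike write-up or of this article: it builds the 20-byte patch described above into a local buffer, decodes it the way the CPU would (which is also what a prologue scanner looking for e9 hooks does), and shows that the 8-byte little-endian write only lands correctly while the displacement fits in a signed 32-bit rel32. All addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATCH_LEN 20  /* 1 opcode byte + the 19 bytes copied behind it */

/* Correct rel32 for a 5-byte "jmp rel32" at 'from' landing at 'to':
 * the displacement is measured from the end of the instruction. */
static int32_t jmp_rel32(uint64_t from, uint64_t to)
{
    return (int32_t)(int64_t)(to - (from + 5));
}

/* Reproduce the write described in the analysis, into a caller-supplied
 * buffer only: an 8-byte (64-bit) offset followed by 11 bytes the rootkit
 * never initialised (filled with 0xcc here so the layout is visible). */
static void sloppy_patch(uint8_t out[PATCH_LEN], uint64_t from, uint64_t to)
{
    uint8_t stack_buf[19];
    int64_t off64 = (int64_t)(to - (from + 5));
    memset(stack_buf, 0xcc, sizeof stack_buf);
    memcpy(stack_buf, &off64, sizeof off64);  /* little-endian on amd64 */
    out[0] = 0xe9;
    memcpy(out + 1, stack_buf, sizeof stack_buf);
}

/* What a prologue scanner does: if the function starts with e9, decode the
 * rel32 the CPU will actually use (only the 4 bytes after the opcode) and
 * return the jump target. Returns false when the prologue is not hooked. */
static bool decode_hook_target(const uint8_t *code, uint64_t code_addr,
                               uint64_t *target)
{
    int32_t rel;
    if (code[0] != 0xe9)
        return false;
    memcpy(&rel, code + 1, sizeof rel);   /* CPU reads rel32 little-endian */
    *target = code_addr + 5 + (uint64_t)(int64_t)rel;
    return true;
}

/* Does the sloppy 8-byte write land where a correct 4-byte write would?
 * True exactly when the displacement fits in int32: the high 4 bytes are
 * then pure sign extension that the CPU never reads. Out of that range the
 * decoded target differs from 'to', i.e. the "lucky" jump misses. */
static bool sloppy_patch_lands_at(uint64_t from, uint64_t to)
{
    uint8_t patch[PATCH_LEN];
    uint64_t decoded;
    sloppy_patch(patch, from, to);
    return decode_hook_target(patch, from, &decoded) && decoded == to;
}

/* Constructed, unhooked prologue: push rbp; mov rbp, rsp */
static const uint8_t clean_prologue[4] = { 0x55, 0x48, 0x89, 0xe5 };

int main(void)
{
    /* Constructed kernel-text and module addresses. */
    uint64_t from = 0xffffffff81123450ULL, to = 0xffffffffa0001000ULL, t;
    printf("rel32 = 0x%x\n", (uint32_t)jmp_rel32(from, to));
    printf("in-range sloppy patch lands at target: %d\n",
           sloppy_patch_lands_at(from, to));
    printf("far target (> 2 GiB) still lands: %d\n",
           sloppy_patch_lands_at(0x400000ULL, 0x7f0000000000ULL));
    printf("clean prologue flagged as hooked: %d\n",
           decode_hook_target(clean_prologue, from, &t));
    return 0;
}
```

Kernel text and loadable modules normally sit within 2 GiB of each other on amd64, which is why the accidental 64-bit write happened to work for the rootkit's author.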

The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said that his site had been targeted by the malware and some of his customers had been redirected to malicious sites.

The rootkit, like many pieces of malware, relies on a remote command-and-control server for some instructions. The server is still active right now and researchers said that it has some other related tools stored on it, as well. In order to inject the iframes onto targeted sites the rootkit uses a custom method.

“The iFrame injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg – which is responsible for building TCP packets – with its own function, so the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets,” Marta Janus of Kaspersky Lab said in her analysis of the rootkit.

“In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication. We weren’t able to connect to the C&C on the port used by malware, but the malicious server is still active and it hosts other *NIX based tools, such as log cleaners.”

Once the rootkit connects to the C&C server, the server sends back instructions about what code the malware should inject onto the target site. The C&C server will send details on whether it should inject JavaScript or an iframe and the specific code to be used. Wicherski said that the rootkit’s method for maintaining persistence on the infected machine is somewhat sloppy.

“Since the command is appended to the end of rc.local, there might actually be shell commands that result in the command not being executed as intended. On a default Debian squeeze install, /etc/rc.local ends in an exit 0 command, so that the rootkit is effectively never loaded,” he wrote.

Researchers believe that the Linux rootkit likely is being used in cybercrime operations rather than in targeted attacks, as the quality of the code isn’t high enough to have come from one of the groups engaged in the upper level attacks right now.

“Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction. The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack,” Wicherski said.

Shamoon Malware Steals Data

Posted by on Aug 17, 2012 in Tech Talk | 0 comments

A new piece of malware known as Shamoon that has the ability to destroy files on infected machines and overwrite the master boot record has researchers scratching their heads, wondering what the tool’s purpose might be and why the attackers behind it would destroy infected PCs. There are some indications that the malware could be related to Wiper, but researchers believe this is a red herring.

The Shamoon malware came to light on Thursday when researchers at Kaspersky Lab said that they had analyzed samples that included some odd and puzzling characteristics. One module in the malware has a string with a name that includes “wiper” as part of it, something that could point to a connection to the Wiper or Skywiper malware discovered earlier this year. Wiper was erasing files from disks, but it doesn’t appear that the two are connected at this point.

“Our opinion, based on researching several systems attacked by the original Wiper, is that it is not. The original “Wiper” was using certain service names (“RAHD…”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware,” Kaspersky researchers said.

However, researchers at Seculert who looked at Shamoon found that the malware not only has the ability to destroy data on infected PCs, but it also can overwrite the machine’s MBR, making the PC essentially useless. They discovered that before Shamoon executes its destructive instructions, it collects data from various files on the infected machine and then feeds that data to another infected PC on the same internal network. It’s a confusing routine, but there may be a reason for it.

“The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet,” Aviv Raff, Seculert CTO, said in his analysis.

After the attackers got whatever information they wanted off of the Shamoon-infected PCs, they then executed the instructions to delete the data on the hard disk and overwrite the MBR. Shamoon then communicates the results back to the command-and-control server through the internal proxy, Seculert said.

The intent of the attackers behind the Shamoon malware isn’t too clear at this point, but the tool is collecting data from infected machines and sending it off to parts unknown. That puts it in the league of the cyber espionage tools that have become the favored weapons of attackers of late.

YouTube launches face-blurring feature

Posted by on Jul 23, 2012 in Tech Talk | 0 comments

YouTube launches new face-blurring feature to disguise identities


YouTube Face-Blurring Tool

Google (GOOG) on Wednesday announced a new face-blurring tool for its video-sharing website YouTube. The site is the first to roll out such a feature, which is meant to protect the identity of protesters around the world. “Whether you want to share sensitive protest footage without exposing the faces of the activists involved, or share the winning point in your 8-year-old’s basketball game without broadcasting the children’s faces to the world, our face blurring technology is a first step towards providing visual anonymity for video on YouTube,” Google wrote on its blog. The Internet giant does note, however, that because it is using “emerging technology,” it may sometimes run into problems “detecting faces depending on the angle, lighting, obstructions and video quality,” and “it’s possible that certain faces or frames will not be blurred.”


Botnet responsible for spam taken down

Posted by on Jul 23, 2012 in Tech Talk | 0 comments

Botnet responsible for as much as 50% of global spam taken down


Computer security experts on Wednesday revealed that they had successfully taken down Grum, the world’s third-largest botnet, which was responsible for roughly 18% of global spam, according to The New York Times. According to CNNMoney, that figure could be as high as 50%. The security experts were able to block the botnet’s command and control servers in both the Netherlands and Panama. While the service was successfully shut down, it wasn’t long before Grum’s architects set up seven new command and control centers throughout Russia and Ukraine. The team, however, was able to successfully block those servers, too.

The researchers were able to kill the botnet again by tracing it back to its servers and alerting various Internet service providers. Most botnets are able to come back online within weeks; however, the team still counts the shutdown as a massive win.

“It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” said Atif Mushtaq, a computer security specialist at FireEye. “They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”


Targeted Attacks on SMBs Increase

Posted by on Jul 18, 2012 in Tech Talk | 0 comments

Targeted Attacks on SMBs Increase in 2012

In the first six months of 2012, 36 percent of targeted attacks focused on small businesses of fewer than 250 employees, and there were an average of 58 attacks per day, according to a new research report. At the end of 2011, small businesses were on the receiving end of only 18 percent of such attacks.

Despite that statistic, those large corporations with more than 2,500 employees remain the most common targets, averaging 69 blocked attacks per day, according to the Symantec Intelligence Report.

“There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones,” said the cyber security intelligence manager at Symantec, Paul Wood. “It almost seems attackers are diverting their resources directly from the one group to the other.”

Organized by industry, the defense industry, which Symantec considers a subset of the public sector, was the most sought-after target, experiencing 7.3 attacks per day. The chemical and pharmaceutical sectors continue to occupy the second and third spots, accounting for one in five targeted attacks.

Wood claims that despite these increases, targeted attacks, those that make use of customized malware and refined social engineering tactics to compromise sensitive information, are still exceptionally rare.

Other notable findings include that spam continued its gradual decline, dropping one percent in June from May; however, it still accounts for more than two thirds of global email. Meanwhile, phishing attacks are up 0.04 percent, which, coincidentally, is identical to the increase in email-borne threats. Web-based malware threats decreased 51.7 percent over that same period.

You can read more details here.